Sudden Windows DCOM Overflow flood

wgorman
Level 1

Today, ips-4250-sx (not-in-line) upgraded from v6.0(4)E1 to 6.0(5)E2. (S335) to (S339)

1st appearance & flood of red alerts,

all internal sources and destinations:

1) Windows DCOM Overflow 0&1 subsigs:

(1100src/100dst=86k total hits)

2) Netware LSASS CIFS.NLM Driver Overflow: (145src/140dst=2.5k total hits)

3) Print Spooler Service Overflow: (140src/75dst=2.4k total hits)

- hit accumulation in 7hrs since upgrade

Is there some signature tweaking to be done? or is it TAC time?

Anybody else experience this?

-thanks for any advice

Will

8 Replies

rnaydenov
Level 1

I had the same issue. Just disabled the new signatures and am waiting for better days. As of the new signature set S341 I see 3 new signatures already disabled. I guess with the next update these new ones that give us headaches will be tuned also.

soc_admin
Level 1

Hi Will,

Yes, the same signatures are firing after S339 and the Engine Update! I am quite sure that these are false positives because Windows DCOM BO fires against Domain Controllers (I checked and they are healthy). Moreover, these sigs started firing just after the update!

I think Cisco is going to tune the S339 sigs.

Anybody else experience this?

Marco

shivapd
Cisco Employee

Hi Will,

The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.

- Shiva

Shiva,

What is your recommendation?

disable or not

What is the ETA for the sig update?

thanks.

-Will

andytmn
Level 1

I got the same problem after upgrading to 5.1.7E2.

We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest workaround is to just add the parameter smb command: 37 to the signatures. Due to the nature of the issue, detection should not be affected in a negative way. We plan to ship this change in a signature update next week.

How about No. 3, the Print Spooler Overflow, sig 5565. Same workaround?

All of these were fixed in S342 I think:

The S342 signature update contains the following modified signatures:

PLATFORM  SIGID   SIGNAME                                   ENGINE                SEVERITY  ENABLED  DDTS
5.x, 6.x  5565.4  Print Spooler Service Overflow            SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.0  Windows DCOM Overflow                     SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.1  Windows DCOM Overflow                     SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  6769.0  Netware LSASS CIFS.NLM Driver Overflow    SERVICE-SMB-ADVANCED  High      True     CSCsq99671

regards

Farrukh
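To illustrate what the "smb command: 37" workaround mentioned earlier in the thread actually constrains, here is an added Python example that is not part of the thread or of Cisco's IPS code. It assumes that command 37 (0x25) is SMB_COM_TRANSACTION, the SMB1 command used to carry DCE/RPC over named pipes, and it models a signature whose other conditions have already matched: without the command constraint it fires on every SMB1 message it sees, with the constraint only on transaction messages. The sample messages are constructed.

```python
# Added example, not from the thread: shows the effect of restricting a
# SERVICE-SMB-ADVANCED style signature to SMB1 command 37 (0x25), which is
# SMB_COM_TRANSACTION (assumption: the command that carries DCE/RPC over named
# pipes). Ordinary file reads/writes then stop matching.
from typing import Iterable, Optional

SMB_COM_TRANSACTION = 37  # 0x25

def smb1_command(packet: bytes) -> Optional[int]:
    """Return the SMB1 command byte of a NetBIOS-framed SMB1 message, or None."""
    # NetBIOS session header: 1 byte type (0x00 = session message), 3 bytes length.
    if len(packet) < 4 + 32 or packet[0] != 0x00:
        return None
    length = int.from_bytes(packet[1:4], "big")
    if length != len(packet) - 4:
        return None
    smb = packet[4:]
    if smb[:4] != b"\xffSMB":      # SMB1 protocol id
        return None
    return smb[4]                   # command byte follows the protocol id

def build_smb1(command: int, payload: bytes) -> bytes:
    """Construct a minimal NetBIOS-framed SMB1 message (test data only)."""
    header = b"\xffSMB" + bytes([command]) + bytes(27)  # 32-byte SMB1 header
    body = header + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body

def should_alert(packet: bytes, smb_command: Optional[int]) -> bool:
    """Signature whose other conditions already matched; smb_command=None
    means no command constraint (the behaviour that produced the flood)."""
    cmd = smb1_command(packet)
    if cmd is None:
        return False
    return smb_command is None or cmd == smb_command

def count_alerts(packets: Iterable[bytes], smb_command: Optional[int] = None) -> int:
    """Number of messages the (tuned or untuned) signature would fire on."""
    return sum(should_alert(p, smb_command) for p in packets)

# Constructed sample traffic: one RPC transaction among ordinary SMB operations.
SAMPLE = [
    build_smb1(0x25, b"\x05\x00"),   # SMB_COM_TRANSACTION carrying DCE/RPC
    build_smb1(0x2E, b"\x00" * 8),   # SMB_COM_READ_ANDX: plain file read
    build_smb1(0x2F, b"\x00" * 8),   # SMB_COM_WRITE_ANDX: plain file write
    build_smb1(0x73, b"\x00" * 8),   # SMB_COM_SESSION_SETUP_ANDX: logon
    b"\x00\x00\x00\x04GET ",         # not SMB at all, ignored
]
```

Running count_alerts(SAMPLE) against count_alerts(SAMPLE, SMB_COM_TRANSACTION) shows the untuned rule matching every SMB1 message on a busy file server, which is the kind of all-internal alert flood the thread describes.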
