06-25-2008 04:54 PM - edited 03-10-2019 04:09 AM
Today, ips-4250-sx (not-in-line) upgraded from v6.0(4)E1 to 6.0(5)E2. (S335) to (S339)
1st appearance & flood of red alerts,
all internal sources and destinations:
1) Windows DCOM Overflow 0&1 subsigs:
(1100src/100dst=86k total hits)
2) Netware LSASS CIFS.NLM Driver Overflow: (145src/140dst=2.5k total hits)
3) Print Spooler Service Overflow: (140src/75dst=2.4k total hits)
- hit accumulation in 7hrs since upgrade
Is there some signature tweaking to be done? or is it TAC time?
Anybody else experience this?
-thanks for any advice
Will
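The counts in Will's post (distinct sources, distinct destinations, total hits per signature, all internal hosts, all starting right after the update) are the data a defender needs to decide whether a new signature set is producing false positives. The following script is an added example, not code from the thread or from Cisco: it assumes a simplified, constructed event format (one alert per line: ISO timestamp, sigId, subSig, source IP, destination IP) rather than a real sensor export, and shows how to build that per-signature summary, flag signatures first seen after the update time, and check whether every source and destination is an RFC 1918 address.

```python
"""Triage an IPS alert flood after a signature update (added example).

Assumes a constructed, simplified event format; a real sensor export
would need its own parser. The aim is to reproduce the kind of summary
in the post above and to flag signatures whose first alert lands after
the update, the pattern that points at a new, untuned signature.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Alert(NamedTuple):
    time: datetime
    sig: str   # "sigId.subSig", e.g. "5588.0"
    src: str
    dst: str


class Summary(NamedTuple):
    sources: int       # distinct source addresses
    destinations: int  # distinct destination addresses
    hits: int          # total alerts


# Constructed sample events (not real sensor output); 2000.0 stands in
# for a long-standing signature, the others for the ones in the thread.
SAMPLE_LOG = """\
2008-06-25T08:02:11 2000 0 10.1.1.5 10.1.1.1
2008-06-25T09:15:40 2000 0 10.1.1.7 10.1.1.1
2008-06-25T10:03:12 5588 0 10.1.2.10 10.1.1.1
2008-06-25T10:03:13 5588 1 10.1.2.10 10.1.1.1
2008-06-25T10:04:01 5588 0 10.1.2.11 10.1.1.1
2008-06-25T10:05:22 5588 0 10.1.2.10 10.1.1.2
2008-06-25T10:06:30 6769 0 10.1.3.4 10.1.1.1
2008-06-25T10:07:45 6769 0 10.1.3.5 10.1.1.1
2008-06-25T10:08:00 5565 4 10.1.4.9 10.1.1.3
2008-06-25T11:30:00 2000 0 10.1.1.5 10.1.1.1
"""


def parse(text: str) -> List[Alert]:
    """Parse the constructed format; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, sig_id, sub_sig, src, dst = parts
        alerts.append(Alert(datetime.fromisoformat(ts), f"{sig_id}.{sub_sig}", src, dst))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, Summary]:
    """Per-signature counts of distinct sources, distinct destinations and hits."""
    srcs, dsts, hits = defaultdict(set), defaultdict(set), defaultdict(int)
    for a in alerts:
        srcs[a.sig].add(a.src)
        dsts[a.sig].add(a.dst)
        hits[a.sig] += 1
    return {s: Summary(len(srcs[s]), len(dsts[s]), hits[s]) for s in hits}


def new_after_update(alerts: List[Alert], update_time: str) -> List[str]:
    """Signatures whose first alert is at or after the update timestamp (ISO format)."""
    cutoff = datetime.fromisoformat(update_time)
    first_seen: Dict[str, datetime] = {}
    for a in alerts:
        if a.sig not in first_seen or a.time < first_seen[a.sig]:
            first_seen[a.sig] = a.time
    return sorted(s for s, t in first_seen.items() if t >= cutoff)


def all_internal(alerts: List[Alert], sig: str) -> bool:
    """True if every source and destination for the signature is a private address."""
    ips = [ip for a in alerts if a.sig == sig for ip in (a.src, a.dst)]
    return bool(ips) and all(ipaddress.ip_address(ip).is_private for ip in ips)


def report(text: str, update_time: str) -> List[str]:
    """One line per signature that appeared only after the update, busiest first."""
    alerts = parse(text)
    totals = summarize(alerts)
    lines = []
    for sig in sorted(new_after_update(alerts, update_time), key=lambda s: -totals[s].hits):
        t = totals[sig]
        scope = "all internal" if all_internal(alerts, sig) else "mixed"
        lines.append(f"{sig}: {t.sources}src/{t.destinations}dst={t.hits} hits ({scope})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "2008-06-25T10:00:00"):
        print(line)
```

Signatures that show up at the top of this report, with internal-only traffic and a first-seen time that coincides with the update, are the candidates to disable or tune while waiting for the next signature set, rather than the ones to treat as live intrusions.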
06-25-2008 11:25 PM
I had the same issue. Just disabled the new signature and wait for better days. As of the new signature set 341 I see 3 new signatures already disabled. I guess with the next update these new ones that give us headaches will be tuned also.
06-26-2008 12:36 AM
Hi Will,
Yes, same signatures are firing after S339 and Engine Update! I am quite sure that these are false positives because Windows DCOM BO fires against Domain Controllers (I checked and they are healthy). Moreover these sigs started firing just after the update!
I think Cisco is going to tune S339 sigs.
Anybody else experience this?
Marco
06-26-2008 06:43 AM
Hi Will,
The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.
- Shiva
06-26-2008 07:24 AM
Shiva,
What is your recommendation?
Disable or not?
What is the ETA for the sig update?
thanks.
-Will
06-27-2008 06:37 AM
I got the same problem after upgrade to 5.1.7E2.
06-27-2008 11:12 AM
We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest workaround is to just add the parameter smb command: 37 to the signatures. Due to the nature of the issue, detection should not be affected in a negative way. We plan to ship this change in a signature update next week.
08-29-2008 05:12 AM
How about No. 3, the Print Spooler Overflow, Sig 5565. Same workaround?
08-29-2008 05:29 AM
All of these were fixed in S342 I think:
The S342 signature update contains the following modified signatures:
PLATFORM  SIGID   SIGNAME                                 ENGINE                SEVERITY  ENABLED  DDTS
5.x, 6.x  5565.4  Print Spooler Service Overflow          SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.0  Windows DCOM Overflow                   SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.1  Windows DCOM Overflow                   SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  6769.0  Netware LSASS CIFS.NLM Driver Overflow  SERVICE-SMB-ADVANCED  High      True     CSCsq99671
regards
Farrukh