Windows DCOM Overflow (Internal Servers)

Jul 3rd, 2008


We've just received these new appliances and I've been trying to make heads or tails of messages received about "attacks".


This is the message that I'm getting:


Windows DCOM Overflow 5588/0 192.168.3.34 192.168.1.7 droppedPacket, deniedFlow, tcpOneWayResetSent 445 60 95


I have a DC and five Satellite Servers and they're all on a VPN and they replicate. This is a constant "attack" that I'm getting. I've made filters to make sure that the Network IPs in question are exempt from this signature.

I also did a DCdiag on the Domain Controller. This is not the only signature that I get that my DC is "attacking" other IPs within the Network... Here's my device and versions:


IPS ver. 6.1(1) E2

Device Type: ASA-SSM 10


ASDM= ASA Ver. 8.0 (2)

Device Type: ASA5510

ASDM ver 6.0(2)


I know that it can't be anything that is making the Servers compromised, but I'm trying to narrow this down. I really don't want to disable the signature for fear of allowing anything from the outside coming in. My gut feeling is that it's a false positive. Anyone else have this issue?


Same issue with a sig firing of 3337/0 Windows RPC Race condition... This one is firing from my DC to my satellite office servers... All are healthy btw.



Farrukh Haroon Sun, 07/06/2008 - 03:28

Download the latest signature update, AFAIR they just tuned this signature in the last release.


Regards


Farrukh

yuliang13 Tue, 01/20/2009 - 22:21



Looks like a true positive. Try to check whether the source has been patched. If it hasn't, most likely it has been infected, etc.
