Recently I've seen signature 5644/2 fire pretty regularly. This is a Client Service for Netware Overflow signature. It's always from a couple of hosts on my network, and it is directed at machines that aren't running CSNW. So I'm not really concerned about anything being compromised by it, but I want to make sure the source machines aren't sending anything malicious.
When I looked this signature up in Intellishield, it shows an alarm severity of medium. It also shows that it is a component of meta-signature 5644/3. Well, after exploring 5644/3 a bit further, I discovered it is triggered when 5644/0, 1, and 2 are all detected. So does this mean I shouldn't be concerned if one part of this meta-signature is detected by itself?
Also, I logged the packets that caused 5644/2 to trigger, and I wanted to see what exactly caused it. Well, the regex pattern for this signature is protected. I thought it would be helpful to at least be able to see what happened, so is there any other way I can look at this or find this information? Or would it not be helpful in this case to see specifically what happened in the packet?
Thanks for any help!
Nate, I didn't see what version you were running, but I looked up the signature 5644-2. It has an SFR of 60. TVR will default to 100 unless changed by the user. The "medium" results in an ASR of 75. For 6.0(5), that's a base RR of 45, (SFR*TVR*ASR)/10000. There are additive modifiers for a relevant OS (+10) and a modifier for the source being on the "watch list". The only things that can account for an adder of 30 would be the TVR being set to HIGH and some watchlist value (or just a large watchlist value). There might be a bug hiding in there someplace (we did find one in Meta that was fixed in 5.1(8) and 6.0(5)), but a look at String.TCP showed that it does not have the Meta problem.
By default, that sig (a component of a META sig) does not have an action assigned. This is generally how the META sigs work. Most (none?) of the component sigs actually have an action. You should probably remove whatever actions have been added.
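The reply above works backwards from an observed risk rating to the modifiers that could produce it. The following is an added example (not code from the original post, and not Cisco's) that does the same arithmetic: it computes the base RR with the formula quoted in the reply, then enumerates every TVR / attack-relevancy / watch-list combination that would land on a given observed RR (75, the value implied by the reply's "adder of 30"). The numeric TVR and ASR scales, the +10/-10 relevancy adder, integer truncation and the 0..100 clamp are assumptions taken from the IPS 6.0 configuration guide as I remember it; check them against the release you run.

```python
"""Risk-rating arithmetic for a Cisco IPS 6.0-style signature (added example).

RR = (SFR * TVR * ASR) / 10000 + adders, as quoted in the reply above.
The scale values below are assumptions; verify against your IPS release.
"""
from itertools import product

# Assumed numeric scales (IPS 6.0 documentation, from memory).
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}  # attack relevancy adder


def base_rr(sfr: int, tvr: int, asr: int) -> int:
    """Base risk rating; assumed truncated to an integer by the sensor."""
    return (sfr * tvr * asr) // 10000


def risk_rating(sfr: int, tvr: int, asr: int, arr: int = 0, watchlist: int = 0) -> int:
    """Full risk rating, clamped to the 0..100 range the sensor reports."""
    return max(0, min(100, base_rr(sfr, tvr, asr) + arr + watchlist))


def explain(observed: int, sfr: int, asr: int, max_watchlist: int = 100):
    """Every (tvr_label, arr_label, watchlist_value) that yields `observed`.

    Useful when an alert's RR is higher than the defaults predict and you
    want to know which tuning could be responsible before blaming a bug.
    """
    hits = []
    for (tvr_label, tvr), (arr_label, arr) in product(TVR.items(), ARR.items()):
        needed = observed - base_rr(sfr, tvr, asr) - arr
        if 0 <= needed <= max_watchlist:
            hits.append((tvr_label, arr_label, needed))
    return hits


if __name__ == "__main__":
    # Sig 5644-2 per the reply: SFR 60, severity medium (ASR 75), default TVR 100.
    print("default RR:", risk_rating(60, TVR["medium"], ASR["medium"]))
    for tvr_label, arr_label, wl in explain(75, 60, ASR["medium"]):
        print(f"TVR={tvr_label:16s} relevancy={arr_label:13s} watchlist=+{wl}")
```

Running it shows that with TVR left at medium you need a watch-list adder of 20 to 40 to reach 75, that TVR high needs only 8 to 18, and that mission-critical overshoots on its own, which is the same set of explanations the reply narrows down to.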