How do I determine whether an "SMB - Remote SAM server access" alert is a false positive?

fisko
Level 1

How do I determine whether an "SMB - Remote SAM server access" alert is a false positive?

2 Replies

Farrukh Haroon
VIP Alumni

You know it by looking at the source/destination IPs. An IPS is no magic device; it's just a 'tool' to enforce your security policy. If those IPs are allowed to access SAM remotely, then it's acceptable (i.e. an IPS false positive); if they are not allowed, it's NOT OK (true positive).

Regards

Farrukh

mhellman
Level 7

5583-0 right?

I would say that there are different types of false positives. Do you mean, how do I determine if what was seen actually represents an attempt to access the SAM database? I would start by looking at MySDN (or whatever Cisco is calling it these days... IntelliShield?). It's often not very up to date and missing information, but it's an easy thing to check. Here's the link for this sig:

https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5583&signatureSubId=0

If you look at the benign triggers, you'll see that it suggests that this only matters if the source is external. It's up to you whether to research any further. If you really want to inspect the signature further, you'll have to add one of the "log packets" actions. This will save a network trace when it fires again and then you can open it up in Wireshark, which understands SMB and will probably decode it enough for you to verify whether it actually was an attempt to access the "Remote SAM server".
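The two replies above describe a two-step triage: first decide from the source/destination IPs whether the access is permitted by policy (and whether the source is external, which the benign-triggers note says is the case that matters), then confirm from a "log packets" capture whether the traffic really was remote SAM access. The script below is an added example written for this thread, not code from either poster or from Cisco. The internal ranges and allowed admin hosts are constructed placeholders for a hypothetical policy, the sample payloads are constructed bytes rather than real captures, and the capture check is a substring scan for the `\samr` pipe name and the SAMR interface UUID, not a full SMB/DCE-RPC parser.

```python
import ipaddress
import uuid

# Hypothetical policy for triaging sig 5583-0 (SMB - Remote SAM server access).
# Constructed placeholder values; replace them with your own environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Hosts the (assumed) policy allows to query another machine's SAM remotely,
# e.g. domain controllers and an admin jump host.
ALLOWED_SAM_SOURCES = {ipaddress.ip_address("10.0.0.5"),
                       ipaddress.ip_address("10.0.0.6")}

# SAMR is reached over the \samr named pipe and bound by its DCE/RPC interface UUID.
# The pipe name is usually UTF-16LE on the wire (SMB2 CREATE, SMB1 NT Create AndX
# with the Unicode flag); the plain ASCII form covers older SMB1 clients.
SAMR_IFACE_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
SAMR_MARKERS = [
    "samr".encode("utf-16-le"),   # pipe name as carried in an SMB2 CREATE request
    b"\\samr",                    # ASCII pipe name (non-Unicode SMB1)
    SAMR_IFACE_UUID.bytes_le,     # abstract syntax UUID in the DCE/RPC bind
]


def classify_by_policy(src, dst, internal_nets=INTERNAL_NETS,
                       allowed_sources=ALLOWED_SAM_SOURCES):
    """The IP/policy check from the first reply.

    Returns one of:
      'external_source'  - source outside the internal ranges; treat as a real hit
      'policy_allowed'   - internal source permitted to access SAM remotely
      'internal_review'  - internal source that is not on the allow list
    """
    s = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validates the destination; not used in the decision
    if not any(s in net for net in internal_nets):
        return "external_source"
    if s in allowed_sources:
        return "policy_allowed"
    return "internal_review"


def trace_shows_samr(payload: bytes) -> bool:
    """The capture check from the second reply, as a heuristic byte scan.

    A hit means the \\samr pipe name or the SAMR interface UUID appeared in the
    captured bytes; a miss means the capture does not show SAMR access at all.
    """
    return any(marker in payload for marker in SAMR_MARKERS)


def triage(src, dst, payload=None):
    """Combine both checks into one verdict for a single alert."""
    policy = classify_by_policy(src, dst)
    if payload is None:
        return policy, "no capture; add the log-packets action and re-check"
    if not trace_shows_samr(payload):
        return policy, "capture shows no SAMR pipe or bind: likely a false positive"
    return policy, "capture shows SAMR access"


# Constructed sample payloads (not real captures): an SMB2-style name field for
# 'samr' versus 'srvsvc', and a DCE/RPC bind carrying the SAMR interface UUID.
SAMPLE_SAMR = b"\xfeSMB" + b"\x00" * 60 + "samr".encode("utf-16-le") + b"\x00" * 8
SAMPLE_SRVSVC = b"\xfeSMB" + b"\x00" * 60 + "srvsvc".encode("utf-16-le") + b"\x00" * 8
SAMPLE_BIND = b"\x05\x00\x0b\x03" + b"\x00" * 40 + SAMR_IFACE_UUID.bytes_le

if __name__ == "__main__":
    for src, dst, pl in [("203.0.113.7", "10.0.0.20", SAMPLE_SAMR),
                         ("10.0.0.5", "10.0.0.20", SAMPLE_SAMR),
                         ("10.1.2.3", "10.0.0.20", SAMPLE_SRVSVC),
                         ("10.1.2.3", "10.0.0.20", None)]:
        print(src, "->", dst, triage(src, dst, pl))
```

When you open the saved trace in Wireshark, the `samr` display filter (or `dcerpc.cn_bind_to_uuid == 12345778-1234-abcd-ef00-0123456789ac` for the bind itself) isolates the SAMR traffic directly, which is the same evidence the byte scan above looks for.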
