01-20-2009 10:25 PM - edited 03-10-2019 04:28 AM
Hi,
Lately I've been hammered badly by this signature. The funny thing is the destination ports are high ports, e.g. 1025, 5000, etc. (non-NetBIOS). I noticed this signature has been firing frequently since MS08-067. Anyone having the same experience? Is this a true positive?
Thanks in advance
01-26-2009 02:21 PM
If you are referring to sig 3327 subsig 8, it doesn't have any event-action associated with it by default. By any chance, have you tuned the sig or added an Event Action Override that might be applied to it?
02-02-2009 06:06 PM
Hi,
Yes, I'm referring to 3327. I do not think we have tuned it, as we have hundreds of IPS deployed. Do you mind if I send you the payload to have a look?
02-15-2009 10:53 PM
If there is no event action associated with it, does this mean the signature is actually not important?
03-03-2009 02:12 AM
Cisco IPS seems very ineffective as an IPS.
03-03-2009 03:14 AM
Signature 3327-8 is a meta component and thus only part of a signature. It does not have any event actions by default, as the main signature is the one that'll produce an alert once the required components have been triggered by an attack.
A component going off may not be of significance, which is why they are set not to produce alerts by default. If you've changed this setting and are now annoyed by the alerts, I suggest turning it back to default.
Martin Zeiser
IPS Signature Team
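To illustrate the point made above, that a single component firing is not by itself an alert and only the parent meta signature alerts once all required components have been seen, here is an added Python sketch of meta-signature correlation. It is not Cisco's engine or the real definition of signature 3327: the required subsig set, the time window and the component events are all constructed for the example.

```python
from collections import defaultdict

# Constructed component events: (timestamp_seconds, src, dst, sig_id, subsig_id).
# Flow 10.0.0.5 -> 10.0.0.9 only ever trips subsig 8 (the noisy lone component);
# flow 10.0.0.7 -> 10.0.0.9 trips every required component inside the window.
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "10.0.0.9", 3327, 8),
    (101, "10.0.0.5", "10.0.0.9", 3327, 8),
    (200, "10.0.0.7", "10.0.0.9", 3327, 8),
    (203, "10.0.0.7", "10.0.0.9", 3327, 3),
    (205, "10.0.0.7", "10.0.0.9", 3327, 5),
]

META_SIG = 3327
REQUIRED_COMPONENTS = {3, 5, 8}  # hypothetical: all must fire for the meta alert
WINDOW_SECONDS = 60              # hypothetical correlation window


def correlate(events, required=REQUIRED_COMPONENTS, window=WINDOW_SECONDS):
    """Return one meta alert per (src, dst) flow in which every required
    component subsignature fired within `window` seconds of the first one.
    Flows where only some components fire produce nothing, which is why a
    component by itself carries no event action."""
    by_flow = defaultdict(list)
    for ts, src, dst, sig, sub in events:
        if sig == META_SIG and sub in required:
            by_flow[(src, dst)].append((ts, sub))

    alerts = []
    for flow, comps in by_flow.items():
        comps.sort()  # order by timestamp
        for i, (start, _) in enumerate(comps):
            # Components seen in the window opened by this event.
            seen = {sub for ts, sub in comps[i:] if ts - start <= window}
            if seen >= required:
                alerts.append({"flow": flow,
                               "components": sorted(seen),
                               "first_seen": start})
                break  # one alert per flow is enough
    return alerts


def lone_component_count(events, required=REQUIRED_COMPONENTS):
    """How many component events would have been shown if each component
    alerted on its own, versus the meta alerts correlate() emits."""
    return sum(1 for _, _, _, sig, sub in events
               if sig == META_SIG and sub in required)


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print("component events:", lone_component_count(SAMPLE_EVENTS))
```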
03-03-2009 03:32 AM
Hi Martin,
Thanks for the reply. I've tried the RPC DCOM exploit against this signature. Only subsig 8 was triggered upon the exploit attempt. Do you think this signature is important?
03-03-2009 04:04 AM
This signature is relevant to CVE-2003-0352, which is the vulnerability the Blaster worm abused. I'm sure there's still a bunch of old machines out there infected by this worm and scanning the Internet for victims.
03-03-2009 07:46 AM
Hi,
Yes, it's related to that. I'm using the exploit for that vulnerability and it triggered signature 8 only. I think this means sub ID 8 should be quite important, right?