AD - External TCP Scanner Signature - Actions Taken ->denyPacketRequestedNotPerformed

AdnanShahid · ‎05-05-2010

Hi,

I am getting lots of High Alert of AD -External TCP Scanner... on the Action Taken tab I am seeing "denyPacketRequestedNotPerformed". I want to know what this messages mean.

The Signature fires on victim port 445. In my case, All the attackers [windows based server] are inside my network that attacks the destination 0.0.0.0 on port 445. I have already block those Attackers with ACL on my router from the most source end. But Still I am getting this signature in my report.

Want to know,

1) What this message "denyPacketRequestedNotPerformed" is?

2) Whether putting ACL in the source end is enough for this?

3) Is there any recommended Solution for this signature suppression?

Thanks in advance.

[Attached file is the Alert]

BR//

Adnan

Jennifer Halim · ‎05-06-2010

TCP/445 is used by Microsoft file sharing (CIFS), and by default that port is opened on all Microsoft PC basically to allow file sharing.

If you open up DOS prompt, and type: netstat -na, you would see that your PC is by default listening on TCP/445.

Here is more information on Microsoft-DS (TCP/445):

http://www.linklogger.com/TCP445.htm

http://en.wikipedia.org/wiki/Server_Message_Block

So it really depends on your corporate security policy, whether to allow file sharing or not within the network. IPS is picking that up because it is an easier way of exploiting a PC since the port is opened by default.