Sig Name: Worm Activity - Brute Force

Unanswered Question
Jun 28th, 2010

We are using the Cisco IPS 4215 and seeing this alert over and over.

Sig Name: Worm Activity - Brute Force
Sig ID: 16297
Severity: High
Risk Rating: 95
Sig Version: S392

Is this a false positive or something else?

Scott Fringer Tue, 06/29/2010 - 03:45

It is not possible to determine from the information you provided.

You can learn more about a specific signature (and potential benign triggers) by visiting the Cisco IntelliShield site:

http://www.cisco.com/security

For signature 16297/1, the following details are available:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=1&softwareVersion=6.0&releaseVersion=S392

Signature 16297/1 is based on signature 16297/0:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=0&softwareVersion=6.0&releaseVersion=S392

It would be best to look at the services running on the reported attacker, and determine if there is a legitimate reason for it to attempt an SMB logon to the victim system and cause 9 logon failures in a 30 second period. Perhaps an automated service is still attempting to log into the victim system with outdated credentials.

Scott
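To make the triage advice in the answer above concrete, here is an added example (not part of the thread and not Cisco code) that reproduces the signature's stated trigger condition, 9 SMB logon failures within a 30 second period, over constructed logon records. It assumes a simple record format ("timestamp source destination account result") and assumes the count is kept per source/destination pair; the real signature's internal counting rules are not described on the page. The point is the second step the answer recommends: once a source host trips the threshold, look at which accounts were involved, since one account failing repeatedly from one host is what an automated service with outdated credentials looks like, while many distinct accounts would point toward guessing.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records (not real IPS or server output); each line is
# "<ISO timestamp> <source IP> <destination IP> <account> <result>".
# 10.1.1.50 fails 9 times in 24 s with one service account (should trigger),
# 10.1.1.60 fails 8 times spread over 70 s (never 9 in any 30 s window),
# 10.1.1.77 is a user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2010-06-28T09:00:00 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:01 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:00:03 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:05 10.1.1.77 10.1.1.10 jsmith FAILURE
2010-06-28T09:00:06 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:08 10.1.1.77 10.1.1.10 jsmith SUCCESS
2010-06-28T09:00:09 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:11 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:00:12 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:15 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:18 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:21 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:21 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:00:24 10.1.1.50 10.1.1.10 svc_backup FAILURE
2010-06-28T09:00:31 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:00:41 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:00:51 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:01:01 10.1.1.60 10.1.1.10 mjones FAILURE
2010-06-28T09:01:11 10.1.1.60 10.1.1.10 mjones FAILURE
"""

# Threshold and window as stated in the thread for signature 16297.
THRESHOLD = 9
WINDOW_SECONDS = 30


def parse_events(text):
    """Parse the constructed record format into sorted (ts, src, dst, account, result) tuples."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, account, result = raw.split()
        events.append((datetime.fromisoformat(ts), src, dst, account, result))
    events.sort(key=lambda e: e[0])  # tolerate out-of-order input
    return events


def find_brute_force_windows(text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one hit per (source, destination) pair whose failures reach
    `threshold` within any sliding window of `window` seconds (assumed counting model)."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, account) still inside the window
    fired = set()
    hits = []
    for ts, src, dst, account, result in parse_events(text):
        if result != "FAILURE":
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, account))
        # Drop failures older than the window relative to the newest one.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)  # report each pair once, like a single alert
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(q),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "accounts": sorted({a for _, a in q}),
            })
    return hits


def classify(hit):
    """Apply the thread's triage heuristic: one account retried from one host
    suggests an automated service with stale credentials; many accounts do not."""
    if len(hit["accounts"]) == 1:
        return ("single account: consistent with an automated service on %s "
                "retrying stale credentials for %s" % (hit["src"], hit["accounts"][0]))
    return ("multiple accounts (%d): treat as possible credential guessing"
            % len(hit["accounts"]))


if __name__ == "__main__":
    for hit in find_brute_force_windows(SAMPLE_LOG):
        print(hit)
        print(classify(hit))
```

Run against your own exported logon-failure records (after mapping them into the same five fields), the `src` of each hit is the "reported attacker" to inspect, and `accounts` is the list to check against scheduled tasks, backup agents or mapped drives on that host.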
