Sig Name: Worm Activity - Brute Force

Jun 28th, 2010

We are using the Cisco IPS 4215 and seeing this alert over and over.

Sig Name: Worm Activity - Brute Force
Sig ID: 16297
Severity: High
Risk Rating: 95
Sig Version: S392

Is this a false positive or something else?

Scott Fringer (Cisco Employee) Tue, 06/29/2010 - 03:45

It is not possible to determine from the information you provided.

You can learn more about a specific signature (and potential benign triggers) by visiting the Cisco IntelliShield site:

  For signature 16297/1, the following details are available:

  Signature 16297/1 is based on signature 16297/0:

  It would be best to look at the services running on the reported attacker, and determine if there is a legitimate reason for it to attempt an SMB logon to the victim system and cause 9 logon failures in a 30 second period. Perhaps an automated service is still attempting to log into the victim system with outdated credentials.
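
To act on the suggestion above, the following added example (not part of the original thread, and not Cisco's signature logic) replays failed-logon records against the 9-failures-in-30-seconds threshold and reports which accounts each flagged source tried. The record layout, addresses, account names and the one-account-versus-many triage heuristic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 9   # logon failures, from the signature description in the reply
WINDOW = 30     # seconds, from the same description

def build_sample():
    """Constructed failed-logon records: (time, source, target, account)."""
    t0 = datetime(2010, 6, 28, 10, 0, 0)
    victim = "10.0.0.20"
    rows = []
    # One service account retried every 3 s (10 failures).
    rows += [(t0 + timedelta(seconds=3 * i), "10.0.0.5", victim, "svc_backup") for i in range(10)]
    # A different account on every attempt, every 2 s (12 failures).
    rows += [(t0 + timedelta(seconds=2 * i), "10.0.0.9", victim, f"user{i}") for i in range(12)]
    # Occasional mistyped password, one failure a minute (3 failures).
    rows += [(t0 + timedelta(seconds=60 * i), "10.0.0.7", victim, "alice") for i in range(3)]
    return sorted(rows)

def find_bursts(records, threshold=THRESHOLD, window=WINDOW):
    """Map (source, target) -> accounts seen in any window that met the threshold."""
    recent = defaultdict(deque)
    bursts = {}
    for when, src, dst, account in records:   # records must be in time order
        q = recent[(src, dst)]
        q.append((when, account))
        # Drop failures that fell out of the sliding window.
        while (when - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            bursts.setdefault((src, dst), set()).update(a for _, a in q)
    return bursts

def classify(accounts):
    """Assumed triage heuristic, not part of the signature."""
    if len(accounts) == 1:
        return "one account retried: check for a service using outdated credentials"
    return "many accounts tried: investigate the source host"

if __name__ == "__main__":
    for (src, dst), accounts in sorted(find_bursts(build_sample()).items()):
        print(f"{src} -> {dst}: {len(accounts)} account(s); {classify(accounts)}")
```

Feed it failed-logon records exported from the victim system in place of `build_sample()`; sources that never reach the threshold, such as the once-a-minute failures in the sample, are not reported.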


