S85 and Signature 3337

Unanswered Question
Apr 14th, 2004
Extremely noisy, haven't done much analysis yet.


Anyone else seeing this generate lots of alerts? Most of them are between my VPN users and my Microsoft Exchange servers.


itsupportbmw Wed, 04/14/2004 - 22:37

Roger that, Exchange Server 5.5 and any user (remote or local) triggers it here. That's a lot of false positives. Guess that means there'll be yet-another-update soon :(

darin.marais Thu, 04/15/2004 - 02:03

Confirmed. I too see false positives for the same reasons as the rest of this thread.

tbulliard Thu, 04/15/2004 - 06:41
Yea... When people started logging in this morning, in one hour, IDS generated 67,451 alerts for sig 3337.

derwalke Thu, 04/15/2004 - 09:46

Do you have any more details you can provide? What destination ports, patterns of activity, network traces, etc...? I'd like to try and tweak this signature a bit more, and need some input from you guys in the field. MSRPC usage and traffic can be quite arbitrary at times.



itsupportbmw Thu, 04/15/2004 - 14:51
Clients using Outlook 2000 connecting to an Exchange 5.5 Server on TCP ports 6042 and 6043 from a random port triggers it here.



fabiosarapu Thu, 04/15/2004 - 17:21

YES; all valid traffic between Exchange servers triggers this signature.

Perhaps it needs more fine tuning. I'm going to disable it and wait for a correction.


milan.kulik Thu, 04/15/2004 - 23:41

Client Outlook 98, Exchange server 2000 (service pack 3), thousands of alarms on dest ports 1187, 1189, 1567, 5555.


Regards,

Milan

derwalke Fri, 04/16/2004 - 04:33

Would it be possible for either of you to turn on packet capture or even better ipLogging of the signature? I have some guesses as to why this sig may be firing inappropriately, but if I had some sample of network traffic, I could nail it down.

milan.kulik Fri, 04/16/2004 - 05:30
There are also some alarms fired with the destination address of the Primary or secondary Domain Controller, destination port 1026.


Regards,

Milan
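The per-destination summary asked for in this thread can be produced from exported alarm logs before deciding on a filter. The following is an added example, not code from the thread or from Cisco: it assumes a constructed key=value alarm line format (real sensor exports differ) and an assumed list of known Exchange and domain-controller addresses, and it only suggests filter entries when nearly all hits for a signature go to those known servers.

```python
"""Summarise alerts for one signature by destination host and port."""
from collections import Counter
import re

# Constructed sample alarm lines (not real sensor output); the sig ids and
# ports mirror the ones discussed in the thread.
SAMPLE_ALERTS = """\
2004-04-15T08:01:12 sig=3337 src=10.1.2.5:3467 dst=10.0.0.20:6042
2004-04-15T08:01:13 sig=3337 src=10.1.2.5:3468 dst=10.0.0.20:6043
2004-04-15T08:01:15 sig=3337 src=10.1.2.9:1099 dst=10.0.0.20:6042
2004-04-15T08:02:01 sig=3337 src=10.1.3.4:2021 dst=10.0.0.10:1026
2004-04-15T08:02:30 sig=2004 src=172.16.9.9:5000 dst=10.0.0.20:80
2004-04-15T08:03:11 sig=3337 src=10.1.2.7:3470 dst=10.0.0.20:6042
"""

LINE_RE = re.compile(r"sig=(\d+) src=(\S+):(\d+) dst=(\S+):(\d+)")


def parse_alerts(text):
    """Yield (sig, src, sport, dst, dport) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sig, src, sport, dst, dport = m.groups()
            yield int(sig), src, int(sport), dst, int(dport)


def summarize(text, sig_id):
    """Return Counter keyed by (dst_host, dst_port) for alerts of one signature."""
    counts = Counter()
    for sig, _src, _sport, dst, dport in parse_alerts(text):
        if sig == sig_id:
            counts[(dst, dport)] += 1
    return counts


def filter_candidates(text, sig_id, known_servers, min_share=0.8):
    """Suggest (dst_host, dst_port, count) entries, most frequent first, when at
    least min_share of the signature's alerts target known application servers.
    Returns an empty list otherwise, so unexpected destinations are never filtered."""
    counts = summarize(text, sig_id)
    total = sum(counts.values())
    to_known = sum(c for (dst, _), c in counts.items() if dst in known_servers)
    if total == 0 or to_known / total < min_share:
        return []
    hits = [(dst, port, c) for (dst, port), c in counts.items() if dst in known_servers]
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    for dst, port, n in filter_candidates(SAMPLE_ALERTS, 3337, {"10.0.0.20", "10.0.0.10"}):
        print(f"sig 3337 -> {dst}:{port}  {n} alerts")
```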

derwalke Fri, 04/16/2004 - 08:04

We've addressed some of the false positives we've found with this sig. The fix will be in for S86 and can be tracked with DDTS CSCee31185.

milan.kulik Thu, 04/22/2004 - 01:27
Hi,

the bug workaround says " Upgrade to signature update S86 or later."

But the S86-readme.txt says "No signatures have been tuned in this update."

There are also no caveats mentioned.


So has the bug been fixed in S86 or not?

May I remove my filters safely?


Regards,

Milan


derwalke Thu, 04/22/2004 - 05:03

Based on the feedback I have received here, the signature has been tuned and altered a bit. It should now have a much better fidelity. Please go ahead and re-enable it. It should not be nearly as noisy now. And post back if you can and let me know how it goes.


tbulliard Thu, 04/22/2004 - 08:22
Why didn't the release notes with S86 list 3337 as a tuned signature? Were any other signatures tuned?

derwalke Thu, 04/22/2004 - 11:03
It should have been. We had a slight process problem in getting this one out the door. No other sigs were modified.

milan.kulik Thu, 04/22/2004 - 22:42
Yes, the signature seems to be fixed.

But how can we rely on a signature update system when there is no notice of signature modification in the readme file?


Regards,

Milan