04-14-2004 12:47 PM - edited 03-09-2019 07:04 AM
Extremely noisy, haven't done much analysis yet.
Anyone else seeing this generate lots of alerts? Most of them are between my VPN users and my Microsoft Exchange servers.
04-14-2004 10:37 PM
Roger that, Exchange Server 5.5 and any user (remote or local) triggers it here. That's a lot of false positives. Guess that means there'll be yet-another-update soon :(
04-15-2004 02:03 AM
Confirmed; I too see false positives for the same reasons as the rest of this thread.
04-15-2004 06:41 AM
Yea... When people started logging in this morning, in one hour, IDS generated 67,451 alerts for sig 3337.
04-15-2004 09:46 AM
Do you have any more details you can provide? What destination ports, patterns of activity, network traces, etc...? I'd like to try and tweak this signature a bit more, and need some input from you guys in the field. MSRPC usage and traffic can be quite arbitrary at times.
04-15-2004 02:51 PM
Clients using Outlook 2000 connecting to an Exchange 5.5 Server on TCP ports 6042 and 6043 from a random port triggers it here.
04-15-2004 05:21 PM
YES; all valid traffic between Exchange servers triggers this signature.
Perhaps it needs more fine tuning. I'm going to disable it
and wait for a correction.
04-15-2004 11:41 PM
Client Outlook 98, Exchange Server 2000 (Service Pack 3), thousands of alarms on dest ports 1187, 1189, 1567, 5555.
Regards,
Milan
04-16-2004 04:33 AM
Would it be possible for either of you to turn on packet capture or, even better, IP logging of the signature? I have some guesses as to why this sig may be firing inappropriately, but if I had a sample of network traffic, I could nail it down.
04-16-2004 05:30 AM
There are also some alarms fired with the destination address of the Primary or secondary Domain Controller, destination port 1026.
Regards,
Milan
04-16-2004 08:04 AM
We've addressed some of the false positives we've found with this sig. The fix will be in S86 and can be tracked with DDTS CSCee31185.
04-22-2004 01:27 AM
Hi,
The bug workaround says "Upgrade to signature update S86 or later."
But the S86-readme.txt says "No signatures have been tuned in this update."
There are also no caveats mentioned.
So has the bug been fixed in S86 or not?
May I remove my filters safely?
Regards,
Milan
04-22-2004 05:03 AM
Based on the feedback I have received here, the signature has been tuned and altered a bit. It should now have a much better fidelity. Please go ahead and re-enable it. It should not be nearly as noisy now. And post back if you can and let me know how it goes.
04-22-2004 08:22 AM
Why didn't the release notes with S86 list 3337 as a tuned signature? Were any other signatures tuned?
04-22-2004 11:03 AM
It should have been. We had a slight process problem in getting this one out the door. No other sigs were modified.