S85 and Signature 3337

pbobby
Level 1

Extremely noisy, haven't done much analysis yet.

Anyone else seeing this generate lots of alerts? Most of them are between my VPN users and my Microsoft Exchange servers.

15 Replies

itsupportbmw
Level 1

Roger that, Exchange Server 5.5 and any user (remote or local) triggers it here. That's a lot of false positives. Guess that means there'll be yet-another-update soon :(

Confirmed. I too see false positives for the same reasons as the rest of this thread.

tbulliard
Level 1

Yea... When people started logging in this morning, in one hour, IDS generated 67,451 alerts for sig 3337.

Do you have any more details you can provide? What destination ports, patterns of activity, network traces, etc.? I'd like to try and tweak this signature a bit more, and need some input from you guys in the field. MSRPC usage and traffic can be quite arbitrary at times.

Clients using Outlook 2000 connecting to an Exchange 5.5 Server on TCP ports 6042 and 6043 from a random port trigger it here.

Yes, all valid traffic between Exchange servers triggers this signature.

Perhaps it needs more fine tuning. I'm going to disable it to wait for the correction.

Client Outlook 98, Exchange Server 2000 (Service Pack 3), thousands of alarms on dest ports 1187, 1189, 1567, 5555.

Regards,

Milan

Would it be possible for either of you to turn on packet capture or, even better, IP logging of the signature? I have some guesses as to why this sig may be firing inappropriately, but if I had some sample of network traffic, I could nail it down.

There are also some alarms fired with the destination address of the primary or secondary Domain Controller, destination port 1026.

Regards,

Milan

We've addressed some of the false positives we've found with this sig. The fix will be in for S86 and can be tracked with DDTS CSCee31185.

Hi,

The bug workaround says "Upgrade to signature update S86 or later."

But the S86-readme.txt says "No signatures have been tuned in this update."

There are also no caveats mentioned.

So has the bug been fixed in S86 or not?

May I remove my filters safely?

Regards,

Milan

Based on the feedback I have received here, the signature has been tuned and altered a bit. It should now have a much better fidelity. Please go ahead and re-enable it. It should not be nearly as noisy now. And post back if you can and let me know how it goes.

Why didn't the release notes with S86 list 3337 as a tuned signature? Were any other signatures tuned?

It should have been. We had a slight process problem in getting this one out the door. No other sigs were modified.
