04-14-2004 12:47 PM - edited 03-09-2019 07:04 AM
Extremely noisy, haven't done much analysis yet.
Anyone else seeing this generate lots of alerts? Most of them are between my VPN users and my Microsoft Exchange servers.
04-14-2004 10:37 PM
Roger that, Exchange Server 5.5 and any user (remote or local) triggers it here. That's a lot of false positives. Guess that means there'll be yet-another-update soon :(
04-15-2004 02:03 AM
Confirmed; I too see false positives for the same reasons as the rest of this thread.
04-15-2004 06:41 AM
Yea... When people started logging in this morning, in one hour, IDS generated 67,451 alerts for sig 3337.
04-15-2004 09:46 AM
Do you have any more details you can provide? What destination ports, patterns of activity, network traces, etc...? I'd like to try and tweak this signature a bit more, and need some input from you guys in the field. MSRPC usage and traffic can be quite arbitrary at times.
04-15-2004 02:51 PM
Clients using Outlook 2000 connecting to an Exchange 5.5 Server on TCP ports 6042 and 6043 from a random port trigger it here.
04-15-2004 05:21 PM
YES; all valid traffic between Exchange servers triggers this signature.
Perhaps it needs more fine tuning. I'm going to disable it and wait for the correction.
04-15-2004 11:41 PM
Client Outlook 98, Exchange server 2000 (service pack 3), thousands of alarms on dest ports 1187, 1189, 1567, 5555.
Regards,
Milan
04-16-2004 04:33 AM
Would it be possible for either of you to turn on packet capture or even better ipLogging of the signature? I have some guesses as to why this sig may be firing inappropriately, but if I had some sample of network traffic, I could nail it down.
04-16-2004 05:30 AM
There are also some alarms fired with the destination address of the Primary or secondary Domain Controller, destination port 1026.
Regards,
Milan
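The signature author above asks for destination ports and patterns of activity, and the replies list the Exchange and domain-controller ports their sensors report. The following script is an added example, not code from this thread or from the sensor vendor: it parses alert lines, counts sig 3337 hits per destination host and port, and separates hits to known Exchange/DC hosts on the ports named in this thread from hits that still need a look. The alert line format and the sample alerts are constructed for the example; the port list is taken from the posts above and is a per-site assumption, since Exchange MSRPC endpoints are dynamic.

```python
import re
from collections import Counter

# Constructed sample alert lines (not real sensor output). The format is an
# assumption for this example: "<date> <time> sig=<id> <src>:<sport> -> <dst>:<dport>"
SAMPLE_ALERTS = """\
2004-04-15 08:01:03 sig=3337 10.10.8.21:3521 -> 10.10.1.5:6042
2004-04-15 08:01:04 sig=3337 10.10.8.21:3522 -> 10.10.1.5:6043
2004-04-15 08:01:09 sig=3337 10.10.8.40:1049 -> 10.10.1.5:6042
2004-04-15 08:02:11 sig=3337 10.10.8.40:1050 -> 10.10.1.9:1026
2004-04-15 08:02:30 sig=2100 10.10.8.77:4410 -> 10.10.1.5:25
2004-04-15 08:03:02 sig=3337 10.10.8.21:3530 -> 10.10.1.5:6042
2004-04-15 08:03:45 sig=3337 192.0.2.17:41022 -> 10.10.1.5:135
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sig=(?P<sig>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destination ports the thread reports for legitimate Outlook/Exchange and
# domain-controller traffic. Exchange 5.5/2000 MSRPC endpoints are dynamic,
# so this set is an assumption that must be confirmed against your own servers.
KNOWN_EXCHANGE_PORTS = {6042, 6043, 1187, 1189, 1567, 5555, 1026}


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "sig": int(d["sig"]),
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def summarize(lines, sig_id=3337, known_hosts=frozenset()):
    """Count sig_id alerts by (dst host, dst port).

    Returns (by_dest, review): by_dest is a Counter keyed by (dst, dport);
    review holds the alerts whose destination is NOT a known Exchange/DC host
    on a known port, i.e. the ones that still deserve analyst attention.
    """
    by_dest = Counter()
    review = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sig"] != sig_id:
            continue
        by_dest[(a["dst"], a["dport"])] += 1
        if not (a["dst"] in known_hosts and a["dport"] in KNOWN_EXCHANGE_PORTS):
            review.append(a)
    return by_dest, review


def filter_candidates(by_dest, known_hosts):
    """Return the (dst, dport) pairs that could be excluded for this signature
    while waiting for a tuned release: known hosts on known ports only."""
    return sorted(
        (dst, dport)
        for (dst, dport) in by_dest
        if dst in known_hosts and dport in KNOWN_EXCHANGE_PORTS
    )


if __name__ == "__main__":
    # Hosts assumed for the example: 10.10.1.5 = Exchange, 10.10.1.9 = domain controller.
    hosts = {"10.10.1.5", "10.10.1.9"}
    counts, needs_review = summarize(SAMPLE_ALERTS.splitlines(), known_hosts=hosts)
    for (dst, dport), n in counts.most_common():
        print(f"{dst}:{dport}  {n} alerts")
    print("exclude candidates:", filter_candidates(counts, hosts))
    for a in needs_review:
        print("review:", a["ts"], f'{a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}')
```

Running the triage over a real export before adding exclusion filters keeps the filters narrow (specific server and port) rather than silencing the whole signature, and the review bucket shows what the signature would still catch once the known noise is removed.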
04-16-2004 08:04 AM
We've addressed some of the false positives we've found with this sig. The fix will be in for S86 and can be tracked with DDTS CSCee31185.
04-22-2004 01:27 AM
Hi,
the bug workaround says " Upgrade to signature update S86 or later."
But the S86-readme.txt says "No signatures have been tuned in this update."
There are also no caveats mentioned.
So has the bug been fixed in S86 or not?
May I remove my filters safely?
Regards,
Milan
04-22-2004 05:03 AM
Based on the feedback I have received here, the signature has been tuned and altered a bit. It should now have a much better fidelity. Please go ahead and re-enable it. It should not be nearly as noisy now. And post back if you can and let me know how it goes.
04-22-2004 08:22 AM
Why didn't the release notes with S86 list 3337 as a tuned signature? Were any other signatures tuned?
04-22-2004 11:03 AM
It should have been. We had a slight process problem in getting this one out the door. No other sigs were modified.