New Member

5591:1 SMB: Windows Share Enumeration

We're getting alarms with Victim address = n/a and attacker/victim port = n/a for this signature.

We've tried to change the Event count key to "Attacker and victim addresses" and/or "Attacker and victim addresses and ports" but there are still a lot of n/a alarms.

This is causing some problems since we cannot create a "SigEvent Action Filter" for destination IP n/a (0.0.0.0). Is there a way to either tune this signature into not producing alarms with n/a or add a "SigEvent Action Filter" for destination IP n/a?

1 REPLY
Cisco Employee

Re: 5591:1 SMB: Windows Share Enumeration

Is this maybe a summary alert you are seeing and trying to filter? When I look at 5591-1 off a 5.1.5 s278 sensor (default settings), I see the following in the alert:

    signature: description=SMB: Windows Share Enumeration id=5591 version=S262
      subsigId: 1
      sigDetails: SMB: Windows Share Enumeration
    interfaceGroup:
    vlan: 0
    participants:
      attacker:
        addr: locality=OUT 171.71.84.149
        port: 445
      target:
        addr: locality=OUT 10.25.80.156
        port: 10166

Can you provide CLI output of the alert you are using to attempt to create a filter? If you'd rather not paste that into the forum, you can send it directly to me at wsulym@cisco.com
