5591:1 SMB: Windows Share Enumeration

m-hansson
Level 1

We're getting alarms with Victim address = n/a and attacker/victim port = n/a for this signature.

We've tried to change the Event count key to "Attacker and victim addresses" and/or "Attacker and victim addresses and ports" but there are still a lot of n/a alarms.

This is causing some problems since we cannot create a "SigEvent Action Filter" for destination ip n/a (0.0.0.0). Is there a way to either tune this signature into not producing alarms with n/a or add a "SigEvent Action Filter" for destination ip n/a?


wsulym
Cisco Employee

Is this maybe a summary alert you are seeing and trying to filter? When I look at 5591-1 off a 5.1.5 s278 sensor (default settings), I see the following in the alert:

signature: description=SMB: Windows Share Enumeration id=5591 version=S262
  subsigId: 1
  sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
  attacker:
    addr: locality=OUT 171.71.84.149
    port: 445
  target:
    addr: locality=OUT 10.25.80.156
    port: 10166

Can you provide CLI output of the alert you are using to attempt to create a filter? If you'd rather not paste that into the forum, you can send it direct to me at wsulym@cisco.com
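
Added example (not from either poster and not Cisco code): a small Python script that parses alert blocks in the layout quoted in the reply above and separates alerts that carry a real victim address, which an address-keyed event action filter can match, from those where the victim is reported as n/a. It assumes an unspecified victim prints as `n/a` or `0.0.0.0`, as the original poster describes; the two sample alerts are constructed, the first copying the reply's values and the second mimicking an n/a victim.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two alerts laid out like the CLI output quoted above.
# The first copies the reply's values; the second is made up to show the
# "n/a" victim address the original poster describes (assumed to print as
# "n/a"; not taken from a real sensor).
SAMPLE_ALERTS = """\
signature: description=SMB: Windows Share Enumeration id=5591 version=S262
  subsigId: 1
  sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
  attacker:
    addr: locality=OUT 171.71.84.149
    port: 445
  target:
    addr: locality=OUT 10.25.80.156
    port: 10166

signature: description=SMB: Windows Share Enumeration id=5591 version=S262
  subsigId: 1
  sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
  attacker:
    addr: locality=OUT 171.71.84.149
    port: n/a
  target:
    addr: n/a
    port: n/a
"""

ADDR_RE = re.compile(r"^\s*addr:(?:\s+locality=\S+)?\s+(\S+)\s*$")
PORT_RE = re.compile(r"^\s*port:\s+(\S+)\s*$")
SUBSIG_RE = re.compile(r"^\s*subsigId:\s+(\d+)\s*$")
SIG_ID_RE = re.compile(r"\bid=(\d+)\b")

# Values that cannot serve as the destination address of an action filter
# (assumption: the sensor prints an unknown victim as n/a or 0.0.0.0).
UNSPECIFIED = {None, "", "n/a", "0.0.0.0"}

Alert = Dict[str, Optional[str]]


def parse_alert(block: str) -> Alert:
    """Parse one alert block into signature id/subsig and both participants."""
    alert: Alert = {"sig": None, "subsig": None,
                    "attacker_addr": None, "attacker_port": None,
                    "target_addr": None, "target_port": None}
    role = None  # which participant the addr:/port: lines below belong to
    for line in block.splitlines():
        stripped = line.strip()
        if stripped.startswith("signature:"):
            m = SIG_ID_RE.search(stripped)
            alert["sig"] = m.group(1) if m else None
            continue
        m = SUBSIG_RE.match(line)
        if m:
            alert["subsig"] = m.group(1)
            continue
        if stripped in ("attacker:", "target:"):
            role = stripped[:-1]
            continue
        if role is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            alert[f"{role}_addr"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            alert[f"{role}_port"] = m.group(1)
    return alert


def parse_alerts(text: str) -> List[Alert]:
    """Split CLI output on blank lines and parse each alert block."""
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def victim_unspecified(alert: Alert) -> bool:
    """True when the alert carries no usable victim address (n/a / 0.0.0.0)."""
    return alert["target_addr"] in UNSPECIFIED


def triage(text: str, sig: str = "5591", subsig: str = "1") -> Tuple[List[Alert], List[Alert]]:
    """Return (filterable, unfilterable) alerts for one signature/subsig:
    alerts with a real victim address can be matched by an address-keyed
    action filter; the rest need a different approach."""
    matching = [a for a in parse_alerts(text) if a["sig"] == sig and a["subsig"] == subsig]
    filterable = [a for a in matching if not victim_unspecified(a)]
    unfilterable = [a for a in matching if victim_unspecified(a)]
    return filterable, unfilterable


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_ALERTS)
    print(f"{len(ok)} alert(s) with a victim address, {len(bad)} with n/a")
    for a in bad:
        print("  cannot filter by victim address:", a)
```

Run it against a saved copy of the sensor's CLI alert output to see how many 5591:1 alerts actually lack a victim address before tuning; the script only classifies alerts, the filter itself still has to be built on the sensor.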
