Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

AD - External TCP Scanner Signature - Actions Taken ->denyPacketRequestedNotPerformed


I am getting lots of High Alert of AD -External TCP Scanner... on the Action Taken tab I am seeing "denyPacketRequestedNotPerformed". I want to know what this messages mean.

The Signature fires on  victim port 445. In my case, All the attackers [windows based server] are inside my network that  attacks the destination on port 445. I have already block those Attackers with ACL on my router from the most source end. But Still I am getting this signature in my report.

Want to know,

1) What this message "denyPacketRequestedNotPerformed" is?

2) Whether putting ACL in the source end is enough for this?

3) Is there any recommended Solution for this signature suppression?

Thanks in advance.

[Attached file is the Alert]



Cisco Employee

Re: AD - External TCP Scanner Signature - Actions Taken ->denyPa

TCP/445 is used by Microsoft file sharing (CIFS), and by default that port is opened on all Microsoft PC basically to allow file sharing.

If you open up DOS prompt, and type: netstat -na, you would see that your PC is by default listening on TCP/445.

Here is more information on Microsoft-DS (TCP/445):

So it really depends on your corporate security policy, whether to allow file sharing or not within the network. IPS is picking that up because it is an easier way of exploiting a PC since the port is opened by default.

CreatePlease to create content