Cisco Support Community

New Member

Help Understanding a NetWare Signature

Recently I've seen signature 5644/2 fire pretty regularly. This is a Client Service for Netware Overflow signature. It's always from a couple of hosts on my network, and it is directed at machines that aren't running CSNW. So I'm not really concerned about anything being compromised by it, but I want to make sure the source machines aren't sending anything malicious.

When I looked this signature up in Intellishield, it shows an alarm severity of medium. It also shows that it is a component of meta-signature 5644/3. Well, after exploring 5644/3 a bit further, I discovered it is triggered when 5644/0, 1, and 2 are all detected. So does this mean I shouldn't be concerned if one part of this meta-signature is detected by itself?

Also, I logged the packets that caused 5644/2 to trigger, and I wanted to see what exactly caused it. Well, the regex pattern for this signature is protected. I thought it would be helpful to at least be able to see what happened, so is there any other way I can look at this or find this information? Or would it not be helpful in this case to see specifically what happened in the packet?

Thanks for any help!

9 REPLIES
Gold

Re: Help Understanding a NetWare Signature

By default, that sig (component of a META sig) does not have an action assigned. This is generally how the META sigs work. Most (none?) of the component sigs actually have an action. You should probably remove whatever actions have been added.

New Member

Re: Help Understanding a NetWare Signature

Ahh, I see this now. I have an event action override set to cause an alert when the risk rating is over 80. It looks like the RR for each of these events is 85. Is this because the severity is set to medium, which causes the ASR to be increased in the RR calculation? I don't have any of the involved machines set in any TVR category.

I guess I'll just set a filter for it.

Gold

Re: Help Understanding a NetWare Signature

hmm...yeah, I don't use event action override. Personally, I can't imagine why a component of a META sig (that does not have an action by itself) would have such a high RR.

New Member

Re: Help Understanding a NetWare Signature

Yea, it's a little confusing. I'll have to see if I can find out why those event action overrides are enabled. Thanks for your help!

Cisco Employee

Re: Help Understanding a NetWare Signature

Nate, I didn't see what version you were running, but I looked up the signature 5644-2...it has an SFR of 60. TVR will default to 100 unless changed by the user. The "medium" results in an ASR of 75. For 6.0(5), that's a base RR of 45, (SFR*TVR*ASR)/10000. There are additive modifiers for a relevant OS (+10) and a modifier for the source being on the "watch list". The only things that can account for an adder of 30 would be the TVR being set to HIGH and some watchlist value (or just a large watchlist value). There might be a bug hiding in there someplace (we did find one in Meta that was fixed in 5.1(8) and 6.0(5)), but a look at String.TCP showed that it does not have the Meta problem.

SC

New Member

Re: Help Understanding a NetWare Signature

We're running 6.1(1).

But I just discovered that the destination machine IS on the TVR mission critical list. I guess I missed it when I looked the first time around. Sorry about that! This would definitely explain the increased RR.

Thanks for your help!

Cisco Employee

Re: Help Understanding a NetWare Signature

Yep, that would do it. That causes the TVR to be 200, not 100.

Scott
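The risk-rating arithmetic SC lays out above (base RR = (SFR*TVR*ASR)/10000, plus the relevant-OS and watch-list adders) and the resolution in the last two posts (a mission-critical target raises TVR from 100 to 200, which is what pushed the event past the poster's "RR over 80" override) can be checked with a few lines. The block below is an added illustration written for this thread, not Cisco's code; it uses only the values the posts state (SFR 60 for 5644/2, ASR 75 for "medium", TVR 100 default and 200 for mission critical, +10 for a relevant OS). Treating the override as the RR range 80..100 and clamping the result to 0..100 are assumptions of the example.

```python
"""Worked example of the Cisco IPS risk-rating (RR) figures discussed in the thread.

Added illustration only, not Cisco's implementation. Values below come from the
posts: SFR 60 for sig 5644/2, ASR 75 for "medium", TVR 100 by default and 200 for a
"mission critical" target, and a +10 adder for a relevant OS.
"""

SFR_5644_2 = 60             # signature fidelity rating quoted for 5644/2
TVR_DEFAULT = 100           # target value rating when the host is in no TVR category
TVR_MISSION_CRITICAL = 200  # what the "mission critical" category sets TVR to
ASR_MEDIUM = 75             # alert severity "medium"
RELEVANT_OS_ADDER = 10      # adder when the target OS is relevant to the sig


def base_risk_rating(sfr, tvr, asr):
    """Base RR as stated in the thread: (SFR * TVR * ASR) / 10000.

    The example values divide evenly; integer division is used so the result
    matches the whole-number RR the sensor reports.
    """
    return (sfr * tvr * asr) // 10000


def risk_rating(sfr, tvr, asr, relevant_os=False, watchlist_adder=0):
    """Base RR plus the two adders the thread names.

    Clamping to 0..100 is an assumption of this example (the posts never say
    what happens when the adders push the total past 100).
    """
    rr = base_risk_rating(sfr, tvr, asr)
    if relevant_os:
        rr += RELEVANT_OS_ADDER
    rr += watchlist_adder
    return max(0, min(100, rr))


def override_triggers(rr, threshold=80):
    """Event action override from the thread: the poster alerts when RR is 'over 80'.

    Treated here as the RR range threshold..100 (assumption).
    """
    return rr >= threshold


def unexplained_delta(observed_rr, sfr, tvr, asr, relevant_os=False):
    """How much of an observed RR the known components do not account for.

    This is the reasoning SC did by hand: with the default TVR and the relevant-OS
    adder, an observed RR of 85 leaves 30 to be explained by TVR or watch-list.
    """
    return observed_rr - risk_rating(sfr, tvr, asr, relevant_os=relevant_os)


def scenario_report():
    """Return the RR for each configuration the thread walks through."""
    default = risk_rating(SFR_5644_2, TVR_DEFAULT, ASR_MEDIUM)
    mission_critical = risk_rating(SFR_5644_2, TVR_MISSION_CRITICAL, ASR_MEDIUM)
    return {
        "default_tvr": default,                       # 45: below the override
        "default_tvr_fires": override_triggers(default),
        "mission_critical_tvr": mission_critical,     # 90: above the override
        "mission_critical_fires": override_triggers(mission_critical),
        # SC's arithmetic: observed 85, default TVR, relevant OS -> 30 unexplained
        "delta_vs_observed_85": unexplained_delta(
            85, SFR_5644_2, TVR_DEFAULT, ASR_MEDIUM, relevant_os=True),
    }


if __name__ == "__main__":
    for name, value in scenario_report().items():
        print(f"{name:>24}: {value}")
```

The takeaway for anyone tuning overrides: a component signature with no action of its own can still produce alerts purely through an RR-based override, and the TVR category of the *target* host is a multiplier, not an adder, so moving a host to "mission critical" doubles the base RR for every signature that hits it.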

Cisco Employee

Re: Help Understanding a NetWare Signature

mhellman wrote: "This is generally how the META sigs work. Most (none?) of the component sigs actually have an action."

The correct answer is "Most". Occasionally a signature that has a value on its own may get included in a Meta.

SC

Gold

Re: Help Understanding a NetWare Signature

Thanks for the follow-up and clarification.
