Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

IPS Signature 5575- IDSM2

Hi,

I am getting a lot of alerts on this signature; and I would like to know if there is anything I need to do on my side to resolve it.

Attacker IP is the DNS server and Victim is one of the servers.

event_id = 1341305878892548268

severity = informational

device_name = IPS1

app_name = sensorApp

receive_time = 07/13/2012 04:07:20

event_time = 07/13/2012 03:07:19

sensor_local_time = 07/13/2012 03:07:19

sig_id = 5575

sig_name = NBT NetBIOS Session Service Failed Login sig_details = attacker_ip = 10.10.X.XX victim_ip = 10.10.XX.XX victim_port = 49563 vlan = 111 virtual_sensor = vs0 actions = alert_details = risk_rating_num = 28(TVR=medium ARR=relevant) threat_rating = 28 protocol = tcp

Everyone's tags (4)
1 REPLY
Cisco Employee

IPS Signature 5575- IDSM2

Probably not.  The signature is informational and the following is from the benign triggers section:

"The default alarm level for this is low because this happens during normal network activity within a Windows network.  As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system."

It is retired by default due to its low fidelity.  It would require tuning based on your specific network traffic profile to be of greater use.

1082
Views
0
Helpful
1
Replies
CreatePlease to create content