Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

sig 3310/0 - how does it trigger?

I am new to Cisco IDS. IDSM2 version 5.0 (5) s215.0. I am trying to understand what makes the Win SMB Share DOS trigger. I am looking at my signature (attachment included) but don't see what makes this thing tick. On the other hand 3322/0 smb win share enum makes perfect sense with a defined operation and function. If a certain frequency of 3322's between the same src/dst trigger a 3310 where is that defined?

4 REPLIES
Cisco Employee

Re: sig 3310/0 - how does it trigger?

The majority of signatures are written where you are able to see all the details, there are a few (like 3310) that are hardcoded into a specific engine. 3310 triggers on a denial of service from sending specially crafted packets requesting the SMB NetShareEnum transaction. Traffic generated from the SMBdie exploit should set this alarm off.The vulnerability was from back in 2002, Microsoft's related advisory is MS02-045.

New Member

Re: sig 3310/0 - how does it trigger?

The AV report I read indicates usage on port 139. I am seeing these alerts pop up occasionally but steadily on port 445. I verified that these machines have up to date AV which should quarantine the exe if it was present. Are there any known false positives for this signature? What string is the signature designed to detect? I will search for this string in our normal traffic.

Cisco Employee

Re: sig 3310/0 - how does it trigger?

In Microsoft's more recent OS's (Win2K and newer) they started moving services that were traditionally on TCP port 139 to TCP port 445. The Cisco IPS therefore monitors both ports for Microsoft traffic, given that there is tremendous (I'd like to say 100%, but I don't have the data to back that up) overlap from 139 to 445. Microsoft doesn't really supply enough information for us to know with 100% confidence that it won't work on TCP port 445 under some configuration.

That said, this signature is not a string search, it is a protocol decode. Look for SMB Transact Requests with a MaxDataCount (logical)OR MaxParameterCount field of zero. For those requests, a ParameterOffset field of 0x00, 0x68, or 0xD7 will be present in SMBDIE packets.

Given the age of this vulnerability, there is a serious possibility that any trigger on TCP port 445 might be a false positive. I can't say that for sure, but if I didn't have any old or unpatched Win2K systems fielded, then I'd assume a false positive and tune it out. We'd be interested to know if you have a potential false positive that would let us tighted this signature up, or to at least document it. Packet traces are always welcome.

Scott Cothrell

Mgr. Software Development.

New Member

Re: sig 3310/0 - how does it trigger?

Thank you for the informative replies. I have captured a trace, triggered from the signature, and attached it per your request.

142
Views
0
Helpful
4
Replies
CreatePlease login to create content