I am new to Cisco IDS. IDSM2 version 5.0 (5) s215.0. I am trying to understand what makes the Win SMB Share DOS trigger. I am looking at my signature (attachment included) but don't see what makes this thing tick. On the other hand 3322/0 smb win share enum makes perfect sense with a defined operation and function. If a certain frequency of 3322's between the same src/dst trigger a 3310 where is that defined?
The majority of signatures are written where you are able to see all the details, there are a few (like 3310) that are hardcoded into a specific engine. 3310 triggers on a denial of service from sending specially crafted packets requesting the SMB NetShareEnum transaction. Traffic generated from the SMBdie exploit should set this alarm off.The vulnerability was from back in 2002, Microsoft's related advisory is MS02-045.
The AV report I read indicates usage on port 139. I am seeing these alerts pop up occasionally but steadily on port 445. I verified that these machines have up to date AV which should quarantine the exe if it was present. Are there any known false positives for this signature? What string is the signature designed to detect? I will search for this string in our normal traffic.
In Microsoft's more recent OS's (Win2K and newer) they started moving services that were traditionally on TCP port 139 to TCP port 445. The Cisco IPS therefore monitors both ports for Microsoft traffic, given that there is tremendous (I'd like to say 100%, but I don't have the data to back that up) overlap from 139 to 445. Microsoft doesn't really supply enough information for us to know with 100% confidence that it won't work on TCP port 445 under some configuration.
That said, this signature is not a string search, it is a protocol decode. Look for SMB Transact Requests with a MaxDataCount (logical)OR MaxParameterCount field of zero. For those requests, a ParameterOffset field of 0x00, 0x68, or 0xD7 will be present in SMBDIE packets.
Given the age of this vulnerability, there is a serious possibility that any trigger on TCP port 445 might be a false positive. I can't say that for sure, but if I didn't have any old or unpatched Win2K systems fielded, then I'd assume a false positive and tune it out. We'd be interested to know if you have a potential false positive that would let us tighted this signature up, or to at least document it. Packet traces are always welcome.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :