Sig. 35646-0 SMB Transaction Parsing Vulnerability

deeznuts420
Level 1

Hello all, I searched on this one and didn't get any hits so here it goes.  I began receiving a flood of warnings from my IPS saying that signature 35646-0 was being triggered.  All of the attackers and victims are internal and they all revolve around our internal websites and developers who work on them.  All the servers and workstations are coming up clean on AV scans and I don't see any other examples of this signature being triggered.  Does anyone have any experience with this particular signature/threat, or any ideas on how I can determine if it's hopefully just a false-positive and not infected machines?  Thanks all.

-Adam

ruppala
Level 1

The signature team is actively looking into this and will release a sigupdate soon to address this.

Thanks for the update - when you have an ETA on those new sigs, we'd love to hear it.

We faced the same issue; in our case the victim was our Windows file server running on Windows Server 2008 Standard Edition. Both the clients and servers are up to date on the patching.

Due to the high alerts and limited time, we tuned the signature so it dropped the offending packets. Soon after, we started to receive complaints from the users that they couldn't save files to the file server any more; after removing the drop action the problem was fixed.

It's clear that this is a false-positive, and hope it's fixed with the next signature release.

The Cisco Support Engineer told us: "I would like to let you know that there are some modifications being made to this signature and pushed out in the next release cycle as most of the time it has been a false alarm."

ruppala
Level 1

A higher fidelity version of signature 35646-0 is going through the release process and should be out shortly.

As of 1/21/12 I'm running on 621.0 and it appears that the messages have died down.  How does everyone else look?

Same experience here, last message was Saturday evening.

All looks good for me now too.  Thanks!

Damian Coverly
Level 1

It appears to be resolved. I re-enabled the signature yesterday and have had no alerts so far.

Thanks everyone for their input and help in getting this resolved.
