Hello all, I searched on this one and didn't get any hits so here it goes. I began receiving a flood of warnings from my IPS saying that signature 35646-0 was being triggered. All of the attackers and victims are internal and they all revolve around our internal websites and developers who work on them. All the servers and workstations are coming up clean on AV scans and I don't see any other examples of this signature being triggered. Does anyone have any experience with this particular signature/threat, or any ideas on how I can determine if it's hopefully just a false-positive and not infected machines? Thanks all.
I have the same issue; however, I've narrowed mine down to synchronization software I'm using between a server at my DC and my local network. When I turn the sync app off the alerts stop. I've been running this process for years so this alert came out of the blue and I thought it was an attack at first.
When did yours start? Mine started on Friday afternoon so I'm assuming it is something to do with a signature update pushed out then.
Could anyone else shed any light on this?
If you know what signature pack was applied on that Friday, you can look in the release notes to see if that signature has been added (new signatures are usually the noisiest) or changed. You can also edit the signature to grab a packet capture of the traffic and see if it is doing what the signature is warning you about.
Hey Damian, mine began on Thursday, 1/5/12 around 3:00 PM EST. So far, I've narrowed it down to SMB traffic between our web servers and the web programmers/designers. I have also noticed a few DCs of ours as victims as well; I would assume that was due to SYSVOL access for GP updates, etc. by the clients. I do find it interesting that we're showing similar symptoms though.
@rhermes, I actually have our IPS set up to forward me a copy of the offending packet, and sure enough I can see the code/text/patterns that are triggering the sig; however, it appears to be encrypted and therefore doesn't really shine any light on what could be causing it.
To me, this is a great example of how Cisco is horrible at releasing up-to-date signatures. This signature is for a vulnerability that is approaching a year old now (Microsoft released a security bulletin on April 12th 2011 (1)), and was just released by Cisco last week (2).
If you're like everyone else, your servers should already be patched and this is really a non-issue (for impact anyway). But now I'm getting 200 alerts every 10 minutes because Cisco in their infinite wisdom decided to finally release a sig for this.
Being that Cisco hasn't disclosed, or allowed me to see, the regex setting for this STRING-TCP sig, I have no way of knowing what this signature is even alerting on. For all I know, they are looking for "[sS][mM][Bb]" in a packet with a dst port of 139 or 445, which would make this sig total crap. Now I have to go through and figure out what is causing this signature to fire, make sure it's not malicious, and then either tune this sig, or more than likely disable it.
FYI - I've got about 8 packet captures of this, 5 of which have full SMB sessions. I'll be opening a ticket with Cisco tomorrow to figure out why this signature is firing so often, I'm sure there are some benign triggers. I'll keep you guys updated.
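A small illustration of the worry raised above, added here as an example and not something posted in the thread: the `[sS][mM][Bb]` pattern is the poster's hypothetical, not Cisco's actual signature logic (which is not disclosed), the packets are constructed, and the triage grouping is a generic approach to narrowing alerts down to attacker/victim pairs the way the posters did by hand. The point it makes is that the SMB protocol id field literally contains the bytes "SMB" in every SMB1 and SMB2 message, so a string match of that kind on ports 139/445 would fire on all ordinary file-share traffic, including SYSVOL access to domain controllers.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample packets (not captures from the thread). Each payload is
# what sits on the wire after the TCP header: a 4-byte NetBIOS session
# header followed by the SMB message. Real SMB1 messages start with the
# protocol id b"\xffSMB", SMB2/3 messages with b"\xfeSMB".
SAMPLE_PACKETS = [
    {"src": "10.0.1.15", "dst": "10.0.2.5",  "dport": 445,
     "payload": b"\x00\x00\x00\x2a" + b"\xffSMB\x72" + b"\x00" * 33},      # SMB1 Negotiate
    {"src": "10.0.1.15", "dst": "10.0.2.5",  "dport": 445,
     "payload": b"\x00\x00\x00\x40" + b"\xfeSMB\x40\x00" + b"\x00" * 58},  # SMB2 header
    {"src": "10.0.1.22", "dst": "10.0.2.9",  "dport": 139,
     "payload": b"\x00\x00\x00\x2a" + b"\xffSMB\x25" + b"\x00" * 33},      # SMB1 Transaction
    {"src": "10.0.1.30", "dst": "10.0.2.40", "dport": 80,
     "payload": b"GET /smb-howto.html HTTP/1.1\r\nHost: intranet\r\n\r\n"},  # HTTP, not 139/445
    {"src": "10.0.1.15", "dst": "10.0.2.5",  "dport": 445,
     "payload": b"\x00\x00\x00\x40" + b"\xfeSMB\x40\x00" + b"\x00" * 58},  # another SMB2 header
]

# The hypothetical string signature from the post, taken literally.
NAIVE_PATTERN = re.compile(rb"[sS][mM][bB]")
SMB_PORTS = {139, 445}


def is_smb_message(payload: bytes) -> bool:
    """True when the bytes after the NetBIOS header carry a real SMB protocol id."""
    return payload[4:8] in (b"\xffSMB", b"\xfeSMB")


def naive_hits(packets):
    """Packets the hypothetical signature would alert on."""
    return [p for p in packets
            if p["dport"] in SMB_PORTS and NAIVE_PATTERN.search(p["payload"])]


def benign_trigger_rate(packets):
    """Fraction of ordinary SMB messages that the naive pattern alerts on.
    Because 'SMB' is part of every SMB header, this comes out at 1.0."""
    smb = [p for p in packets if is_smb_message(p["payload"])]
    flagged = [p for p in naive_hits(packets) if is_smb_message(p["payload"])]
    return len(flagged) / len(smb) if smb else 0.0


def triage(hits):
    """Group alerts by src/dst/port and record whether every endpoint is an
    internal (RFC 1918) address and whether every hit is a plain SMB header."""
    pairs = Counter((p["src"], p["dst"], p["dport"]) for p in hits)
    all_internal = all(ipaddress.ip_address(p[k]).is_private
                       for p in hits for k in ("src", "dst"))
    return {"pairs": dict(pairs),
            "all_internal": all_internal,
            "all_smb_headers": all(is_smb_message(p["payload"]) for p in hits)}


if __name__ == "__main__":
    hits = naive_hits(SAMPLE_PACKETS)
    print(f"{len(hits)} of {len(SAMPLE_PACKETS)} packets alert; "
          f"benign SMB trigger rate {benign_trigger_rate(SAMPLE_PACKETS):.0%}")
    print(triage(hits))
```

Run against a real alert feed, the `triage` summary is the first thing to look at: if every pair is internal client to internal file server or DC and every flagged packet is a well-formed SMB header, the evidence points at a noisy signature rather than an infected host, which is the case to put in front of the vendor along with the pcaps.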
We are also being affected by this one (just came on here to see if there were any answers!) so would definitely be interested in any updates you get - thanks.
I'll provide a quick update on my ticket. The ticket is open and pcaps have been provided. I specifically asked the following questions after getting a disappointing initial response.
Based on the provided packet captures and the volume of alerts, this signature appears to be susceptible to false positives in Windows environments. This is not depicted on the following link, which clearly states "There are no known benign triggers." and "There are no suggested filters."
I'm still waiting for a response on that. If there are any other questions anyone has, feel free to let me know and I'll add them to the ticket.
Thanks for the update, Brandon. I think those 3 questions you asked should give us a good idea on how to proceed, assuming Cisco can answer them with some authority.
Same with us, looks like they started on 01/05/2012 and have been firing ever since on a daily basis. Anxiously awaiting an answer. Thanks
Unfortunately there hasn't been much progress made on my ticket. I've requested that the ticket be escalated to signature developers. Hopefully some more progress will be made on the ticket soon. I will keep you all updated.
While I haven't heard anything regarding the ticket, I did just get a notification of S621, which includes the updated sig.
We faced the same issue; in our case the victim was our Windows file server running Windows Server 2008 Standard Edition. Both the clients and servers are up to date on patching.
Due to the high alerts and limited time, we tuned the signature so it dropped the offending packets. Soon after, we started to receive complaints from the users that they couldn't save files to the file server any more; after removing the drop action the problem was fixed.
It's clear that this is a false positive, and I hope it's fixed with the next signature release.
The Cisco Support Engineer told us: "I would like to let you know that there are some modifications being made to this signature and pushed out in the next release cycle as most of the time it has been a false alarm."
A higher fidelity version of signature 35646-0 is going through the release process and should be out shortly.
As of 1/21/12 I'm running on 621.0 and it appears that the messages have died down. How does everyone else look?
It appears to be resolved. I re-enabled the signature yesterday and have had no alerts so far.
Thanks, everyone, for your input and help in getting this resolved.