Cisco Support Community

Sig Name: Worm Activity - Brute Force

We are using the Cisco IPS 4215 and seeing this alert over and over.

Sig Name: Worm Activity - Brute Force
Sig ID: 16297
Severity: High
Risk Rating: 95
Sig Version: S392

Is this a false positive or something else?

Cisco Employee

Re: Sig Name: Worm Activity - Brute Force

It is not possible to determine from the information you provided.

You can learn more about a specific signature (and potential benign triggers) by visiting the Cisco IntelliShield site:

http://www.cisco.com/security

For signature 16297/1, the following details are available:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=1&softwareVersion=6.0&releaseVersion=S392

Signature 16297/1 is based on signature 16297/0:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=0&softwareVersion=6.0&releaseVersion=S392

It would be best to look at the services running on the reported attacker, and determine if there is a legitimate reason for it to attempt an SMB logon to the victim system and cause 9 logon failures in a 30-second period. Perhaps an automated service is still attempting to log into the victim system with outdated credentials.

Scott
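The reply above describes the trigger condition as 9 SMB logon failures from one attacker to one victim inside 30 seconds, and suggests checking whether the source is an automated service retrying stale credentials. The script below is an added example, not Cisco's signature engine or code from this thread: it models that sliding-window threshold over a handful of constructed logon events and summarises the failure cadence per source/destination pair, which is the first thing to look at when deciding whether the source is a script or a person. The threshold and window values, the IP addresses, and the events themselves are all assumptions made for the illustration.

```python
"""Sliding-window model of a 'N logon failures in T seconds' trigger, with a
per-pair cadence summary to help triage the reported attacker."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the reply above (9 failures in 30 s). The real signature's
# engine parameters are not on this page, so treat these as assumed for the model.
FAILURE_THRESHOLD = 9
WINDOW = timedelta(seconds=30)

# Constructed starting point for the sample timeline (not a real capture).
BASE = datetime(2010, 3, 1, 8, 0, 0)


def _events(src, dst, offsets, outcome="failure"):
    """Build (timestamp, src_ip, dst_ip, outcome) tuples at the given second offsets."""
    return [(BASE + timedelta(seconds=s), src, dst, outcome) for s in offsets]


# Constructed sample SMB logon events (not real logs). Addresses are made up.
SAMPLE_EVENTS = (
    # Hypothetical backup host retrying a stale password every 3 s: 9 failures in 24 s.
    _events("10.0.0.5", "10.0.0.20", range(0, 27, 3))
    # A user mistyping a password five times over two minutes: never 9 in 30 s.
    + _events("10.0.0.7", "10.0.0.20", [5, 35, 50, 95, 125])
    # A slow scanner failing every 13 s: 10 failures in total, at most 3 in any 30 s window.
    + _events("10.0.0.9", "10.0.0.20", range(0, 130, 13))
    # A successful logon must not count toward the threshold.
    + _events("10.0.0.5", "10.0.0.20", [40], outcome="success")
)


def find_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one (src, dst, fire_time) per source/destination pair whose logon
    failures reach `threshold` inside any sliding window of length `window`.
    Each pair fires at most once, at the timestamp of the failure that crossed
    the threshold."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of failures still in window
    fired = set()
    alerts = []
    for ts, src, dst, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failure":
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        # Drop failures that fell out of the window ending at `ts`.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((src, dst, ts))
    return alerts


def failure_cadence(events):
    """Per (src, dst): total failures and the sorted set of distinct gaps, in
    seconds, between consecutive failures. A single repeated gap points at an
    automated retry loop (e.g. a service with outdated credentials) rather than
    a person typing passwords."""
    by_pair = defaultdict(list)
    for ts, src, dst, outcome in sorted(events, key=lambda e: e[0]):
        if outcome == "failure":
            by_pair[(src, dst)].append(ts)
    summary = {}
    for key, times in by_pair.items():
        gaps = sorted({int((b - a).total_seconds()) for a, b in zip(times, times[1:])})
        summary[key] = (len(times), gaps)
    return summary


if __name__ == "__main__":
    for src, dst, ts in find_brute_force(SAMPLE_EVENTS):
        print(f"ALERT {src} -> {dst} at {ts:%H:%M:%S}")
    for (src, dst), (count, gaps) in failure_cadence(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {count} failures, gaps {gaps}s")
```

Only the 10.0.0.5 source crosses the modelled threshold; its cadence (nine failures exactly 3 s apart) is the signature of a retry loop, which is the kind of source the reply suggests checking for an automated service with old credentials. The 10.0.0.9 source generates more failures overall but never enough inside one 30 s window, which is why a count alone, without the window, is not a substitute for the signature's logic.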

Re: Sig Name: Worm Activity - Brute Force

Thanks for the great information, looks like subsig 0 is not a big deal...
