Cisco Support Community

Sig Name: Worm Activity - Brute Force

We are using the Cisco IPS 4215 and seeing this alert over and over.

Sig Name: Worm Activity - Brute Force
Sig ID: 16297
Severity: High
Risk Rating: 95
Sig Version: S392

Is this a false positive or something else?

Cisco Employee

Re: Sig Name: Worm Activity - Brute Force

It is not possible to determine from the information you provided.

You can learn more about a specific signature (and potential benign triggers) by visiting the Cisco IntelliShield site:

  For signature 16297/1, the following details are available:

  Signature 16297/1 is based on signature 16297/0:

  It would be best to look at the services running on the reported attacker, and determine if there is a legitimate reason for it to attempt an SMB logon to the victim system and cause 9 logon failures in a 30-second period. Perhaps an automated service is still attempting to log into the victim system with outdated credentials.
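
To check the suggestion in the reply above against the victim's own logon records, this added example (not part of the thread and not Cisco code) counts failed logons per attacker/victim pair using the 9-failures-in-30-seconds figure quoted in the reply, and lists the accounts involved in each burst. The log line format, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # period quoted in the reply above
THRESHOLD = 9                   # logon failures quoted in the reply above

def parse(lines):
    """Parse 'ISO-timestamp source destination account' lines (hypothetical export format)."""
    for line in lines:
        ts, src, dst, account = line.split()
        yield datetime.fromisoformat(ts), src, dst, account

def find_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Summarise each (source, destination) pair that reaches the threshold inside the window."""
    recent = defaultdict(deque)  # per-pair sliding window of (time, account)
    bursts = {}
    for ts, src, dst, account in sorted(records):
        q = recent[(src, dst)]
        q.append((ts, account))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in bursts:
            bursts[(src, dst)] = {
                "first": q[0][0],
                "last": ts,
                "failures": len(q),
                "accounts": sorted({a for _, a in q}),
            }
    return bursts

def sample_lines():
    """Constructed sample data: three sources failing SMB logons against one server."""
    t0 = datetime(2009, 4, 2, 10, 0, 0)
    def line(offset, src, account):
        return f"{(t0 + timedelta(seconds=offset)).isoformat()} {src} 10.0.0.5 {account}"
    lines = [line(3 * i, "10.0.0.21", "svc_backup") for i in range(9)]     # one account, tight loop
    lines += [line(60 * i, "10.0.0.37", "jsmith") for i in range(9)]        # slow, never 9 in 30 s
    lines += [line(2 * i, "10.0.0.44", f"user{i % 4}") for i in range(12)]  # several accounts
    return lines

if __name__ == "__main__":
    for (src, dst), b in find_bursts(parse(sample_lines())).items():
        span = (b["last"] - b["first"]).total_seconds()
        print(f"{src} -> {dst}: {b['failures']} failures in {span:.0f}s, accounts={b['accounts']}")
```

A burst limited to a single service account retrying at a fixed interval fits the outdated-credentials case raised in the reply and points at the service to inspect on the reported attacker.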


Re: Sig Name: Worm Activity - Brute Force

Thanks for the great information, looks like subsig 0 is not a big deal...