I'm seeing lots of SMB Authorization Failure events being reported to MARS from IPS signature 5606/0. I strongly suspect that these events are false but I don't know a lot about SMB. The Event Type Details in MARS states "This signature detects when three or more consecutive failed Windows NT (or Samba) user authentication within a single SMB session..." However, the Event Count parameter of 5606/0 is set to the default of 1. Should this be bumped up to 3 or am I smoking dope? Should I be looking at other areas of the signature definition?
The documentation wasn't updated when we updated the SMB engine, so it's not working on the "three strikes" principle. The current functionality is to alarm on the first instance and then go into summary mode. You can have it alarm after 3 instances by bumping the event count to 3. You can cut down some of the noise by adjusting that value.
Additionally, the event tracking key is currently AaBb, which means that it will track the events on a full Quad (Src IP/port & Dst IP/port). In this case the Dst IP/port are always the same (your server), so if an attacker uses a tool that uses the same port over and over, you'll only get the one alarm then summaries later. If it's parallel in its operation and uses multiple ports, you'll get an alarm per SrcIP/port. Generally I'd keep the summarization key in step with the event key for this signature. I'm not suggesting that it needs to change or anything, just letting you know what it does.
Generally this alarm will fire every time someone fat-fingers their Windows password or attempts to access a protected share that they don't have permissions on. I will recommend this signature to the signature team for a review of its settings in a future update.
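To make the answer's two knobs concrete, here is an added simulation (not from the thread or from Cisco) of how Event Count and the tracking key decide which failed SMB logons become alarms and which get folded into summaries. The IPs and the x-as-wildcard key letters (AxBx) are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SmbAuthFailure:
    """One failed SMB logon as the sensor would see it (constructed, not real sensor output)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def tracking_key(ev, key_type="AaBb"):
    """Build the per-signature tracking key. A/a = src IP/port, B/b = dst IP/port,
    x = field left out of the key (assumed notation). AaBb is the full quad the answer describes."""
    fields = {"A": ev.src_ip, "a": ev.src_port, "B": ev.dst_ip, "b": ev.dst_port, "x": None}
    return tuple(fields[c] for c in key_type)


def evaluate(events, event_count=1, key_type="AaBb"):
    """Fire one alarm per key when its count reaches event_count; later hits on that key are summarized."""
    counts = defaultdict(int)
    alarms, summarized = [], 0
    for ev in events:
        k = tracking_key(ev, key_type)
        counts[k] += 1
        if counts[k] == event_count:
            alarms.append(k)
        elif counts[k] > event_count:
            summarized += 1
    return alarms, summarized


def sample_events():
    """Constructed traffic: one user mistyping a password twice from a single session, and an
    automated source that opens a new session (new source port) for every three attempts."""
    server = ("192.0.2.10", 445)
    user = [SmbAuthFailure("192.0.2.50", 49152, *server)] * 2
    tool = [SmbAuthFailure("192.0.2.77", p, *server) for p in (50001, 50002, 50003) for _ in range(3)]
    return user + tool


if __name__ == "__main__":
    evs = sample_events()
    for count, key in ((1, "AaBb"), (3, "AaBb"), (3, "AxBx")):
        alarms, summ = evaluate(evs, count, key)
        print(f"event_count={count} key={key}: {len(alarms)} alarm(s), {summ} summarized")
```

With the default Event Count of 1 the single typo already alarms; at 3 it is silent, and only the repeated source still alarms, once per source port under AaBb or once per source host under AxBx.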