Cisco Support Community

New Member

Sudden Windows DCOM Overflow flood

Today, ips-4250-sx (not inline) was upgraded from v6.0(4)E1 to 6.0(5)E2, (S335) to (S339).

First appearance and flood of red alerts, all internal sources and destinations:

1) Windows DCOM Overflow, subsigs 0 & 1: (1100 src / 100 dst = 86k total hits)

2) Netware LSASS CIFS.NLM Driver Overflow: (145 src / 140 dst = 2.5k total hits)

3) Print Spooler Service Overflow: (140 src / 75 dst = 2.4k total hits)

- hits accumulated in the 7 hrs since the upgrade

Is there some signature tweaking to be done, or is it TAC time?

Anybody else experience this?

-thanks for any advice

Will

8 REPLIES
New Member

Re: Sudden Windows DCOM Overflow flood

I had the same issue. I just disabled the new signatures and am waiting for better days. As of the new signature set 341 I see 3 new signatures already disabled. I guess with the next update these new ones that give us headaches will be tuned as well.

New Member

Re: Sudden Windows DCOM Overflow flood

Hi Will,

Yes, the same signatures are firing after S339 and the Engine Update! I am quite sure that these are false positives because Windows DCOM BO fires against Domain Controllers (I checked and they are healthy). Moreover, these sigs started firing just after the update!

I think Cisco is going to tune the S339 sigs.

Anybody else experience this?

Marco

Cisco Employee

Re: Sudden Windows DCOM Overflow flood

Hi Will,

The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.

- Shiva

New Member

Re: Sudden Windows DCOM Overflow flood

Shiva,

What is your recommendation?

Disable or not?

What is the ETA for the sig update?

thanks.

-Will

New Member

Re: Sudden Windows DCOM Overflow flood

I got the same problem after upgrading to 5.1.7E2.

Cisco Employee

Re: Sudden Windows DCOM Overflow flood

We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest workaround is to just add the parameter "smb command: 37" to the signatures. Due to the nature of the issue, detection should not be affected in a negative way. We plan to ship this change in a signature update next week.

New Member

Re: Sudden Windows DCOM Overflow flood

How about No. 3, the Print Spooler Overflow, sig 5565? Same workaround?

Re: Sudden Windows DCOM Overflow flood

All of these were fixed in S342, I think:

The S342 signature update contains the following modified signatures:

PLATFORM  SIGID   SIGNAME                                 ENGINE                SEVERITY  ENABLED  DDTS
5.x, 6.x  5565.4  Print Spooler Service Overflow          SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.0  Windows DCOM Overflow                   SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  5588.1  Windows DCOM Overflow                   SERVICE-SMB-ADVANCED  High      True     CSCsq99671
5.x, 6.x  6769.0  Netware LSASS CIFS.NLM Driver Overflow  SERVICE-SMB-ADVANCED  High      True     CSCsq99671

regards

Farrukh
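The triage Will did by hand in the opening post (per signature: distinct sources, distinct destinations, total hits, and whether the signature ever fired before the upgrade) can be scripted so that a post-update flood is recognised as a candidate false positive before it is worked as an incident. This is an added example, not code from the thread or from Cisco; it runs over constructed alert lines in a made-up key=value export format and assumes 10.0.0.0/8 is the internal range and a hypothetical upgrade time, flagging signatures that never fired before the upgrade, fire only between internal hosts, and fire from several sources, which is the pattern the thread attributes to 5588.0, 5588.1 and 6769.0.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed (not from the thread): the internal address range and the upgrade time.
INTERNAL = ip_network("10.0.0.0/8")
UPGRADE_AT = datetime(2008, 6, 3, 9, 0)

# Constructed alert lines in a made-up key=value export format, not real sensor output.
SAMPLE_ALERTS = """\
2008-06-03T08:10:00 sig=5565 subsig=4 src=10.0.5.20 dst=10.0.9.2
2008-06-03T10:15:00 sig=5588 subsig=0 src=10.0.1.5 dst=10.0.2.7
2008-06-03T10:15:01 sig=5588 subsig=0 src=10.0.1.6 dst=10.0.2.7
2008-06-03T10:16:00 sig=5588 subsig=1 src=10.0.1.7 dst=10.0.2.8
2008-06-03T10:16:30 sig=5588 subsig=1 src=10.0.1.9 dst=10.0.2.8
2008-06-03T10:18:00 sig=6769 subsig=0 src=10.0.3.1 dst=10.0.2.9
2008-06-03T10:19:00 sig=6769 subsig=0 src=10.0.3.2 dst=10.0.2.9
2008-06-03T10:20:00 sig=5565 subsig=4 src=10.0.5.21 dst=10.0.9.2
2008-06-03T10:21:00 sig=3030 subsig=0 src=203.0.113.9 dst=10.0.2.7
"""
LINE = re.compile(r"(\S+) sig=(\d+) subsig=(\d+) src=(\S+) dst=(\S+)")

def parse(text):
    """Yield (timestamp, 'sigid.subsig', src, dst) for each well-formed line."""
    for m in LINE.finditer(text):
        ts, sig, sub, src, dst = m.groups()
        yield datetime.fromisoformat(ts), f"{sig}.{sub}", src, dst

def triage(alerts, upgrade_at):
    """Per signature: hits, distinct src/dst, pre-upgrade hits, hits touching non-internal hosts."""
    stats = defaultdict(lambda: {"hits": 0, "src": set(), "dst": set(), "before": 0, "external": 0})
    for ts, sig, src, dst in alerts:
        s = stats[sig]
        s["hits"] += 1
        s["src"].add(src); s["dst"].add(dst)
        if ts < upgrade_at:
            s["before"] += 1
        if ip_address(src) not in INTERNAL or ip_address(dst) not in INTERNAL:
            s["external"] += 1
    return stats

def summarize(stats):
    """Render each signature in the 'Nsrc/Mdst=K total hits' form used in the opening post."""
    return {sig: f"{len(s['src'])}src/{len(s['dst'])}dst={s['hits']} total hits" for sig, s in stats.items()}

def suspect_false_positives(stats, min_src=2):
    """Never fired before the upgrade, only internal-to-internal, and from at least min_src sources."""
    return sorted(sig for sig, s in stats.items()
                  if s["before"] == 0 and s["external"] == 0 and len(s["src"]) >= min_src)
```

Signatures this flags are the ones to check against the vendor's modified-signature list (such as the S342 table above) before tuning; a signature with pre-upgrade history or external peers, like 5565.4 and 3030.0 in the sample, stays in the normal queue.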
