07-03-2008 06:49 AM - edited 03-10-2019 04:10 AM
We've just received these new appliances and I've been trying to make heads or tails of messages received about "attacks".
This is the message that I'm getting:
Windows DCOM Overflow 5588/0 192.168.3.34 192.168.1.7 droppedPacket, deniedFlow, tcpOneWayResetSent 445 60 95
I have a DC and five Satellite Servers and they're all on a VPN and they replicate. This is a constant "attack" that I'm getting. I've made filters to make sure that the Network IPs in question are exempt from this signature.
I also did a DCdiag on the Domain Controller. This is not the only signature that I get that my DC is "attacking" other IPs within the Network. Here's my device and versions:
IPS ver. 6.1(1) E2
Device Type: ASA-SSM 10
ASDM= ASA Ver. 8.0 (2)
Device Type: ASA5510
ASDM ver 6.0(2)
I know that it can't be anything that is making the Servers compromised, but I'm trying to narrow this down. I really don't want to disable the signature for fear of allowing anything from the outside coming in. My gut feeling is that it's a false positive. Anyone else have this issue?
Same issue with a sig firing of 3337/0 Windows RPC Race condition. This one is firing from my DC to my satellite office servers. All are healthy btw.
07-06-2008 03:28 AM
Download the latest signature update, AFAIR they just tuned this signature in the last release.
Regards
Farrukh
01-20-2009 10:21 PM
Looks like a true positive. Try to check whether the source has been patched. If it hasn't, most likely it has been infected, etc.