
Windows DCOM Overflow (Internal Servers)

We've just received these new appliances and I've been trying to make heads or tails of messages received about "attacks".

This is the message that I'm getting:

Windows DCOM Overflow 5588/0 192.168.3.34 192.168.1.7 droppedPacket, deniedFlow, tcpOneWayResetSent 445 60 95

I have a DC and five satellite servers; they're all on a VPN and they replicate. This is a constant "attack" that I'm getting. I've made filters to make sure that the network IPs in question are exempt from this signature.

I also did a DCdiag on the Domain Controller. This is not the only signature that I get that my DC is "attacking" other IPs within the network. Here's my device and versions:

IPS ver. 6.1(1) E2

Device Type: ASA-SSM 10

ASDM= ASA Ver. 8.0 (2)

Device Type: ASA5510

ASDM ver 6.0(2)

I know that it can't be anything that is making the servers compromised, but I'm trying to narrow this down. I really don't want to disable the signature for fear of allowing anything from the outside coming in. My gut feeling is that it's a false positive; does anyone else have this issue?

Same issue with a sig firing of 3337/0 Windows RPC Race Condition. This one is firing from my DC to my satellite office servers. All are healthy, btw.

2 REPLIES

Re: Windows DCOM Overflow (Internal Servers)

Download the latest signature update, AFAIR they just tuned this signature in the last release.

Regards

Farrukh


Re: Windows DCOM Overflow (Internal Servers)

Looks like a true positive. Try to check whether the source has been patched. If it hasn't, most likely it has been infected, etc.
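An added triage example (not from the thread or from Cisco): it parses IPS event lines in the layout the poster quoted (signature name, sigid/subsig, attacker, victim, actions, then three numeric fields whose meaning beyond the first, the victim port, is not stated on the page) and separates hits between the known DC/satellite servers, which are candidates for an event action filter once patch level is confirmed, from hits involving any other host, which should be investigated. The server set and the second and third sample lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the poster's event plus two made-up lines for contrast.
SAMPLE_EVENTS = """\
Windows DCOM Overflow 5588/0 192.168.3.34 192.168.1.7 droppedPacket, deniedFlow, tcpOneWayResetSent 445 60 95
Windows RPC Race Condition 3337/0 192.168.1.7 192.168.5.20 droppedPacket, deniedFlow 135 60 95
Windows DCOM Overflow 5588/0 203.0.113.9 192.168.1.7 droppedPacket, deniedFlow, tcpOneWayResetSent 445 60 95
"""

# Assumed: DC and satellite servers that legitimately exchange SMB/RPC replication traffic.
AD_SERVERS = {ipaddress.ip_address(a) for a in ("192.168.1.7", "192.168.3.34", "192.168.5.20")}
AD_PORTS = {135, 445}  # RPC endpoint mapper and SMB, the ports the two signatures fire on

# name is lazy so it may contain spaces; the "sigid/subsig" token anchors the split.
EVENT_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<sig>\d+/\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<actions>\S.*?)\s+(?P<port>\d+)\s+(?P<n1>\d+)\s+(?P<n2>\d+)$"
)


@dataclass
class Event:
    name: str
    sig_id: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    actions: list
    port: int


def parse_event(line: str) -> Optional[Event]:
    """Parse one event line; return None if it does not match the expected layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    actions = [a.strip() for a in m["actions"].split(",") if a.strip()]
    return Event(m["name"], m["sig"], ipaddress.ip_address(m["src"]),
                 ipaddress.ip_address(m["dst"]), actions, int(m["port"]))


def triage(ev: Event) -> str:
    """'known-ad-pair' when both ends are listed AD servers on an AD port, else 'investigate'."""
    if ev.src in AD_SERVERS and ev.dst in AD_SERVERS and ev.port in AD_PORTS:
        return "known-ad-pair"
    return "investigate"


def triage_log(text: str) -> list:
    """Return (sig_id, src, dst, verdict) for every parsable line in the log."""
    events = (parse_event(l) for l in text.splitlines())
    return [(e.sig_id, str(e.src), str(e.dst), triage(e)) for e in events if e]
```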
