New IDSM2 installation here. Just got them to work last week so no real tuning done yet. They are running in promiscuous mode with software version 5.0(5sp2). We are using CN-MARS 4.1 to collect events.
I'm seeing a lot of RPC DCOM overflow events sourcing from systems that are likely not compromised. The interesting thing is that the destinations of most of these RPC DCOM overflows are all the same system, one that I am very suspicious of. Am I reading these events incorrectly? Is the destination address for this event actually the attacker? I've already had one instance where the IDSM2s reported an SMB auth failure with the source and destination reversed.
Has anyone else run into these types of issues before?
Lastly, what type of normal traffic, if any, would trigger the Windows RPC DCOM Overflow signature?
There is not enough data from the alert context buffer to determine if this is a false positive. That being said, it would be very hard to imagine a situation that could cause this signature to false positive. I would suspect that this is a real attack.
Thanks craiwill. This looks like it will cut down on a lot of the "noise" for the RPC DCOM overflows. I created the custom sig and will deploy it later tonight. Thank you for your assistance. Much appreciated.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router :