Cisco Support Community

New Member

Windows RPC DCOM Overflow sub id 8

Hi,

Lately I've been hammered badly by this signature. The funny thing is the destination ports are high ports, e.g. 1025, 5000, etc. (non-NetBIOS). I noticed this signature has been firing frequently since MS08-067. Anyone having the same experience? Is this a true positive?

Thanks in advance

8 REPLIES
Cisco Employee

Re: Windows RPC DCOM Overflow sub id 8

If you are referring to sig 3327 subsig 8, it doesn't have any event-action associated with it by default. By any chance, have you tuned the sig or added an Event Action Override that might be applied to it?

New Member

Re: Windows RPC DCOM Overflow sub id 8

Hi,

Yes, I'm referring to 3327. I do not think we have tuned it, as we have hundreds of IPS deployed. Do you mind if I send you the payload to have a look?

New Member

Re: Windows RPC DCOM Overflow sub id 8

If there is no event action associated with it, does this mean the signature is actually not important?

New Member

Re: Windows RPC DCOM Overflow sub id 8

Cisco IPS seems very ineffective as an IPS.

Cisco Employee

Re: Windows RPC DCOM Overflow sub id 8

Signature 3327-8 is a meta component and thus only part of a signature. It does not have any event actions by default as the main signature is the one that'll produce an alert once the required components have been triggered by an attack.

A component going off may not be of significance, which is why they are set not to produce an alert by default. If you've changed this setting, and are now annoyed by the alerts, I suggest turning it back to default.

Martin Zeiser

IPS Signature Team
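To illustrate the meta-component behaviour described in the reply above, here is a small correlator written for this page as an added example; it is constructed illustration code, not Cisco IPS code and not the definition of any Cisco signature. Only signature 3327 and subsig 8 come from the thread; the component set {1, 8}, the 60-second window, the per-source/destination keying and the sample events are assumptions. Component hits are tracked silently and the meta alert is raised only once every required component has fired for the same source/destination pair within the window; giving the components an alert action (the `component_alerts` flag) is what makes the lone component hits visible.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed example. Signature 3327 and subsig 8 come from the thread; the
# component set {1, 8}, the 60 s window and the sample events are assumptions.


@dataclass(frozen=True)
class ComponentEvent:
    ts: float       # seconds
    src: str
    dst: str
    sig_id: int
    subsig_id: int


@dataclass(frozen=True)
class MetaSignature:
    sig_id: int
    required: FrozenSet[int]  # subsig IDs of the components that must all fire
    window: float             # seconds within which they must fire for one src/dst pair
    name: str


class MetaCorrelator:
    """Track component hits per (sig, src, dst) and raise the meta alert only when
    every required component has fired within the window. Components are silent
    unless component_alerts=True (the equivalent of giving a component an action)."""

    def __init__(self, metas: List[MetaSignature], component_alerts: bool = False):
        self.metas = {m.sig_id: m for m in metas}
        self.component_alerts = component_alerts
        # state[(sig_id, src, dst)] = {subsig_id: timestamp of last hit}
        self.state: Dict[Tuple[int, str, str], Dict[int, float]] = defaultdict(dict)

    def feed(self, ev: ComponentEvent) -> List[str]:
        alerts: List[str] = []
        meta = self.metas.get(ev.sig_id)
        if meta is None or ev.subsig_id not in meta.required:
            return alerts  # not a component of any meta signature we track
        if self.component_alerts:
            alerts.append(f"component {ev.sig_id}-{ev.subsig_id} {ev.src}->{ev.dst}")
        seen = self.state[(ev.sig_id, ev.src, ev.dst)]
        seen[ev.subsig_id] = ev.ts
        # forget components whose hit fell out of the window
        for sub, ts in list(seen.items()):
            if ev.ts - ts > meta.window:
                del seen[sub]
        if meta.required.issubset(seen):
            alerts.append(f"META {meta.sig_id} {meta.name} {ev.src}->{ev.dst}")
            seen.clear()  # start over for the next attack on this pair
        return alerts


def run(events: List[ComponentEvent], component_alerts: bool = False) -> List[str]:
    """Feed a list of component events through one correlator and return all alerts."""
    corr = MetaCorrelator(
        [MetaSignature(3327, frozenset({1, 8}), 60.0, "Windows RPC DCOM Overflow")],
        component_alerts,
    )
    out: List[str] = []
    for ev in events:
        out.extend(corr.feed(ev))
    return out


# Constructed sample stream: one host only ever trips subsig 8 (the poster's
# situation), another trips both components within the window.
SAMPLE_EVENTS = [
    ComponentEvent(0.0, "10.0.0.5", "10.0.0.9", 3327, 8),    # lone component hit
    ComponentEvent(5.0, "10.0.0.7", "10.0.0.9", 3327, 8),
    ComponentEvent(6.0, "10.0.0.7", "10.0.0.9", 3327, 1),    # completes the meta
    ComponentEvent(200.0, "10.0.0.5", "10.0.0.9", 3327, 1),  # too late: window expired
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

With the default settings the stream above yields a single meta alert for 10.0.0.7; the two lone subsig 8 hits from 10.0.0.5 produce nothing. Setting `component_alerts=True` adds one line per component hit, which is the kind of noise the reply says you get when a component is given an action.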

New Member

Re: Windows RPC DCOM Overflow sub id 8

Hi Martin,

Thanks for the reply. I've tried the RPC DCOM exploit against this signature. Only subsig 8 was triggered upon the exploit attempt. Do you think this signature is important?

Cisco Employee

Re: Windows RPC DCOM Overflow sub id 8

This signature is relevant to CVE-2003-0352, which is the vulnerability the Blaster worm abused. I'm sure there's still a bunch of old machines out there infected by this worm and scanning the Internet for victims.

New Member

Re: Windows RPC DCOM Overflow sub id 8

Hi,

Yes, it's related to that. I'm using the exploit for that vulnerability and it triggered subsig 8 only. I think this means sub id 8 should be quite important, right?
