Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

windows rpc race condition 3337.0

Hi,

IDSM2 on 6500 with 4.1(1)S213

I see a lot of signature 3337 events (Windows RPC race condition exploitation) being fired with destination IP address of my active directory server and on port 135. Source addresses are all on the inside.

How to tune this signature?

-- vasanth

  • Intrusion Prevention Systems/IDS
1 REPLY
Cisco Employee

Re: windows rpc race condition 3337.0

This signature relates to the Microsoft MS04-012 and addresses an RPC race condition. If your systems are patched, you can filter out your inside hosts.

Keep in mind that Windows Terminal Services Servers will also set this alert off due to the high amount of RPC traffic - if the servers are patched, you can filter them out as well.

282
Views
0
Helpful
1
Replies