Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASN.1 Attack - 3336

My IDS alerted to Sig 3336. I scanned the source and destination for this vulnerability and every backdoor ISS Scanner has and both show clean.

Here is the contex buffer - does this look like an actual attack? Thanks.

Decoded Alarm Context(Signature Name='Windows ASN.1 Bit String NTLMv2 Integer Overflow' Event ID='1061746676113511598' Device Name='Sensor12' Event UTC Time='1082119844203755000'):

From attacker: n f 6) m X ~ {?RxE T s c 5 0g qC= 'x t c 42 |y[n m ] bf6& {[ cN '{ f- 6 c 3udL J- = u oe) P!" B PU * b YD = r Bz 0#Y B4 J l O 4S0 9 '@ @ ] P ?]D Dz T #

From victim: 0@N / % SMB 0 N / SMB/ 0 N / % SMB 0 O / SMB/ 0@O / % SMB 0 O


Re: ASN.1 Attack - 3336

Unfortunately, the context buffer you provided will not allow me to diagnose whether this is a false positive or not. If the alarm is still firing, please enable IP logging for signature 3336 (make sure to set CapturePacket to true). Send the logs to This is the best way for us to determine if it's a real attack or not.