I am tuning some Unconfirmed False Positives (UFP). We have a fair number of the 'Windows SMB Enum Share DoS' events in the UFP list. They don't appear to be too frequent, but there are some. I am thinking I'd like to have a rule that says "if there are fewer than 'x' occurrences to a particular dest IP within 'y' minutes, ignore this", but it doesn't look like this can be done.
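The per-destination threshold the post describes, as an added example that is not part of the original thread and not a feature of the IPS product being discussed: a sliding-window filter that drops events for one signature until a destination IP has accumulated `min_count` hits within `window_minutes`. The event tuples are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread): (timestamp, signature, dest IP)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "Windows SMB Enum Share DoS", "10.0.0.5"),
    ("2024-01-01 10:01:00", "Windows SMB Enum Share DoS", "10.0.0.5"),
    ("2024-01-01 10:02:00", "Windows SMB Enum Share DoS", "10.0.0.5"),
    ("2024-01-01 10:03:00", "Windows SMB Enum Share DoS", "10.0.0.9"),
    ("2024-01-01 10:04:00", "Other Signature", "10.0.0.5"),
    ("2024-01-01 10:30:00", "Windows SMB Enum Share DoS", "10.0.0.5"),
]


def threshold_filter(events, signature, min_count, window_minutes):
    """Return events in input order, dropping those for `signature` whose
    destination IP has fewer than `min_count` hits (this one included)
    within the trailing `window_minutes`. Other signatures pass through.

    Note the semantics: the threshold is evaluated at each event, so the
    first min_count-1 hits in a burst are still dropped; only hits at or
    above the threshold are reported.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # dest IP -> timestamps still inside the window
    kept = []
    for ts_text, sig, dest in events:
        if sig != signature:
            kept.append((ts_text, sig, dest))
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        hits = recent[dest]
        hits.append(ts)
        # Evict timestamps that have fallen out of the trailing window.
        while hits and hits[0] < ts - window:
            hits.popleft()
        if len(hits) >= min_count:
            kept.append((ts_text, sig, dest))
    return kept


if __name__ == "__main__":
    for event in threshold_filter(SAMPLE_EVENTS, "Windows SMB Enum Share DoS", 3, 10):
        print(event)
```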
Research the vulnerability and the signature. This isn't a DoS in the sense that it detects a flood of traffic. It detects the exploit, which results in a DoS. These are very likely false positives, but you should verify. If they are false positives, given that this is a 5-year-old vulnerability... I would recommend just disabling/retiring the sig.