MARS "Win SMB Enum Shr DoS" & Rule to Ignore?

I am tuning some Unconfirmed False Positives (UFP). We have a fair number of the 'Windows SMB Enum Share DoS' events in the UFP list. They don't appear to be too frequent but there are some. I am thinking I'd like to have a rule that says "if there are less than 'x' occurrences to a particular dest IP within 'y' minutes, ignore this" but it doesn't look like this can be done.

Any ideas? TIA

Paul

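The filter Paul describes (ignore the signature unless a destination IP sees at least x hits within y minutes) can be expressed as a sliding-window count per destination. The block below is an added example written for this page; it is not MARS rule syntax and not code from the thread. It runs as a post-processing step over exported events, and the event rows, IP addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real MARS output:
# (timestamp, source IP, destination IP) for one signature.
SAMPLE_EVENTS = [
    ("2010-03-01 09:00:00", "10.1.1.5", "10.2.0.10"),
    ("2010-03-01 09:07:00", "10.1.1.9", "10.2.0.10"),
    ("2010-03-01 09:01:00", "10.1.1.7", "10.2.0.20"),
    ("2010-03-01 09:02:30", "10.1.1.7", "10.2.0.20"),
    ("2010-03-01 09:04:00", "10.1.1.7", "10.2.0.20"),
    ("2010-03-01 09:30:00", "10.1.1.7", "10.2.0.20"),
]


def parse_event(row):
    """Turn a (timestamp, src, dst) row into (datetime, src, dst)."""
    ts, src, dst = row
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst


def triage(events, threshold, window_minutes):
    """Split events into (escalated, suppressed).

    An event is escalated when its destination IP has received at least
    `threshold` events of this signature within some trailing window of
    `window_minutes` that contains it; everything else is suppressed.
    The input need not be sorted.
    """
    window = timedelta(minutes=window_minutes)
    parsed = sorted(
        enumerate(parse_event(e) for e in events), key=lambda ie: ie[1][0]
    )
    recent = defaultdict(deque)  # dst -> deque of (index, timestamp) in window
    escalated = set()
    for idx, (ts, _src, dst) in parsed:
        q = recent[dst]
        # Drop entries that have aged out of the trailing window.
        while q and ts - q[0][1] > window:
            q.popleft()
        q.append((idx, ts))
        # Once the window holds enough hits, every hit in it is escalated,
        # including the earlier ones that were below threshold at the time.
        if len(q) >= threshold:
            escalated.update(i for i, _ in q)
    keep = [e for i, e in enumerate(events) if i in escalated]
    drop = [e for i, e in enumerate(events) if i not in escalated]
    return keep, drop


if __name__ == "__main__":
    keep, drop = triage(SAMPLE_EVENTS, threshold=3, window_minutes=5)
    print("escalated:")
    for e in keep:
        print("  ", *e)
    print("suppressed:")
    for e in drop:
        print("  ", *e)
```

Note that this only separates events by rate to a destination. It says nothing about whether any single hit was a genuine exploit attempt, so it is a tuning aid for the UFP list, not a verdict on the signature.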

Re: MARS "Win SMB Enum Shr DoS" & Rule to Ignore?

Research the vulnerability and the signature. This isn't a DOS in the sense that it detects a flood of traffic. It detects the exploit, which results in a DOS. These are very likely false positives, but you should verify. If they are false positives, given that this is a 5 year old vulnerability...I would recommend just disabling/retiring the sig.
