Cisco Support Community
Community Member

S85 and Signature 3337

Extremely noisy, haven't done much analysis yet.

Anyone else seeing this generate lots of alerts? Most of them are between my VPN users and my Microsoft Exchange servers.

15 REPLIES
Community Member

Re: S85 and Signature 3337

Roger that, Exchange Server 5.5 and any user (remote or local) triggers it here. That's a lot of false positives. Guess that means there'll be yet-another-update soon :(

Community Member

Re: S85 and Signature 3337

Confirmed; I too see false positives for the same reasons as the rest of this thread.

Community Member

Re: S85 and Signature 3337

Yea... When people started logging in this morning, in one hour, IDS generated 67,451 alerts for sig 3337.

Community Member

Re: S85 and Signature 3337

Do you have any more details you can provide? What destination ports, patterns of activity, network traces, etc.? I'd like to try and tweak this signature a bit more, and need some input from you guys in the field. MSRPC usage and traffic can be quite arbitrary at times.

Community Member

Re: S85 and Signature 3337

Clients using Outlook 2000 connecting to an Exchange 5.5 Server on TCP ports 6042 and 6043 from a random port triggers it here.

Community Member

Re: S85 and Signature 3337

Yes; all valid traffic between Exchange servers triggers this signature.

Perhaps it needs more fine tuning. I'm going to disable it and wait for the correction.

Re: S85 and Signature 3337

Client Outlook 98, Exchange Server 2000 (Service Pack 3), thousands of alarms on destination ports 1187, 1189, 1567, 5555.

Regards,

Milan

Community Member

Re: S85 and Signature 3337

Would it be possible for either of you to turn on packet capture or, even better, IP logging of the signature? I have some guesses as to why this sig may be firing inappropriately, but if I had a sample of network traffic, I could nail it down.

Re: S85 and Signature 3337

There are also some alarms fired with the destination address of the Primary or secondary Domain Controller, destination port 1026.

Regards,

Milan
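A small triage script for the per-destination-port breakdown the Cisco engineer asked for above, which is what separates the Exchange and domain-controller MSRPC traffic reported in this thread from anything that still deserves a look. This is an added example, not code from any poster or from Cisco; the alert line format, the host addresses and the `known_servers` list are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alert export (format assumed, not a real sensor format):
# "<date> <time> <sig-id> <src>:<sport> -> <dst>:<dport>"
SAMPLE_ALERTS = """\
2004-04-12 08:01:03 3337 10.8.1.15:3341 -> 10.1.1.20:6042
2004-04-12 08:01:04 3337 10.8.1.15:3342 -> 10.1.1.20:6043
2004-04-12 08:01:09 3337 10.8.1.22:1203 -> 10.1.1.20:6042
2004-04-12 08:02:11 3337 10.8.1.22:1204 -> 10.1.1.21:1187
2004-04-12 08:02:30 3337 10.8.1.40:2050 -> 10.1.1.21:1189
2004-04-12 08:03:01 3337 10.8.1.40:2051 -> 10.1.1.5:1026
2004-04-12 08:03:02 3337 10.8.1.9:4000 -> 10.1.1.5:1026
2004-04-12 08:03:07 2100 10.8.1.9:4001 -> 10.1.1.99:445
2004-04-12 08:04:15 3337 10.8.1.15:3399 -> 192.0.2.77:135
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sig>\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_alerts(text):
    """Yield one dict per well-formed alert line; malformed lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sig"], d["dport"] = int(d["sig"]), int(d["dport"])
            yield d

def summarize(text, sig_id=3337):
    """Count alerts for sig_id by (dst host, dst port), with distinct sources."""
    by_dst, srcs = Counter(), defaultdict(set)
    for a in parse_alerts(text):
        if a["sig"] != sig_id:
            continue
        key = (a["dst"], a["dport"])
        by_dst[key] += 1
        srcs[key].add(a["src"])
    return {k: {"alerts": n, "distinct_sources": len(srcs[k])}
            for k, n in by_dst.items()}

def candidate_filters(summary, known_servers, min_alerts=2):
    """(dst, dport) pairs worth a temporary filter: inventoried mail/DC hosts
    hit repeatedly by clients. Anything else keeps alerting for analyst review."""
    return sorted(k for k, v in summary.items()
                  if k[0] in known_servers and v["alerts"] >= min_alerts)

if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for (dst, dport), v in sorted(s.items(), key=lambda kv: -kv[1]["alerts"]):
        print(f"{dst}:{dport:<5} alerts={v['alerts']} sources={v['distinct_sources']}")
    print("filter candidates:", candidate_filters(s, {"10.1.1.20", "10.1.1.21", "10.1.1.5"}))
```

The unknown host 192.0.2.77:135 is deliberately left out of the filter suggestions, since a blanket filter on the signature would hide exactly that kind of outlier.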

Community Member

Re: S85 and Signature 3337

We've addressed some of the false positives we've found with this sig. The fix will be in S86 and can be tracked with DDTS CSCee31185.

Re: S85 and Signature 3337

Hi,

the bug workaround says "Upgrade to signature update S86 or later."

But the S86-readme.txt says "No signatures have been tuned in this update."

There are also no caveats mentioned.

So has the bug been fixed in S86 or not?

May I remove my filters safely?

Regards,

Milan

Community Member

Re: S85 and Signature 3337

Based on the feedback I have received here, the signature has been tuned and altered a bit. It should now have much better fidelity. Please go ahead and re-enable it. It should not be nearly as noisy now. And post back if you can and let me know how it goes.

Community Member

Re: S85 and Signature 3337

Why didn't the release notes with S86 list 3337 as a tuned signature? Were any other signatures tuned?

Community Member

Re: S85 and Signature 3337

It should have been. We had a slight process problem in getting this one out the door. No other sigs were modified.

Re: S85 and Signature 3337

Yes, the signature seems to be fixed.

But how can we rely on a signature update system when there is no notice of signature modification in the readme file?

Regards,

Milan
