I upgraded to 4.1-3-S61 and am now getting several rf poison signatures throughout the internal network. Does anybody know what process might trigger this alert and how to filter it other than disabling the sig?
We have had several cases of 3323 firing since S61. We made some changes to the SMB engine in order to cover the latest Microsoft vulnerabilities. It appears that in doing so, the 3323 logic loosened up and is now false positive firing. We recommend disabling the signature and will work on having it fixed in the next signature update.
I have been getting large amounts of events at the mgt station for the signature SMB:RFPoison Attack ID: 3323. Can you tell me if the problem that was addressed in this thread has been resolved? I am at 4.1-3s81 on the sensors.