
New Member

'Windows locator' sig 3314 explanation

Could you please give me some insight into how this signature works? I'd like to know what exactly makes it trigger so that my customer can look for that sort of traffic and hopefully take care of it.

Thank you.

4 REPLIES
New Member

Re: 'Windows locator' sig 3314 explanation

The following link explains the Windows Locator service overflow vulnerability.

http://www.cert.org/advisories/CA-2003-03.html

This will give you some idea as to what is triggering it.

Bronze

Re: 'Windows locator' sig 3314 explanation

Due to certain conditions, we're not able to disclose what exactly the signature is looking for, but I can make two suggestions. Filter this alarm so that it only fires for the domain controllers in the network as destinations. Normally, only domain controllers run the Locator service. Second, in an actual attack, you will see the request for the "\locator" named pipe prior to the attack being sent. I hope this helps.
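The two suggestions in the reply above, sketched as alarm triage logic. This is an added example, not part of the original post and not Cisco code; the record layouts, IP addresses, domain controller list and 60-second correlation window are all constructed assumptions.

```python
from datetime import datetime, timedelta

SIG_ID = 3314
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}  # assumption: the site's DC addresses
WINDOW = timedelta(seconds=60)                   # assumption: how far back to look for the pipe request

# Constructed sample alarms (layout is hypothetical, not an IDS export format).
ALARMS = [
    {"time": "2003-02-01T10:00:05", "sig": 3314, "src": "10.0.5.20", "dst": "10.0.0.10"},
    {"time": "2003-02-01T10:03:00", "sig": 3314, "src": "10.0.5.21", "dst": "10.0.7.44"},
    {"time": "2003-02-01T10:05:00", "sig": 3314, "src": "10.0.5.22", "dst": "10.0.0.11"},
    {"time": "2003-02-01T10:06:00", "sig": 2000, "src": "10.0.5.23", "dst": "10.0.0.10"},
]
# Constructed named-pipe open records, e.g. from an SMB-aware network monitor.
PIPE_OPENS = [
    {"time": "2003-02-01T10:00:01", "src": "10.0.5.20", "dst": "10.0.0.10", "pipe": "\\locator"},
    {"time": "2003-02-01T10:05:30", "src": "10.0.5.22", "dst": "10.0.0.11", "pipe": "\\LOCATOR"},
    {"time": "2003-02-01T10:02:59", "src": "10.0.5.21", "dst": "10.0.7.44", "pipe": "\\srvsvc"},
]

def saw_locator_pipe(alarm, pipe_opens, window=WINDOW):
    """True if the same src/dst pair requested the locator pipe shortly BEFORE the alarm."""
    t_alarm = datetime.fromisoformat(alarm["time"])
    for p in pipe_opens:
        if p["pipe"].lstrip("\\").lower() != "locator":
            continue
        if (p["src"], p["dst"]) != (alarm["src"], alarm["dst"]):
            continue
        delta = t_alarm - datetime.fromisoformat(p["time"])
        if timedelta(0) <= delta <= window:  # pipe request must precede the alarm
            return True
    return False

def triage(alarms, pipe_opens, dcs=DOMAIN_CONTROLLERS):
    """Return (src, dst, verdict) for every sig 3314 alarm."""
    out = []
    for a in alarms:
        if a["sig"] != SIG_ID:
            continue
        if a["dst"] not in dcs:
            verdict = "filtered"   # destination is not a domain controller
        elif saw_locator_pipe(a, pipe_opens):
            verdict = "escalate"   # DC destination and a prior \locator request
        else:
            verdict = "review"     # DC destination, no prior pipe request seen
        out.append((a["src"], a["dst"], verdict))
    return out

if __name__ == "__main__":
    for row in triage(ALARMS, PIPE_OPENS):
        print(row)
```
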

New Member

Re: 'Windows locator' sig 3314 explanation

This filtering recommendation is not in the NSDB. Can that be updated to include this information?

Bronze

Re: 'Windows locator' sig 3314 explanation

Yes, I will do it in the S43 sig update. Thanks.
