
Windows RPC Dcom overflow

bizsnatch
Level 1

Has anyone discovered any benign triggers for this signature yet? It's triggered a few times on my network and the machines are clean.

thanks,

biz

6 Replies

anthall
Level 1

Which version are you running? Which signature is firing (subsig)?

ID: 3327 Sub ID: 0

Sensor Info:

Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S57

lwierenga
Level 1

Are these systems triggering the alarms servers, workstations or both? Load-balancing between servers may cause this alarm to fire. I have heard that SMS agent under certain circumstances will fire a false-positive. Need more information.

They are triggering from workstation to server. Only 3 at this point.

Could you set the sensor up to capture the trigger packet? When you get one that you believe is a false positive we can then help extract that alarm and we will be able to analyze what is causing it.

You can contact Tony Hall at anthall@cisco.com when you have a suspect.

Sure will... thanks.
