https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803922#M1099092 <P>Hi,</P> <P>Snort actually uses a process called network discovery in order to identity operating systems and apps used <SPAN data-dobid="hdw">throughout </SPAN>the network. It does this by using 'signatures' (part of the VDB package) that are applied to traffic that it 'sees'. Thus this is a passive way of discovering hosts. It's just its best guess.</P> <P>You know that the source and destination are not win7 or 2008R2 because you can logon to that resource and manually check the OS version and all the details.</P> <P>Snort has to means of doing that.</P> <P>You can go to Analysis &gt; Hosts &gt; Hosts &gt; Table View and search for your specific IPs and check that Snort thinks of them.</P> <P>If needed you can manually edit the operating system for those particular hosts.</P> <P>&nbsp;</P> <P>If OS fingerprinting is wrong, it's normal for that IPS signature to have an Impact 1 attached, because the system considers the host to have the protocol running and the respective vulnerability mapped.</P> <P>&nbsp;</P> <P>BR,</P> <P>Octavian</P> <P><LI-WRAPPER></LI-WRAPPER></P> Wed, 29 Mar 2023 13:41:31 GMT Octavian Szolga 2023-03-29T13:41:31Z https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803907#M1099090 <P>Our Firepower Threat Defense SNORT engine is triggering rules that don't match the actual traffic.</P><P>For example, rule&nbsp;<SPAN class="">1:16540:18 references CVE-2010-0477 which has the description:&nbsp;<SPAN>The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly handle (1) SMBv1 and (2) SMBv2 response packets, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted packet that causes the client to read the entirety of the response, and then improperly interact with the Winsock Kernel (WSK), aka "SMB Client Message Size Vulnerability."</SPAN></SPAN></P><P><SPAN class="">However, the source device is Windows 10 and the destination is Windows Server 2019.</SPAN></P><P><SPAN class="">Can anyone tell me why this is happening?</SPAN></P><P>Firepower says it is an Impact 1 event, but it is not an affected OS version.<BR /><BR />Even the Microsoft Security bulletin does not include these OS as affected versions.<BR /><A href="https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-020?redirectedfrom=MSDN" target="_blank">https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-020?redirectedfrom=MSDN</A></P><P><BR />Any help will be greatly appreciated.</P> Wed, 29 Mar 2023 13:12:17 GMT https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803907#M1099090 DannyDulin 2023-03-29T13:12:17Z https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803922#M1099092 <P>Hi,</P> <P>Snort actually uses a process called network discovery in order to identity operating systems and apps used <SPAN data-dobid="hdw">throughout </SPAN>the network. It does this by using 'signatures' (part of the VDB package) that are applied to traffic that it 'sees'. Thus this is a passive way of discovering hosts. It's just its best guess.</P> <P>You know that the source and destination are not win7 or 2008R2 because you can logon to that resource and manually check the OS version and all the details.</P> <P>Snort has to means of doing that.</P> <P>You can go to Analysis &gt; Hosts &gt; Hosts &gt; Table View and search for your specific IPs and check that Snort thinks of them.</P> <P>If needed you can manually edit the operating system for those particular hosts.</P> <P>&nbsp;</P> <P>If OS fingerprinting is wrong, it's normal for that IPS signature to have an Impact 1 attached, because the system considers the host to have the protocol running and the respective vulnerability mapped.</P> <P>&nbsp;</P> <P>BR,</P> <P>Octavian</P> <P><LI-WRAPPER></LI-WRAPPER></P> Wed, 29 Mar 2023 13:41:31 GMT https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803922#M1099092 Octavian Szolga 2023-03-29T13:41:31Z https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803938#M1099094 <P>Octavian,</P><P>This is EXTREMELY helpful. Thank you!<BR /><BR />I guess this is why we would use NMAP scan as an initial remediation for a Snort Rule trigger.</P><P>&nbsp;</P> Wed, 29 Mar 2023 13:48:55 GMT https://community.cisco.com/t5/network-security/snort-rules-triggering-on-incorrect-os-version/m-p/4803938#M1099094 DannyDulin 2023-03-29T13:48:55Z