https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243067#M77895 <HTML><HEAD></HEAD><BODY><P>hi,</P><P> yes, i'm referring to 3327. I do not think we have tuned it as we have hundreds of IPS deployed.Do you mind if i send you the payload to have a look? </P><P></P><P></P></BODY></HTML> Tue, 03 Feb 2009 02:06:32 GMT yuliang13 2009-02-03T02:06:32Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243065#M77892 <P>hi,</P><P> lately i've been hammered badly by this signature. the funny thing is the destination ports are highports ,etc 1025,5000,etc (non netbios) . i noticed this signature has been firing frequently since ms08-067. anyone having the same experience ? is this a true positive? </P><P></P><P>thanks in advnce </P> Sun, 10 Mar 2019 11:28:10 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243065#M77892 yuliang13 2019-03-10T11:28:10Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243066#M77894 <HTML><HEAD></HEAD><BODY><P>If you are referring to sig 3327 subsig 8, it doesn't have any event-action associated with it by default. By any chance, have you tuned the sig or added an Event Action Override that might be applied to it?</P></BODY></HTML> Mon, 26 Jan 2009 22:21:58 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243066#M77894 rupadras 2009-01-26T22:21:58Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243067#M77895 <HTML><HEAD></HEAD><BODY><P>hi,</P><P> yes, i'm referring to 3327. I do not think we have tuned it as we have hundreds of IPS deployed.Do you mind if i send you the payload to have a look? </P><P></P><P></P></BODY></HTML> Tue, 03 Feb 2009 02:06:32 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243067#M77895 yuliang13 2009-02-03T02:06:32Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243068#M77896 <HTML><HEAD></HEAD><BODY><P></P><P>if there are no event-action associated to it, does this means the signature is actually not important ? </P></BODY></HTML> Mon, 16 Feb 2009 06:53:03 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243068#M77896 yuliang13 2009-02-16T06:53:03Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243069#M77898 <HTML><HEAD></HEAD><BODY><P>cisco IPS seems very ineffective as an IPS </P></BODY></HTML> Tue, 03 Mar 2009 10:12:45 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243069#M77898 yuliang13 2009-03-03T10:12:45Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243070#M77900 <HTML><HEAD></HEAD><BODY><P>Signature 3327-8 is a meta component and thus only part of a signature. It does not have any event actions by default as the main signature is the one that'll produce an alert once the required components have been triggered by an attack. </P><P>A component going off may not be of significance, which is why they are set not not produce alert by default. If you've changed this setting, and are now annoyed by the alerts, I suggest turning it back to default.</P><P></P><P>Martin Zeiser</P><P>IPS Signature Team </P></BODY></HTML> Tue, 03 Mar 2009 11:14:06 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243070#M77900 mzeiser 2009-03-03T11:14:06Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243071#M77901 <HTML><HEAD></HEAD><BODY><P></P><P>Hi martin,</P><P>thanks for the reply. I've tried RPC DCOM exploit over this signature. only the subsig 8 was triggered upon the exploit attempt. Do you think this signature is important ? </P></BODY></HTML> Tue, 03 Mar 2009 11:32:33 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243071#M77901 yuliang13 2009-03-03T11:32:33Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243072#M77902 <HTML><HEAD></HEAD><BODY><P>This signature is relevant to cve-2003-0352, which is the vulnerability the Blaster worm abused. I'm sure there's still a bunch of old machines out there infected by this worm and scanning the Internet for victims.</P></BODY></HTML> Tue, 03 Mar 2009 12:04:14 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243072#M77902 mzeiser 2009-03-03T12:04:14Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243073#M77903 <HTML><HEAD></HEAD><BODY><P></P><P>hi, </P><P>yes it's related to that. i'm using the exploit for that vulnerability and it triggered signature 8 only. i think this means sub id 8 should be quite important right? </P><P></P><P></P></BODY></HTML> Tue, 03 Mar 2009 15:46:43 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-sub-id-8/m-p/1243073#M77903 yuliang13 2009-03-03T15:46:43Z