https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939778#M79642 <HTML><HEAD></HEAD><BODY><P>I had the same issue. Just disabled the new signature and wait for better days. as of the new signature sets 341 I see 3 new signatures already disabled. I guess with the next update these new that give us headache will be tuned also</P></BODY></HTML> Thu, 26 Jun 2008 06:25:32 GMT rnaydenov 2008-06-26T06:25:32Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939777#M79640 <P>Today, ips-4250-sx (not-in-line) upgraded from v6.0(4)E1 to 6.0(5)E2. (S335) to (S339)</P><P></P><P>1st appearance &amp; flood of red alerts,</P><P>all internal sources and destinations:</P><P>1) Windows DCOM Overflow 0&amp;1 subsigs:</P><P> (1100src/100dst=86k total hits)</P><P>2) Netware LSASS CIFS.NLM Driver Overflow: (145src/140dst=2.5k total hits)</P><P>3) Print Spooler Service Overflow: (140src/75dst=2.4k total hits)</P><P>- hit accumulation in 7hrs since upgrade</P><P></P><P>Is there some signature tweaking to be done? or is it TAC time?</P><P></P><P>Anybody else experience this?</P><P></P><P>-thanks for any advise </P><P></P><P>Will</P><P></P><P></P><P></P> Sun, 10 Mar 2019 11:09:55 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939777#M79640 wgorman 2019-03-10T11:09:55Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939778#M79642 <HTML><HEAD></HEAD><BODY><P>I had the same issue. Just disabled the new signature and wait for better days. as of the new signature sets 341 I see 3 new signatures already disabled. I guess with the next update these new that give us headache will be tuned also</P></BODY></HTML> Thu, 26 Jun 2008 06:25:32 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939778#M79642 rnaydenov 2008-06-26T06:25:32Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939779#M79644 <HTML><HEAD></HEAD><BODY><P>Hi Will,</P><P></P><P>Yes same signatures are firing after S339 and Engine Update! I am quite sure that these are False positives because Windows DCOM BO fires against Domain Controller (I checked and they are healty). Moreover these sig.s started firing just after the update!</P><P>I think Cisco is going to tune S339 sig.s.</P><P></P><P>Anybody else experience this?</P><P></P><P>Marco</P></BODY></HTML> Thu, 26 Jun 2008 07:36:42 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939779#M79644 soc_admin 2008-06-26T07:36:42Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939780#M79647 <HTML><HEAD></HEAD><BODY><P>Hi Will,</P><P></P><P>The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.</P><P></P><P>- Shiva</P></BODY></HTML> Thu, 26 Jun 2008 13:43:55 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939780#M79647 shivapd 2008-06-26T13:43:55Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939781#M79650 <HTML><HEAD></HEAD><BODY><P>Shiva,</P><P>What is your recommendation?</P><P>disable or not</P><P>What is the ETA for the sig update?</P><P></P><P>thanks.</P><P></P><P>-Will</P></BODY></HTML> Thu, 26 Jun 2008 14:24:33 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939781#M79650 wgorman 2008-06-26T14:24:33Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939782#M79651 <HTML><HEAD></HEAD><BODY><P>I got the same problem after upgrade to 5.1.7E2.</P></BODY></HTML> Fri, 27 Jun 2008 13:37:49 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939782#M79651 andytmn 2008-06-27T13:37:49Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939783#M79652 <HTML><HEAD></HEAD><BODY><P>We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest work around is to just add the parameter smb command: 37 to the signatures. Due to the nature of the issue detection should not be affected in a negative way. We plan to ship this change in a signature update next week.</P></BODY></HTML> Fri, 27 Jun 2008 18:12:42 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939783#M79652 craiwill 2008-06-27T18:12:42Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939784#M79653 <HTML><HEAD></HEAD><BODY><P>How about No.3 the Print Spooler Overflow. Sig 5565. Same workaround ? </P></BODY></HTML> Fri, 29 Aug 2008 12:12:32 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939784#M79653 david.enenkel 2008-08-29T12:12:32Z https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939785#M79654 <HTML><HEAD></HEAD><BODY><P>All of these were fixed in S342 I think:</P><P></P><P>The S342 signature update contains the following modified signature:</P><P>PLATFORM SIGID SIGNAME ENGINE SEVERITY ENABLED DDTS</P><P>5.x, 6.x 5565.4 Print Spooler Service Overflow SERVICE-SMB-ADVANCED High True CSCsq99671</P><P>5.x, 6.x 5588.0 Windows DCOM Overflow SERVICE-SMB-ADVANCED High True CSCsq99671</P><P>5.x, 6.x 5588.1 Windows DCOM Overflow SERVICE-SMB-ADVANCED High True CSCsq99671</P><P>5.x, 6.x 6769.0 Netware LSASS CIFS.NLM Driver Overflow SERVICE-SMB-ADVANCED High True CSCsq99671</P><P></P><P> regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 29 Aug 2008 12:29:27 GMT https://community.cisco.com/t5/network-security/sudden-windows-dcom-overflow-flood/m-p/939785#M79654 Farrukh Haroon 2008-08-29T12:29:27Z