topic Re: Event 3327 false positive? in Network Security

Event 3327 false positive?

stith — Sun, 10 Mar 2019 09:37:57 GMT

anyone else seeing false positives on event 3327 after installing sig S190?

Re: Event 3327 false positive?

a.arndt — Tue, 13 Sep 2005 15:08:36 GMT

Are you talking about IDS v4.1 or IPS v5.0?

Alex Arndt

Re: Event 3327 false positive?

craiwill — Tue, 13 Sep 2005 16:35:29 GMT

In addition to the version which subsignature is firing?

Re: Event 3327 false positive?

stith — Wed, 14 Sep 2005 13:06:29 GMT

V5.0

Re: Event 3327 false positive?

stith — Wed, 14 Sep 2005 13:07:34 GMT

drilling down I don't see the subsig indicated.

How do I determine that?

Re: Event 3327 false positive?

craiwill — Wed, 14 Sep 2005 13:56:34 GMT

It should be listed near the signature id; the exact location would depend on how you’re getting the alerts (management platform, cli, etc).

Re: Event 3327 false positive?

stith — Wed, 14 Sep 2005 14:37:54 GMT

subsig 6

I am using the Threat Analysis Console and you have to right click and show all columns to get the subsig. Sorry for the delay.

Re: Event 3327 false positive?

craiwill — Wed, 14 Sep 2005 14:49:27 GMT

There are no known benign triggers for this signature. If you can provide a traffic sample we should be able to determine if the activity is malicious. The easiest way to do this is to enable capture packet for this signature.

Re: Event 3327 false positive?

stith — Thu, 15 Sep 2005 17:15:13 GMT

Here are captures from etherpeek and in decode format. The destination is always a windows AD server. The source is always an external trusted host ie computers in remote offices using PIX 501's to a VPN3000.

Re: Event 3327 false positive?

craiwill — Thu, 15 Sep 2005 18:43:46 GMT

There is nothing in this traffic that would cause this signature to fire. Without a traffic sample I cannot say for sure if this is a false positive. There dozens of worms that use this vulnerability as a means of propagation so internal alerts are not necessairly benign. You may want to look for alerts from the 3328-* signatures, they should also fire on most attempts to exploit this vulnerability.

Re: Event 3327 false positive?

stith — Fri, 16 Sep 2005 13:26:45 GMT

Here's the entire conversation. No 3328's are firing.

Re: Event 3327 false positive?

matt_Travis — Fri, 16 Sep 2005 14:28:54 GMT

I believe I am also seeing false positives for this signature, here is a packet capture from 5.0 IDS

evIdsAlert: eventId=1119908756873907244 severity=high vendor=Cisco

originator:

hostId: WSB01

appName: sensorApp

appInstanceId: 6801

time: 2005/09/16 14:04:48 2005/09/16 07:04:48 MST

signature: description=Windows RPC DCOM Overflow id=3327 version=S188

subsigId: 6

sigDetails: \\\x3c400 chars>\

interfaceGroup:

vlan: 0

participants:

attacker:

addr: locality=INTERNAL 10.169.99.60

port: 2034

target:

addr: locality=WesternSecurity_Management 10.169.101.20

port: 445

context:

fromTarget:

000000 76 00 30 00 31 00 5C 00 48 00 50 00 20 00 4C 00 v.0.1.\.H.P. .L.

000010 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 20 00 a.s.e.r.J.e.t. .

000020 39 00 30 00 30 00 30 00 20 00 50 00 43 00 4C 00 9.0.0.0. .P.C.L.

000030 20 00 36 00 2C 00 48 00 50 00 20 00 4C 00 61 00 .6.,.H.P. .L.a.

000040 73 00 65 00 72 00 4A 00 65 00 74 00 20 00 39 00 s.e.r.J.e.t. .9.

000050 30 00 30 00 30 00 20 00 50 00 43 00 4C 00 20 00 0.0.0. .P.C.L. .

000060 36 00 2C 00 54 00 69 00 65 00 72 00 72 00 61 00 6.,.T.i.e.r.r.a.

000070 20 00 42 00 75 00 65 00 6E 00 61 00 20 00 48 00 .B.u.e.n.a. .H.

000080 50 00 39 00 30 00 30 00 30 00 00 00 F0 00 00 00 P.9.0.0.0.......

000090 00 00 00 00 00 00 00 68 FF 53 4D 42 25 00 00 00 .......h.SMB%...

0000A0 00 98 07 C8 00 00 DC A1 9A 7B 6A 44 E3 88 00 00 .........{jD....

0000B0 07 B8 C0 03 00 60 82 0B 0A 00 00 30 00 00 00 00 .....`.....0....

0000C0 00 38 00 00 00 30 00 38 00 00 00 00 00 31 00 7C .8...0.8.....1.|

0000D0 05 00 02 03 10 00 00 00 30 00 00 00 1E 00 00 00 ........0.......

0000E0 18 00 00 00 00 00 00 00 00 00 00 00 62 1B 51 C7 ............b.Q.

0000F0 64 A4 55 47 A6 43 F4 DE 42 89 1C C1 00 00 00 00 d.UG.C..B.......

fromAttacker:

000000 20 20 20 30 39 2F 31 34 2F 30 35 1B 26 61 35 37 09/14/05.&a57

000010 48 1B 26 61 32 35 33 36 56 20 20 20 20 20 45 4E H.&a2536V EN

000020 44 50 4F 49 4E 54 20 4E 55 4D 42 45 52 3A 20 20 DPOINT NUMBER:

000030 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

000040 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

000050 20 20 20 20 20 20 39 31 33 20 20 20 53 45 51 55 913 SEQU

000060 45 4E 43 45 20 4E 55 4D 42 45 52 3A 20 20 20 20 ENCE NUMBER:

000070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

000080 20 20 20 31 31 37 37 20 20 20 45 58 54 52 41 43 1177 EXTRAC

000090 54 20 4E 55 4D 42 45 52 3A 20 20 20 20 20 20 20 T NUMBER:

0000A0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

0000B0 20 20 33 35 34 1B 26 61 00 00 00 80 FF 53 4D 42 354.&a.....SMB

0000C0 25 00 00 00 00 18 07 C8 00 00 E6 D6 37 64 86 27 %...........7d.'

0000D0 FC B7 00 00 07 B8 C0 03 00 60 02 0C 10 00 00 2C .........`.....,

0000E0 00 00 00 70 0E 00 00 00 00 00 00 00 00 00 00 00 ...p............

0000F0 00 54 00 2C 00 54 00 02 00 26 00 02 00 3D 00 10 .T.,.T...&...=..

riskRatingValue: 65

interface: fe0_1

protocol: tcp

Re: Event 3327 false positive?

craiwill — Fri, 16 Sep 2005 14:39:08 GMT

Thank you for bringing this to our attention. This is indeed a false positive. We research this signature for modification in an upcoming signature update. In the meantime you can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives.

Tune signature 3327-6 and remove the produce alert action.

Create a custom signature as follows:

Engine Meta

Component list:

3327-6

3328-0

Meta-reset-interval = 2

Severity high

Summarize

Met-key = Axxx – 1 unique victim

Component-list-in order = false

Event action: produce alert

This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own you would not see alerts from it.

Note that this signature does not have as high fidelity as the original 3327-6, that being said signature 3327-0 detects almost all public exploits for this vulnerability.

Re: Event 3327 false positive?

stith — Fri, 16 Sep 2005 16:28:50 GMT

Thank you for sticking with me and getting this resolved. Thank you also for the work arounds.