https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477444#M98856 <HTML><HEAD></HEAD><BODY><P>The subsig ID is 6</P><P></P><P>Windows RPC DCOM Overflow 3327.6</P><P></P><P>Thanks,</P><P>Ryan</P></BODY></HTML> Tue, 24 Jan 2006 01:11:36 GMT rsumidacisco 2006-01-24T01:11:36Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477441#M98851 <P>New IDSM2 installation here. Just got them to work last week so no real tuning done yet. They are running in promiscuous mode with software version 5.0(5sp2). We are using CN-MARS 4.1 to collect events.</P><P></P><P>I'm seeing a lot of RPC DCOM overflow events sourcing from systems that are likely not compromised. The interesting thing is that the destination of most of these RPC DCOM overflows are all going to the same system that I am very suspicious of. Am I reading these events incorrectly? Is the destination address for this event actually the attacker? I've already had one instance where the IDSM2s reported a SMB auth failure with the source and destination reversed.</P><P></P><P>Has anyone else run into these types of issues before?</P><P></P><P>Lastly, what type of &#147;normal&#148; traffic, if any, would trigger the Windows RPC DCOM Overflow signature?</P><P></P><P>Thank you,</P><P>Ryan Sumida</P> Sun, 10 Mar 2019 09:51:23 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477441#M98851 rsumidacisco 2019-03-10T09:51:23Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477442#M98852 <HTML><HEAD></HEAD><BODY><P>Which sub-signature id is firing?</P></BODY></HTML> Mon, 23 Jan 2006 22:04:47 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477442#M98852 craiwill 2006-01-23T22:04:47Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477443#M98854 <HTML><HEAD></HEAD><BODY><P>Hi Craiwill,</P><P>How do I find the subsig? The MARS raw event message shows</P><P>TCP Windows RPC DCOM Overflow,NR-3327/6,Port List:139,Risk Rating:65,VLAN:256,Context:AAAAeP9TTUIyAAAAABgHyAAAAAAAAAAAAAAAAAc40AQAMESyDzQAAAACAEAA AAAAAAAAAAAAADQARAAAAAAAAQAFADcAAAAA7QMAAAAA:</P><P></P><P>I'll do some searching around on the IDSM2s but where do I look to find which one is being firing?</P><P></P><P>Thanks,</P><P>Ryan</P></BODY></HTML> Tue, 24 Jan 2006 00:47:55 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477443#M98854 rsumidacisco 2006-01-24T00:47:55Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477444#M98856 <HTML><HEAD></HEAD><BODY><P>The subsig ID is 6</P><P></P><P>Windows RPC DCOM Overflow 3327.6</P><P></P><P>Thanks,</P><P>Ryan</P></BODY></HTML> Tue, 24 Jan 2006 01:11:36 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477444#M98856 rsumidacisco 2006-01-24T01:11:36Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477445#M98857 <HTML><HEAD></HEAD><BODY><P>This may be a false positive. You can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives. </P><P></P><P>For example:</P><P></P><P>Tune signature 3327-6 and remove the produce alert action. </P><P></P><P>Create a custom signature as follows: </P><P></P><P>Engine Meta </P><P>Component list: </P><P>3327-6 </P><P>3328-0 </P><P></P><P>Meta-reset-interval = 2 </P><P>Severity high </P><P>Summarize </P><P>Met-key = Axxx &#150; 1 unique victim </P><P>Component-list-in order = false </P><P>Event action: produce alert </P><P></P><P></P><P>This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own you would not see alerts from it. </P><P></P><P>Note that this signature does not have as high fidelity as the original 3327-6, that being said signature 3327-0 detects almost all public exploits for this vulnerability. </P><P></P></BODY></HTML> Tue, 24 Jan 2006 15:16:42 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477445#M98857 craiwill 2006-01-24T15:16:42Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477446#M98858 <HTML><HEAD></HEAD><BODY><P>I get a lot of what I think are false but it is not subsig 6. Looks like mine is subsig 0</P><P></P><P>Any thoughts?</P><P></P><P>Details</P><P></P><P>Sig Name: Windows RPC DCOM Overflow</P><P>Sig ID: 3327</P><P>Severity: High</P><P>Risk Rating: 100</P><P>Sig Version: S188</P><P>Attack Type: Code Execution</P><P>OS Family: Windows</P><P>OS: General Windows</P><P>Protocol: tcp</P><P>Protocol Details: <N></N></P><P>Service: MSRPC</P><P></P><P>Attacker Address: xxx.xxx.xxx.xxx</P><P>Attacker Port: 1438</P><P>Attacker Loc: PubIN</P><P>Attacker Unreliable: False</P><P>Victim Address: 172.16.8.10</P><P>Victim Port: 445</P><P>Victim Loc: PrivIN</P><P></P><P>Local Date: Thu, Jan 26, 2006</P><P>Local Time: 02:57:22 PM</P><P>Time Offset: -300</P><P>Time Zone: EST</P><P></P><P>Response</P><P></P><P>IP Logs: False</P><P>Trig Pkt Created: False</P><P>Connection Block Requested: False</P><P>Host Block Requested: False</P><P>Deny Packet: False</P><P>Deny Flow: False</P><P>Deny Attacker: False</P><P>Would've Denied Packet: False</P><P>Would've Denied Flow: False</P><P>Would've Denied Attacker: False</P><P>TCP Reset: False</P><P>Resolved: False</P><P></P><P>Reporting Chain</P><P></P><P>Sensor Name: IDS-C5829</P><P>Orig App Name: sensorApp</P><P>Orig App Addr: 172.17.201.2</P><P>Orig SecMon Addr: <N></N></P><P>Original SecMon ID: 0</P><P>Downstream SecMon ID: 0</P><P></P><P>Context</P><P></P><P>Attacker Context: )SMBC9 h&amp;@)SMBe| h)@)SMB{!fdj i'@)SMBOF.w Si(@SMB% ^S ihThT&amp;*@y</P><P>Victim Context: ]D</P><P>&gt; g#SMBi&gt;</P><P> h#SMBB'H Sh#SMBd%</P><P>,t h#SMB}c`g h#SMB1C i#SMBot</P><P> Si</P><P></P></BODY></HTML> Thu, 26 Jan 2006 21:14:53 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477446#M98858 jcosgrove 2006-01-26T21:14:53Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477447#M98859 <HTML><HEAD></HEAD><BODY><P>There is not enough data from the alert context buffer to determine if this is a false positive. That being said, it would be very hard to imagine a situation that could cause this signature to false positive. I would suspect that this is a real attack.</P></BODY></HTML> Thu, 26 Jan 2006 22:08:32 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477447#M98859 craiwill 2006-01-26T22:08:32Z https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477448#M98860 <HTML><HEAD></HEAD><BODY><P>Thanks craiwill. This looks like it will cut down on a lot of the "noise" for the RPC DCOM overflows. I created the custom sig and will deploy it later tonight. Thank you for your assistance. Much appreciated.</P><P></P><P>Ryan Sumida</P></BODY></HTML> Fri, 27 Jan 2006 22:00:13 GMT https://community.cisco.com/t5/network-security/windows-rpc-dcom-overflow-events/m-p/477448#M98860 rsumidacisco 2006-01-27T22:00:13Z