https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504050#M99335 <HTML><HEAD></HEAD><BODY><P>We are researching this signature for modification in a future update.</P></BODY></HTML> Tue, 31 May 2005 11:20:29 GMT craiwill 2005-05-31T11:20:29Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504044#M99328 <P>We are seeing a very large number of these signatures firing and I'm wondering if anyone has identified legitimate MS traffic as triggering this alert.....</P> Sun, 10 Mar 2019 09:28:13 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504044#M99328 asafayan 2019-03-10T09:28:13Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504045#M99330 <HTML><HEAD></HEAD><BODY><P>We have not identified any benign triggers associated with this signature. Could you provide a traffic sample of the questionable traffic?</P></BODY></HTML> Fri, 27 May 2005 12:04:25 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504045#M99330 craiwill 2005-05-27T12:04:25Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504046#M99331 <HTML><HEAD></HEAD><BODY><P></P></BODY></HTML> Fri, 27 May 2005 12:40:03 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504046#M99331 2005-05-27T12:40:03Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504047#M99332 <HTML><HEAD></HEAD><BODY><P>I have performed a packet capture and identified the alerts as a false positive. How do I upload the capture?</P></BODY></HTML> Fri, 27 May 2005 22:39:49 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504047#M99332 asafayan 2005-05-27T22:39:49Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504048#M99333 <HTML><HEAD></HEAD><BODY><P>I have identified a trend between multiple traces that are triggering the 3334 signature. It appears that RPC traffic to Lexmark printers are triggering this signature and creating false positives. If this is the case on your network you will be able to see the Lexmark information later in the stream if you enable ip logging. Please let me know if you are seeing the same type of traffic. </P></BODY></HTML> Mon, 30 May 2005 06:45:17 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504048#M99333 nhoover 2005-05-30T06:45:17Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504049#M99334 <HTML><HEAD></HEAD><BODY><P>You can upload your capture directly on Netpro. When you post an answer, you'll notice the "Add Attachments" link below the Post button.</P><P></P></BODY></HTML> Tue, 31 May 2005 06:01:40 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504049#M99334 jdal 2005-05-31T06:01:40Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504050#M99335 <HTML><HEAD></HEAD><BODY><P>We are researching this signature for modification in a future update.</P></BODY></HTML> Tue, 31 May 2005 11:20:29 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504050#M99335 craiwill 2005-05-31T11:20:29Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504051#M99336 <HTML><HEAD></HEAD><BODY><P>We are seeing this as well. In our environment it's on a Unisys printer attached with an external HP Jetdirect server.</P><P></P><P>I have a log but cannot attach it here directly due to any information that is in it that may be confidential. I'd be happy to upload it directly via another avenue.</P><P></P><P>Sincerely,</P><P>Ron Russell</P></BODY></HTML> Wed, 01 Jun 2005 15:40:59 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504051#M99336 rrussell 2005-06-01T15:40:59Z https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504052#M99340 <HTML><HEAD></HEAD><BODY><P>Cisco MUST do a better job of tuning their signatures. We implemented a Juniper IDP (inline and blocking) and I only rely on the Cisco IDSs for secondary / tertiary information b/c of this very reason. I spent about 1 full day chasing down the false positives on this one siganture. A hugh waste of my companies time and money and a another reminder that we made the right choice in implementing our Juniper IDP. </P><P></P><P>Contact me directly with any questions about our Juniper Intrusion Prevention and Detection appliance. It sits inline and filters our VPN, Internet and RAS segments coming into our network.</P></BODY></HTML> Wed, 01 Jun 2005 17:35:57 GMT https://community.cisco.com/t5/network-security/sig-3334-windows-workstation-service-overflow/m-p/504052#M99340 asafayan 2005-06-01T17:35:57Z