What Changed in signature 24059 in Release S856 March 10 2015

N3t W0rK3r
Level 3

Last night at 6 pm I began receiving email alerts from one of our IPS regarding:

sig_id = 24059
subsig_id = 0
sig_name = SMB Server Null Pointer Overflow

I have received almost 2000 alerts since then. After much digging around, I discovered that Cisco released an updated signature set last night (IPS release S856), and this specific signature was updated (see link):

http://tools.cisco.com/security/center/viewBulletin.x?bId=672&year=2015#23447

My question is: what exactly changed with the signature to cause all these alerts all of a sudden, and how should I best deal with this on my IPS?

I should mention that the attacker IP is variable (mainly users' workstations) and the victim IPs are mainly servers (DCs).

Thanks in advance.

John
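As an added illustration of how to triage a burst like the one described in this post (this is example code, not anything from the original thread or from Cisco), the script below aggregates alert lines by signature and shows the pattern the poster describes: one signature, many distinct workstation sources, a handful of server targets, and a first-seen time that coincides with the signature update. The alert lines are constructed for the example and only borrow the sig_id/subsig_id/sig_name key names quoted above; the ts, src and dst keys, the placeholder sig_id=1 baseline entry, the update timestamp and the flagging thresholds are all assumptions of the example. The heuristic it applies (first alert ever after the update, wide source fan-in to few targets) is a triage hint for deciding which signatures to retire pending a vendor fix, not Cisco guidance.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Assumed install time of the S856 signature update
# (the post says the alerts began "last night at 6 pm").
UPDATE_TIME = datetime(2015, 3, 9, 18, 0, 0)

# Constructed sample alerts, one per line. Not real Cisco IPS output: the key names
# sig_id/subsig_id/sig_name come from the post; ts/src/dst are assumed. The sig_id=1
# entry is a placeholder baseline signature that fired before the update.
SAMPLE_ALERTS = """\
ts=2015-03-09T17:10:03 sig_id=1 subsig_id=0 sig_name="constructed placeholder signature" src=10.1.20.40 dst=10.1.1.5
ts=2015-03-09T18:00:12 sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" src=10.1.20.15 dst=10.1.1.5
ts=2015-03-09T18:00:45 sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" src=10.1.20.22 dst=10.1.1.6
ts=2015-03-09T18:01:07 sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" src=10.1.21.8 dst=10.1.1.5
ts=2015-03-09T18:03:30 sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" src=10.1.22.101 dst=10.1.1.5
ts=2015-03-09T18:05:02 sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" src=10.1.20.15 dst=10.1.1.6
ts=2015-03-09T18:09:51 sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" src=10.1.23.7 dst=10.1.1.5
"""


def parse_alert(line):
    """Parse one key=value alert line into a dict; shlex handles the quoted sig_name."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in alert line")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def summarize(alert_text):
    """Group alerts by (sig_id, subsig_id): count, distinct sources/targets, time window."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "targets": set(),
                                   "first_seen": None, "last_seen": None, "sig_name": ""})
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        s = summary[(a["sig_id"], a["subsig_id"])]
        s["count"] += 1
        s["sources"].add(a["src"])
        s["targets"].add(a["dst"])
        s["sig_name"] = a["sig_name"]
        s["first_seen"] = a["ts"] if s["first_seen"] is None else min(s["first_seen"], a["ts"])
        s["last_seen"] = a["ts"] if s["last_seen"] is None else max(s["last_seen"], a["ts"])
    return dict(summary)


def update_burst_candidates(summary, update_time, min_alerts=5, min_sources=3):
    """Heuristic (an assumption of this example, not vendor guidance): a signature whose
    very first alert is after the update, fired many times from many distinct internal
    sources against fewer targets, looks like a changed rule matching normal traffic
    rather than a coordinated attack, so it is a candidate to retire while a case is open."""
    flagged = []
    for key, s in summary.items():
        if (s["first_seen"] >= update_time
                and s["count"] >= min_alerts
                and len(s["sources"]) >= min_sources
                and len(s["targets"]) < len(s["sources"])):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for key, s in sorted(summary.items()):
        print(f"sig {key[0]}/{key[1]} {s['sig_name']!r}: {s['count']} alerts, "
              f"{len(s['sources'])} sources -> {len(s['targets'])} targets, "
              f"first {s['first_seen']:%Y-%m-%d %H:%M}, last {s['last_seen']:%H:%M}")
    print("candidates for update-induced false positives:",
          update_burst_candidates(summary, UPDATE_TIME))
```

Run it as-is to see 24059/0 flagged and the baseline signature left alone; on real data, feed your own exported alert lines into summarize() and adjust the thresholds to your environment. A flagged signature still needs a look at a sample of the matched traffic before it is retired, since a genuine worm-style scan from many workstations would show the same fan-in.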

4 Replies

Terry Grant
Level 1

Had the same issue reported today. We have a case open. This happened a few weeks ago during a signature update. The updated signature was misconfigured and firing on legitimate traffic. Probably the same today also. We had to disable the signature to get back to normal operations.

Terry

wgorman
Level 1

I'm experiencing the same activity: thousands of triggered alerts for signature 24059/0. The sources appear to be various workstations and the destinations/targets are the several Domain Controllers on the network.

Is this a false-positive situation?

-wg

mhanson2004
Level 1

I also have the same problem.

Where are you Cisco support? Do you monitor the forums? We are looking for answers.

Thank you.

Mike

shepp
Level 1

Hello, please update to S857, released this morning, for a fix to 24059-0. We rolled back the signature to its previous state.
