03-11-2015 11:21 AM - edited 03-10-2019 06:20 AM
Last night at 6 pm I began receiving email alerts from one of our IPS regarding:
sig_id = 24059
subsig_id = 0
sig_name = SMB Server Null Pointer Overflow
I received almost 2000 alerts since then, and after much digging around I discovered that Cisco released an updated signature in last night's IPS release S856, and this specific signature was updated (see link):
http://tools.cisco.com/security/center/viewBulletin.x?bId=672&year=2015#23447
My question is, what exactly changed with the signature to cause all these alerts all of a sudden, and how should I best deal with this on my IPS?
I should mention that the attacker IP is variable (mainly users' workstations) and the victim IPs are mainly servers (DCs).
Thanks in advance.
John
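The pattern described in the post above (one signature, many internal workstation sources, a handful of domain-controller destinations) is the kind of thing worth confirming from the alert export before deciding whether to disable a signature. The following is an added triage example, not code from the thread or from Cisco: it assumes the alerts have been exported as one key=value record per line using the field names quoted in the post (sig_id, subsig_id, sig_name) plus attacker/victim addresses, groups them per signature, and flags a burst as a false-positive *candidate* when every source is internal and every victim is a known DC. The sample lines, the DC list, the internal range and the second signature ID are all constructed for illustration.

```python
"""Triage a burst of IPS alerts by signature (added example, not from the thread).

Assumes alerts were exported as one key=value record per line, using the field
names quoted in the original post (sig_id, subsig_id, sig_name) plus
attacker/victim addresses. Sample data, DC list and internal range are constructed.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed sample export: 24059/0 fires from several workstations against two
# domain controllers; sig_id 99999 is a made-up contrast case, not a real signature.
SAMPLE_ALERTS = """\
sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" attacker=10.1.20.15 victim=10.1.0.10
sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" attacker=10.1.20.16 victim=10.1.0.10
sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" attacker=10.1.20.17 victim=10.1.0.11
sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" attacker=10.1.21.40 victim=10.1.0.11
sig_id=24059 subsig_id=0 sig_name="SMB Server Null Pointer Overflow" attacker=10.1.21.41 victim=10.1.0.10
sig_id=99999 subsig_id=0 sig_name="Constructed contrast signature" attacker=203.0.113.9 victim=10.1.0.25
"""

# Constructed: the environment's domain controllers and internal address space.
DOMAIN_CONTROLLERS = {"10.1.0.10", "10.1.0.11"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# key=value pairs; a value may be a double-quoted string containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_alert(line):
    """Turn one key=value record into a dict, dropping the quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarize(text):
    """Group alerts by (sig_id, subsig_id) and describe who is hitting whom."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            alert = parse_alert(line)
            groups[(alert["sig_id"], alert["subsig_id"])].append(alert)

    summary = {}
    for key, alerts in groups.items():
        attackers = Counter(a["attacker"] for a in alerts)
        victims = Counter(a["victim"] for a in alerts)
        summary[key] = {
            "sig_name": alerts[0]["sig_name"],
            "count": len(alerts),
            "distinct_attackers": len(attackers),
            "distinct_victims": len(victims),
            "internal_attackers": all(is_internal(a) for a in attackers),
            "all_victims_dc": all(v in DOMAIN_CONTROLLERS for v in victims),
        }
    return summary


def likely_false_positive(stats, min_alerts=3):
    """Heuristic only: many distinct *internal* hosts all tripping one signature
    against domain controllers looks like ordinary workstation-to-DC SMB traffic
    matching an over-broad signature rather than a coordinated exploit. It marks
    a candidate to check against the signature release notes; it proves nothing."""
    return (stats["count"] >= min_alerts
            and stats["distinct_attackers"] >= 3
            and stats["internal_attackers"]
            and stats["all_victims_dc"])


if __name__ == "__main__":
    for (sig, sub), st in summarize(SAMPLE_ALERTS).items():
        verdict = "FP candidate" if likely_false_positive(st) else "review"
        print(f"{sig}/{sub} {st['sig_name']!r}: {st['count']} alerts, "
              f"{st['distinct_attackers']} sources -> {st['distinct_victims']} victims "
              f"[{verdict}]")
```

Run it against the real export rather than the constructed sample; if the 24059/0 group is flagged while nothing else changes on the network, the next check is the signature-update release notes, as the thread goes on to do. Disabling a signature outright, as one reply below describes, trades the alert flood for blindness to whatever the signature was meant to catch, so re-enable it once a corrected release is installed.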
03-11-2015 01:57 PM
Had the same issue reported today. We have a case open. This happened a few weeks ago during a signature update. The updated signature was misconfigured and firing on legitimate traffic. Probably the same today also. We had to disable the signature to get back to normal operations.
Terry
03-11-2015 03:49 PM
I'm experiencing the same activity -- thousands of triggered alerts for sig. ID 24059/0. The source appears to be various workstations and the destinations/targets are the several Domain Controllers on the network.
Is this a false positive situation?
-wg
03-12-2015 04:11 PM
I also have the same problem.
Where are you Cisco support? Do you monitor the forums? We are looking for answers.
Thank you.
Mike
03-12-2015 07:09 PM
Hello, please update to S857, released this morning, for a fix to 24059-0. We rolled back the signature to its previous state.