11-20-2012 10:26 AM - edited 03-10-2019 05:49 AM
Hello,
I am running a Cisco IPS (part of the 5525-X) and have two questions for anyone who can help:
1 - I am running into a lot of signature 31939 Samba Session Setup AndX Security Blob Length Denial Of Service messages - I am not familiar with this signature - anyone have any experience with it
- any countermeasures that I should look into;
- how can I tune this signature - too many are being triggered over the period of a day
- could this be a false positive - it is not only from 1 source
2 - performance related question - I often see the inspection load climb to 75% and above for sustained periods of time - and when I look at the firewall side I think I might be sending 200 Mbps - what is the performance of the IPS - performance limits - would there be any tuning to aid in the performance of the unit
Thank-you,
Robert Cianci
01-17-2013 07:37 AM
Yes, seeing floods of 31939/1 since upgrading to 5545-X. None before our upgrade. No Linux / SAMBA onsite. Coming from numerous sources onsite, VPN users, etc. Seeing all kinds of different SMB traffic trigger this alert.
Thanks, Phil
02-08-2013 06:49 AM
In case anyone is searching for this later. This is a bug. Working w/ TAC now. Seeing if disabling 20181.0 eliminates false positives on 31939. We'll see.
Thanks, Phil
02-08-2013 09:32 AM
Do you have the bug ID Phil?
Regards
02-08-2013 11:12 AM
Try CSCue39065.
It doesn't show much as we are still testing to determine whether the workaround works - around.
And to reiterate, this is a workaround. Cause is still being researched.
Hope this helps,