
Cisco 5525-X IPS 31939 Signature and performance issues

rcianci
Level 1

Hello,

I am running a Cisco IPS (part of the 5525-X) and have two questions for anyone who can help:

1 - I am running into a lot of signature 31939 "Samba Session Setup AndX Security Blob Length Denial Of Service" messages. I am not familiar with this signature - does anyone have any experience with it?

  - any countermeasures that I should look into;

  - how can I tune this signature - too many are being triggered over the period of a day

  - could this be a false positive - it is not only from 1 source

2 - Performance-related question: I often see the inspection load climb to 75% and above for sustained periods of time, and when I look at the firewall side I think I might be sending 200 Mbps. What is the performance of the IPS (performance limits)? Would there be any tuning to aid in the performance of the unit?

Thank-you,

Robert Cianci

4 Replies

plyons
Level 1

Yes, seeing floods of 31939/1 since upgrading to 5545-X. None before our upgrade. No Linux / SAMBA onsite. Coming from numerous sources onsite, VPN users, etc. Seeing all kinds of different SMB traffic trigger this alert.

Thanks, Phil

In case anyone is searching for this later.  This is a bug. Working w/ TAC now.  Seeing if disabling 20181.0 eliminates false positives on 31939.  We'll see.

Thanks, Phil

Do you have the bug ID Phil?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Try CSCue39065.

It doesn't show much as we are still testing to determine whether the workaround works - around.

And to reiterate, this is a workaround.  Cause is still being researched.

Hope this helps,
