Cisco 5525-X IPS 31939 Signature and peformance issues

rcianci · ‎11-20-2012

Hello,

I am running a Cisoc IPS (part of the 5525-X) and have two questions for anyone who can help :

1 - I am running into a lot of signature 31939 Samba Session Setup AndX Security Blob Length Denial Of Service messages - I am not familiar with this signature - anyone have any experience with it

- any countermeasures that I should look into;

- how can I tune this signature - too many are being triggered over the period of a day

- could this be a false positive - it is not only from 1 source

2 - performance related question - I often see the inspection load climb to 75% and above for sustained periods of time - any when I look at the firewall side I think I might be sending 200 Mbps - what is the performance of the IPS - performance limits - would there be any tuning to aid in the perfomance of the unit

Thank-you,

Robert Cianci

plyons · ‎01-17-2013

Yes, seeing floods of 31939/1 since upgrading to 5545-X. None before our upgrade. No Linux / SAMBA onsite. coming from numerous sources onsite, VPN users, etc.. Seeing all kinds of different SMB traffic trigger this alert.

Thanks, Phil

plyons · ‎02-08-2013

In case anyone is searching for this later. This is a bug. Working w/ TAC now. Seeing if disabling 20181.0 eliminates false positives on 31939. We'll see.

Thanks, Phil

Julio Carvajal · ‎02-08-2013

Do you have the bug ID Phil?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

plyons · ‎02-08-2013

Try CSCue39065.

It doesn't show much as we are still testing to determine whether the workaround works - around.

And to reiterate, this is a workaround. Cause is still being researched.

Hope this helps,