11-20-2012 10:26 AM - edited 03-10-2019 05:49 AM
Hello,
I am running a Cisco IPS (part of the 5525-X) and have two questions for anyone who can help:
1 - I am running into a lot of signature 31939 Samba Session Setup AndX Security Blob Length Denial Of Service messages - I am not familiar with this signature - anyone have any experience with it
- any countermeasures that I should look into;
- how can I tune this signature - too many are being triggered over the period of a day
- could this be a false positive - it is not only from 1 source
2 - performance-related question - I often see the inspection load climb to 75% and above for sustained periods of time - and when I look at the firewall side I think I might be sending 200 Mbps - what is the performance of the IPS - performance limits - would there be any tuning to aid in the performance of the unit
Thank you,
Robert Cianci
01-17-2013 07:37 AM
Yes, seeing floods of 31939/1 since upgrading to 5545-X. None before our upgrade. No Linux / SAMBA onsite. Coming from numerous sources onsite, VPN users, etc. Seeing all kinds of different SMB traffic trigger this alert.
Thanks, Phil
02-08-2013 06:49 AM
In case anyone is searching for this later. This is a bug. Working w/ TAC now. Seeing if disabling 20181.0 eliminates false positives on 31939. We'll see.
Thanks, Phil
02-08-2013 09:32 AM
Do you have the bug ID Phil?
Regards
02-08-2013 11:12 AM
Try CSCue39065.
It doesn't show much as we are still testing to determine whether the workaround works - around.
And to reiterate, this is a workaround. Cause is still being researched.
Hope this helps,