09-12-2008 05:55 AM - edited 03-10-2019 04:17 AM
How to determine if an SMB - Remote SAM server access alert is a false positive?
09-13-2008 12:32 AM
You know it by looking at the source/destination IPs. An IPS is no magic device, it's just a 'tool' to enforce your security policy. If those IPs are allowed to access SAM remotely, then it's acceptable (i.e. IPS False Positive); if they are not allowed, it's NOT OK (True Positive).
Regards
Farrukh
09-16-2008 09:11 AM
5583-0 right?
I would say that there are different types of false positives. Do you mean, how do I determine if what was seen actually represents an attempt to access the SAM database? I would start by looking at MySDN (or whatever Cisco is calling it these days...intellishield?). It's often not very up to date and missing information, but it's an easy thing to check. Here's the link for this sig:
https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5583&signatureSubId=0
If you look at the benign triggers, you'll see that it suggests that this only matters if the source is external. It's up to you whether to research any further. If you really want to inspect the signature further, you'll have to add one of the "log packets" actions. This will save a network trace when it fires again and then you can open it up in Wireshark, which understands SMB and will probably decode it enough for you to verify whether it actually was an attempt to access the "Remote SAM server".
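The two replies together describe a triage rule: the alert is only a true positive if the source/destination pair is not permitted by policy to access the SAM remotely, and the vendor's benign-trigger note says an external source is what matters. Below is an added example (not code from the thread or from Cisco) that applies both checks to a handful of alert records. The `sig=... src=... dst=...` line format, the RFC 1918 "internal" definition, and the allowed-client and SAM-server host lists are all constructed assumptions for illustration; a real deployment would take these from the IPS export and from the site's own access policy.

```python
"""Triage helper for IPS alerts on 'SMB - Remote SAM server access' (sig 5583-0).

Added example, not from the thread. Implements the two checks the replies
describe: (1) is the source/destination pair permitted by policy to access the
SAM remotely, and (2) is the source external (the vendor's benign-trigger note).
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed (hypothetical) policy: hosts allowed to perform remote SAM access,
# e.g. domain controllers replicating or an admin jump host.
ALLOWED_SAM_CLIENTS = {"10.0.0.5", "10.0.0.6"}
# Constructed (hypothetical): hosts that legitimately answer SAM queries.
SAM_SERVERS = {"10.0.1.10", "10.0.1.11"}

# "Internal" here means RFC 1918 space; adjust to the site's actual ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

REMOTE_SAM_SIG = "5583-0"  # signature id quoted in the thread


@dataclass
class Alert:
    sig_id: str
    src: str
    dst: str


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'sig=5583-0 src=A.B.C.D dst=W.X.Y.Z' record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Alert(fields["sig"], fields["src"], fields["dst"])


def triage(alert: Alert) -> str:
    """Classify one alert: not-applicable, false-positive, or true-positive."""
    if alert.sig_id != REMOTE_SAM_SIG:
        return "not-applicable"
    # Benign-trigger note: an external source is never an expected SAM client.
    if not is_internal(alert.src):
        return "true-positive: external source"
    # Policy check from the first reply: permitted pair -> IPS false positive.
    if alert.src in ALLOWED_SAM_CLIENTS and alert.dst in SAM_SERVERS:
        return "false-positive: permitted by policy"
    return "true-positive: internal host not permitted remote SAM access"


def triage_lines(lines: List[str]) -> List[str]:
    """Run triage over raw alert lines and return one verdict per line."""
    return [triage(parse_alert(line)) for line in lines]


# Constructed sample alerts (addresses are documentation/RFC 1918 examples).
SAMPLE_ALERTS = [
    "sig=5583-0 src=10.0.0.5 dst=10.0.1.10",      # DC-to-DC, allowed by policy
    "sig=5583-0 src=203.0.113.7 dst=10.0.1.10",   # external source
    "sig=5583-0 src=10.0.7.44 dst=10.0.1.10",     # workstation not on the list
    "sig=1000-0 src=10.0.0.5 dst=10.0.1.10",      # unrelated signature
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_ALERTS, triage_lines(SAMPLE_ALERTS)):
        print(f"{line:45s} -> {verdict}")
```

Alerts that come back as true positives are the ones worth the "log packets" action the reply suggests, so the next firing produces a capture to confirm in Wireshark.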