Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1627
Views
0
Helpful
1
Replies

IPS Signature 5575- IDSM2

Silindile Dlamini
Level 1
Level 1

‎07-16-2012 01:50 AM - edited ‎03-10-2019 05:43 AM

Hi,

I am getting a lot of alerts on this signature; and I would like to know if there is anything I need to do on my side to resolve it.

Attacker IP is the DNS server and Victim is one of the servers.

event_id = 1341305878892548268

severity = informational

device_name = IPS1

app_name = sensorApp

receive_time = 07/13/2012 04:07:20

event_time = 07/13/2012 03:07:19

sensor_local_time = 07/13/2012 03:07:19

sig_id = 5575

sig_name = NBT NetBIOS Session Service Failed Login sig_details = attacker_ip = 10.10.X.XX victim_ip = 10.10.XX.XX victim_port = 49563 vlan = 111 virtual_sensor = vs0 actions = alert_details = risk_rating_num = 28(TVR=medium ARR=relevant) threat_rating = 28 protocol = tcp

Labels:
0 Helpful
1 Reply 1

nicksmi
Cisco Employee
Cisco Employee

‎07-20-2012 01:39 PM

Probably not.  The signature is informational and the following is from the benign triggers section:

"The default alarm level for this is low because this happens during normal network activity within a Windows network.  As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system."

It is retired by default due to its low fidelity.  It would require tuning based on your specific network traffic profile to be of greater use.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card