cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1356
Views
0
Helpful
1
Replies

IPS Signature 5575- IDSM2

Hi,

I am getting a lot of alerts on this signature; and I would like to know if there is anything I need to do on my side to resolve it.

Attacker IP is the DNS server and Victim is one of the servers.

event_id = 1341305878892548268

severity = informational

device_name = IPS1

app_name = sensorApp

receive_time = 07/13/2012 04:07:20

event_time = 07/13/2012 03:07:19

sensor_local_time = 07/13/2012 03:07:19

sig_id = 5575

sig_name = NBT NetBIOS Session Service Failed Login sig_details = attacker_ip = 10.10.X.XX victim_ip = 10.10.XX.XX victim_port = 49563 vlan = 111 virtual_sensor = vs0 actions = alert_details = risk_rating_num = 28(TVR=medium ARR=relevant) threat_rating = 28 protocol = tcp

1 Reply 1

nicksmi
Cisco Employee
Cisco Employee

Probably not.  The signature is informational and the following is from the benign triggers section:

"The default alarm level for this is low because this happens during normal network activity within a Windows network.  As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system."

It is retired by default due to its low fidelity.  It would require tuning based on your specific network traffic profile to be of greater use.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers