03-03-2011 05:53 AM - edited 03-10-2019 05:17 AM
Hi,
Does anyone have any idea why we are seeing a huge number of "Windows Account Locked" alerts on the Cisco IPS device towards only one Windows server?
We checked whether the Windows server is generating any malicious traffic by scanning the server, but nothing was found.
Feb 23 2011 20:05:47 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:05:32 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:04:47 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:04:32 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:03:47 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:03:32 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:02:47 | Windows Account Locked | Cisco Intrusion Prevention System | ||
Feb 23 2011 20:02:32 | Windows Account Locked | Cisco Intrusion Prevention System |
03-03-2011 07:13 PM
do you have the signature ID?
03-03-2011 10:27 PM
How are you seeing the events? What are you using to check the events, IDM or IME? Send a screenshot of the exact event. In the event details there will be a signature ID. That signature ID will tell us what the signature is designed to match on.
Sid Chandrachud
Cisco TAC - Security team
03-04-2011 12:48 AM
Hi,
Thanks for your response. When I looked it up further on the Cisco IPS vulnerability reference page: http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5605
Signature ID: 5605
Target port: 445
Regards
Papdheen M
03-05-2011 11:16 AM
Mustafa,
Here are the signature details:
This signature detects a Windows SMB user account that has been locked on the Windows server due to multiple failed logon attempts, via the "STATUS_ACCOUNT_LOCKED_OUT" message returned to the client.
This signature's severity is set by default to 'informational'.
Hence all the signature is doing is letting you know that some users were locked out due to multiple logon attempts.
The event details will also reveal the victim IP, which might be the machine on which the logon attempts were tried.
Let me know if this addresses your concern.
- Sid
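As an added example that is not part of the thread or of Cisco's own code: the script below builds constructed SMB1 and SMB2 session-setup responses (header fields only) carrying the NTSTATUS value STATUS_ACCOUNT_LOCKED_OUT (0xC0000234), shows how a sensor pulls that status out of the header, and then groups alert lines in the thread's format by attacker IP. Because the signature fires on the server's reply, the "attacker" in the event is the SMB client that received the lockout status and the "victim" is the server that returned it. The attacker/victim addresses in the sample lines are made up (RFC 5737 documentation ranges), since the lines posted above do not include them. A small, repeating set of gaps between events, as in the posted log, is typical of an automated retry (a service, scheduled task or mapped drive using a stale password) rather than a person typing passwords; that is a general heuristic, not a finding from the thread.

```python
"""Added example: what IPS signature 5605 matches on, and a per-client summary
of 'Windows Account Locked' alert lines. Not from the thread or from Cisco."""
import struct
from collections import defaultdict
from datetime import datetime

# NTSTATUS codes carried in the SMB header Status field (MS-ERREF).
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234   # the value signature 5605 keys on

SMB1_SESSION_SETUP_ANDX = 0x73
SMB2_SESSION_SETUP = 0x0001


def build_smb1_header(status, command=SMB1_SESSION_SETUP_ANDX):
    """Constructed 32-byte SMB1 header for a server reply (test data only)."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       b"\xffSMB", command, status,
                       0x80,            # Flags: SMB_FLAGS_REPLY
                       0x4001, 0,       # Flags2: NT_STATUS | LONG_NAMES; PIDHigh
                       b"\x00" * 8,     # SecurityFeatures
                       0, 0, 0, 0, 0)   # Reserved, TID, PIDLow, UID, MID


def build_smb2_header(status, command=SMB2_SESSION_SETUP):
    """Constructed 64-byte SMB2 header for a server reply (test data only)."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       b"\xfeSMB", 64, 0, status, command,
                       1,               # CreditResponse
                       0x00000001,      # Flags: SMB2_FLAGS_SERVER_TO_REDIR
                       0, 0,            # NextCommand, MessageId
                       0, 0,            # Reserved, TreeId
                       0,               # SessionId
                       b"\x00" * 16)    # Signature


def smb_status(packet):
    """Return the NTSTATUS from an SMB1 or SMB2 header, or None if not SMB."""
    if packet[:4] == b"\xffSMB" and len(packet) >= 9:
        return struct.unpack_from("<I", packet, 5)[0]   # after 4-byte ID + Command
    if packet[:4] == b"\xfeSMB" and len(packet) >= 12:
        return struct.unpack_from("<I", packet, 8)[0]   # after ID, StructureSize, CreditCharge
    return None


def is_account_locked_out(packet):
    """True when the server told the client the account is locked out."""
    return smb_status(packet) == STATUS_ACCOUNT_LOCKED_OUT


# Constructed alert lines in the thread's format, with attacker and victim
# columns filled in using documentation addresses; 192.0.2.10 plays the role
# of the database server and 192.0.2.1 the domain controller.
SAMPLE_ALERTS = [
    "Feb 23 2011 20:05:47 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:05:32 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:04:47 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:04:32 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:03:47 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:03:32 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:03:10 | Windows Account Locked | 192.0.2.50 | 192.0.2.1",
    "Feb 23 2011 20:03:12 | Some Other Signature    | 192.0.2.60 | 192.0.2.1",
    "Feb 23 2011 20:02:47 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
    "Feb 23 2011 20:02:32 | Windows Account Locked | 192.0.2.10 | 192.0.2.1",
]


def summarize_lockouts(lines):
    """Group lockout alerts by attacker IP: event count, distinct inter-event
    gaps in seconds, and the victim servers. Few distinct gaps repeating on a
    fixed cadence suggest an automated retry rather than a human."""
    per_src = defaultdict(list)
    victims = defaultdict(set)
    for line in lines:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 4 or parts[1] != "Windows Account Locked":
            continue
        ts = datetime.strptime(parts[0], "%b %d %Y %H:%M:%S")
        per_src[parts[2]].append(ts)
        victims[parts[2]].add(parts[3])
    report = {}
    for src, times in per_src.items():
        times.sort()
        gaps = sorted({int((b - a).total_seconds()) for a, b in zip(times, times[1:])})
        report[src] = {"count": len(times), "gaps": gaps, "victims": sorted(victims[src])}
    return report


if __name__ == "__main__":
    pkt = build_smb2_header(STATUS_ACCOUNT_LOCKED_OUT)
    print("SMB2 status 0x%08X locked_out=%s" % (smb_status(pkt), is_account_locked_out(pkt)))
    for src, info in summarize_lockouts(SAMPLE_ALERTS).items():
        print(src, info)
```

Run against a packet capture, `smb_status` would be applied to the server-to-client Session Setup reply on TCP/445; against an IPS export, feed the alert lines to `summarize_lockouts` and look for one source with a regular cadence, which is the host whose stored credential needs to be found and updated.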
03-13-2011 03:51 AM
Dear Sid,
Thanks for your response. Actually, the attacker IP is a database server joined to the domain, and the attacker username shows as empty.
The server is running with the latest AV signatures.
Attacker IP - Database server (the server itself)
Destination - Active Directory server
Destination port - 445
More information would be helpful to isolate the problem.
Regards
Papdheen M