cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1388
Views
0
Helpful
5
Replies
mustafa.papdheen
Beginner

Seeing continous "Windows Account Locked" alert in Cisco IPS

Hi,

Can any one have any idea on why we are seeing huge number of "Windows Account Locked" alert in Cisco IPS device towards only one Windows server.

We checked whether Windows server is generating any malicious traffic by scanning the server but nothing is found

Feb 23 2011 20:05:47

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:05:32

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:04:47

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:04:32

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:03:47

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:03:32

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:02:47

Windows Account Locked

Cisco Intrusion Prevention System

Feb 23 2011 20:02:32

Windows Account Locked

Cisco Intrusion Prevention System

5 REPLIES 5
PAUL GILBERT ARIAS
Contributor

do you have the signature ID?

How are you seeing the events ? What are you using to check the events ?  IDM, IME ?  Send a screenshot the exact event. In the event details, there would be a signature id.  That signature id will tell us what the signature is designed to match on. 

Sid Chandrachud

Cisco TAC - Security team

Hi,

Thanks for your response. When i lookup up further, Ciscp IPS vulnerability reference page :http://tools.cisco.com/security/center/viewIpsSignature.x?

Signature ID : signatureId=5605

Target Port =445.

Regards

Papdheen M

Mustafa,

Here are the signature details:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5605&signatureSubId=0&softwareVersion=6.0&releaseVersion=S262

This signature detects a Windows SMB user account  that has been locked on the Windows server due to multiple failed logon  attempts, via the "STATUS_ACCOUNT_LOCKED_OUT" message returned to the  client.

This signature severity is set by default to 'informational'

Hence all the signature is doing is leeting you know some users were locked out due to multiple logon attempts.

The event details will also reveal victim ip which might be the machine on which the logon attempts were tried.

Let me know if this addresses your concern.

- Sid

Dear Sid,

Thanks for your response. Actually attacker IP is a database server joined in domain and attacker username is showing as empty"

Server is running with latest AV signature.

Attacker IP - Database server(server itsefl)

Destination- Active Direcotry server

Destination Port - 445

More information will be helpful to isolate the problem.

Regards

Papdheen M

Create
Recognize Your Peers
Content for Community-Ad