sig 3310/0 - how does it trigger?

charlesopelt
Level 1

I am new to Cisco IDS. IDSM2 version 5.0 (5) s215.0. I am trying to understand what makes the Win SMB Share DOS trigger. I am looking at my signature (attachment included) but don't see what makes this thing tick. On the other hand, 3322/0 smb win share enum makes perfect sense, with a defined operation and function. If a certain frequency of 3322's between the same src/dst triggers a 3310, where is that defined?

4 Replies

wsulym
Cisco Employee

The majority of signatures are written where you are able to see all the details, there are a few (like 3310) that are hardcoded into a specific engine. 3310 triggers on a denial of service from sending specially crafted packets requesting the SMB NetShareEnum transaction. Traffic generated from the SMBdie exploit should set this alarm off. The vulnerability was from back in 2002, Microsoft's related advisory is MS02-045.

The AV report I read indicates usage on port 139. I am seeing these alerts pop up occasionally but steadily on port 445. I verified that these machines have up to date AV which should quarantine the exe if it was present. Are there any known false positives for this signature? What string is the signature designed to detect? I will search for this string in our normal traffic.

In Microsoft's more recent OS's (Win2K and newer) they started moving services that were traditionally on TCP port 139 to TCP port 445. The Cisco IPS therefore monitors both ports for Microsoft traffic, given that there is tremendous (I'd like to say 100%, but I don't have the data to back that up) overlap from 139 to 445. Microsoft doesn't really supply enough information for us to know with 100% confidence that it won't work on TCP port 445 under some configuration.

That said, this signature is not a string search, it is a protocol decode. Look for SMB Transact Requests with a MaxDataCount (logical) OR MaxParameterCount field of zero. For those requests, a ParameterOffset field of 0x00, 0x68, or 0xD7 will be present in SMBDIE packets.

Given the age of this vulnerability, there is a serious possibility that any trigger on TCP port 445 might be a false positive. I can't say that for sure, but if I didn't have any old or unpatched Win2K systems fielded, then I'd assume a false positive and tune it out. We'd be interested to know if you have a potential false positive that would let us tighten this signature up, or to at least document it. Packet traces are always welcome.

Scott Cothrell

Mgr. Software Development.
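The protocol-decode rule Scott describes above (Transact request, MaxDataCount or MaxParameterCount of zero, ParameterOffset of 0x00, 0x68 or 0xD7), written out as an added example for checking a packet trace offline; this is not Cisco's engine code. The header layout follows the SMB_COM_TRANSACTION request format, and the sample packets produced by the builder are constructed for illustration.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_FLAGS_REPLY = 0x80            # set in the SMB header Flags byte on replies
SUSPECT_PARAM_OFFSETS = {0x00, 0x68, 0xD7}   # values listed in the thread

# Fixed 28-byte parameter block of an SMB_COM_TRANSACTION request (14 words):
# TotalParameterCount, TotalDataCount, MaxParameterCount, MaxDataCount,
# MaxSetupCount, Reserved, Flags, Timeout, Reserved2, ParameterCount,
# ParameterOffset, DataCount, DataOffset, SetupCount, Reserved3
_TRANS_WORDS = struct.Struct("<HHHHBBHIHHHHHBB")


def parse_transaction_request(pkt: bytes):
    """Decode one TCP payload; None unless it is a Transaction *request*."""
    if len(pkt) >= 4 and pkt[0] == 0x00:      # strip NetBIOS session header
        pkt = pkt[4:]
    if len(pkt) < 33 or pkt[:4] != SMB_MAGIC:
        return None
    command, flags = pkt[4], pkt[9]           # 32-byte SMB header
    if command != SMB_COM_TRANSACTION or flags & SMB_FLAGS_REPLY:
        return None
    word_count = pkt[32]
    body = pkt[33:33 + _TRANS_WORDS.size]
    if word_count < 14 or len(body) < _TRANS_WORDS.size:
        return None                           # truncated or malformed
    w = _TRANS_WORDS.unpack(body)
    return {"max_parameter_count": w[2], "max_data_count": w[3],
            "parameter_offset": w[10], "setup_count": w[13]}


def matches_sig3310(pkt: bytes) -> bool:
    """Apply the decode rule from the thread to a single packet payload."""
    t = parse_transaction_request(pkt)
    if t is None:
        return False
    zero_max = t["max_data_count"] == 0 or t["max_parameter_count"] == 0
    return zero_max and t["parameter_offset"] in SUSPECT_PARAM_OFFSETS


def build_transaction_request(max_param, max_data, param_offset, setup_count=0):
    """Constructed test packet (header + words only), not real capture data."""
    header = SMB_MAGIC + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 27
    words = _TRANS_WORDS.pack(0x13, 0, max_param, max_data, 0, 0, 0, 0, 0,
                              0x13, param_offset, 0, 0, setup_count, 0)
    return header + bytes([14 + setup_count]) + words + b"\x00" * (2 * setup_count)
```

Run each TCP payload from the trace through matches_sig3310 to see which packets satisfy the rule; a hit with a non-zero MaxDataCount or an unlisted ParameterOffset would be worth reporting back as a potential false positive.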

Thank you for the informative replies. I have captured a trace, triggered from the signature, and attached it per your request.
