Sig 3334 Windows Workstation Service Overflow

asafayan
Level 4

We are seeing a very large number of these signatures firing and I'm wondering if anyone has identified legitimate MS traffic as triggering this alert.

8 Replies

craiwill
Cisco Employee

We have not identified any benign triggers associated with this signature. Could you provide a traffic sample of the questionable traffic?

Not applicable

I have performed a packet capture and identified the alerts as a false positive. How do I upload the capture?

jdal
Cisco Employee

You can upload your capture directly on Netpro. When you post an answer, you'll notice the "Add Attachments" link below the Post button.

We are seeing this as well. In our environment it's on a Unisys printer attached with an external HP Jetdirect server.

I have a log but cannot attach it here directly due to any information that is in it that may be confidential. I'd be happy to upload it directly via another avenue.

Sincerely,

Ron Russell

Cisco MUST do a better job of tuning their signatures. We implemented a Juniper IDP (inline and blocking) and I only rely on the Cisco IDSs for secondary / tertiary information b/c of this very reason. I spent about 1 full day chasing down the false positives on this one signature. A huge waste of my company's time and money and another reminder that we made the right choice in implementing our Juniper IDP.

Contact me directly with any questions about our Juniper Intrusion Prevention and Detection appliance. It sits inline and filters our VPN, Internet and RAS segments coming into our network.

nhoover
Level 1

I have identified a trend between multiple traces that are triggering the 3334 signature. It appears that RPC traffic to Lexmark printers is triggering this signature and creating false positives. If this is the case on your network you will be able to see the Lexmark information later in the stream if you enable IP logging. Please let me know if you are seeing the same type of traffic.

We are researching this signature for modification in a future update.
