Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2005
Views
0
Helpful
2
Replies

Sig Name: Worm Activity - Brute Force

FIS-Global FIS-ProNet
Level 1
Level 1

‎06-28-2010 03:50 PM - edited ‎03-10-2019 05:02 AM

We are using the Cisco IPS 4215 and seeing this alert over and over.

Sig Name: Worm Activity - Brute Force
Sig ID: 16297
Severity: High
Risk Rating: 95
Sig Version: S392

Is this a false postive or something else?

Labels:
0 Helpful
2 Replies 2

Scott Fringer
Cisco Employee
Cisco Employee

‎06-29-2010 03:45 AM

It is not possible to determine from the information you provided.

You can learn more about a specific signature (and potential benign triggers) by visiting the Cisco IntelliShield site:

http://www.cisco.com/security

  For signature 16297/1, the following details are available:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=1&softwareVersion=6.0&releaseVersion=S392

  Signature 16297/1 is based on signature 16297/0:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=0&softwareVersion=6.0&releaseVersion=S392

  It would be best to look at the services running on the reported attacker, and determine if there is a legitimate reason for it to attempt a SMB logon to the victim system and cause 9 logon failures in a 30 second period.  Perhaps an automated service is still attempting to log into the victim system with outdated credentials.

Scott

0 Helpful

FIS-Global FIS-ProNet
Level 1
Level 1

‎07-02-2010 09:47 AM

Thanks for the great information, looks like subsig 0 is

not a big deal...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card