06-25-2008 04:54 PM - edited 03-10-2019 04:09 AM
Today, ips-4250-sx (not-in-line) upgraded from v6.0(4)E1 to 6.0(5)E2, (S335) to (S339).
1st appearance & flood of red alerts,
all internal sources and destinations:
1) Windows DCOM Overflow 0&1 subsigs:
(1100src/100dst=86k total hits)
2) Netware LSASS CIFS.NLM Driver Overflow: (145src/140dst=2.5k total hits)
3) Print Spooler Service Overflow: (140src/75dst=2.4k total hits)
- hit accumulation in 7 hrs since upgrade
Is there some signature tweaking to be done, or is it TAC time?
Anybody else experience this?
-thanks for any advice
Will
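As an added example (not part of this thread or of Cisco's tooling), the following Python script reproduces the kind of triage summary Will posted: per-signature hit counts with unique source and destination counts, plus a flag for signatures whose first hit lands after the upgrade time and whose endpoints are all private (RFC 1918) addresses, the usual shape of an update-induced false-positive flood. The log format, timestamps, signature IDs and addresses in `SAMPLE_LOG` are constructed; adapt `parse_events` to your sensor's actual event export.

```python
"""Triage a burst of IDS alerts that began right after a signature update.

Added example, not from the forum thread. Assumed (constructed) log format,
one alert per line:  <ISO timestamp> <sig id> <src ip> <dst ip>
Real sensor exports differ; only parse_events() depends on the format.
"""
import ipaddress
from datetime import datetime

# Constructed: the moment the new signature set went live on the sensor.
UPGRADE_TIME = datetime(2008, 6, 25, 9, 0)

# Constructed sample events: one pre-existing signature before and after the
# upgrade, and a burst of new signatures from many internal hosts afterwards.
SAMPLE_LOG = """\
2008-06-25T08:10:00 2004 10.1.1.7 10.1.1.1
2008-06-25T09:05:00 5588.0 10.1.2.11 10.1.1.5
2008-06-25T09:05:02 5588.0 10.1.2.12 10.1.1.5
2008-06-25T09:05:03 5588.1 10.1.2.13 10.1.1.6
2008-06-25T09:06:00 6769.0 10.1.3.20 10.1.1.5
2008-06-25T09:06:01 6769.0 10.1.3.21 10.1.1.5
2008-06-25T09:07:00 5565.4 10.1.4.30 10.1.1.9
2008-06-25T10:00:00 2004 10.1.1.7 10.1.1.1
"""


def parse_events(text):
    """Return a list of (timestamp, sig_id, src, dst) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sig, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), sig, src, dst))
    return events


def summarize(events):
    """Per signature: total hits, unique sources, unique destinations, first seen."""
    stats = {}
    for ts, sig, src, dst in events:
        s = stats.setdefault(sig, {"hits": 0, "src": set(), "dst": set(), "first": ts})
        s["hits"] += 1
        s["src"].add(src)
        s["dst"].add(dst)
        if ts < s["first"]:
            s["first"] = ts
    return stats


def all_internal(stats, sig):
    """True when every source and destination for the signature is a private address."""
    addrs = stats[sig]["src"] | stats[sig]["dst"]
    return all(ipaddress.ip_address(a).is_private for a in addrs)


def suspect_new_signatures(stats, upgrade_time):
    """Signatures never seen before the upgrade, firing only between internal hosts.

    These are the candidates to review for false positives (or to disable
    temporarily) before opening a TAC case; they are not proof of anything.
    """
    return sorted(
        sig for sig, s in stats.items()
        if s["first"] >= upgrade_time and all_internal(stats, sig)
    )


def report_lines(stats):
    """Render the summary in the 'Nsrc/Mdst=K total hits' style used in the thread."""
    return [
        f"{sig}: {len(s['src'])}src/{len(s['dst'])}dst={s['hits']} total hits "
        f"(first seen {s['first'].isoformat()})"
        for sig, s in sorted(stats.items())
    ]


if __name__ == "__main__":
    stats = summarize(parse_events(SAMPLE_LOG))
    print("\n".join(report_lines(stats)))
    print("review for false positives:", suspect_new_signatures(stats, UPGRADE_TIME))
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; the "first seen" column is what separates a signature that merely got noisier from one that did not exist before the update.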
06-25-2008 11:25 PM
I had the same issue. Just disabled the new signature and am waiting for better days. As of the new signature set 341, I see 3 new signatures already disabled. I guess with the next update these new ones that give us headaches will be tuned also.
06-26-2008 12:36 AM
Hi Will,
Yes, the same signatures are firing after S339 and the Engine Update! I am quite sure that these are false positives, because Windows DCOM BO fires against the Domain Controllers (I checked and they are healthy). Moreover, these sigs started firing just after the update!
I think Cisco is going to tune the S339 sigs.
Anybody else experience this?
Marco
06-26-2008 06:43 AM
Hi Will,
The IPS team is aware of this issue and investigating. An upcoming sig update will address these sigs.
- Shiva
06-26-2008 07:24 AM
Shiva,
What is your recommendation?
Disable or not?
What is the ETA for the sig update?
Thanks.
-Will
06-27-2008 06:37 AM
I got the same problem after upgrading to 5.1.7E2.
06-27-2008 11:12 AM
We believe we've identified an engine issue that affects signatures 5588-0,1 and 6769-0. It looks like the easiest workaround is to just add the parameter smb command: 37 to the signatures. Due to the nature of the issue, detection should not be affected in a negative way. We plan to ship this change in a signature update next week.
08-29-2008 05:12 AM
How about No. 3, the Print Spooler Overflow, Sig 5565? Same workaround?
08-29-2008 05:29 AM
All of these were fixed in S342 I think:
The S342 signature update contains the following modified signature:
PLATFORM   SIGID    SIGNAME                                    ENGINE                 SEVERITY  ENABLED  DDTS
5.x, 6.x   5565.4   Print Spooler Service Overflow             SERVICE-SMB-ADVANCED   High      True     CSCsq99671
5.x, 6.x   5588.0   Windows DCOM Overflow                      SERVICE-SMB-ADVANCED   High      True     CSCsq99671
5.x, 6.x   5588.1   Windows DCOM Overflow                      SERVICE-SMB-ADVANCED   High      True     CSCsq99671
5.x, 6.x   6769.0   Netware LSASS CIFS.NLM Driver Overflow     SERVICE-SMB-ADVANCED   High      True     CSCsq99671
Regards,
Farrukh