cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
573
Views
0
Helpful
1
Replies

windows rpc race condition 3337.0

yvasanthk
Level 1
Level 1

Hi,

IDSM2 on 6500 with 4.1(1)S213

I see a lot of signature 3337 events (Windows RPC race condition exploitation) being fired with destination IP address of my active directory server and on port 135. Source addresses are all on the inside.

How to tune this signature?

-- vasanth

1 Reply 1

wsulym
Cisco Employee
Cisco Employee

This signature relates to the Microsoft MS04-012 and addresses an RPC race condition. If your systems are patched, you can filter out your inside hosts.

Keep in mind that Windows Terminal Services Servers will also set this alert off due to the high amount of RPC traffic - if the servers are patched, you can filter them out as well.

Review Cisco Networking for a $25 gift card