ASN.1 Attack - 3336

bfl1
Level 1

My IDS alerted to Sig 3336. I scanned the source and destination for this vulnerability and every backdoor ISS Scanner has and both show clean.

Here is the context buffer - does this look like an actual attack? Thanks.

Decoded Alarm Context(Signature Name='Windows ASN.1 Bit String NTLMv2 Integer Overflow' Event ID='1061746676113511598' Device Name='Sensor12' Event UTC Time='1082119844203755000'):

From attacker: n f 6) m X ~ {?RxE T s c 5 0g qC= 'x t c 42 |y[n m ] bf6& {[ cN '{ f- 6 c 3udL J- = u oe) P!" B PU * b YD = r Bz 0#Y B4 J l O 4S0 9 '@ @ ] P ?]D Dz T #

From victim: 0@N / % SMB 0 N / SMB/ 0 N / % SMB 0 O / SMB/ 0@O / % SMB 0 O

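An added example, written by the editor and not code from either poster or from Cisco: it parses the Decoded Alarm Context header quoted above into its fields, converts Event UTC Time to a readable timestamp (assumed to be nanoseconds since the Unix epoch), and counts the SMB header markers on the victim side. The header and victim strings are constructed copies of the text in the post.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the alarm header quoted in the post.
ALARM_HEADER = (
    "Decoded Alarm Context(Signature Name='Windows ASN.1 Bit String NTLMv2 "
    "Integer Overflow' Event ID='1061746676113511598' Device Name='Sensor12' "
    "Event UTC Time='1082119844203755000'):"
)

# Constructed copy of the victim-side context dump from the post.
VICTIM_CONTEXT = "0@N / % SMB 0 N / SMB/ 0 N / % SMB 0 O / SMB/ 0@O / % SMB 0 O"

# Key='value' pairs; keys are words separated by spaces, values are quoted.
FIELD_RE = re.compile(r"([A-Za-z ]+?)='([^']*)'")


def parse_alarm_header(line: str) -> dict:
    """Return the key/value fields found inside Decoded Alarm Context(...)."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        raise ValueError("not a Decoded Alarm Context line")
    return {k.strip(): v for k, v in FIELD_RE.findall(line[start + 1:end])}


def event_time(fields: dict) -> datetime:
    """Convert Event UTC Time to an aware datetime.

    Assumption: the 19-digit value is nanoseconds since the Unix epoch.
    Integer divmod keeps the sub-second part exact (float would round it).
    """
    seconds, nanos = divmod(int(fields["Event UTC Time"]), 1_000_000_000)
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.replace(microsecond=nanos // 1000)


def smb_marker_count(context: str) -> int:
    """Count 'SMB' header markers in a printable context dump.

    The victim answering with SMB headers is consistent with the NTLM-over-SMB
    traffic this signature inspects, but it says nothing about whether the
    ASN.1 bit string in the request was malformed; that needs the packet.
    """
    return context.count("SMB")


if __name__ == "__main__":
    fields = parse_alarm_header(ALARM_HEADER)
    print(fields["Signature Name"], "on", fields["Device Name"])
    print("event time:", event_time(fields).isoformat())
    print("victim SMB markers:", smb_marker_count(VICTIM_CONTEXT))
```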

mcerha
Level 3

Unfortunately, the context buffer you provided will not allow me to diagnose whether this is a false positive or not. If the alarm is still firing, please enable IP logging for signature 3336 (make sure to set CapturePacket to true). Send the logs to mcerha@cisco.com. This is the best way for us to determine if it's a real attack or not.