
False Triggers for Sig 3314 - Windows Locator Service Overflow

8rpalmer
Level 1

We have been seeing millions of alerts on sig 3314, which appears to be legit traffic for print requests destined to our print server running on a W2K server.

Although the traffic looks legit, we don't understand why we are seeing 250,000,000 alerts in a 2.5 hour period.

Anyone else seeing this same behavior?

2 Replies

craiwill
Cisco Employee

In order to answer your question it would be helpful to know which platform and software version you are using. I also need to know which subsig is firing. There are known false positives associated with 3314 subsig 0. It is disabled by default and marked as deprecated since 3314 subsig 1 more accurately detects this overflow.

The sensor is an ids-4235-K9 running 4.1(4)S125. I looked and subsig 0 was enabled. I disabled subsig 0 and all has stopped. Must have been a previous signature update that enabled the subsig 0. My mistake.

Thanks!