11-04-2004 02:11 PM - edited 03-10-2019 01:30 PM
We have been seeing millions of alerts on sig 3314, which appears to be legit traffic for print requests destined to our print server running on a W2K server.
Although the traffic looks legit, we don't understand why we are seeing 250,000,000 alerts in a 2.5 hour period.
Anyone else seeing this same behavior?
11-05-2004 07:49 AM
In order to answer your question it would be helpful to know which platform and software version you are using. I also need to know which subsig is firing. There are known false positives associated with 3314 subsig 0. It is disabled by default and marked as deprecated since 3314 subsig 1 more accurately detects this overflow.
11-08-2004 06:13 AM
The sensor is an ids-4235-K9 running 4.1(4)S125. I looked and subsig 0 was enabled. I disabled subsig 0 and all has stopped. Must have been a previous signature update that enabled the subsig 0. My mistake.
Thanks!