MARS "Win SMB Enum Shr DoS" & Rule to Ignore?

PAUL TRIVINO
Level 3

I am tuning some Unconfirmed False Positives (UFP). We have a fair number of the 'Windows SMB Enum Share DoS' events in the UFP list. They don't appear to be too frequent, but there are some. I am thinking I'd like to have a rule that says "if there are fewer than 'x' occurrences to a particular dest IP within 'y' minutes, ignore this", but it doesn't look like this can be done.

Any ideas? TIA

Paul
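The rule described in the question ("ignore the signature unless it fires at least x times against the same destination within y minutes") is a per-destination sliding-window threshold. The following is an added example, not MARS configuration and not code from the original post; it runs the logic over a handful of constructed events (the timestamps, addresses and field names are assumptions) so the suppression behaviour can be seen concretely:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SIG = "Windows SMB Enum Share DoS"

# Constructed sample events (not real MARS output): one lone hit against
# 10.0.0.5, a burst of four hits against 10.0.0.9 inside two minutes, and
# one more hit against 10.0.0.9 forty minutes later.
SAMPLE_EVENTS = [
    {"ts": "2009-03-01 10:00:00", "src": "192.168.1.20", "dst": "10.0.0.5", "sig": SIG},
    {"ts": "2009-03-01 10:01:10", "src": "192.168.1.31", "dst": "10.0.0.9", "sig": SIG},
    {"ts": "2009-03-01 10:01:40", "src": "192.168.1.31", "dst": "10.0.0.9", "sig": SIG},
    {"ts": "2009-03-01 10:02:05", "src": "192.168.1.31", "dst": "10.0.0.9", "sig": SIG},
    {"ts": "2009-03-01 10:02:50", "src": "192.168.1.31", "dst": "10.0.0.9", "sig": SIG},
    {"ts": "2009-03-01 10:45:00", "src": "192.168.1.40", "dst": "10.0.0.9", "sig": SIG},
]


def threshold_by_destination(events, signature, threshold, window_minutes):
    """Apply 'fewer than <threshold> hits to one dest IP within <window> minutes
    means ignore' to a list of events.

    Returns (kept, suppressed). Events of other signatures are passed through
    untouched; events of the named signature are kept only once the count for
    their destination inside the sliding window reaches the threshold.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # dst IP -> timestamps still inside the window
    kept, suppressed = [], []

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sig"] != signature:
            kept.append(ev)       # the rule only governs one signature
            continue

        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[ev["dst"]]
        while q and ts - q[0] > window:
            q.popleft()           # drop hits that have aged out of the window
        q.append(ts)

        if len(q) >= threshold:
            kept.append(ev)
        else:
            suppressed.append(ev)

    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = threshold_by_destination(SAMPLE_EVENTS, SIG, threshold=3, window_minutes=5)
    for ev in kept:
        print("ALERT   ", ev["ts"], ev["src"], "->", ev["dst"])
    for ev in suppressed:
        print("IGNORED ", ev["ts"], ev["src"], "->", ev["dst"])
```

With a threshold of 3 in a 5-minute window, the single hit against 10.0.0.5 and the first two hits against 10.0.0.9 are ignored, the third and fourth hits against 10.0.0.9 are alerted, and the isolated hit forty minutes later is ignored again because the earlier ones have aged out. The caveat is that a count threshold only suits signatures that are meaningful in volume; for a signature that fires on a single exploit attempt, this rule would suppress exactly the event that matters, so the signature's own semantics should be checked before a threshold is applied.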

1 Reply

mhellman
Level 7

Research the vulnerability and the signature. This isn't a DoS in the sense that it detects a flood of traffic. It detects the exploit, which results in a DoS. These are very likely false positives, but you should verify. If they are false positives, given that this is a 5-year-old vulnerability... I would recommend just disabling/retiring the sig.