Signature 3323 RF Poison

community
Level 1

I upgraded to 4.1-3-S61 and am now getting several rf poison signatures throughout the internal network. Does anybody know what process might trigger this alert and how to filter it other than disabling the sig?

3 Replies

scothrel
Level 3

We have had several cases of 3323 firing since S61. We made some changes to the SMB engine in order to cover the latest Microsoft vulnerabilities. It appears that in doing so, the 3323 logic loosened up and is now false positive firing. We recommend disabling the signature and will work on having it fixed in the next signature update.

Scott C

I have been getting large amounts of events at the mgt station for the signature SMB:RFPoison Attack ID: 3323. Can you tell me if the problem that was addressed in this thread has been resolved? I am at 4.1-3s81 on the sensors.

There is a fix in the upcoming 4.1.4 release.