967 Views | 0 Helpful | 4 Replies

'Windows locator' sig 3314 explanation

og-ops-be
Level 1

Could you please give me some insight into how this signature works? I'd like to know what exactly makes it trigger so that my customer can look for that sort of traffic and hopefully take care of it.

Thank you.

4 Replies

pbaussmann
Level 1

The following link explains the Windows Locator service overflow vulnerability.

http://www.cert.org/advisories/CA-2003-03.html

This will give you some idea as to what is triggering it.

mcerha
Level 3

Due to certain conditions, we're not able to disclose what exactly the signature is looking for, but I can make two suggestions. Filter this alarm so that it only fires for the domain controllers in the network as destinations. Normally, only domain controllers run the Locator service. Second, in an actual attack, you will see the request for the "\locator" named pipe prior to the attack being sent. I hope this helps.
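The two suggestions in the reply above (only keep sig 3314 alarms whose destination is a domain controller, and treat an alarm preceded by a `\locator` named-pipe request from the same source as the real thing) can be turned into a small triage pass over exported events. The script below is an added example written for this thread, not Cisco code and not tied to any real IPS export format: the event line format, the sample events, the domain-controller list and the 30-second pairing window are all constructed assumptions an administrator would replace with their own data.

```python
"""Triage of 'Windows locator' (sig 3314) alarms using the two hints from
the thread: drop alarms whose destination is not a domain controller, and
escalate alarms preceded by a \\locator named-pipe open from the same source.

Everything below (event format, sample lines, DC list, window) is a
constructed assumption for illustration, not data from the thread.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Dict, List, Tuple, Union

IPAddr = Union[IPv4Address, IPv6Address]

# Constructed sample events (not real captures). One event per line:
#   <ISO timestamp> <kind> src=<ip> dst=<ip> [sig=<id>] [pipe=<name>]
# kind is "alert" for an IPS alarm or "pipe" for an SMB named-pipe open.
SAMPLE_EVENTS = """\
2003-02-10T10:00:01 pipe src=10.1.5.23 dst=10.1.0.10 pipe=\\locator
2003-02-10T10:00:02 alert src=10.1.5.23 dst=10.1.0.10 sig=3314
2003-02-10T10:05:00 alert src=10.1.7.8 dst=10.1.9.44 sig=3314
2003-02-10T10:07:00 pipe src=10.1.7.8 dst=10.1.0.11 pipe=\\srvsvc
2003-02-10T10:07:01 alert src=10.1.7.8 dst=10.1.0.11 sig=3314
"""

# Assumed domain controllers: normally the only hosts running the Locator service.
DOMAIN_CONTROLLERS = {ip_address("10.1.0.10"), ip_address("10.1.0.11")}
LOCATOR_SIG = "3314"
LOCATOR_PIPE = "\\locator"
PIPE_WINDOW = timedelta(seconds=30)   # how far back to look for the pipe open


@dataclass
class Event:
    ts: datetime
    kind: str
    src: IPAddr
    dst: IPAddr
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_events(text: str) -> List[Event]:
    """Parse the constructed line format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        attrs = dict(p.split("=", 1) for p in parts[2:])
        events.append(Event(
            ts=datetime.fromisoformat(parts[0]),
            kind=parts[1],
            src=ip_address(attrs.pop("src")),
            dst=ip_address(attrs.pop("dst")),
            attrs=attrs,
        ))
    events.sort(key=lambda e: e.ts)
    return events


def triage(events: List[Event], dcs, window: timedelta = PIPE_WINDOW) -> List[Tuple[Event, str]]:
    """Return (alert, verdict) for every sig 3314 alarm.

    drop     - destination is not a domain controller (filter recommendation)
    escalate - a \\locator pipe open from the same src to the same dst
               preceded the alarm within the window (likely real attempt)
    review   - DC destination but no pipe open seen; needs a human look
    """
    pipe_opens = [e for e in events if e.kind == "pipe"]
    verdicts = []
    for alert in events:
        if alert.kind != "alert" or alert.attrs.get("sig") != LOCATOR_SIG:
            continue
        if alert.dst not in dcs:
            verdicts.append((alert, "drop"))
            continue
        preceded = any(
            p.src == alert.src and p.dst == alert.dst
            and p.attrs.get("pipe", "").lower() == LOCATOR_PIPE
            and alert.ts - window <= p.ts <= alert.ts
            for p in pipe_opens
        )
        verdicts.append((alert, "escalate" if preceded else "review"))
    return verdicts


def summarize(text: str, dcs=DOMAIN_CONTROLLERS) -> Dict[str, int]:
    """Count verdicts for an event export; handy for a quick daily check."""
    counts = {"drop": 0, "review": 0, "escalate": 0}
    for _, verdict in triage(parse_events(text), dcs):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for alert, verdict in triage(parse_events(SAMPLE_EVENTS), DOMAIN_CONTROLLERS):
        print(f"{alert.ts.isoformat()} {alert.src} -> {alert.dst}: {verdict}")
    print(summarize(SAMPLE_EVENTS))
```

On the constructed sample the first alarm is escalated (the `\locator` pipe open from the same source arrived one second earlier), the second is dropped because its destination is not a domain controller, and the third is left for review because the preceding pipe open was for a different pipe. The pairing key is (source, destination) rather than source alone so that a noisy scanner touching many hosts does not promote every alarm it causes.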

This filtering recommendation is not in the NSDB. Can that be updated to include this information?

Yes, I will do it in the S43 sig update. Thanks.