Current Position:Home > Tuning SIG 5583 - SMB Remote SAM Service Access Attempt

Tuning SIG 5583 - SMB Remote SAM Service Access Attempt

Update:11-30Source: network consolidation
Advertisement
We are running Active Directory and this sig is firing 30000+ times a day. I do not want to disable the sig as we would likt to watch for external IP's as the source or destination.
Trouble is I cannot get an event filter to work for this beast and I cannot filter it at the sig level since there is no source/destination IP settings in the sig itself (SMB Engine).
Here is the event filter definition:-
NAME: InsideSAM_SMB
signature-id-range: 5583,5579 default: 900-65535
subsignature-id-range: 0-255 default: 0-255
attacker-address-range: $Inside default: 0.0.0.0-255.255.255.255
victim-address-range: $Inside default: 0.0.0.0-255.255.255.255
attacker-port-range: 0-65535 <defaulted>
victim-port-range: 139,445 default: 0-65535
risk-rating-range: 1-100 default: 0-100
actions-to-remove: produce-alert|produce-verbose-alert default:
deny-attacker-percentage: 100 <defaulted>
filter-item-status: Enabled default: Enabled
stop-on-match: True default: False
user-comment: <defaulted>
os-relevance: not-relevant default: relevant|not-relevant|unknown
The $Inside variable is 10.0.0.0-10.255.255.255
basically our entire internal network.
The events I am being flooded with are single events and not summarized.
Here is an example of an alert:-
evIdsAlert: eventId=1192231627181681635 vendor=Cisco severity=informational
originator:
hostId: IDS
appName: sensorApp
appInstanceId: 571
time: 11 February 2008 15:59:52 UTC offset=0 timeZone=GMT00:00
signature: description=SMB Remote SAM Service Access Attempt id=5583 version=S262
subsigId: 0
sigDetails: SMB Remote SAM Service Access Attempt
marsCategory: Info/Misc/NetBios
interfaceGroup: int8
vlan: 36
participants:
attacker:
addr: 10.36.3.52 locality=Inside
port: 2956
target:
addr: 10.11.1.63 locality=Inside
port: 445
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
riskRatingValue: 25 targetValueRating=medium
attackRelevanceRating=relevant
threatRatingValue: 25
interface: ge0_8
protocol: tcp
As you can see BOTH the source and destination are within the ranges specified in the filter but the event is still firing.

The Best Answer

Advertisement
You mean replace the $Inside with a specific range like 10.0.0.0-10.255.255.255.
Hmm. Nope. I have tried that and I have even tried specific IP addresses for the source/destination but still get alerts with exactly those two addresses getting through.
Filtering is working though as I have a filter active also for the 'DHCP offer' sig in that I have filtered out all our 'expected' DHCP sources, and SMTP filters for 'expected' SMTP sources.
Why can I not filter out SMB sources/ destinations such as Windows Servers and/or M$ Domain Controllers.
Come on Cisco, event filtering was so easy in IDS4, why complicate it so much in IPS6.