How to determine is it SMB - Remote SAM server access , false positive?

Similar Messages

• Tuning SIG 5583 - SMB Remote SAM Service Access Attempt

  We are running Active Directory and this sig is firing 30000+ times a day. I do not want to disable the sig as we would likt to watch for external IP's as the source or destination.
  Trouble is I cannot get an event filter to work for this beast and I cannot filter it at the sig level since there is no source/destination IP settings in the sig itself (SMB Engine).
  Here is the event filter definition:-
  NAME: InsideSAM_SMB
  signature-id-range: 5583,5579 default: 900-65535
  subsignature-id-range: 0-255 default: 0-255
  attacker-address-range: $Inside default: 0.0.0.0-255.255.255.255
  victim-address-range: $Inside default: 0.0.0.0-255.255.255.255
  attacker-port-range: 0-65535 <defaulted>
  victim-port-range: 139,445 default: 0-65535
  risk-rating-range: 1-100 default: 0-100
  actions-to-remove: produce-alert|produce-verbose-alert default:
  deny-attacker-percentage: 100 <defaulted>
  filter-item-status: Enabled default: Enabled
  stop-on-match: True default: False
  user-comment: <defaulted>
  os-relevance: not-relevant default: relevant|not-relevant|unknown
  The $Inside variable is 10.0.0.0-10.255.255.255
  basically our entire internal network.
  The events I am being flooded with are single events and not summarized.
  Here is an example of an alert:-
  evIdsAlert: eventId=1192231627181681635 vendor=Cisco severity=informational
  originator:
  hostId: IDS
  appName: sensorApp
  appInstanceId: 571
  time: 11 February 2008 15:59:52 UTC offset=0 timeZone=GMT00:00
  signature: description=SMB Remote SAM Service Access Attempt id=5583 version=S262
  subsigId: 0
  sigDetails: SMB Remote SAM Service Access Attempt
  marsCategory: Info/Misc/NetBios
  interfaceGroup: int8
  vlan: 36
  participants:
  attacker:
  addr: 10.36.3.52 locality=Inside
  port: 2956
  target:
  addr: 10.11.1.63 locality=Inside
  port: 445
  os: idSource=learned type=windows-nt-2k-xp relevance=relevant
  riskRatingValue: 25 targetValueRating=medium
  attackRelevanceRating=relevant
  threatRatingValue: 25
  interface: ge0_8
  protocol: tcp
  As you can see BOTH the source and destination are within the ranges specified in the filter but the event is still firing.

  You mean replace the $Inside with a specific range like 10.0.0.0-10.255.255.255.
  Hmm. Nope. I have tried that and I have even tried specific IP addresses for the source/destination but still get alerts with exactly those two addresses getting through.
  Filtering is working though as I have a filter active also for the 'DHCP offer' sig in that I have filtered out all our 'expected' DHCP sources, and SMTP filters for 'expected' SMTP sources.
  Why can I not filter out SMB sources/ destinations such as Windows Servers and/or M$ Domain Controllers.
  Come on Cisco, event filtering was so easy in IDS4, why complicate it so much in IPS6.

• How to disable SSLv3 and RC4 on Lync Server Access Edge?

  We use Lync Server 2013.
  How to disable SSLv3 and RC4 on Lync Server Access Edge?
  This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work

  Hi dizen,
  To completely disable RC4, you can create the following registry key:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
  "Enabled"=dword:00000000
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
  "Enabled"=dword:00000000
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
  "Enabled"=dword:00000000
  For more details, please check out this KB.
  http://support.microsoft.com/kb/2868725
  Best regards,
  Eric

• How to set up multiple JVMs on same server

  I try to set at least 2 JVMS run on same server (2CPUS) but I do know how to set manual start server. I can't find the startup and stop scrits in oracle_home/apache/apache/bin directory. Who can help me to set this up?

  my reply is good haina
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by jianing shu ([email protected]):
  I try to set at least 2 JVMS run on same server (2CPUS) but I do know how to set manual start server. I can't find the startup and stop scrits in oracle_home/apache/apache/bin directory. Who can help me to set this up? <HR></BLOCKQUOTE>
  null

• How to rebuild BPEL process in remote Integration server?

  Please advise kindly how to rebuild a remote wdsl... We have many BPEL processes in a remote Integration server and I need to rebuild one of them after some correction was done in its .xsl file.
  When I right-click on the process name in the Jdeveloper list and chose "Rebuild", it is compiled without errors, but with the message as "Warning: The file http://.........wsdl is not part of the active project Project1.jpr, compiled class will be written to Project1.jpr output directory". (But I have no "Project1.jpr") How to get the compiled results to be deployed in the remote Integration server where needed?
  Please help kindly...

  Dear PuneetRekhade, thank you for your expert comment.
  Could you please advise on the following "...compiled class will be written to Project1.jpr output directory". (But I have no "Project1.jpr" as far as I know.) How to get the compiled results to be deployed in the remote Integration server where needed?"
  Thank you so much in advance..

• How to reduild BPEL process in remote Integration server?

  Please advise kindly how to rebuild a remote wdsl... I have many BPEL processes in my remote Integration server and I need to rebuild one of them after some correction was done in its .xsl file.
  When I right-click on the process name in the Jdeveloper list and chose "Rebuild", it is compiled ok, but with the message as "Warning: The file http://.........wsdl is not part of the active project Project1.jpr, compiled class will be written to Project1.jpr output directory". (But I have no "Project1.jpr") How to get the compiled results to be deployed in the remote Integration server where needed?
  Please help kindly...

  Hi,
  try the SOA forum.  This here is for JDeveloper and ADF related questions
  Frank

• How many connectors can be hosted on same server

  We're looking into developing a connector for our CRM product by CRC. Can it be hosted on the same server as our Mobility connector, or do we need to deploy a 2nd DS server?
  Thanks,
  Bill

  I would not put any other connectors on the same server as the Mobility/GroupWise connector. The Mobility connector requires a lot of dedicated server resources and adding another connector could really interfere with it and reduce Mobilities effectiveness and reliability. It would be better to have a second server for your CRM connector and any other connector you may want to play with.

• How to determine hostname or IP addr. of server we loaded from?

  Hi All,
  Does anyone know of a reliable way of determining the IP
  addr. or hostname of the server that the Flex app. was launched
  from? My application needs to make a connection back to the server,
  but the server could be at various IP addresses / host names.
  Thanks,
  Fred

  Thanks for my response, but my situation is that I develop my
  apps on one machine and run the back end services on that same
  machine in a testing environment. So when testing I want to connect
  to localhost for debugging. But when deployed on the real server
  the Flex app. should connect to servername, the real hostname of
  the server it's deployed at. I can't yet figure out how to have
  Flex determine the name of the host from which it was
  launched.

• Does anyone know how to disable oplocks on SMB on Mavericks Server

  Hi I have a Mavericks server, I have two PC clients (windows 7) that connect to it and both machines are having issues with READ only Microsoft office documents, I wanted to know how to turn off oplocks on the SMB protocol, it's been driving me mad for weeks

  See also:
  *[[/en-US/questions/865935]]

• How to install PI instance on the same server that has Solution Manager 4?

  I am planning to install PI 7 on a windows 2003 server that has Solution manager 4 running on it already.
  I am planning to install an additional Oracle instance and put PI on it.
  What are the steps involved?
  Please advise.
  Thanks and regards,
  Bhaskar

  Barry,
  I went throught this link when I firt tried MCOD. may be the mistake I did was that I tired installing two separate instances like Sol Man and XI into the same oracle database. it used to fail at the step of Creating table Spaces.
  I tired this when I saw some docs on MCOD (I think from IBM).
  May be the approach was wrong.
  Let me try this new method of installing two different Oracle instances and put Solution manager on one and XI on the other.
  I will update you some time today.
  Thanks for the help so far.
  Regards,
  Bhaskar

• How to determine the load on the oracle server within a stored procedure?

  Hi,
  I have a subset of commands in my stored procedure that I would like to execute them only if there is not significant load on the database sever.
  What would be the best way to measure the amount of load on my database server within a stored procedure?
  Thank you,
  Alan

  It is not that easy.
  This stored procedure is called by a job that runs every hour. Half of the stored procedure code are mission critical and must run by any means necessary! The second half must run right after the 1st one and is nice to do.
  If I assign a lower priority it makes the situation worst, because then the job might take 3-4 hours and the same jobs run on top of each other over and over.
  I just oversimplified the situation, The point is I prefer not to run the less important PLSQL code rather than assigning lower priority and stretch it over timeline. These hourly jobs are not Oracle jobs and cannot run on top of each other. Last time this happened and I had to kill 12 sessions! (12 jobs in 12 hour)
  Trust me, estimating the load on the database server is the only solution.
  When I say load on the server I mean the load resulted from other oracle sessions on the same database server. This server is a single instance Oracle 10g Enterprise on Solaris. All I need is just accessing to some meaningful counters.
  Any help would be appreciated,
  Alan

• How do you connect to a remote Livecycle server using Workbench?

  I'm trying to use Workbench ES to connect to an instance of Livecycle Server that is on another machine. If I try to connect to it, it succeeds but upon opening a pdf or xdp (basically anything that opens Designer) it gives me an error, "No path to XDP file input".
  I'm not sure if its a bug because, if I just change the Server Name in the "Connect To.." dialog to anything other than "localhost" while leaving the actual address the same, it will give me the exact same error. I can still edit processes but I'm unable to do anything that uses Designer.
  Any help with this issue is greatly appriciated

  I'm not sure, I think it was installed separate. I fixed the issue by reinstalling them seperately and applying the updates to workbench/designer. Everything works like it should now

• How to Install R/3 and CRM on the same Server?

  Hi All,
  I would like to install R/3 and CRM on the same server (as the load is less). I know how to install them seperately.
  I would like to have some instructions how to have them installed on the same server.
  Thanks in advance.
  Regards,
  Vijay

  As Sunil explained - MCOD (or) you can think to have 2 differnt DB SID's as weel 2 different SAP SID's. By default 1st Installation takes Listener Name as LISTENER & port 1527 when you are doing second Oracle installation use another lister name as LISTENER002 & give port 1526 ( for example).
  MCOD will be the best option to unplug from oracle instalation requirement but - think of future plans. even it can be any size business don't think to do MCOD with SAP Business System like R3 .
  Becuase qwe may have different requirements from the Business / functionla Team for refreshing / building the development system with a copy of production system - don;t get confused there are Techniques for Refreshing a Development Instance with production system also.
  Any how you have to take decission to go with MCOD (or) not . I also request SUNIL to comment on MCOD installations  with R3 system .
  But  I beleive Sascha Version is wrong - i can have multiple application servers of differnet products on single Box if my OS supports.
  as application servers will have 3 individual mount point which points to different system
  <Central Instance>:/sapmnt/<SID>/global
  <Central Instance>:/sapmnt/<SID>/prfoile
  <Central Instance>:/sapmnt/<SID>/exe
  each SID  NFS mount point can point to different sever & i can multiple application server of differnt SAP Products on 1 BOX.
  Trans directory is problem - but it does not require either for installation (or) for runningAS instance .

• How to Install XI and EP on Single server

  Hi,
  How to install XI and EP on same server. I tried to install XI then EP . After EP installed then iam not able to access XI j2ee engine . I think some where port conflicts . I gave system number for XI : 00 and EP : 02
  Can any one help for this. Where did i made mistake.
  Thanks
  Kristene

  Hi Kristene,
  I have installed XI and EP on the same server (for test purposes) without any problems, so it should be possible. I installed them in a different order (first EP then XI), but I don't think that matters much.
  The only real difference is that I kept the system number the same.
  What do you mean exactly with not being able to access the XI j2ee engine? How did you try to access it?
  Regards,
  Martin

• How to determine the u2018equivalent position of the same organizationu2019?

  Hi,
  "Position change is a transfer from one position to an equivalent position within the same org reporting structure and under the same chief position"
  How to determine the u2018equivalent position of the same organizationu2019?
  Cheers.

  u can identity the position with help of the Holder
  say for ex: A is the holder of the Position for Executive now the user performent an event called change of position so he changed to Manager (here we can find the chageing on the basis of some parameter so i have taken holder as Parameter as we dont know which has changed or wht has changed)
  in this case we can use the report   RHDESC20  se38
  not an exact solution for ur question
  will try to find some other way