How to determine is it SMB - Remote SAM server access , false positive?
5583-0 right?
I would say that there are different types of false positives. Do you mean, how do I determine if what was seen actually represents an attempt to access the SAM database? I would start by looking at MySDN (or whatever Cisco is calling it these days...intellishield?). It's often not very up to date and missing information, but it's an easy thing to check. Here's the link for this sig:
https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5583&signatureSubId=0
If you look at the benign triggers, you'll see that it suggests that this only matters if the source is external. It's up to you whether to research any further. If you really want to inspect the signature further, you'll have to add one of the "log packets" actions. This will save a network trace when it fires again and then you can open it up in Wireshark, which understands SMB and will probably decode it enough for you to verify whether it actually was an attempt to access the "Remote SAM server".
Similar Messages
-
Tuning SIG 5583 - SMB Remote SAM Service Access Attempt
We are running Active Directory and this sig is firing 30000+ times a day. I do not want to disable the sig as we would like to watch for external IPs as the source or destination.
Trouble is I cannot get an event filter to work for this beast and I cannot filter it at the sig level since there is no source/destination IP settings in the sig itself (SMB Engine).
Here is the event filter definition:-
NAME: InsideSAM_SMB
signature-id-range: 5583,5579 default: 900-65535
subsignature-id-range: 0-255 default: 0-255
attacker-address-range: $Inside default: 0.0.0.0-255.255.255.255
victim-address-range: $Inside default: 0.0.0.0-255.255.255.255
attacker-port-range: 0-65535 <defaulted>
victim-port-range: 139,445 default: 0-65535
risk-rating-range: 1-100 default: 0-100
actions-to-remove: produce-alert|produce-verbose-alert default:
deny-attacker-percentage: 100 <defaulted>
filter-item-status: Enabled default: Enabled
stop-on-match: True default: False
user-comment: <defaulted>
os-relevance: not-relevant default: relevant|not-relevant|unknown
The $Inside variable is 10.0.0.0-10.255.255.255
basically our entire internal network.
The events I am being flooded with are single events and not summarized.
Here is an example of an alert:-
evIdsAlert: eventId=1192231627181681635 vendor=Cisco severity=informational
originator:
hostId: IDS
appName: sensorApp
appInstanceId: 571
time: 11 February 2008 15:59:52 UTC offset=0 timeZone=GMT00:00
signature: description=SMB Remote SAM Service Access Attempt id=5583 version=S262
subsigId: 0
sigDetails: SMB Remote SAM Service Access Attempt
marsCategory: Info/Misc/NetBios
interfaceGroup: int8
vlan: 36
participants:
attacker:
addr: 10.36.3.52 locality=Inside
port: 2956
target:
addr: 10.11.1.63 locality=Inside
port: 445
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
riskRatingValue: 25 targetValueRating=medium
attackRelevanceRating=relevant
threatRatingValue: 25
interface: ge0_8
protocol: tcp
As you can see BOTH the source and destination are within the ranges specified in the filter but the event is still firing.
You mean replace the $Inside with a specific range like 10.0.0.0-10.255.255.255.
Hmm. Nope. I have tried that and I have even tried specific IP addresses for the source/destination but still get alerts with exactly those two addresses getting through.
Filtering is working though as I have a filter active also for the 'DHCP offer' sig in that I have filtered out all our 'expected' DHCP sources, and SMTP filters for 'expected' SMTP sources.
Why can I not filter out SMB sources/destinations such as Windows Servers and/or M$ Domain Controllers?
Come on Cisco, event filtering was so easy in IDS4, why complicate it so much in IPS6. -
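As an added example (not from this thread and not Cisco's code), here is a small Python triage helper that parses the flattened evIdsAlert dump shown above, applies the poster's event-filter conditions (signature id, $Inside attacker and victim ranges, victim ports 139/445) to decide whether the alert should have been suppressed, and applies the vendor's benign-trigger note from the first answer (the hit matters when the source is external). The sample alert is constructed from the thread's own dump; the 203.0.113.x external address used in testing is a constructed documentation address.

```python
import re
from ipaddress import ip_address

# Constructed sample: the lines of the thread's evIdsAlert dump that the filter looks at
SAMPLE_ALERT = """signature: description=SMB Remote SAM Service Access Attempt id=5583 version=S262
attacker:
addr: 10.36.3.52 locality=Inside
port: 2956
target:
addr: 10.11.1.63 locality=Inside
port: 445
"""

# The thread's event filter reduced to its matching fields; $Inside as the poster defined it
INSIDE = "10.0.0.0-10.255.255.255"
EVENT_FILTER = {"signature-id-range": "5583,5579", "attacker-address-range": INSIDE,
                "victim-address-range": INSIDE, "victim-port-range": "139,445"}

def parse_alert(text):
    """Extract signature id, attacker/target address and target port from the flattened dump."""
    fields, section = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key in ("attacker", "target") and not value:
            section = key                  # the addr:/port: lines that follow belong to it
        elif key == "signature":
            fields["sig_id"] = int(re.search(r"\bid=(\d+)", value).group(1))
        elif key == "addr" and section:
            fields[section + "_addr"] = ip_address(value.split()[0])
        elif key == "port" and section:
            fields[section + "_port"] = int(value)
    return fields

def in_range(value, spec, conv=int):
    """spec is a comma list of 'n' or 'lo-hi' items; conv is int or ip_address."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if conv(lo) <= value <= conv(hi or lo):
            return True
    return False

def filter_matches(alert, flt=EVENT_FILTER):
    """True when every condition holds, i.e. the sensor should have dropped the alert action."""
    return (in_range(alert["sig_id"], flt["signature-id-range"])
            and in_range(alert["attacker_addr"], flt["attacker-address-range"], ip_address)
            and in_range(alert["target_addr"], flt["victim-address-range"], ip_address)
            and in_range(alert["target_port"], flt["victim-port-range"]))

def external_source(alert, inside=INSIDE):
    """Vendor benign-trigger note: the hit is worth a look only when the source is external."""
    return not in_range(alert["attacker_addr"], inside, ip_address)
```

Running it on the thread's alert returns a filter match with an internal source, which is why the poster expects it to be suppressed; the same check on a packet capture taken with a "log packets" action is what Wireshark then confirms or refutes.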
How to disable SSLv3 and RC4 on Lync Server Access Edge?
We use Lync Server 2013.
How to disable SSLv3 and RC4 on Lync Server Access Edge?
This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work.
Hi dizen,
To completely disable RC4, you can create the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
For more details, please check out this KB.
http://support.microsoft.com/kb/2868725
Best regards,
Eric -
How to set up multiple JVMs on same server
I try to set at least 2 JVMs run on same server (2CPUS) but I do know how to set manual start server. I can't find the startup and stop scripts in oracle_home/apache/apache/bin directory. Who can help me to set this up?
my reply is good haina
quote: Originally posted by jianing shu ([email protected]):
I try to set at least 2 JVMs run on same server (2CPUS) but I do know how to set manual start server. I can't find the startup and stop scripts in oracle_home/apache/apache/bin directory. Who can help me to set this up?
-
How to rebuild BPEL process in remote Integration server?
Please advise kindly how to rebuild a remote wsdl... We have many BPEL processes in a remote Integration server and I need to rebuild one of them after some correction was done in its .xsl file.
When I right-click on the process name in the Jdeveloper list and chose "Rebuild", it is compiled without errors, but with the message as "Warning: The file http://.........wsdl is not part of the active project Project1.jpr, compiled class will be written to Project1.jpr output directory". (But I have no "Project1.jpr") How to get the compiled results to be deployed in the remote Integration server where needed?
Please help kindly...
Dear PuneetRekhade, thank you for your expert comment.
Could you please advise on the following "...compiled class will be written to Project1.jpr output directory". (But I have no "Project1.jpr" as far as I know.) How to get the compiled results to be deployed in the remote Integration server where needed?"
Thank you so much in advance.. -
How to rebuild BPEL process in remote Integration server?
Please advise kindly how to rebuild a remote wsdl... I have many BPEL processes in my remote Integration server and I need to rebuild one of them after some correction was done in its .xsl file.
When I right-click on the process name in the Jdeveloper list and chose "Rebuild", it is compiled ok, but with the message as "Warning: The file http://.........wsdl is not part of the active project Project1.jpr, compiled class will be written to Project1.jpr output directory". (But I have no "Project1.jpr") How to get the compiled results to be deployed in the remote Integration server where needed?
Please help kindly...
Hi,
try the SOA forum. This here is for JDeveloper and ADF related questions.
Frank -
How many connectors can be hosted on same server
We're looking into developing a connector for our CRM product by CRC. Can it be hosted on the same server as our Mobility connector, or do we need to deploy a 2nd DS server?
Thanks,
Bill
I would not put any other connectors on the same server as the Mobility/GroupWise connector. The Mobility connector requires a lot of dedicated server resources and adding another connector could really interfere with it and reduce Mobility's effectiveness and reliability. It would be better to have a second server for your CRM connector and any other connector you may want to play with.
-
How to determine hostname or IP addr. of server we loaded from?
Hi All,
Does anyone know of a reliable way of determining the IP addr. or hostname of the server that the Flex app. was launched from? My application needs to make a connection back to the server, but the server could be at various IP addresses / host names.
Thanks,
Fred
Thanks for your response, but my situation is that I develop my apps on one machine and run the back end services on that same machine in a testing environment. So when testing I want to connect to localhost for debugging. But when deployed on the real server the Flex app. should connect to servername, the real hostname of the server it's deployed at. I can't yet figure out how to have Flex determine the name of the host from which it was launched. -
Does anyone know how to disable oplocks on SMB on Mavericks Server
Hi, I have a Mavericks server. I have two PC clients (Windows 7) that connect to it and both machines are having issues with read-only Microsoft Office documents. I wanted to know how to turn off oplocks on the SMB protocol; it's been driving me mad for weeks.
See also:
/en-US/questions/865935 -
How to install PI instance on the same server that has Solution Manager 4?
I am planning to install PI 7 on a windows 2003 server that has Solution manager 4 running on it already.
I am planning to install an additional Oracle instance and put PI on it.
What are the steps involved?
Please advise.
Thanks and regards,
Bhaskar
Barry,
I went through this link when I first tried MCOD. Maybe the mistake I made was that I tried installing two separate instances like Sol Man and XI into the same Oracle database. It used to fail at the step of Creating Table Spaces.
I tried this when I saw some docs on MCOD (I think from IBM).
Maybe the approach was wrong.
Let me try this new method of installing two different Oracle instances and put Solution manager on one and XI on the other.
I will update you some time today.
Thanks for the help so far.
Regards,
Bhaskar -
How to determine the load on the oracle server within a stored procedure?
Hi,
I have a subset of commands in my stored procedure that I would like to execute them only if there is not significant load on the database sever.
What would be the best way to measure the amount of load on my database server within a stored procedure?
Thank you,
Alan
It is not that easy.
This stored procedure is called by a job that runs every hour. Half of the stored procedure code is mission critical and must run by any means necessary! The second half must run right after the 1st one and is nice to do.
If I assign a lower priority it makes the situation worse, because then the job might take 3-4 hours and the same jobs run on top of each other over and over.
I just oversimplified the situation. The point is I prefer not to run the less important PLSQL code rather than assigning lower priority and stretching it over the timeline. These hourly jobs are not Oracle jobs and cannot run on top of each other. Last time this happened I had to kill 12 sessions! (12 jobs in 12 hours)
Trust me, estimating the load on the database server is the only solution.
When I say load on the server I mean the load resulting from other Oracle sessions on the same database server. This server is a single instance Oracle 10g Enterprise on Solaris. All I need is just access to some meaningful counters.
Any help would be appreciated,
Alan -
How do you connect to a remote Livecycle server using Workbench?
I'm trying to use Workbench ES to connect to an instance of Livecycle Server that is on another machine. If I try to connect to it, it succeeds but upon opening a pdf or xdp (basically anything that opens Designer) it gives me an error, "No path to XDP file input".
I'm not sure if it's a bug because, if I just change the Server Name in the "Connect To.." dialog to anything other than "localhost" while leaving the actual address the same, it will give me the exact same error. I can still edit processes but I'm unable to do anything that uses Designer.
Any help with this issue is greatly appreciated.
I'm not sure, I think it was installed separate. I fixed the issue by reinstalling them separately and applying the updates to workbench/designer. Everything works like it should now.
-
How to Install R/3 and CRM on the same Server?
Hi All,
I would like to install R/3 and CRM on the same server (as the load is less). I know how to install them separately.
I would like to have some instructions how to have them installed on the same server.
Thanks in advance.
Regards,
Vijay
As Sunil explained - MCOD (or) you can think to have 2 different DB SIDs as well as 2 different SAP SIDs. By default the 1st installation takes the Listener Name as LISTENER & port 1527; when you are doing the second Oracle installation use another listener name such as LISTENER002 & give port 1526 (for example).
MCOD will be the best option to unplug from the Oracle installation requirement but - think of future plans. Even if it can be any size business, don't think to do MCOD with a SAP Business System like R3.
Because we may have different requirements from the Business / functional Team for refreshing / building the development system with a copy of the production system - don't get confused, there are techniques for refreshing a Development Instance with the production system also.
Anyhow you have to take a decision to go with MCOD (or) not. I also request SUNIL to comment on MCOD installations with R3 system.
But I believe Sascha's version is wrong - I can have multiple application servers of different products on a single box if my OS supports it,
as application servers will have 3 individual mount points which point to different systems:
<Central Instance>:/sapmnt/<SID>/global
<Central Instance>:/sapmnt/<SID>/profile
<Central Instance>:/sapmnt/<SID>/exe
Each SID NFS mount point can point to a different server & I can run multiple application servers of different SAP Products on 1 BOX.
The trans directory is a problem - but it is not required either for installation (or) for running the AS instance. -
How to Install XI and EP on Single server
Hi,
How to install XI and EP on the same server. I tried to install XI then EP. After EP installed I am not able to access the XI j2ee engine. I think somewhere there are port conflicts. I gave system number for XI : 00 and EP : 02
Can any one help with this. Where did I make a mistake?
Thanks
Kristene
Hi Kristene,
I have installed XI and EP on the same server (for test purposes) without any problems, so it should be possible. I installed them in a different order (first EP then XI), but I don't think that matters much.
The only real difference is that I kept the system number the same.
What do you mean exactly with not being able to access the XI j2ee engine? How did you try to access it?
Regards,
Martin -
How to determine the 'equivalent position of the same organization'?
Hi,
"Position change is a transfer from one position to an equivalent position within the same org reporting structure and under the same chief position"
How to determine the 'equivalent position of the same organization'?
Cheers.
You can identify the position with help of the Holder.
Say for ex: A is the holder of the Position for Executive; now the user performed an event called change of position, so he changed to Manager (here we can find the change on the basis of some parameter, so I have taken holder as the parameter as we don't know which has changed or what has changed).
In this case we can use the report RHDESC20 in se38.
Not an exact solution for your question,
will try to find some other way.