NSP Signature

The signature shows:

pktsearch-error-check-code == MS-EXCH-SYS-ATTN-DOS

 

While the PCAP shows an empty UDP packet. What is the source of this signature? How is it generated?

Accepted Solutions
McAfee Employee fkazi04
Message 4 of 8

Re: NSP Signature

Would you please confirm the signature name that gives us more understanding?

Kindly enable full flow logging as per KB55743 and then collect evidence report to understand why the signature triggered. 

 

Regards,

Faizan

 

7 Replies
McAfee Employee fkazi04
Message 2 of 8

Re: NSP Signature

Hi,

Looking at the signature condition, it looks like DOS flooding over the SYN protocol. However, kindly provide the signature name to confirm exact behavior.

 

If the signature is listed within KB56050, packet capture will not be available. If you believe the alert to be a false positive, please gather full flow logging following KB55743 and raise a case with the Support Team.

 

Regards,

Faizan

Re: NSP Signature

The issue is that I do not understand how that "exchange error" was detected by the IPS. It is not in the PCAP. There are a number of signatures that exhibit that behavior -> they just state that a certain error was reported but do not reference the source and how they got that. Very difficult to analyze the alert without that, especially when the PCAP is clean.

Most signatures are regex and easy to match with PCAP. This is not.

Re: NSP Signature

Thank you, I shall try that. It will take some time, probably a few days. Thank you for your help and patience.

Re: NSP Signature

NOTE: I am not claiming that this is a false positive, just want to know HOW the NSP obtained the error code it is reporting:

pktsearch-error-check-code == MS-EXCH-SYS-ATTN-DOS ( unsigned )

I see no error code in the PCAP.

Thank you

McAfee Employee fkazi04
Message 7 of 8

Re: NSP Signature

I understand your concern.

Please let me know the signature name and I will try to get more details on the signature criteria and update you. 

 

Regards,

Faizan

 


Re: NSP Signature

This reply is pointless. Please refer to a human. 
