2 Replies Latest reply: Jun 13, 2012 1:56 PM by robrod

    IPS Signatures

      Can somebody help me to get brief information on the below signatures?

       

      DCERPC: Frag Length Overly Long-0x47600a00

      TCP: ACK Host Sweep-0x40009c00

      NETBIOS-SS: Guest Login Succeeded-0x4070a500
      NETBIOS-SS: NULL Credentials Login-0x4070a400
      DCERPC: Spoolss Buffer Overflow-0x47603700

        • 1. IPS Signatures
          mirrorless

          For version 5, check under \Network Security Manager\App\jboss-4.2.3\server\default\deploy\WebHelp\en\index.htm

           

          DCERPC: Frag Length Overly Long-0x47600a00

          Description

           

          The Frag Length indicates the DCERPC payload length within a packet. This alert indicates that a remote attacker may be attempting to send an unusually large DCERPC packet. This may be an attempt to create a denial of service or buffer overflow condition on the server.

           

          TCP: ACK Host Sweep-0x40009c00

          Description

           

          The number of TCP ACK packets with a set destination port from a given source IP to unique destination IP addresses exceeds the set threshold.

           

          NETBIOS-SS: Guest Login Succeeded-0x4070a500

          Description

           

          This alert indicates successful guest login.

          NETBIOS-SS: NULL Credentials Login-0x4070a400

          Description

           

          This alert indicates an attempt to log in with no login credentials.

          DCERPC: Spoolss Buffer Overflow-0x47603700

          Description

           

          This alert indicates an attempt to exploit a buffer-overflow vulnerability in Spoolss. Affected products include Novell Client Print Provider and Citrix presentation server print provider.
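The counting logic in the "TCP: ACK Host Sweep" description above, as an added example that is not part of the original post and not the vendor's implementation. The threshold of 5, the 10-second sliding window, the bare-ACK filter, the class name and the sample packets are all assumptions made for illustration.

```python
from collections import defaultdict, deque

ACK = 0x10  # TCP flag bit for ACK


class AckSweepDetector:
    """Counts unique destination IPs per (source IP, destination port)."""

    def __init__(self, threshold=5, window=10.0):
        self.threshold = threshold  # assumed value; the sensor's is configurable
        self.window = window        # assumed sliding window, in seconds
        self.seen = defaultdict(deque)  # (src, dport) -> deque of (ts, dst)
        self.alerted = set()

    def observe(self, ts, src, dst, dport, flags):
        """Return an alert dict on the packet that crosses the threshold."""
        if flags != ACK:  # assumption: only bare ACK segments are counted
            return None
        key = (src, dport)
        q = self.seen[key]
        q.append((ts, dst))
        while ts - q[0][0] > self.window:  # expire old observations
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) <= self.threshold:
            self.alerted.discard(key)  # re-arm once the source quiets down
            return None
        if key in self.alerted:  # one alert per sweep, not one per packet
            return None
        self.alerted.add(key)
        return {"src": src, "dport": dport, "unique_dsts": len(targets), "ts": ts}


def run_sample():
    """Constructed traffic: one sweeping source, one ordinary client."""
    pkts = []
    for i in range(8):
        pkts.append((i * 0.5, "10.0.0.50", f"10.0.1.{i + 1}", 445, ACK))
        pkts.append((i * 0.5 + 0.1, "10.0.0.7", "10.0.1.1", 445, ACK))
    pkts.append((4.0, "10.0.0.9", "10.0.1.2", 445, 0x12))  # SYN/ACK, ignored
    det = AckSweepDetector()
    alerts = [det.observe(*p) for p in sorted(pkts)]
    return [a for a in alerts if a]


if __name__ == "__main__":
    print(run_sample())
```

The ordinary client sends as many ACKs as the sweeping source but only ever reaches one destination, which is why the count is over unique destination addresses rather than packets.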

          • 2. Re: IPS Signatures
            robrod

            I'm going to make a wild guess and say that you see all of these from the same host. Is it an SCCM server or some other type of file sharing server?