Our Domain Server 2008 IP address is 192.168.1.45. Some client PCs trigger a buffer overflow alert through port 137, which the Cisco IPS sends by email. How do we decide on this CIFS client-side buffer overflow?
Please see the 2 emails.
emaillog1:
SUBJECT: Alert Summary for Server IPS Act
high 35125-1 "Microsoft Windows CIFS Clientside Buffer Overflow" 192.168.15.34/137 192.168.1.45/137 Total: 1
emaillog2:
SUBJECT: high 35125-1 Microsoft Windows CIFS Clientside Buffer Overflow (Server IPS Act)
event_id = 1399606270522140036
severity = high
device_name = Server IPS Act
app_name = sensorApp
receive_time = 06/24/2014 05:36:40
event_time = 06/23/2014 21:35:48
sensor_local_time = 06/24/2014 05:35:48
sig_id = 35125
subsig_id = 1
sig_name = Microsoft Windows CIFS Clientside Buffer Overflow
sig_details = CVE-2011-0654
sig_version = S701
attacker_ip = 192.168.15.34
attacker_port = 137
attacker_locality = OUT
victim_ip = 192.168.1.45
victim_port = 137
victim_os = learned windows-nt-2k-xp (relevant)
victim_locality = OUT
summary_count = 0
initial_alert_id =
summary_type =
is_final_alert =
interface = PortChannel0/0
vlan = 0
virtual_sensor = vs0
context =
actions = droppedPacket
alert_details = InterfaceAttributes: context="single_vf" physical="Unknown" backplane="PortChannel0/0" ;
risk_rating_num = 100(TVR=medium ARR=relevant)
threat_rating = 65
reputation =
protocol = udp