IPS NETBIOS SMB username brute force attempt still buggy with signature 18.148
Hi,
I am still getting IPS NETBIOS SMB username brute force attempt alerts with ips signature version 18.148 on all my devices.
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000XeM6SAK&lang=en_US
2021-05-20 14:40:55 Deny 1.2.3.4 10.227.253.252 microsoft-ds/tcp 65514 445 NetGroup Internal network IPS detected 583 126 (Watchguard SSO to client-IN-00) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 3162796631 win 1040" signature_name="NETBIOS SMB username brute force attempt" signature_cat="Exploits" signature_id="1052848" severity="3" sig_vers="18.148" Traffic
2021-05-20 14:43:26 NetGroup-HA2 Deny 1.2.3.4 172.17.4.9 microsoft-ds/tcp 65533 445 Internal Network Islevdalvej IPS detected 575 127 (Watchguard SSO agent to client-OUT-00) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 1607414334 win 65281" signature_name="NETBIOS SMB username brute force attempt" signature_cat="Exploits" signature_id="1052848" severity="3" sig_vers="18.148" src_user="admin-rv@kaufmann.local" Traffic
Regards
Robert
Comments
And if I look closer, I see it's a new false positive and not the same signature ID. This is on traffic from the Watchguard Authentication Server to the SSO client.
/Robert
Hello Robert,
We'll get a new Known Issue logged for it and investigate closer. If you could elaborate on your SSO environment, that would be appreciated. SSO Client, ELM... any client commonalities?
Ralph
@Ralph
There is some logic to this. The IPS alert is triggered when the destination host is a Synology NAS, and only a Synology device, and only when the source traffic is from the WG Authentication Server(s). All other SSO traffic to Windows SSO clients does not trigger this alert, and normal SMB traffic to the same Synology devices does not trigger this alert either.
Maybe the alert is in fact valid and it's a bug with Authentication Gateway version 12.7 causing the SMB username brute force attempt?
I have made SSO exclusions for the network ranges where the Synology devices are located, but this does not seem to be working, or else I would not see this traffic to these devices.
Thanks. Rule 1052848 was removed for re-tuning in signature releases v18.151 and v4.1158 which just went live this morning.
This is also documented in the following Known Issue article
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000XeQwSAK&lang=en_US
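Added example (not part of the thread or of any WatchGuard tooling): a small triage script that parses Firebox IPS log lines of the shape quoted above and flags the alerts this thread is about, i.e. signature_id 1052848 reported by a signature set older than the release in which the rule was pulled (v18.151 on the 18.x train, v4.1158 on the 4.x train, as stated in the reply above). Treating 18.x and 4.x as separate release trains keyed by major version is an assumption. The optional `auth_servers` filter narrows the match to traffic sourced from the Authentication Server IPs, which Robert identified as the common factor; the sample log below reuses the two lines posted in the thread and adds two constructed lines as negative cases.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: lines 1-2 are the alerts quoted in the thread; lines 3-4 are
# made up here as negative cases (re-tuned signature version; non-auth-server source).
SAMPLE_LOG = """\
2021-05-20 14:40:55 Deny 1.2.3.4 10.227.253.252 microsoft-ds/tcp 65514 445 NetGroup Internal network IPS detected 583 126 (Watchguard SSO to client-IN-00) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 3162796631 win 1040" signature_name="NETBIOS SMB username brute force attempt" signature_cat="Exploits" signature_id="1052848" severity="3" sig_vers="18.148" Traffic
2021-05-20 14:43:26 NetGroup-HA2 Deny 1.2.3.4 172.17.4.9 microsoft-ds/tcp 65533 445 Internal Network Islevdalvej IPS detected 575 127 (Watchguard SSO agent to client-OUT-00) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 1607414334 win 65281" signature_name="NETBIOS SMB username brute force attempt" signature_cat="Exploits" signature_id="1052848" severity="3" sig_vers="18.148" src_user="admin-rv@kaufmann.local" Traffic
2021-05-21 09:12:03 Deny 1.2.3.4 10.227.253.252 microsoft-ds/tcp 65520 445 NetGroup Internal network IPS detected 583 126 (Watchguard SSO to client-IN-00) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 1 win 1040" signature_name="NETBIOS SMB username brute force attempt" signature_cat="Exploits" signature_id="1052848" severity="3" sig_vers="18.151" Traffic
2021-05-21 09:15:44 Deny 10.0.0.5 10.227.253.252 microsoft-ds/tcp 50001 445 NetGroup Internal network IPS detected 583 126 (Workstation to NAS-00) proc_id="firewall" rc="301" msg_id="3000-0150" tcp_info="offset 5 A 2 win 1040" signature_name="NETBIOS SMB username brute force attempt" signature_cat="Exploits" signature_id="1052848" severity="3" sig_vers="18.148" Traffic
"""

# key="value" pairs that follow the positional fields
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Positional fields: <action> <src_ip> <dst_ip> <service>/<proto> <src_port> <dst_port>
FLOW_RE = re.compile(r'\b(Deny|Allow)\s+(\S+)\s+(\S+)\s+(\S+)/(\w+)\s+(\d+)\s+(\d+)\b')

FALSE_POSITIVE_SIG = "1052848"
# Signature release in which rule 1052848 was removed for re-tuning, per release train
# (values from the thread; keying on the major version is an assumption).
FIXED_IN: Dict[int, Tuple[int, ...]] = {18: (18, 151), 4: (4, 1158)}


def parse_version(vers: str) -> Tuple[int, ...]:
    """'18.148' -> (18, 148) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in vers.split("."))


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of positional + key/value fields, or None if not a traffic line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    event = {
        "action": m.group(1), "src": m.group(2), "dst": m.group(3),
        "service": m.group(4), "proto": m.group(5),
        "sport": m.group(6), "dport": m.group(7),
    }
    event.update(dict(KV_RE.findall(line)))
    return event


def is_known_false_positive(event: Dict[str, str], auth_servers: Optional[Set[str]] = None) -> bool:
    """True when the alert is sig 1052848 from a signature set older than the re-tuned release."""
    if event.get("signature_id") != FALSE_POSITIVE_SIG or "sig_vers" not in event:
        return False
    vers = parse_version(event["sig_vers"])
    fixed = FIXED_IN.get(vers[0])
    if fixed is None or vers >= fixed:
        return False  # unknown train, or already on a release without the rule
    if auth_servers is not None and event["src"] not in auth_servers:
        return False  # caller asked to match only Authentication Server sources
    return True


def triage(log_text: str, auth_servers: Optional[Set[str]] = None) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split IPS alerts into (known_false_positives, everything_else)."""
    flagged: List[Dict[str, str]] = []
    other: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or "signature_id" not in event:
            continue
        (flagged if is_known_false_positive(event, auth_servers) else other).append(event)
    return flagged, other


if __name__ == "__main__":
    fp, rest = triage(SAMPLE_LOG, auth_servers={"1.2.3.4"})
    for ev in fp:
        print(f"known FP: {ev['src']} -> {ev['dst']}:{ev['dport']} sig {ev['signature_id']} vers {ev['sig_vers']}")
    for ev in rest:
        print(f"review:   {ev['src']} -> {ev['dst']}:{ev['dport']} sig {ev['signature_id']} vers {ev['sig_vers']}")
```

Without the `auth_servers` filter the fourth sample line is also flagged, since the version check alone cannot distinguish SSO agent traffic from a real SMB brute-force attempt against the NAS; pass the Authentication Server IPs when you want the narrower match that mirrors the pattern described in the thread.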