IPS 4240 ATTACK DETAILS

Unanswered Question
Feb 19th, 2007

Dear All,

The following are the attack details I received from the customer. Before contacting Cisco, I posted here for your answers.

"

Date= 2007/02/16

Time= 22:44:13 Arab Standard Time

SIGID= 5081:0

5326:0

SIGNAME= WWW WinNT cmd.exe Access

Root.exe access

Victime= 192.168.100.1

AttackerAddress= 214.139.200.1

Please, how can I solve this issue?

swamy

edwakim Mon, 02/19/2007 - 08:12

Hi Swamy,

There are many things to think about. I may not cover everything in this message, but I will try to cover some basics.

Is the victim host (192.168.100.1) a Windows machine? If it is, is your IIS server patched so that it will not allow cmd.exe to work? Depending on the answer, you may not have to do anything. You may want to keep the alert to see what this attacker will try to do next, though.

If you want to stop/block the attack:

In your attack detail, you will find the attacker IP (214.139.200.1) and the victim IP address (192.168.100.1). I guess the IPS is located behind a NAT/PAT device.

If you are using inline mode, then you can do various deny inline actions.

If you are using promiscuous mode, you can configure the signature to request a block. You need to set up the router/cat6k/pix to put in the ACL/shun. You can always put in the shun/ACL manually as well.

Hope this helps.

Edward
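As an added illustration (not part of this thread and not a Cisco tool), the script below parses the alert record Swamy pasted, including the second SIGID/SIGNAME that spilled onto the following lines, and applies Edward's rule: a source outside the inside networks gets a shun/ACL entry, while a source inside them is flagged for investigation instead. The three inside networks come from Swamy's later post; the /24 masks and ACL number are assumptions.

```python
import ipaddress

# Constructed copy of the alert exactly as pasted in the question above.
# "Victime=" is kept as the sensor printed it; the second signature id and
# name are continuation lines without "=".
SAMPLE_ALERT = """Date= 2007/02/16
Time= 22:44:13 Arab Standard Time
SIGID= 5081:0
5326:0
SIGNAME= WWW WinNT cmd.exe Access
Root.exe access
Victime= 192.168.100.1
AttackerAddress= 214.139.200.1
"""

# Inside networks named later in the thread; /24 masks are an assumption.
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24")]

def parse_alert(text):
    """Turn the 'Key= value' dump into {key: [values]}.
    A line with no '=' is a continuation of the previous key."""
    fields, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            fields[key] = [value.strip()]
        elif key is not None:
            fields[key].append(line)
    return fields

def triage(text, acl_number=101):
    """Pair each SIGID with its SIGNAME and decide whether the source
    should be blocked at the PIX (shun) or router (ACL), per Edward's advice."""
    alert = parse_alert(text)
    sigs = list(zip(alert["SIGID"], alert["SIGNAME"]))
    attacker = ipaddress.ip_address(alert["AttackerAddress"][0])
    external = not any(attacker in net for net in INSIDE_NETS)
    # Only an outside source gets an automatic block; an inside source
    # probably means a compromised or misbehaving host to look at directly.
    block_cmds = []
    if external:
        block_cmds = ["shun %s" % attacker,
                      "access-list %d deny ip host %s any" % (acl_number, attacker)]
    return {"signatures": sigs, "attacker": str(attacker),
            "victim": alert["Victime"][0], "external": external,
            "block_cmds": block_cmds}
```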

arumugasamy Wed, 02/21/2007 - 04:38

Edward,

Thanks for your info. I will contact the customer and discuss those things.

Also, I want to know the following about IPS in-line setup.

1. IPS connected behind the PIX 525 firewall in in-line mode. An interface pair was created and 2 interfaces were made members of the pair. I assigned the pair to the engine. Here I did not do any tuning on the signature configuration. All the sigs are enabled by default. As soon as the IPS was placed in the network in-line, it stopped the network from going out; when I put it in bypass mode, then it was working. Please could you give the basic config to make the IPS work in in-line mode. The inside network is one with 3 networks (192.168.100.0, 101.0, 102.0).

The IPS inside interface sits in the 192.168.100.0 network; the other 2 networks are in 2 VLANs of the core switch 4507R. The IPS outside interface is in line with the PIX firewall failover pair. The firewall pair's outside connects to the internet router 3825 to the internet using ADSL.

I also want to know how to choose the sigs that are only required for the internal networks.

Waiting for your reply

Thanks in advance

swamy
