Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
530
Views
5
Helpful
7
Replies

CSMARS reporting ICMP traffic between hosts and Exchange Server

jrojas
Level 1
Level 1

‎02-13-2008 06:41 AM - edited ‎03-10-2019 03:59 AM

We recently added a CSMARS box to our infrastructure so it could correlate and report on our 4260's alerts. I've noticed that CSMARS is reporting on ICMP's from multiple hosts within our network sending ICMP packets to our Exchange server. The total amounts of packets are between 15 and 30 and then the ICMP's from the specific clients stop.

I know that Windows XP clients will send ICMP traffic to domain controllers in order to test connectivity and I'm wondering if we're seeing the same occurrence with our Exchange clients.

Thanks,

Javier

Labels:
0 Helpful
7 Replies 7

mhellman
Level 7
Level 7

‎02-13-2008 07:43 AM

It's probably normal, but it would help if you could get a trace and actually identify the ICMP type and code.

0 Helpful

jrojas
Level 1
Level 1
In response to mhellman

‎02-13-2008 08:49 AM

Thansk, I figured it was normal traffic. By trace do you mean a Etherreal capture?

Jav

0 Helpful

mhellman
Level 7
Level 7
In response to jrojas

‎02-13-2008 09:31 AM

yes, a network trace. I assume the events in MARS are firewall events and not IDS alarms?

0 Helpful

jrojas
Level 1
Level 1
In response to mhellman

‎02-13-2008 09:33 AM

Actually the reporting device is our 4260 IPS sensor. The probelm is that we have over 4000 hosts on our wan.

0 Helpful

mhellman
Level 7
Level 7
In response to jrojas

‎02-13-2008 10:13 AM

okay, that's good. It means you can get a trace on the sensor if you need to. so what signature is firing exactly? certain ICMP messages are quite normal on the network.

0 Helpful

jrojas
Level 1
Level 1
In response to mhellman

‎02-13-2008 12:48 PM

Hi, the signature that is firing is ICMP Flood

Signature ID: 2152/0. According to Cisco's site this signature should not fire under normal circumstances. However, when we first setup the IPS sensor it would deny all vpn users' access to our exchange server as the Win Nuke signature kept firing. Of course this was a false positive.

However, once I tweaked the CSMARS rule a bit the noise calmed down and it reported on two hosts that were trying to send ICMP floods to Google.

0 Helpful

mhellman
Level 7
Level 7
In response to jrojas

‎02-14-2008 07:19 AM

The flood signatures need to be tuned for your network. That specific signature fires when it detects more than 25 ICMP echo request (ping) packets per second being sent to a single host. In a larger network, this could fire on all sorts of apps.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card