02-13-2008 06:41 AM - edited 03-10-2019 03:59 AM
We recently added a CSMARS box to our infrastructure so it could correlate and report on our 4260's alerts. I've noticed that CSMARS is reporting on ICMP traffic from multiple hosts within our network sending ICMP packets to our Exchange server. The total number of packets is between 15 and 30, and then the ICMP packets from the specific clients stop.
I know that Windows XP clients will send ICMP traffic to domain controllers in order to test connectivity and I'm wondering if we're seeing the same occurrence with our Exchange clients.
Thanks,
Javier
02-13-2008 07:43 AM
It's probably normal, but it would help if you could get a trace and actually identify the ICMP type and code.
02-13-2008 08:49 AM
Thanks, I figured it was normal traffic. By trace do you mean an Ethereal capture?
Jav
02-13-2008 09:31 AM
Yes, a network trace. I assume the events in MARS are firewall events and not IDS alarms?
02-13-2008 09:33 AM
Actually the reporting device is our 4260 IPS sensor. The problem is that we have over 4000 hosts on our WAN.
02-13-2008 10:13 AM
Okay, that's good. It means you can get a trace on the sensor if you need to. So what signature is firing exactly? Certain ICMP messages are quite normal on the network.
02-13-2008 12:48 PM
Hi, the signature that is firing is ICMP Flood, Signature ID: 2152/0. According to Cisco's site this signature should not fire under normal circumstances. However, when we first set up the IPS sensor it would deny all VPN users' access to our Exchange server as the Win Nuke signature kept firing. Of course this was a false positive.
However, once I tweaked the CSMARS rule a bit the noise calmed down and it reported on two hosts that were trying to send ICMP floods to Google.
02-14-2008 07:19 AM
The flood signatures need to be tuned for your network. That specific signature fires when it detects more than 25 ICMP echo request (ping) packets per second being sent to a single host. In a larger network, this could fire on all sorts of apps.
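The two things the thread asks for, identifying the ICMP type/code from a trace and checking whether a burst actually exceeds the "more than 25 echo requests per second to a single host" threshold given for signature 2152/0, can be worked through offline. The script below is an added example written for this thread; it is not the sensor's own signature engine or any Cisco code, and the packet records, IP addresses and burst sizes in `build_sample_trace()` are constructed. It parses the type and code out of raw ICMP header bytes, builds a type/code histogram (the detail the second reply asked for), and then counts echo requests per destination per whole second, reporting only the destinations that cross the threshold. The 20-packet client burst spread over two seconds, similar to the 15 to 30 packets the poster saw, stays under the line; the constructed 40-packets-in-one-second burst does not.

```python
"""Added example for this thread (not Cisco's signature implementation).

Approximates the 2152/0 "ICMP Flood" condition stated in the thread: more
than 25 ICMP echo requests per second directed at one host.  Packet records
are (timestamp_seconds, src, dst, icmp_header_bytes); this record layout and
all sample traffic below are assumptions constructed for the example.
"""
from collections import defaultdict
import struct

ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request",
              11: "time-exceeded"}
ECHO_REQUEST = 8
FLOOD_THRESHOLD = 25  # packets per second per destination, per the thread


def parse_icmp_header(payload: bytes):
    """Return (type, code) from the first two bytes of an ICMP header."""
    if len(payload) < 4:
        raise ValueError("ICMP header needs at least 4 bytes")
    icmp_type, icmp_code = struct.unpack("!BB", payload[:2])
    return icmp_type, icmp_code


def describe(icmp_type: int, icmp_code: int) -> str:
    """Human-readable label such as 'echo-request/0'."""
    name = ICMP_TYPES.get(icmp_type, "type-%d" % icmp_type)
    return "%s/%d" % (name, icmp_code)


def summarize_types(records):
    """Histogram of ICMP type/code seen in the trace."""
    hist = defaultdict(int)
    for _, _, _, icmp in records:
        hist[describe(*parse_icmp_header(icmp))] += 1
    return dict(hist)


def find_floods(records, threshold=FLOOD_THRESHOLD):
    """Count echo requests per (destination, whole second) and return a sorted
    list of (dst, second, count) for buckets that exceed the threshold.
    Replies and other ICMP types are ignored, as only echo requests count."""
    counts = defaultdict(int)
    for ts, _src, dst, icmp in records:
        icmp_type, _code = parse_icmp_header(icmp)
        if icmp_type == ECHO_REQUEST:
            counts[(dst, int(ts))] += 1
    return sorted((dst, sec, n) for (dst, sec), n in counts.items()
                  if n > threshold)


def _icmp(icmp_type: int, seq: int) -> bytes:
    # type, code 0, checksum left zero (not validated here), id 1, sequence
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)


def build_sample_trace():
    """Constructed packet records; addresses are placeholders, not a real capture."""
    records = []
    # Client 10.0.0.21 pings the mail host 10.0.0.5 20 times over two seconds
    # (10 per second): a short burst like the thread describes, under 25/s.
    for i in range(20):
        records.append((100.0 + i * 0.1, "10.0.0.21", "10.0.0.5", _icmp(ECHO_REQUEST, i)))
    # A few echo replies back; type 0 never counts toward the flood.
    for i in range(5):
        records.append((100.0 + i * 0.1, "10.0.0.5", "10.0.0.21", _icmp(0, i)))
    # Host 10.0.0.77 sends 40 echo requests to 10.0.0.9 within one second:
    # this is the case that would exceed the 2152/0 threshold.
    for i in range(40):
        records.append((200.0 + i * 0.02, "10.0.0.77", "10.0.0.9", _icmp(ECHO_REQUEST, i)))
    return records


if __name__ == "__main__":
    trace = build_sample_trace()
    print("ICMP types seen:", summarize_types(trace))
    for dst, sec, n in find_floods(trace):
        print("flood candidate: %d echo requests to %s in second %d" % (n, dst, sec))
```

On a real capture the same two steps apply: first confirm the type/code (echo request 8/0 versus, say, destination unreachable 3/x), then bucket echo requests per destination per second; a client that sends 15 to 30 pings spread over a few seconds never reaches the per-second count the signature looks for, which is why tuning the threshold to the network matters more than the raw packet total MARS reports.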