IPS Attack

Jul 8th, 2008

I have an IPS 4255 with IOS 5.x; it is monitoring my Internet zone traffic. In my event viewer I am seeing a few IPs being considered as attacks towards my global IP addresses that are not being used in my network. These IPs are spare global IPs for future use.


Attack type is MSSQL Resolution Service Stack Overflow


Signature ID: 4703/0


I have the global IP address range x.x.x.x/24 and I am only using the first 10 IP addresses; the rest are not being used anywhere.


Why am I getting attacks on these IP addresses, and how do I prevent them?


mhellman Tue, 07/08/2008 - 07:26
User Badges:
  • Blue, 1500 points or more

It's a worm and it's UDP (SQLSlammer). You can't prevent it without an ACL/firewall before your IDS/IPS. If you're not vulnerable (and you wouldn't be unless you have MSSQL in your DMZ), just turn that signature off.

rhermes Tue, 07/08/2008 - 07:27
User Badges:
  • Gold, 750 points or more

Is your sensor behind your firewall?

wasiimcisco Wed, 07/09/2008 - 08:31

Thanks for the reply. My IPS is in front of the firewall, and it is monitoring only traffic that comes from the Internet.


rhermes Wed, 07/09/2008 - 11:22
User Badges:
  • Gold, 750 points or more

Although you will get a rich, constant stream of events from your sensor on the outside of your firewall, performing analysis like this on events that will (or should) be blocked by your firewall is usually not a useful expenditure of your time and effort.

TradeSecrets Fri, 07/11/2008 - 06:42
User Badges:
  • Bronze, 100 points or more

Hi there,


Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.


If your network is flat, creating more subnets will add security to your network.


Let me know if that helps.

~TS

attmidsteam Fri, 07/11/2008 - 08:51
User Badges:
  • Silver, 250 points or more

> Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.

> If your network is flat, creating more subnets will add security to your network.


That made no sense and didn't provide any assistance with wasiimcisco's issue.



wasiimcisco: Since your sensor is outside of the firewall and sig 4703 is UDP based, you will see many sweeps of this signature. If you are sure that you don't have UDP 1434 open on your firewall (and I really hope you don't) then you can simply create an event-action-filter for 0.0.0.0-255.255.255.255 to your public range (/24) with 'stop on match'. I would recommend placing the sensor behind your firewall and then you won't have to worry about tuning for traffic that won't make it past your firewall policy.
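
To make the filter logic concrete, here is an added Python model of how an event action filter like the one described above is evaluated: signature range, attacker range, victim range, the actions it removes, and stop-on-match ending the walk through later filters. This is not Cisco's code or configuration; the sample events are constructed, with 203.0.113.0/24 standing in for the poster's public /24, and the action names follow Cisco IPS naming.

```python
"""Model of IPS event action filter evaluation (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Event:
    sig_id: int
    attacker: str
    victim: str
    actions: set  # actions the signature would take before filtering


@dataclass
class Filter:
    sig_lo: int
    sig_hi: int
    attacker_range: tuple   # (first, last) address, inclusive
    victim_range: tuple
    actions_to_remove: set
    stop_on_match: bool = False


def in_range(addr, rng):
    lo, hi = (ipaddress.ip_address(a) for a in rng)
    return lo <= ipaddress.ip_address(addr) <= hi


def matches(flt, ev):
    return (flt.sig_lo <= ev.sig_id <= flt.sig_hi
            and in_range(ev.attacker, flt.attacker_range)
            and in_range(ev.victim, flt.victim_range))


def apply_filters(filters, ev):
    """Walk filters in order; each match strips its actions; stop-on-match ends the walk."""
    remaining = set(ev.actions)
    for flt in filters:
        if matches(flt, ev):
            remaining -= flt.actions_to_remove
            if flt.stop_on_match:
                break
    return remaining


ANY = ("0.0.0.0", "255.255.255.255")
# The filter from the thread: sig 4703, any attacker, victim anywhere in the public /24.
SLAMMER_FILTER = Filter(4703, 4703, ANY, ("203.0.113.0", "203.0.113.255"),
                        {"produce-alert"}, stop_on_match=True)
# A later filter for 4703 everywhere; skipped for /24 victims because of stop-on-match.
LATER_FILTER = Filter(4703, 4703, ANY, ANY, {"deny-packet-inline"})

SAMPLE_EVENTS = [  # constructed
    Event(4703, "198.51.100.9", "203.0.113.57", {"produce-alert", "deny-packet-inline"}),
    Event(4703, "198.51.100.9", "192.0.2.5", {"produce-alert", "deny-packet-inline"}),
    Event(2004, "198.51.100.9", "203.0.113.57", {"produce-alert"}),  # other signature
]


def remaining_actions(events=SAMPLE_EVENTS, filters=(SLAMMER_FILTER, LATER_FILTER)):
    return [sorted(apply_filters(filters, ev)) for ev in events]
```

The first event loses its alert (and keeps its inline deny, since the second filter is never reached); the second is outside the /24 and only the later filter applies; the third signature is untouched.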

TradeSecrets Fri, 07/11/2008 - 09:23
User Badges:
  • Bronze, 100 points or more

How do I remove stars? I want to take yours away. Another Cisco person without a clue.

attmidsteam Fri, 07/11/2008 - 09:38
User Badges:
  • Silver, 250 points or more

haha, I don't represent Cisco in any way. If you would like to provide useful information on this forum, I'm sure all would appreciate it but all you've done is trolled every thread and said that IPS is better than IDS.


BTW, # of posts here doesn't mean much so you don't have to reply to every thread. You get points when other forum members believe you have provided useful information.


For the record, I am a senior analyst at a large MSSP where we manage hundreds of IDS/IPS sensors; we write signatures, tune policies, conduct in-depth investigations, etc., with multiple vendors. We have many Cisco devices, which is why I post on NetPro occasionally, even though the signal-to-noise ratio here is not as high as I would hope.


TradeSecrets Fri, 07/11/2008 - 10:50
User Badges:
  • Bronze, 100 points or more

A. There is a lot of Fat in the IT security industry of people without a clue. Your title means nothing to me.


B. All I do is tune NIPS / HIPS


C. I don't care about points. I am just sharing information to secure America


D. Shared security services are like pissing in the wind; anyone who uses your service is a fool.
