Alerts in the IPS

Answered Question
Dec 31st, 2008

I am getting a lot of eDonkey traffic. Has anyone seen this before?

appInstanceId: 412
time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
subsigId: 0
sigDetails: UDP eDonkey Activity
marsCategory: Info/Misc
marsCategory: Info/UncommonTraffic/P2PFileShare
marsCategory: Info/UncommonTraffic/P2PFileShare/FileTransfer
interfaceGroup: vs0
vlan: 0
participants:
  attacker:
    addr: 10.100.2.117 locality=OUT
    port: 58766
  target:
    addr: 172.25.2.2 locality=OUT
    port: 53
    os: idSource=learned type=windows-nt-2k-xp relevance=relevant
summary: 2 final=true initialAlert=1230553111638101867 summaryType=Regular
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 2 events this interval ;
riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant
threatRatingValue: 53
interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1
protocol: udp

Correct Answer by rmeans about 8 years 4 months ago

Check out the following link:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=7202&signatureSubId=0&softwareVersion=6.0&releaseVersion=S341

Summary - this signature is obsolete and regularly fires on DNS traffic (port 53).

I would disable signature 7202 in your IPS configuration.

jnommensen Wed, 12/31/2008 - 10:12

I confirmed with packet captures that this fires on normal DNS traffic. I would disable it also or filter where applicable.
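As an added example (not code from the thread, from Cisco, or from either poster), the triage script below parses alert text in the format pasted in the question and flags signature 7202 alerts whose flow is UDP to or from port 53, the DNS false-positive pattern both replies describe. Alerts that do not match are kept aside so they can be checked against packet captures before the signature is disabled or filtered. The parser, the Alert dataclass and the second, constructed alert with a non-DNS port are assumptions of this example; the only values taken from the page are the fields of the posted alert.

```python
"""Triage helper for Cisco IPS signature 7202 (UDP eDonkey Activity) alerts.

Added example, not from the thread. It separates 7202 alerts that describe
plain UDP/53 traffic (the false-positive pattern the replies report) from
alerts that still deserve a packet-capture review.
"""
import re
from dataclasses import dataclass

# Alert text constructed from the fields shown in the original post.
SAMPLE_DNS_ALERT = """\
appInstanceId: 412
time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
subsigId: 0
sigDetails: UDP eDonkey Activity
participants:
  attacker:
    addr: 10.100.2.117 locality=OUT
    port: 58766
  target:
    addr: 172.25.2.2 locality=OUT
    port: 53
riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant
protocol: udp
"""

# Constructed variant: same signature, but the target port is an arbitrary
# high UDP port rather than 53, so it is not explained by the DNS pattern.
SAMPLE_OTHER_ALERT = SAMPLE_DNS_ALERT.replace("port: 53", "port: 4672")

EDONKEY_UDP_SIG = 7202  # signature id from the original post


@dataclass
class Alert:
    sig_id: int
    subsig_id: int
    description: str
    protocol: str
    attacker_addr: str
    attacker_port: int
    target_addr: str
    target_port: int


def parse_alert(text: str) -> Alert:
    """Parse the 'key: value' alert text, tracking which participant
    (attacker/target) the addr and port lines belong to."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # forum pastes often double-space the dump
        if line in ("attacker:", "target:"):
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if section and key in ("addr", "port"):
            fields[f"{section}_{key}"] = value
        else:
            fields[key] = value
    sig = fields["signature"]
    description = re.search(r"description=(.*?) id=", sig).group(1)
    sig_id = int(re.search(r"\bid=(\d+)", sig).group(1))
    return Alert(
        sig_id=sig_id,
        subsig_id=int(fields["subsigId"]),
        description=description,
        protocol=fields["protocol"].lower(),
        attacker_addr=fields["attacker_addr"].split()[0],  # drop locality=...
        attacker_port=int(fields["attacker_port"]),
        target_addr=fields["target_addr"].split()[0],
        target_port=int(fields["target_port"]),
    )


def is_dns_false_positive(alert: Alert) -> bool:
    """True when a 7202 alert describes UDP traffic to or from port 53."""
    return (
        alert.sig_id == EDONKEY_UDP_SIG
        and alert.protocol == "udp"
        and 53 in (alert.attacker_port, alert.target_port)
    )


def triage(alert_texts):
    """Split alert dumps into DNS false positives and alerts to review."""
    dns, review = [], []
    for text in alert_texts:
        alert = parse_alert(text)
        (dns if is_dns_false_positive(alert) else review).append(alert)
    return dns, review


if __name__ == "__main__":
    dns, review = triage([SAMPLE_DNS_ALERT, SAMPLE_OTHER_ALERT])
    print(f"{len(dns)} DNS false positive(s), {len(review)} alert(s) to review")
    for a in review:
        print(f"  review: sig {a.sig_id} {a.attacker_addr}:{a.attacker_port}"
              f" -> {a.target_addr}:{a.target_port}/{a.protocol}")
```

Feeding the script a day's worth of 7202 alerts before changing the signature shows whether every hit really is port 53 traffic; if the review list is empty, disabling or filtering the signature as both replies suggest loses nothing, and if it is not, those flows are the ones worth capturing.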
