Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
661
Views
0
Helpful
3
Replies

Alerts in the IPS

Go to solution
rmwhite59
Level 1
Level 1

‎12-31-2008 07:31 AM - edited ‎03-10-2019 04:26 AM

I am getting a lot of edonkey traffic, has anyone seen this before

appInstanceId: 412

time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00

signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128

subsigId: 0

sigDetails: UDP eDonkey Activity

marsCategory: Info/Misc

marsCategory: Info/UncommonTraffic/P2PFileShare

marsCategory: Info/UncommonTraffic/P2PFileShare/FileTransfer

interfaceGroup: vs0

vlan: 0

participants:

attacker:

addr: 10.100.2.117 locality=OUT

port: 58766

target:

addr: 172.25.2.2 locality=OUT

port: 53

os: idSource=learned type=windows-nt-2k-xp relevance=relevant

summary: 2 final=true initialAlert=1230553111638101867 summaryType=Regular

alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 2 events this interval ;

riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant

threatRatingValue: 53

interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1

protocol: udp

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rmeans
Level 3
Level 3

‎12-31-2008 08:54 AM

Check out the following link

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=7202&signatureSubId=0&softwareVersion=6.0&releaseVersion=S341

Summary - this signature is obsolete and regularly fires on DNS traffic (port 53).

I would disable signature 7202 in your IPS configuration.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
rmeans
Level 3
Level 3

‎12-31-2008 08:54 AM

Check out the following link

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=7202&signatureSubId=0&softwareVersion=6.0&releaseVersion=S341

Summary - this signature is obsolete and regularly fires on DNS traffic (port 53).

I would disable signature 7202 in your IPS configuration.

0 Helpful

Go to solution
jnommensen
Level 1
Level 1
In response to rmeans

‎12-31-2008 10:12 AM

I confirmed with packet captures that this fires on normal DNS traffic. I would disable it also or filter where applicable.

0 Helpful

Go to solution
john_peter
Level 1
Level 1
In response to jnommensen

‎01-05-2009 09:36 AM

you can disable this sig in IDM.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card