Alerts in the IPS

rmwhite59
Level 1

I am getting a lot of eDonkey traffic; has anyone seen this before?

appInstanceId: 412

time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00

signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128

subsigId: 0

sigDetails: UDP eDonkey Activity

marsCategory: Info/Misc

marsCategory: Info/UncommonTraffic/P2PFileShare

marsCategory: Info/UncommonTraffic/P2PFileShare/FileTransfer

interfaceGroup: vs0

vlan: 0

participants:

attacker:

addr: 10.100.2.117 locality=OUT

port: 58766

target:

addr: 172.25.2.2 locality=OUT

port: 53

os: idSource=learned type=windows-nt-2k-xp relevance=relevant

summary: 2 final=true initialAlert=1230553111638101867 summaryType=Regular

alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 2 events this interval ;

riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant

threatRatingValue: 53

interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1

protocol: udp

Accepted Solution

rmeans
Level 3

Check out the following link

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=7202&signatureSubId=0&softwareVersion=6.0&releaseVersion=S341

Summary - this signature is obsolete and regularly fires on DNS traffic (port 53).

I would disable signature 7202 in your IPS configuration.

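The accepted answer says signature 7202 is obsolete and fires on ordinary DNS (UDP/53), and a later reply suggests disabling it or filtering it where applicable. The following is an added example, not code from the thread or from Cisco: it parses alert dumps in the key: value layout shown in the original post, flags 7202/0 events whose UDP target port is 53 as the documented DNS false positive while leaving other 7202 hits for review, and builds the sensor CLI lines to disable the signature. The two sample alerts are constructed for the example (the second one, with a non-DNS port, is invented to show the other branch), and the CLI syntax is assumed from the IPS 6.x command tree (service signature-definition / signatures / status / enabled), so verify it against your sensor or just use IDM as the replies suggest.

```python
"""Triage Cisco IPS alert dumps for the obsolete UDP eDonkey signature (7202/0).

Added example for the thread above; not Cisco code. Sample alerts are
constructed, and the CLI snippet assumes IPS 6.x command syntax.
"""
import re

# Constructed sample: the first record mirrors the poster's alert (target port 53),
# the second is an invented 7202 hit on a non-DNS port that still deserves a look.
SAMPLE_ALERTS = """\
appInstanceId: 412
time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
subsigId: 0
participants:
attacker:
addr: 10.100.2.117 locality=OUT
port: 58766
target:
addr: 172.25.2.2 locality=OUT
port: 53
riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant
protocol: udp

appInstanceId: 412
time: Dec 30, 2008 23:01:10 UTC offset=-300 timeZone=GMT-05:00
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
subsigId: 0
participants:
attacker:
addr: 10.100.2.130 locality=OUT
port: 4672
target:
addr: 198.51.100.7 locality=OUT
port: 4665
riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant
protocol: udp
"""

# (sig, subsig) -> set of (protocol, target port) the thread documents as benign noise.
KNOWN_FALSE_POSITIVES = {(7202, 0): {("udp", 53)}}


def parse_alert(text):
    """Parse one 'key: value' alert record into a dict with attacker/target sub-dicts."""
    alert = {"attacker": {}, "target": {}}
    side = None  # which participant the next addr/port lines belong to
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("attacker", "target"):
            side = key
        elif key in ("addr", "port") and side:
            alert[side][key] = value.split()[0]  # drop 'locality=...' trailer
        elif key == "signature":
            m = re.search(r"\bid=(\d+)", value)
            alert["sig_id"] = int(m.group(1)) if m else None
            m = re.search(r"description=(.*?) id=", value)
            alert["description"] = m.group(1) if m else value
        elif key == "subsigId":
            alert["subsig_id"] = int(value)
        elif key == "riskRatingValue":
            alert["risk_rating"] = int(value.split()[0])
        else:
            alert[key] = value
    return alert


def triage(alert):
    """'false-positive' for a known-noisy sig/port pair, 'review' for the sig on
    another port, 'investigate' for anything not in the table."""
    key = (alert.get("sig_id"), alert.get("subsig_id"))
    proto = alert.get("protocol", "").lower()
    try:
        target_port = int(alert["target"].get("port", "-1"))
    except ValueError:
        target_port = -1
    if key not in KNOWN_FALSE_POSITIVES:
        return "investigate"
    if (proto, target_port) in KNOWN_FALSE_POSITIVES[key]:
        return "false-positive"
    return "review"


def triage_dump(dump):
    """Split a multi-record dump on blank lines and return (sig, attacker, target:port, verdict)."""
    results = []
    for record in re.split(r"\n\s*\n", dump.strip()):
        a = parse_alert(record)
        target = f"{a['target'].get('addr', '?')}:{a['target'].get('port', '?')}"
        results.append((a.get("sig_id"), a["attacker"].get("addr", "?"), target, triage(a)))
    return results


def ips_disable_commands(sig_id, subsig_id=0):
    """Sensor CLI to disable a signature (IPS 6.x syntax assumed; confirm on your sensor)."""
    return "\n".join([
        "configure terminal",
        "service signature-definition sig0",
        f"signatures {sig_id} {subsig_id}",
        "status",
        "enabled false",
        "exit",
        "exit",
        "exit",
    ])


if __name__ == "__main__":
    for row in triage_dump(SAMPLE_ALERTS):
        print(row)
    print(ips_disable_commands(7202))
```

Run it and the first record comes back as the DNS false positive while the second is left for review; the printed CLI is what you would type on the sensor (answer yes to "Apply Changes?" on the final exit) if you decide to disable 7202 outright rather than add an event action filter for port 53 only.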

3 Replies


I confirmed with packet captures that this fires on normal DNS traffic. I would disable it also or filter where applicable.

You can disable this sig in IDM.
