12-31-2008 07:31 AM - edited 03-10-2019 04:26 AM
I am getting a lot of eDonkey traffic. Has anyone seen this before?
appInstanceId: 412
time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
subsigId: 0
sigDetails: UDP eDonkey Activity
marsCategory: Info/Misc
marsCategory: Info/UncommonTraffic/P2PFileShare
marsCategory: Info/UncommonTraffic/P2PFileShare/FileTransfer
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 10.100.2.117 locality=OUT
port: 58766
target:
addr: 172.25.2.2 locality=OUT
port: 53
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
summary: 2 final=true initialAlert=1230553111638101867 summaryType=Regular
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 2 events this interval ;
riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant
threatRatingValue: 53
interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1
protocol: udp
12-31-2008 08:54 AM
Check out the following link
Summary - this signature is obsolete and regularly fires on DNS traffic (port 53).
I would disable signature 7202 in your IPS configuration.
12-31-2008 10:12 AM
I confirmed with packet captures that this fires on normal DNS traffic. I would disable it also or filter where applicable.
01-05-2009 09:36 AM
You can disable this sig in IDM.
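A triage sketch for the point made in the replies above, added as an example and not posted by anyone in this thread: it parses alerts in the text layout shown in the original post and counts how many signature 7202 hits have UDP port 53 as the target, which is the evidence to collect before disabling or filtering the signature. The sample records are constructed and trimmed to the fields used; `parse_alerts` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter
# Constructed sample in the layout of the alert posted above (trimmed fields).
SAMPLE = """\
appInstanceId: 412
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other
attacker:
port: 58766
target:
port: 53
protocol: udp
appInstanceId: 412
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other
attacker:
port: 40112
target:
port: 4672
protocol: udp
"""

def parse_alerts(text):
    """Split records on 'appInstanceId:'; keep sig id, protocol, per-role port."""
    alerts, cur, role = [], None, None
    for line in text.splitlines():
        key, _, val = (p.strip() for p in line.strip().partition(":"))
        if key == "appInstanceId":
            cur, role = {}, None
            alerts.append(cur)
        elif cur is None:
            continue  # ignore anything before the first record
        elif key in ("attacker", "target") and not val:
            role = key  # following addr/port lines belong to this participant
        elif key == "port" and role and val:
            cur[role + "_port"] = val.split()[0]
        elif key == "signature":
            m = re.search(r"\bid=(\d+)", val)
            cur["sig_id"] = int(m.group(1)) if m else None
        elif key == "protocol":
            cur["protocol"] = val
    return alerts

def triage(alerts, sig_id=7202):
    """Count sig_id alerts by whether the target is UDP port 53 (DNS)."""
    tally = Counter()
    for a in alerts:
        if a.get("sig_id") == sig_id:
            dns = a.get("protocol") == "udp" and a.get("target_port") == "53"
            tally["dns_port_53" if dns else "other"] += 1
    return dict(tally)
```

Calling `triage(parse_alerts(text))` on an exported alert log gives the split between DNS-bound hits and everything else for the signature.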