03-03-2009 10:13 PM - edited 03-10-2019 04:32 AM
What causes this signature to trigger?
I am not using any SQL services on host 172.19.107.55, I scanned the host for the worm, and IP 203.161.77.136 was never accessed from that host.
Any suggestions?
Event ID=1214348868918579818
Severity Level=3
Device Name=IDSM2CORE1
Receive Time=March 3, 2009 5:08:17 PM IST
Event UTC Time=March 3, 2009 11:42:52 AM UTC
Event Local Time=March 3, 2009 9:42:52 PM UTC
Sig ID=4704
Signature Name=MSSQL Resolution Service Heap Overflow
Subsig ID=0
Sig Details=MSSQL Resolution Service Heap Overflow
Sig Version=S161
Src Address=172.19.107.55
Src Port=0
Src Locality=OUT
Dst Address=203.161.77.136
Dst Port=0
Dst OS=unknown unknown (unknown)
Dst Locality=OUT
Summary Count=2
Interface=ge0_7
VLAN ID=25
Virtual Sensor=vs1
Actions=
Alarm Details=Regular Summary: 2 events this interval ;
Risk Rating=100 (TVR=high)
Threat Rating=100
Protocol=udp
03-09-2009 03:00 PM
Certain network traffic can trigger IPS signatures which use the regular expression feature of the ATOMIC.TCP signature engine, which may cause the IOS IPS device to crash. This may cause a denial of service resulting in disruption of network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability.
03-10-2009 06:51 AM
A little history: 4704-0 was released in S161, obsoletes 4702-0, and by default ships disabled.
It's a pretty specific signature, looking for a 0x08 byte followed by a long string sent to UDP port 1434, which causes heap corruption. This is CVE-2002-0649, as exploited by the Slammer/Sapphire worm.
Some more detail:
http://tools.cisco.com/security/center/viewAlert.x?alertId=4256
http://tools.cisco.com/security/center/viewAlert.x?alertId=5358
So the question that remains is: if the host is not infected, what is it sending via UDP port 1434 to 203.161.77.136, which appears to be some machine in Australia (at least that's where a traceroute leads me)? Whatever it's sending looks just like Slammer/Sapphire packets.
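As an added illustration (this is not part of the thread and not Cisco's signature code), the following Python sketch implements the check the reply describes: flag UDP datagrams to port 1434 whose first byte is 0x08 followed by a long string. The length threshold, the helper names (parse_udp, classify_ssrp, build_udp, scan) and the sample datagrams are my own assumptions; the real signature's regex and length criteria are not given on this page.

```python
import struct
from typing import List, Optional, Tuple

SSRP_PORT = 1434   # MS SQL Server Resolution Service listens here over UDP
OP_BROWSE = 0x02   # benign instance-enumeration request (normal client traffic)
OP_HEAP = 0x08     # opcode the heap-overflow signature keys on
LONG_STRING = 64   # assumed threshold for "long string"; the real sig's criterion is not on the page


def parse_udp(datagram: bytes) -> Tuple[int, int, bytes]:
    """Split a raw UDP datagram (8-byte header + data) into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    return src_port, dst_port, datagram[8:length]


def classify_ssrp(dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert name when the payload matches the 4704-style pattern, else None."""
    if dst_port != SSRP_PORT or not payload:
        return None
    opcode = payload[0]
    # opcode 0x08 followed by a string longer than the threshold -> heap overflow pattern
    if opcode == OP_HEAP and len(payload) - 1 >= LONG_STRING:
        return "MSSQL Resolution Service Heap Overflow"
    return None


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a UDP datagram with a zero checksum (checksum is optional over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def scan(datagrams: List[bytes]) -> List[Tuple[int, str]]:
    """Run the classifier over a list of datagrams and return (index, alert) pairs."""
    hits = []
    for i, d in enumerate(datagrams):
        _src, dst, payload = parse_udp(d)
        alert = classify_ssrp(dst, payload)
        if alert:
            hits.append((i, alert))
    return hits


# Constructed sample traffic (assumed for this example, not captured from the poster's network):
SAMPLES = [
    build_udp(53211, SSRP_PORT, bytes([OP_BROWSE])),                 # normal instance browse
    build_udp(53212, SSRP_PORT, bytes([OP_HEAP]) + b"MSSQLSERVER"),  # 0x08 but short: no match
    build_udp(53213, SSRP_PORT, bytes([OP_HEAP]) + b"A" * 200),       # 0x08 + long string: match
    build_udp(53214, 53, bytes([OP_HEAP]) + b"A" * 200),              # same bytes, wrong port
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLES):
        print(f"datagram {idx}: {name}")
```

Run as a script it reports only the third datagram. The point of the port check and the length threshold is the same one the reply makes: a benign SSRP browse to 1434 does not fire, and a long 0x08 message to any other port is not SSRP at all, so what the sensor saw must have been a long 0x08 string actually aimed at 1434.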
03-12-2009 09:43 PM
Hi Walter,
Thank you for your reply.
You are right, this IP is somewhere in Australia. There were alerts for other hosts to some different global IPs. I traced that IP through our proxy server logs, and it shows as an advertisement link on some web page.
I scanned the entire network with removal tools like FixSQLex and f-slammer.
I'm a bit confused about this; I don't know what action I should take other than blocking that port on the firewall...
Dinesh