False Positive? Or should I be worried?

Bittowolf
Level 1

We use an ASA 5510 as our firewall with an IDS security module. Upon running reports this morning I came across this and I am baffled.

Please see attached document.

What I want to know is why is it picking up an IP addy of 0.0.0.0 that's hitting our outside IP address of our state agency. Is this something I need to be concerned about?

5 Replies

rhermes
Level 7

Bittowolf

First thing I want to do is commend you on wanting to investigate your events. This is the reason why we have sensors. So few people ever put in the effort to look into what is getting hit and why.

The 0.0.0.0 address is a summary address. You'll see those frequently on flood and sweep signatures to summarize the list of attackers or victims.

You didn't mention what interfaces your ASA module is inspecting (you want to inspect on the inside of the firewall if you want to analyze events). I'd have to assume that your outside firewall interface is getting hit with a lot of ICMP traffic (something above the threshold of the sig that's firing). You might be curious what ICMP type is hitting your firewall; this could be an indicator of some other undiscovered network problem and not necessarily an attack.

Oh cool thanks! =)

I monitor the inside of our network; that's where most of the reports come from. Occasionally I will get something from the outside trying to get in. Here's the weird thing though. I don't get any ICMP sigs firing from an outside IP to the inside. More recent is this case I made in the OP, or outside IPs hitting our email or proxy server.

So you're saying that if it's NOT a security issue and maybe a network issue, then I may be getting this as a false positive?

Your sensor will report events for a variety of possible reasons. Some are actual security events that require investigation, at least to the extent of discovering if they were successful. Others can be network issues (which I suspect these may be) that should be addressed and fixed if possible. And then there's the garden variety of false positives that are really non-events that should be tuned down (or disabled). Discovering which category your events fall in requires you to dig into the events and see what's going on. Fortunately Cisco provides a good packet capture action you can enable on a per-signature basis. Review these pcaps in your favorite protocol analyzer to see who is doing what to whom.
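The triage rhermes describes (open the per-signature capture, see which ICMP types are hitting the outside interface and from how many sources, then decide whether it looks like a network problem, a sweep, or a non-event) can be scripted before the capture ever reaches Wireshark. The following is an added example, not code from this thread or from Cisco: it parses raw IPv4/ICMP packets with `struct` (no Ethernet framing, checksums ignored), tallies ICMP type/code per source against one victim address, reports whether the count would exceed a signature threshold, and applies a simple triage heuristic of my own. The packets, addresses, and threshold are all constructed test input; a real sensor pcap would be fed through a pcap reader first.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# ICMP types that usually indicate a network problem rather than a probe
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def build_ipv4_icmp(src, dst, icmp_type, icmp_code=0, payload=b""):
    """Build a raw IPv4 packet carrying an ICMP header (constructed test input,
    checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0) + payload
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + icmp


def parse_ipv4_icmp(raw):
    """Return (src, dst, icmp_type, icmp_code), or None if the bytes are not a
    complete IPv4 packet carrying ICMP."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if proto != 1 or len(raw) < ihl + 4:
        return None                     # not ICMP, or ICMP header truncated
    icmp_type, icmp_code = struct.unpack("!BB", raw[ihl:ihl + 2])
    return str(IPv4Address(src)), str(IPv4Address(dst)), icmp_type, icmp_code


def summarize_icmp(raw_packets, victim, threshold):
    """Tally ICMP traffic aimed at `victim`: counts per (type, code) and per
    source, plus whether the total crosses the signature's threshold.
    This is the per-source breakdown that a 0.0.0.0 summary event hides."""
    types, sources = Counter(), Counter()
    for raw in raw_packets:
        parsed = parse_ipv4_icmp(raw)
        if parsed is None:
            continue                    # skip non-ICMP or truncated packets
        src, dst, t, c = parsed
        if dst != victim:
            continue
        types[(t, c)] += 1
        sources[src] += 1
    total = sum(sources.values())
    return {"total": total, "types": dict(types), "sources": dict(sources),
            "over_threshold": total > threshold}


def classify(summary, many_sources=3):
    """Rough triage label (my own heuristic, not a sensor rule): mostly ICMP
    error messages points at a network issue; echo requests from many sources
    looks like a sweep; anything else goes to the analyst and the pcap."""
    total = summary["total"]
    if total == 0:
        return "no-events"
    errors = sum(n for (t, _c), n in summary["types"].items() if t in ICMP_ERROR_TYPES)
    echo = summary["types"].get((8, 0), 0)
    if errors / total >= 0.5:
        return "likely-network-issue"
    if echo / total >= 0.5 and len(summary["sources"]) >= many_sources:
        return "possible-sweep"
    return "review-pcap"


# Constructed capture: echo requests from two hosts, port-unreachables from a
# third, one packet for an unrelated destination, and one truncated packet.
VICTIM = "198.51.100.10"
SAMPLE = (
    [build_ipv4_icmp("203.0.113.5", VICTIM, 8) for _ in range(3)]
    + [build_ipv4_icmp("203.0.113.7", VICTIM, 8)]
    + [build_ipv4_icmp("192.0.2.44", VICTIM, 3, 3)] * 2
    + [build_ipv4_icmp("203.0.113.9", "198.51.100.99", 8)]
    + [b"\x00\x11"]
)

if __name__ == "__main__":
    s = summarize_icmp(SAMPLE, VICTIM, threshold=4)
    print(f"{s['total']} ICMP packets to {VICTIM}, over threshold: {s['over_threshold']}")
    for (t, c), n in sorted(s["types"].items()):
        print(f"  type {t} code {c}: {n}")
    for src, n in sorted(s["sources"].items()):
        print(f"  from {src}: {n}")
    print("triage:", classify(s))
```

The summary dictionary is the answer to "who is doing what to whom": a handful of echo requests spread across several sources reads very differently from a pile of destination-unreachable or time-exceeded messages from one router, and the second pattern is the kind of thing rhermes suggests fixing on the network rather than tuning out of the sensor.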

Okie Dokie... I use Wireshark so I'll do more investigation into this. I'll post results for info for other peeps.

