771 Views | 0 Helpful | 8 Replies

LMS 3.0 - icmp to external (public) IP address

mssnider, Level 1

Our security group is reporting Ping_sweep events from our LMS 3.0, Unix - Solaris 10, system to the DOD = 30.1.*.*

I am unable to locate this IP address range within the LMS application. Is there a way to figure out if LMS is actually pinging this IP address range? If so, and I do find it, how can I stop it?

I did just add this range to the Excluded devices file, but I didn't think it would help much...

Thanks,

8 Replies

Joe Clarke, Cisco Employee

Exactly what version of Common Services do you have? Depending on the version, you may have Discovery configured for ping sweeps. There is also a ping sweep capability in User Tracking. Go to Campus Manager > Admin > User Tracking > Acquisition > Ping Sweep to disable certain subnets.

LMS 3.0.1

Common Services 3.1.1

The server in question (OKCWSI) is the Slave server in a Master/Slave configuration.

I've double checked and the Common Services discovery is disabled = there is no discovery schedule configured for it at all. Maybe there is a better way to disable discovery?

User Tracking was enabled though; however, 30.1.X.X was not listed in the 'Exclude subnets from Ping Sweep' section. The only IPs in this list are our internal 10 nets and our public 161 * 167 networks. There are no 30 networks at all.

I'm not even sure how or why CiscoWorks would know about this subnet. We don't have a piece of this public address space at all.

I checked our firewall logs and I have verified that OKCWSI is doing a sweep of this network.

I'm stumped...

Thanks,

What does the sweep pattern look like?

Here is an excerpt:

<191>Oct 02 2009 10:00:46: %ASA-7-609001: Built local-host outside:30.1.104.1

<190>Oct 02 2009 10:00:46: %ASA-6-302020: Built outbound ICMP connection for faddr 30.1.104.1/0 gaddr 161.235.222.10/0 laddr OKCWSI/0

161.235.222.10 is the static translated IP for OKCWSI.

It starts with ICMP to 30.1.104.1 and goes through 30.1.104.254. It also scanned 30.1.101, 30.1.102 & 30.1.103. I assume it does more, but I was only looking at two hours' worth of firewall logs.

Post the NMSROOT/conf/csdiscovery/CSDiscovery-config.xml and NMSROOT/campus/etc/cwsi/RouterData.xml files.

I'm attaching the files you requested.

Thanks,

First, make sure UTMajorAcquisition is not running. Then, edit NMSROOT/campus/etc/cwsi/ut.properties, and check for a property:

UT.ExcludePingSweep

If it's not there, add it to the end of the file with the value:

UT.ExcludePingSweep=30.1.101.0-255.255.255.0:30.1.102.0-255.255.255.0:30.1.103.0-255.255.255.0:30.1.104.0-255.255.255.0

If such a property already exists, then append the value above to the end of the existing value after first appending a colon (':').

Once that property is in place, start a new UT acquisition, and see if the firewall records a sweep. If not, let LMS run for a while, and see if the sweep shows up again.
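As an added illustration (not code from the thread or from LMS), the following script checks the UT.ExcludePingSweep value against the ASA 302020 messages posted above: it parses the colon-separated network-mask pairs, extracts the outbound ICMP destinations from the log, reports any target the exclusion would not cover, and counts targets per /24 so the sweep pattern the security group flagged is visible. The ut.properties line and log lines are constructed samples modelled on the ones in the thread; that the property value is a list of network-mask pairs is an assumption drawn from its format.

```python
import ipaddress
import re
from collections import Counter

# Constructed ut.properties content in the format shown in the thread:
# colon-separated "network-mask" pairs (assumption based on the value's shape).
UT_PROPERTIES = (
    "UT.ExcludePingSweep=30.1.101.0-255.255.255.0:30.1.102.0-255.255.255.0:"
    "30.1.103.0-255.255.255.0:30.1.104.0-255.255.255.0\n"
)

# Constructed ASA log excerpt modelled on the %ASA-6-302020 line posted above.
ASA_LOG = """\
<190>Oct 02 2009 10:00:46: %ASA-6-302020: Built outbound ICMP connection for faddr 30.1.104.1/0 gaddr 161.235.222.10/0 laddr OKCWSI/0
<190>Oct 02 2009 10:00:46: %ASA-6-302020: Built outbound ICMP connection for faddr 30.1.104.2/0 gaddr 161.235.222.10/0 laddr OKCWSI/0
<190>Oct 02 2009 10:00:47: %ASA-6-302020: Built outbound ICMP connection for faddr 30.1.105.1/0 gaddr 161.235.222.10/0 laddr OKCWSI/0
"""

FADDR_RE = re.compile(
    r"%ASA-6-302020: Built outbound ICMP connection for faddr (\d+\.\d+\.\d+\.\d+)/"
)


def parse_exclude_ping_sweep(properties_text):
    """Return the networks listed in UT.ExcludePingSweep as ip_network objects."""
    nets = []
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "UT.ExcludePingSweep":
            for entry in filter(None, value.strip().split(":")):
                net, mask = entry.split("-", 1)  # "30.1.101.0-255.255.255.0"
                nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def icmp_targets(log_text):
    """Destination addresses (faddr) of outbound ICMP connections in 302020 messages."""
    matches = (FADDR_RE.search(line) for line in log_text.splitlines())
    return [ipaddress.ip_address(m.group(1)) for m in matches if m]


def unexcluded_targets(log_text, properties_text):
    """Sweep targets from the log that no excluded network covers (still reachable)."""
    nets = parse_exclude_ping_sweep(properties_text)
    return [str(ip) for ip in icmp_targets(log_text) if not any(ip in n for n in nets)]


def sweep_summary(log_text):
    """Count ICMP targets per /24: many hosts in one /24 is the Ping_sweep signature."""
    return Counter(
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in icmp_targets(log_text)
    )
```

Run against a real log export, a target reported by unexcluded_targets means the exclusion list needs another entry, and sweep_summary shows which /24s the server is still walking.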

The mystery 30.1 network ended up being loopbacks on some of our Lab devices. I removed them from LMS and I'm waiting on our security group to see if the ping sweeps stopped. I assume they will.

Otherwise, I'll proceed with your above recommendation.

Thanks for all of the information.
