03-01-2010 04:14 AM - edited 03-11-2019 10:15 AM
Dear Team,
We are continuously receiving the following event on a Cisco PIX firewall: "Deny IP spoof from (0.0.0.0) to x.x.x.x on interface intfx".
Request you to reply to the following queries:
1. Can the event specified be classified as an attack?
2. Are relevant IPS signatures available for detecting such events on the IPS device?
3. Will these events get triggered without enabling the ip verify reverse-path command on the firewall?
Thanks & Regards,
Arun.L
03-01-2010 08:31 AM
1. It could, since this is not a valid IP source.
2. There is 1104, but that is only for localhost. You can build your custom one as explained here http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ft_fwIDS.html
3. If you have the IPS signature catch these packets on the IPS, then yes, the reverse-path check will not be necessary on the ASA any more.
I hope it helps.
PK
03-01-2010 01:42 PM
You may collect captures and see which MAC address is responsible for sending these packets, then track it down and see what is wrong with it.
If it is on the inside you have good control over fixing the issue.
cap capin int inside match ip host 0.0.0.0 any
The match command will only work if you are running 7.2.4 and above on this PIX; otherwise please use an access-list to collect captures.
you can refer here: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0
The above command will collect a capture named capin for all packets sourced from or destined to IP address 0.0.0.0 on the inside interface.
sh cap capin detail
will give you the MAC address.
Then look at the ARP table to see which device owns it and see if you can track it down.
-KS
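The triage KS describes above (capture the 0.0.0.0-sourced packets, read the sending MAC from the capture detail, look the MAC up in the ARP table) can be scripted once the two outputs are pasted off the firewall. The following is an added example, not code from the original thread or from Cisco. The sample capture and ARP text are constructed, and the column layout of "show capture ... detail" and "show arp" is assumed from the 7.x output format rather than taken from the post. The classification step is added reasoning: a 0.0.0.0 source broadcast to 255.255.255.255 on UDP 68 to 67 is the normal DHCP discover of a client with no lease yet, while anything else from 0.0.0.0 is worth a visit to the sending host.

```python
import re

# Constructed sample of "show capture capin detail" output. The layout
# (a header line per packet with MACs and ethertype, then the L3/L4
# summary on the next line) is assumed from the 7.x "detail" format and
# is not taken from the original thread.
CAPTURE_DETAIL = """\
3 packets captured
   1: 10:22:31.101 0011.2233.4455 ffff.ffff.ffff 0x0800 Length: 342
      0.0.0.0.68 > 255.255.255.255.67:  udp 300
   2: 10:22:33.204 0011.2233.4455 ffff.ffff.ffff 0x0800 Length: 342
      0.0.0.0.68 > 255.255.255.255.67:  udp 300
   3: 10:22:40.517 00aa.bbcc.ddee 0050.56ab.cdef 0x0800 Length: 60
      0.0.0.0 > 10.1.1.1:  icmp: echo request
3 packets shown
"""

# Constructed sample of "show arp" output on the same firewall.
ARP_TABLE = """\
        inside 10.1.1.50 00aa.bbcc.ddee 120
        inside 10.1.1.1 0050.56ab.cdef 3600
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
HDR_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(" + MAC + r")\s+(" + MAC +
                    r")\s+0x[0-9a-f]+\s+Length:\s+(\d+)")
L3_RE = re.compile(r"^\s*(\S+)\s+>\s+(\S+):\s+(.*)$")
ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(" + MAC + r")\s+\d+")


def split_addr(token):
    """'10.1.1.1.80' -> ('10.1.1.1', 80); '10.1.1.1' -> ('10.1.1.1', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(text):
    """Return one dict per packet: source/destination MAC plus L3/L4 summary."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            current = {"num": int(m.group(1)), "src_mac": m.group(3), "dst_mac": m.group(4)}
            packets.append(current)
            continue
        m = L3_RE.match(line)
        if m and current is not None and "src_ip" not in current:
            current["src_ip"], current["src_port"] = split_addr(m.group(1))
            current["dst_ip"], current["dst_port"] = split_addr(m.group(2))
            current["info"] = m.group(3).strip()
    return packets


def parse_arp(text):
    """Map MAC -> (interface, ip) from 'show arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(3)] = (m.group(1), m.group(2))
    return table


def classify(pkt):
    """Label one 0.0.0.0-sourced packet. A UDP 68->67 broadcast is the normal
    DHCP discover/request of a client that has no lease yet; anything else
    sourced from 0.0.0.0 is flagged for a look at the sending host."""
    if (pkt["dst_ip"] == "255.255.255.255" and pkt["src_port"] == 68
            and pkt["dst_port"] == 67 and pkt["info"].startswith("udp")):
        return "dhcp-discover"
    return "unexpected"


def triage(capture_text, arp_text):
    """Group 0.0.0.0-sourced packets by sending MAC and attach the ARP entry
    (None when the MAC has no address yet) and an overall classification."""
    arp = parse_arp(arp_text)
    result = {}
    for pkt in parse_capture(capture_text):
        if pkt.get("src_ip") != "0.0.0.0":
            continue
        entry = result.setdefault(pkt["src_mac"], {"count": 0, "classes": set()})
        entry["count"] += 1
        entry["classes"].add(classify(pkt))
    for mac, entry in result.items():
        entry["arp"] = arp.get(mac)
        # a MAC is treated as benign only if every packet from it looked like DHCP
        entry["classification"] = ("dhcp-discover" if entry["classes"] == {"dhcp-discover"}
                                   else "unexpected")
    return result


if __name__ == "__main__":
    for mac, e in triage(CAPTURE_DETAIL, ARP_TABLE).items():
        owner = (f"{e['arp'][1]} on {e['arp'][0]}" if e["arp"]
                 else "no ARP entry (host may have no address yet)")
        print(f"{mac}: {e['count']} pkt(s), {e['classification']}, {owner}")
```

Paste the real "show capture capin detail" and "show arp" output into the two strings (or read them from files) and the script prints one line per sending MAC. A MAC with only DHCP-shaped packets and no ARP entry is the usual benign case; a MAC that already owns an address in the ARP table yet still emits packets from 0.0.0.0 is the one to chase down on the switch.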