IPS upnp signature

Unanswered Question
Apr 19th, 2010

Hello,

I have a LAN IDSM in promiscuous mode where I'm seeing too much of the below alerts. I've researched it and found out that it should be stopped, since it is a high severity alert! However, I guess summarization is preventing me from knowing the attacker and targets because of the 0.0.0.0 source and destination, right? Is this the case? And how can I solve it?

Should I disable summary for that specific signature? What's the best practice? Should it be stopped?

Regards

evIdsAlert: eventId=1262106216512606028  vendor=Cisco  severity=high 
  originator:  
    hostId: LAN-IDSM2 
    appName: sensorApp 
    appInstanceId: 25921 
  time: Mar 03, 2010 07:38:23 UTC  offset=60  timeZone=GMT+02:00 
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
    subsigId: 2 
    sigDetails: LOCATION \x3c100+ Chars> 
    marsCategory: Penetrate/BufferOverflow/Misc 
  interfaceGroup: vs0 
  vlan: 120 
  participants:  
    attacker:  
      addr: 0.0.0.0  locality=OUT 
      port: 1900 
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
    target:  
      addr: 0.0.0.0  locality=OUT 
      port: 1900 
      ipv6Address: ff02::c  locality=OUT 
      os:   idSource=unknown  type=unknown  relevance=unknown 
  actions:  
    denyPacketRequestedNotPerformed: true 
  riskRatingValue: 90  targetValueRating=medium 
  threatRatingValue: 90 
  interface: ge0_7 
  protocol: udp

evIdsAlert: eventId=1262106216512606029  vendor=Cisco  severity=high 
  originator:  
    hostId: LAN-IDSM2 
    appName: sensorApp 
    appInstanceId: 25921 
  time: Mar 03, 2010 07:38:38 UTC  offset=60  timeZone=GMT+02:00 
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
    subsigId: 2 
    sigDetails: LOCATION \x3c100+ Chars> 
    marsCategory: Penetrate/BufferOverflow/Misc 
  interfaceGroup: vs0 
  vlan: 120 
  participants:  
    attacker:  
      addr: 0.0.0.0  locality=OUT 
      port: 0 
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
    target:  
      addr: 0.0.0.0  locality=OUT 
      port: 0 
      ipv6Address: ::  locality=OUT 
      os:   idSource=unknown  type=unknown  relevance=unknown 
  summary: 24  final=true  initialAlert=1262106216512606028  summaryType=Regular 
  alertDetails: Regular Summary: 24 events this interval ; 
  riskRatingValue: 90  targetValueRating=medium 
  threatRatingValue: 90 
  interface: ge0_7 
  protocol: udp

k.abillama Mon, 04/19/2010 - 07:05

I understand that I have to patch the machines, but how can I know which machines should be patched if I'm getting a source and destination IP address of 0.0.0.0 on the IPS?

If I disable event summary for this specific sig, will I be able to see the source and destination ip addresses?

Jennifer Halim Mon, 04/19/2010 - 14:41

Yes, you are absolutely right. You would need to disable the "summarization" to see the source and destination IP.

k.abillama Thu, 04/22/2010 - 23:07

Hello,

I removed summarization on a signature basis by forcing it to be "fire all" instead of "summarize", but still the source and destination IP are 0.0.0.0.

What could it be? The customer is very picky and asking about it.

Please advise

Regards

Jennifer Halim Sat, 04/24/2010 - 00:52

Looking back at the event that you attached earlier, the attacker is using an IPv6 address:

   ipv6Address: fe80::9d91:b37c:be42:5387

racquel.mays Tue, 07/13/2010 - 14:24

Hello all,

Can someone please pick up on the last comment made? I am seeing the exact same signature in my IDS output with the attacker having an IPv6 IP. How do I resolve the IPv6 address to understand who is attacking me? From the fe80 I can tell it is a link-local IP, so the attacker must be from the inside?
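Added example (not from this thread or from Cisco): a small Python triage helper that reads an evIdsAlert record like the ones quoted above and pulls the usable address out of each participant when `addr` is 0.0.0.0, flags summary records (whose target is blanked to `::`), classifies fe80::/10 as link-local and ff02::c as the SSDP multicast group, and recovers the MAC when the interface ID is EUI-64 formed. The fe80 address in this thread is not EUI-64 formed (no ff:fe in the middle), so the helper returns no MAC for it; the IPv6 neighbor table of the switch or router on that VLAN is then the way to map it to a host. The sample record is constructed in the shape of the quoted alerts.

```python
import ipaddress
import re

# Constructed sample in the shape of the evIdsAlert records quoted in the thread
SAMPLE_ALERT = """evIdsAlert: eventId=1262106216512606028  severity=high
  participants:
    attacker:
      addr: 0.0.0.0  locality=OUT
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT
    target:
      addr: 0.0.0.0  locality=OUT
      ipv6Address: ff02::c  locality=OUT
  summary: 24  final=true  summaryType=Regular
"""

def parse_participants(text):
    """Map attacker/target to their 'key: value' fields (first token of the value)."""
    roles = {}
    for role, block in re.findall(r"^ {4}(attacker|target):[ \t]*\n((?: {6}.*\n)+)", text, re.M):
        roles[role] = dict(re.findall(r"^ +(\w+):\s*(\S+)", block, re.M))
    return roles

def host_address(p):
    """addr is 0.0.0.0 for IPv6 traffic, so use ipv6Address; '::' means it was blanked."""
    if p.get("addr", "0.0.0.0") != "0.0.0.0":
        return p["addr"]
    return None if p.get("ipv6Address", "::") == "::" else p["ipv6Address"]

def eui64_mac(address):
    """MAC behind an EUI-64 interface ID (ff:fe in the middle); None otherwise."""
    iid = ipaddress.ip_address(address).packed[8:]  # empty for IPv4, so falls through
    if iid[3:5] != b"\xff\xfe":
        return None  # randomised ID, as in the thread: use the neighbor table instead
    return ":".join(f"{b:02x}" for b in bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])

def classify(address):
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip == ipaddress.IPv6Address("ff02::c"):
        return "ssdp-multicast"  # UPnP discovery group, not a single victim host
    return "link-local" if ip.is_link_local else "unicast"  # link-local: same L2 segment

def triage(text):
    """Per role: (address, class, mac-or-None); plus whether this record is a summary."""
    out = {}
    for role, fields in parse_participants(text).items():
        addr = host_address(fields)
        out[role] = (addr, classify(addr), eui64_mac(addr)) if addr else None
    out["is_summary"] = bool(re.search(r"^\s*summary:\s*\d+", text, re.M))
    return out
```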
