IPS upnp signature

k.abillama
Level 1

Hello,

I have a LAN IDSM in promiscuous mode where I'm seeing too many of the below alerts. I've researched it and found out that it should be stopped, since it is a high severity alert! However, I guess summarization is preventing me from knowing the attacker and targets because of the 0.0.0.0 source and destination, right? Is this the case? And how can I solve it?

Should I disable summary for that specific signature? What's the best practice? Should it be stopped?

Regards

evIdsAlert: eventId=1262106216512606028  vendor=Cisco  severity=high 
  originator:  
    hostId: LAN-IDSM2 
    appName: sensorApp 
    appInstanceId: 25921 
  time: Mar 03, 2010 07:38:23 UTC  offset=60  timeZone=GMT+02:00 
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
    subsigId: 2 
    sigDetails: LOCATION \x3c100+ Chars> 
    marsCategory: Penetrate/BufferOverflow/Misc 
  interfaceGroup: vs0 
  vlan: 120 
  participants:  
    attacker:  
      addr: 0.0.0.0  locality=OUT 
      port: 1900 
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
    target:  
      addr: 0.0.0.0  locality=OUT 
      port: 1900 
      ipv6Address: ff02::c  locality=OUT 
      os:   idSource=unknown  type=unknown  relevance=unknown 
  actions:  
    denyPacketRequestedNotPerformed: true 
  riskRatingValue: 90  targetValueRating=medium 
  threatRatingValue: 90 
  interface: ge0_7 
  protocol: udp

evIdsAlert: eventId=1262106216512606029  vendor=Cisco  severity=high 
  originator:  
    hostId: LAN-IDSM2 
    appName: sensorApp 
    appInstanceId: 25921 
  time: Mar 03, 2010 07:38:38 UTC  offset=60  timeZone=GMT+02:00 
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
    subsigId: 2 
    sigDetails: LOCATION \x3c100+ Chars> 
    marsCategory: Penetrate/BufferOverflow/Misc 
  interfaceGroup: vs0 
  vlan: 120 
  participants:  
    attacker:  
      addr: 0.0.0.0  locality=OUT 
      port: 0 
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
    target:  
      addr: 0.0.0.0  locality=OUT 
      port: 0 
      ipv6Address: ::  locality=OUT 
      os:   idSource=unknown  type=unknown  relevance=unknown 
  summary: 24  final=true  initialAlert=1262106216512606028  summaryType=Regular 
  alertDetails: Regular Summary: 24 events this interval ; 
  riskRatingValue: 90  targetValueRating=medium 
  threatRatingValue: 90 
  interface: ge0_7 
  protocol: udp

6 Replies

Jennifer Halim
Cisco Employee

Best practice is to find out which Windows machines are affected and apply the patch accordingly; otherwise the machine will be vulnerable to the UPnP vulnerability as per the following:

http://tools.cisco.com/security/center/viewAlert.x?alertId=2986

I understand that I have to patch the machines, but how can I know which machines should be patched if I'm getting a source and destination IP address of 0.0.0.0 on the IPS?

If I disable event summary for this specific sig, will I be able to see the source and destination IP addresses?

Yes, you are absolutely right. You would need to disable the "summarization" to see the source and destination IP.

Hello,

I removed summarization on a signature basis by forcing it to fire all instead of summarize, but still the source and destination IP are 0.0.0.0.

What could it be? The customer is very picky and is asking about it.

Please advise

Regards

Looking back at the event that you have attached earlier, the attacker is using IPv6 address:

   ipv6Address: fe80::9d91:b37c:be42:5387
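The two points raised in this thread (a summary record hides the per-event participants, and the 0.0.0.0 addresses are placeholders because the traffic is actually IPv6) can be checked mechanically. The script below is an added example, not code from the original posts or from Cisco: it parses two constructed evIdsAlert records shaped like the ones posted above, flags the Regular Summary record, falls back to the ipv6Address field when addr is 0.0.0.0, labels ff02::c as the SSDP multicast group rather than a host, and tests whether the link-local attacker address embeds a MAC (modified EUI-64). The function names and the SAMPLE_ALERTS text are my own; the assumption, stated in the code, is that an address with a random interface ID (as here) has to be mapped to a MAC and switch port through the IPv6 neighbor cache on the router for VLAN 120, since nothing in the alert itself identifies the machine.

```python
import ipaddress
import re

# Constructed sample in the evIdsAlert layout of the two events posted above (one
# individual alert, one Regular Summary), trimmed to the fields this script reads.
SAMPLE_ALERTS = """\
evIdsAlert: eventId=1262106216512606028  vendor=Cisco  severity=high
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability
    subsigId: 2
  vlan: 120
    attacker:
      addr: 0.0.0.0  locality=OUT
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT
    target:
      addr: 0.0.0.0  locality=OUT
      ipv6Address: ff02::c  locality=OUT

evIdsAlert: eventId=1262106216512606029  vendor=Cisco  severity=high
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability
    subsigId: 2
  vlan: 120
    attacker:
      addr: 0.0.0.0  locality=OUT
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT
    target:
      addr: 0.0.0.0  locality=OUT
      ipv6Address: ::  locality=OUT
  summary: 24  final=true  initialAlert=1262106216512606028  summaryType=Regular
"""

FIELDS = {"event_id": r"eventId=(\d+)", "sig_id": r"signature:.*?\bid=(\d+)",
          "subsig_id": r"subsigId:\s*(\d+)", "vlan": r"vlan:\s*(\d+)"}

def parse_alerts(text):
    """One dict per evIdsAlert record: ids, VLAN, attacker/target fields, summary info."""
    records = []
    for chunk in re.split(r"(?m)^evIdsAlert:", text):
        if not chunk.strip():
            continue
        rec = {k: re.search(p, chunk).group(1) for k, p in FIELDS.items()}
        rec.update(attacker={}, target={}, summary=None)
        side = None
        for s in (line.strip() for line in chunk.splitlines()):
            if s.startswith(("attacker:", "target:")):
                side = s.split(":")[0]
            elif s.startswith("summary:"):  # summary records replace per-event detail
                m = re.match(r"summary:\s*(\d+).*?initialAlert=(\d+)", s)
                rec["summary"] = {"count": int(m.group(1)), "initial_alert": m.group(2)}
            elif side and s.startswith(("addr:", "ipv6Address:")):
                key, _, rest = s.partition(":")
                rec[side][key] = rest.split()[0]
        records.append(rec)
    return records

def effective_address(side):
    """addr is the 0.0.0.0 placeholder on IPv6 traffic; ipv6Address is the real one."""
    v4 = side.get("addr", "0.0.0.0")
    return v4 if v4 != "0.0.0.0" else side.get("ipv6Address", "::")

def classify(addr_str):
    """unspecified | multicast-ssdp | multicast | link-local-host | unicast-host"""
    a = ipaddress.ip_address(addr_str)
    if a.is_unspecified:  # :: or 0.0.0.0 - nothing was recorded
        return "unspecified"
    if a.is_multicast:  # ff02::c is the SSDP/UPnP discovery group, not a machine
        return "multicast-ssdp" if str(a) == "ff02::c" else "multicast"
    return "link-local-host" if a.is_link_local else "unicast-host"

def mac_from_eui64(addr_str):
    """MAC embedded in a modified-EUI-64 interface ID, or None for a random IID
    (Windows default). Assumption: a None here means the router's IPv6 neighbor
    cache for the VLAN is the place to map the address to a MAC and switch port."""
    iid = ipaddress.IPv6Address(addr_str).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def triage(text):
    """Per record: is it a summary, how many events it stands for, who the actor is."""
    rows = []
    for rec in parse_alerts(text):
        att, tgt = effective_address(rec["attacker"]), effective_address(rec["target"])
        rows.append({
            "event_id": rec["event_id"], "signature": f"{rec['sig_id']}/{rec['subsig_id']}",
            "vlan": rec["vlan"], "is_summary": rec["summary"] is not None,
            "summary_count": rec["summary"]["count"] if rec["summary"] else 1,
            "attacker": att, "attacker_kind": classify(att),
            "attacker_mac": mac_from_eui64(att) if ":" in att else None,
            "target": tgt, "target_kind": classify(tgt),
        })
    return rows

def hosts_to_trace(rows):
    """Attacker addresses that name a real machine (not a placeholder or multicast group)."""
    return {r["attacker"] for r in rows if r["attacker_kind"].endswith("host")}
```

Running `triage(SAMPLE_ALERTS)` shows the first record as a single event from fe80::9d91:b37c:be42:5387 to the SSDP group ff02::c, and the second as a summary standing for 24 events whose target has collapsed to ::. `hosts_to_trace` returns only the link-local attacker, and `mac_from_eui64` returns None for it because the interface ID is random, which is why the address cannot be turned into a MAC from the alert alone.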

Hello all,

Can someone please pick up on the last comment made? I am seeing the exact same signature in my IDS output with the attacker having an IPv6 address. How do I resolve the IPv6 address to understand who is attacking me? From the fe80 I can tell it is a link-local address, so the attacker must be from the inside?
