04-19-2010 06:23 AM - edited 03-10-2019 04:57 AM
Hello,
I have a LAN IDSM in promiscuous mode where I'm seeing too many of the below alerts. I've researched it and found out that it should be stopped, since it is a high-severity alert! However, I guess summarization is preventing me from knowing the attacker and targets because of the 0.0.0.0 source and destination, right? Is this the case? And how can I solve it?
Should I disable summary for that specific signature? What's the best practice? Should it be stopped?
Regards
evIdsAlert: eventId=1262106216512606028 vendor=Cisco severity=high
originator:
hostId: LAN-IDSM2
appName: sensorApp
appInstanceId: 25921
time: Mar 03, 2010 07:38:23 UTC offset=60 timeZone=GMT+02:00
signature: description=UPnP LOCATION Overflow id=4058 version=S433 type=vulnerability created=20050603
subsigId: 2
sigDetails: LOCATION \x3c100+ Chars>
marsCategory: Penetrate/BufferOverflow/Misc
interfaceGroup: vs0
vlan: 120
participants:
attacker:
addr: 0.0.0.0 locality=OUT
port: 1900
ipv6Address: fe80::9d91:b37c:be42:5387 locality=OUT
target:
addr: 0.0.0.0 locality=OUT
port: 1900
ipv6Address: ff02::c locality=OUT
os: idSource=unknown type=unknown relevance=unknown
actions:
denyPacketRequestedNotPerformed: true
riskRatingValue: 90 targetValueRating=medium
threatRatingValue: 90
interface: ge0_7
protocol: udp
evIdsAlert: eventId=1262106216512606029 vendor=Cisco severity=high
originator:
hostId: LAN-IDSM2
appName: sensorApp
appInstanceId: 25921
time: Mar 03, 2010 07:38:38 UTC offset=60 timeZone=GMT+02:00
signature: description=UPnP LOCATION Overflow id=4058 version=S433 type=vulnerability created=20050603
subsigId: 2
sigDetails: LOCATION \x3c100+ Chars>
marsCategory: Penetrate/BufferOverflow/Misc
interfaceGroup: vs0
vlan: 120
participants:
attacker:
addr: 0.0.0.0 locality=OUT
port: 0
ipv6Address: fe80::9d91:b37c:be42:5387 locality=OUT
target:
addr: 0.0.0.0 locality=OUT
port: 0
ipv6Address: :: locality=OUT
os: idSource=unknown type=unknown relevance=unknown
summary: 24 final=true initialAlert=1262106216512606028 summaryType=Regular
alertDetails: Regular Summary: 24 events this interval ;
riskRatingValue: 90 targetValueRating=medium
threatRatingValue: 90
interface: ge0_7
protocol: udp
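What subsignature 2 of sig 4058 actually matches, according to the sigDetails line in the posted events, is an SSDP message carrying a LOCATION header of 100 or more characters. The following is an added example, not code from the thread or from Cisco: a small SSDP (HTTPU) parser with that check, run over constructed datagrams, one of them a NOTIFY with an IPv6 LOCATION URL of the kind a UPnP host multicasts to ff02::c on UDP 1900 (the destination in the first event). The threshold boundary, the header matching and the sample URLs are assumptions; Cisco's exact matching rules are not given on the page.

```python
# Added example: the condition sig 4058 subsig 2 describes ("LOCATION <100+ Chars>"),
# applied to SSDP datagrams. Not Cisco's matching logic; the exact boundary and any
# normalisation the sensor applies are not stated in the alert.
SSDP_PORT = 1900
SSDP_GROUPS = {"239.255.255.250", "ff02::c"}      # IPv4 / IPv6 link-local SSDP multicast groups
LOCATION_THRESHOLD = 100                          # "100+ chars" read as at least 100 (assumption)


def parse_ssdp(payload):
    """Parse an HTTPU (SSDP) datagram into (start line, {lower-cased header: value}).
    Tolerates bare LF and a missing blank-line terminator; returns empty on non-SSDP bytes."""
    text = payload.decode("latin-1")              # never raises; SSDP is ASCII anyway
    head = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln]
    if not lines or not lines[0].startswith(("NOTIFY ", "M-SEARCH ", "HTTP/")):
        return "", {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def location_check(payload, threshold=LOCATION_THRESHOLD):
    """Return (fires, length, location) for one datagram payload."""
    start, headers = parse_ssdp(payload)
    loc = headers.get("location", "")
    return (start != "" and len(loc) >= threshold), len(loc), loc


def is_ssdp_flow(dst_addr, dst_port):
    """Multicast SSDP (NOTIFY / M-SEARCH) goes to a group on UDP 1900; unicast M-SEARCH
    responses go back to the searcher's own port, so only the multicast leg is filtered here."""
    return dst_port == SSDP_PORT and dst_addr.lower() in SSDP_GROUPS


# Constructed datagrams (not captures from the poster's network).
SAMPLES = {
    "ipv4_notify": (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
                    b"LOCATION: http://192.0.2.10:2869/upnphost/udhisapi.dll?content=uuid:1234\r\n"
                    b"USN: uuid:1234::upnp:rootdevice\r\n\r\n"),
    # An IPv6 literal with zone index plus a UUID pushes an ordinary device URL past 100 chars.
    "ipv6_notify": (b"NOTIFY * HTTP/1.1\r\nHOST: [ff02::c]:1900\r\n"
                    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
                    b"LOCATION: http://[fe80::9d91:b37c:be42:5387%11]:2869/upnphost/udhisapi.dll"
                    b"?content=uuid:2f402f80-da50-11e1-9b23-0123456789ab\r\n"
                    b"USN: uuid:2f402f80-da50-11e1-9b23-0123456789ab::upnp:rootdevice\r\n\r\n"),
    "oversized":   (b"NOTIFY * HTTP/1.1\r\nHOST: [ff02::c]:1900\r\nLOCATION: http://192.0.2.10/"
                    + b"A" * 300 + b"\r\n\r\n"),
    "not_ssdp":    b"\x00\x01\x02 definitely not HTTPU",
}


def run_samples(samples=SAMPLES):
    """Map each sample name to (fires, location length)."""
    return {name: location_check(p)[:2] for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fires, n) in run_samples().items():
        print(f"{name:12s} LOCATION={n:3d} chars  sig 4058/2 would fire: {fires}")
```

In the constructed samples, the IPv4 NOTIFY with the same device path stays well under 100 characters, while the IPv6 variant crosses the threshold purely because of the bracketed literal, zone index and UUID, which is worth keeping in mind when deciding whether a hit on this subsignature is an attack or a normal IPv6 advertisement.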
04-19-2010 06:33 AM
Best practice is to find out which Windows machines are affected and apply the patch accordingly; otherwise, the machine will be vulnerable to the UPnP vulnerability as per the following:
http://tools.cisco.com/security/center/viewAlert.x?alertId=2986
04-19-2010 07:05 AM
I understand that I have to patch the machines, but how can I know which machines should be patched if I'm getting a source and destination IP address of 0.0.0.0 on the IPS?
If I disable event summary for this specific sig, will I be able to see the source and destination IP addresses?
04-19-2010 02:41 PM
Yes, you are absolutely right. You would need to disable the "summarization" to see the source and destination IP.
04-22-2010 11:07 PM
Hello,
I removed summarization on a signature basis by forcing it to "fire all" instead of summarize, but still the source and destination IP are 0.0.0.0.
What could it be? The customer is very picky and is asking about it.
Please advise
Regards
04-24-2010 12:52 AM
Looking back at the event that you attached earlier, the attacker is using an IPv6 address:
ipv6Address: fe80::9d91:b37c:be42:5387
07-13-2010 02:24 PM
Hello all,
Can someone please pick up on the last comment made? I am seeing the exact same signature in my IDS output with the attacker having an IPv6 address. How do I resolve the IPv6 address to understand who is attacking me? From the fe80 I can tell it is a link-local address, so the attacker must be from the inside?
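The 0.0.0.0 values in the posted events are the IPv4 participant fields; the flow itself is IPv6 (source fe80::9d91:b37c:be42:5387, destination ff02::c, the link-local SSDP multicast group, UDP 1900), so the sensor fills in ipv6Address instead, and summarization only affects the second record. A link-local address is valid on exactly one link, so the sender is on the same segment the sensor sees (VLAN 120 in the event). The interface identifier in this address does not carry the ff:fe marker of a modified EUI-64 identifier, so no MAC can be read out of the address itself; it has to come from the IPv6 neighbor cache or switch tables on that VLAN. The following added example, not code from the thread or from Cisco, parses the participant lines of the posted events (trimmed excerpts, embedded as sample input), classifies each IPv6 address, and recovers a MAC only when the identifier really is EUI-64. The address fe80::211:22ff:fe33:4455 used to exercise that path is a made-up example.

```python
import ipaddress

# Excerpts of the two evIdsAlert records posted above (the un-summarized one and the
# summary), trimmed to the participant lines this script reads.
ALERT_FIRST = """\
evIdsAlert: eventId=1262106216512606028 vendor=Cisco severity=high
participants:
attacker:
addr: 0.0.0.0 locality=OUT
port: 1900
ipv6Address: fe80::9d91:b37c:be42:5387 locality=OUT
target:
addr: 0.0.0.0 locality=OUT
port: 1900
ipv6Address: ff02::c locality=OUT
protocol: udp
"""
ALERT_SUMMARY = """\
evIdsAlert: eventId=1262106216512606029 vendor=Cisco severity=high
participants:
attacker:
addr: 0.0.0.0 locality=OUT
port: 0
ipv6Address: fe80::9d91:b37c:be42:5387 locality=OUT
target:
addr: 0.0.0.0 locality=OUT
port: 0
ipv6Address: :: locality=OUT
summary: 24 final=true initialAlert=1262106216512606028 summaryType=Regular
protocol: udp
"""

SSDP_V6_GROUP = ipaddress.IPv6Address("ff02::c")   # link-local SSDP multicast group


def parse_participants(alert_text):
    """Walk the flattened 'key: value' lines and collect attacker/target fields."""
    parts = {"attacker": {}, "target": {}}
    current, summarized = None, False
    for line in alert_text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in parts:
            current = key
        elif key == "summary":
            summarized = True                  # ports/target are zeroed in the summary record
        elif current and key in ("addr", "port", "ipv6Address") and value:
            parts[current][key] = value.split()[0]   # drop the trailing "locality=OUT"
    return parts, summarized


def classify_v6(addr_str):
    a = ipaddress.IPv6Address(addr_str)
    if a.is_unspecified:
        return "unspecified"
    if a == SSDP_V6_GROUP:
        return "ssdp-multicast"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    return "other"


def mac_from_eui64(addr_str):
    """Recover the MAC from a modified-EUI-64 interface identifier (xx:xx:xx:ff:fe:xx:xx:xx),
    or return None when the IID is random/privacy-generated and carries no MAC."""
    iid = ipaddress.IPv6Address(addr_str).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                      # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:8])


def analyze(alert_text):
    parts, summarized = parse_participants(alert_text)
    result = {"summarized": summarized}
    for role in ("attacker", "target"):
        v6 = parts[role].get("ipv6Address")
        kind = classify_v6(v6) if v6 else None
        result[role] = {
            "ipv4": parts[role].get("addr"),
            "port": parts[role].get("port"),
            "ipv6": v6,
            "kind": kind,
            # A link-local source only proves the sender is on the sensor's own link/VLAN;
            # the MAC is recoverable from the address alone only for EUI-64 IIDs.
            "mac": mac_from_eui64(v6) if kind == "link-local" else None,
        }
    return result


if __name__ == "__main__":
    for name, text in (("first", ALERT_FIRST), ("summary", ALERT_SUMMARY)):
        print(name, analyze(text))
```

When the script reports a link-local source with no recoverable MAC, as it does for the posted address, the remaining step is a neighbor-cache lookup from a node that has an IPv6 interface on that VLAN (the promiscuous sensor itself does not): `ip -6 neigh show` on Linux, `netsh interface ipv6 show neighbors` on Windows, or `show ipv6 neighbors` on a Cisco IOS router with an SVI in the VLAN, then `show mac address-table address <mac>` on the switch to find the port.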