Alert Destination IP's - N/A

Unanswered Question
May 3rd, 2010

Hi,

I have recently started seeing a lot of high category alerts with no destination IP or port information.  Event types include the following:

TCP Hijack
Microsoft Plug and Play Overflow
TCP Segment Overwrite

Does anyone know why this type of alert occurs?  It is impossible to check target systems when destination information is unavailable.

Many thanks


Liam

Scott Fringer Mon, 05/03/2010 - 03:44

Liam;

  You can search for more information on various Cisco IPS signatures by visiting:

http://www.cisco.com/security

  Choose the 'Advanced Search' option and enter the signature ID.  This should help you better understand the specifics of the signatures that are firing.

  In regard to the missing data in the CS-MARS incidents, if the firing signatures are summary events, some details are consolidated to 0.0.0.0 for the IP address and 0 for the port information.  In these instances, CS-MARS cannot provide any further information since the raw event has no additional details.  Could you provide the raw message or one or two of these events for confirmation?

Scott

liamwalk1971 Mon, 05/03/2010 - 05:45

Hi Scott,

Thanks for the swift reply.

I checked the raw event details for a TCP Hijack alert

target: 
            addr:  0.0.0.0  locality="any" 
            port:  0 

Which seems to confirm your suspicions.  I'm just wondering what I can do with these event types - is this something I should be concerned about?

Many thanks

Liam

Scott Fringer Mon, 05/03/2010 - 05:58

Liam;

  That is certainly indicative of a summarized signature event.  If you look further into the raw message, you should see indication that this is a summary event, as well as the initial trigger event ID.  You may be able to determine a single source from the initial event - but in most instances, these events are generated due to behavior of the attacker, and you would want to investigate the attacker/source of the event if it is located within your control.  If you really want to investigate each, and every occurrence of the attack, you could disable summarization on the signature in question (set the Summary Mode to 'Fire All').  This has the potential to generate a large number of events, and should not be used long-term.  For the specific TCP Hijack signature, there are benign triggers explained on our IntelliShield site:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3250&signatureSubId=0&softwareVersion=6.0&releaseVersion=S394

  It is always good to be concerned over any incident that is reported prior to any investigation by yourself to understand the implications.  Upon determination of the underlying cause of the signature event, you may wish to continue getting alerts on the event, or you could create an event action filter on the IPS to stop alerting for specific IP addresses, or create a drop rule in the CS-MARS to only log the event to the database (or drop completely).

Scott
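A small triage script, added here as an example (not code from the thread or from Cisco), that applies Scott's point to raw events in the layout Liam quoted: a 0.0.0.0 target with port 0 marks a summary event, so the attacker address and the initial alert ID are the leads worth following. The attacker block and the summary/initialAlert field names are assumed for illustration and the sample events are constructed.

```python
import re
# Constructed sample in the raw-event layout quoted in the thread; the
# attacker block and the summary/initialAlert line are assumed field names.
RAW_EVENTS = """\
eventId: 1
attacker:
            addr:  192.0.2.10  locality="any"
            port:  44120
target:
            addr:  0.0.0.0  locality="any"
            port:  0
summary: 17 initialAlert: 1273000000123456

eventId: 2
attacker:
            addr:  192.0.2.10  locality="any"
            port:  44121
target:
            addr:  198.51.100.5  locality="any"
            port:  443
"""
KV = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")

def parse_events(raw):
    """Split on blank lines; nested addr/port lines become 'section.key'."""
    events = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        ev, section = {}, None
        for line in block.splitlines():
            m = KV.match(line)
            if not m:
                continue
            key, value = m.groups()
            if value == "":                 # "attacker:" / "target:" open a section
                section = key
            elif line[0].isspace() and section:
                ev[f"{section}.{key}"] = value.split()[0]  # drop locality="..."
            else:
                section, ev[key] = None, value
        events.append(ev)
    return events

def triage(ev):
    """0.0.0.0:0 target = summary event: target unknowable, so follow the attacker and initial alert."""
    is_summary = ev.get("target.addr") == "0.0.0.0" and ev.get("target.port") == "0"
    m = re.search(r"initialAlert:\s*(\d+)", ev.get("summary", ""))
    return {"eventId": ev.get("eventId"), "is_summary": is_summary,
            "investigate": ev["attacker.addr"] if is_summary else ev["target.addr"],
            "initial_alert": m.group(1) if m else None}
```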
