Alert Destination IPs - N/A

liamwalk1971
Level 1

Hi,

I have recently started seeing a lot of high category alerts with no destination IP or port information.  Event types include the following:

TCP Hijack
Microsoft Plug and Play Overflow
TCP Segment Overwrite

Does anyone know why this type of alert occurs?  It is impossible to check target systems when destination information is unavailable.

Many thanks


Liam

3 Replies

Scott Fringer
Cisco Employee

Liam;

  You can search for more information on various Cisco IPS signatures by visiting:

http://www.cisco.com/security

  Choose the 'Advanced Search' option and enter the signature ID.  This should help you better understand the specifics of the signatures that are firing.

  In regard to the missing data in the CS-MARS incidents, if the firing signatures are summary events, some details are consolidated to 0.0.0.0 for the IP address and 0 for the port information.  In these instances, CS-MARS cannot provide any further information since the raw event has no additional details.  Could you provide the raw message or one or two of these events for confirmation?

Scott

Hi Scott,

Thanks for the swift reply.

I checked the raw event details for a TCP Hijack alert

target: 
            addr:  0.0.0.0  locality="any" 
            port:  0 

Which seems to confirm your suspicions.  I'm just wondering what I can do with these event types - is this something I should be concerned about?

Many thanks

Liam

Liam;

  That is certainly indicative of a summarized signature event.  If you look further into the raw message, you should see indication that this is a summary event, as well as the initial trigger event ID.  You may be able to determine a single source from the initial event - but in most instances, these events are generated due to behavior of the attacker, and you would want to investigate the attacker/source of the event if it is located within your control.  If you really want to investigate each and every occurrence of the attack, you could disable summarization on the signature in question (set the Summary Mode to 'Fire All').  This has the potential to generate a large number of events, and should not be used long-term.  For the specific TCP Hijack signature, there are benign triggers explained on our IntelliShield site:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3250&signatureSubId=0&softwareVersion=6.0&releaseVersion=S394

  It is always good to be concerned over any incident that is reported prior to any investigation by yourself to understand the implications.  Upon determination of the underlying cause of the signature event, you may wish to continue getting alerts on the event, or you could create an event action filter on the IPS to stop alerting for specific IP addresses, or create a drop rule in the CS-MARS to only log the event to the database (or drop completely).

Scott
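A small triage helper illustrating the point made in this thread: an event whose target is 0.0.0.0 / port 0 is a summarized signature event, so the actionable item is the attacker/source address (and the initial trigger event, where present), not the target. This is an added example, not code from the thread or from Cisco; the raw events below are constructed in the indented "key: value" style quoted above, and the "attacker" block and the "summary: ... initialAlert=" line are assumed fields, not taken from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample raw events (not from the page). The target block mirrors the
# 0.0.0.0 / port 0 pattern quoted in the thread; attacker/summary fields are assumed.
RAW_EVENTS = """\
alert: id=3250 name="TCP Hijack"
    attacker:
        addr: 192.0.2.10 locality="OUT"
        port: 44321
    target:
        addr: 0.0.0.0 locality="any"
        port: 0
    summary: final=true initialAlert=1001 count=37
alert: id=3250 name="TCP Hijack"
    attacker:
        addr: 192.0.2.10 locality="OUT"
        port: 44322
    target:
        addr: 198.51.100.7 locality="IN"
        port: 443
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split indented raw text into events; each event is a flat dict keyed by
    dotted path (e.g. 'target.addr'), with the top line stored as '_header'."""
    events: List[Dict[str, str]] = []
    stack: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = (len(line) - len(line.lstrip(" "))) // 4   # 4 spaces per level
        key, _, value = line.strip().partition(":")
        stack = stack[:depth] + [key]
        if depth == 0:
            events.append({"_header": value.strip()})
        elif value.strip():
            events[-1][".".join(stack[1:])] = value.strip()
    return events


def first_token(field: str) -> str:
    return field.split()[0] if field else ""


def triage(event: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Flag summarized events (target 0.0.0.0 / port 0) and surface what is still
    investigable: the source address and the initial trigger event ID, if any."""
    summarized = (first_token(event.get("target.addr", "")) == "0.0.0.0"
                  and event.get("target.port") == "0")
    initial = re.search(r"initialAlert=(\S+)", event.get("summary", ""))
    return {
        "summarized": summarized,
        "attacker": first_token(event.get("attacker.addr", "")) or None,
        "target": None if summarized else first_token(event.get("target.addr", "")) or None,
        "initial_alert": initial.group(1) if initial else None,
    }
```

Running `[triage(e) for e in parse_events(RAW_EVENTS)]` marks the first event as summarized with only the source address and initial alert ID to chase, while the second keeps its real target.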
