New IPS deployment. What do these alerts mean

Unanswered Question
Jul 14th, 2010

I am getting several of these from different PCs on the network. This is a brand new deployment of an IPS in our core 6500. I need to know where to start tracking down what this is and if it's a false positive. I changed the attacker IP for this post, but they are coming from internal IPs on our network. I am also getting several from the same PC.





Event ID: 1278964938060722812
Severity: high
Host ID: isdm6500
Application Name: sensorApp
Event Time: 07/14/2010 08:23:37
Sensor Local Time: 07/14/2010 13:23:37
Signature ID: 13003
Signature Sub-ID: 1
Signature Name: AD - External TCP Scanner
Signature Version: S262
Signature Details: Worm Attack
Interface Group: vs0
VLAN ID: 0
Interface: ge0_7
Attacker IP: 1.1.1.1
Protocol: tcp
Attacker Port:
Attacker Locality: OUT
Target IP: 0.0.0.0
Target Port: 80
Target Locality: Unknown
Target OS:
Actions: denyPacketRequestedNotPerformed
Risk Rating: TVR=medium
Risk Rating Value: 100
Threat Rating: 100
Reputation:
Context Data:
Packet Data:
Event Summary: 0
Initial Alert:
Summary Type:
Final Alert:
Event Status: New
Event Notes:
Scott Fringer Wed, 07/14/2010 - 12:14
User Badges:
  • Cisco Employee,

Bill;

The best place to begin research for Cisco IPS signatures is our IntelliShield site:

http://www.cisco.com/security

You can look up any signature by ID by performing an Advanced Search.

For the signature you presented, the results can be found here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=91

This signature fires for a host that crosses a threshold for non-established TCP connections or unacknowledged SYN packets sent to multiple addresses on an identical TCP port and may indicate worm-like scanning.

It would be beneficial to investigate the host listed as the attacker and determine if this is expected behavior or if the host is compromised.

Scott

Diego Armando C... Tue, 07/27/2010 - 09:58
User Badges:
  • Bronze, 100 points or more

These signatures are related to Anomaly Detection, which is a very nice feature if you are able to create a perfect KB during the learning mode.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAD.html#wp1049627

Cisco states:

We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic.

So if you are able to create a KB during a time that you know that there are no attacks at all, go ahead; if not, you will be receiving a lot of false positives.


Is that right?

Scott Fringer Tue, 07/27/2010 - 10:22
User Badges:
  • Cisco Employee,

It's not that you will be receiving false positives, but false negatives. During the learning phase, if an attack is active, the higher traffic rate will be learned as the baseline. When traffic is tracked by the AD engine, it will be compared to this baseline, and in turn not fire a signature event since it potentially will not cross the learned threshold.

If there is concern that the baseline was learned during an active attack, it may be beneficial to remove the current KBs (initial cannot be removed) and force the AD engine to learn during a period you feel is more representative of normal traffic flow.


Scott
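To make the two points in this thread concrete, the firing condition Scott describes for the AD scanner signature (unanswered SYNs to many addresses on one TCP port) and the false negative that follows when the KB is learned while a sweep is already running, here is an added illustration that is not part of the original discussion and not Cisco's code. The sample events, the host addresses and the "highest count seen, doubled" threshold rule are constructed assumptions; the real AD engine uses its own histogram model.

```python
from collections import defaultdict

# Constructed half-open connection attempts (SYN sent, no SYN/ACK returned),
# as (attacker_ip, target_ip, target_port). Not real capture data; the
# hypothetical host 10.0.0.5 sweeps port 80 across 40 addresses.
SCAN = [("10.0.0.5", f"10.0.1.{i}", 80) for i in range(1, 41)]
# Ordinary hosts: a stray unanswered SYN or two, each to a different port/target.
NORMAL = [("10.0.0.9", "10.0.1.50", 80), ("10.0.0.9", "10.0.1.51", 443),
          ("10.0.0.12", "10.0.1.50", 80)]


def scanner_counts(events):
    """Per (attacker, port): how many distinct targets received an unanswered SYN.
    This is the quantity the signature text describes: unacknowledged SYNs
    sent to multiple addresses on an identical TCP port."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        targets[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items()}


def learn_kb(events):
    """Learning mode: derive the KB threshold from whatever traffic was observed.
    'Highest count seen, doubled' is an illustrative assumption, not the
    sensor's real algorithm; the point is that the baseline follows the input."""
    counts = scanner_counts(events)
    return 2 * max(counts.values(), default=0)


def detect(events, threshold):
    """Detection mode: hosts whose per-port distinct-target count exceeds the
    learned threshold, i.e. the condition under which the scanner signature fires."""
    return sorted({src for (src, dport), n in scanner_counts(events).items()
                   if n > threshold})


if __name__ == "__main__":
    # KB learned while only normal traffic was present: the sweep is caught.
    clean_kb = learn_kb(NORMAL)
    print("clean KB threshold:", clean_kb, "->", detect(SCAN + NORMAL, clean_kb))
    # KB learned while the sweep was already running: the sweep itself becomes
    # the baseline and the same traffic no longer fires (the false negative
    # described above).
    poisoned_kb = learn_kb(SCAN + NORMAL)
    print("poisoned KB threshold:", poisoned_kb, "->", detect(SCAN + NORMAL, poisoned_kb))
```

Run with a clean KB the sweeping host is reported; with the KB learned during the sweep, nothing is reported, which is why relearning the KB during a representative quiet period matters.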

Diego Armando C... Tue, 07/27/2010 - 10:26
User Badges:
  • Bronze, 100 points or more

Yes, you are right, it's false negatives, not positives.


Thanks.
