07-14-2010 07:11 AM - edited 03-10-2019 05:03 AM
I am getting several of these from different PCs on the network. This is a brand new deployment of an IPS in our core 6500. I need to know where to start tracking down what this is and if it's a false positive. I changed the attacker IP for this post, but they are coming from internal IPs on our network. I am also getting several from the same PC.
Event ID | 1278964938060722812 |
Severity | high |
Host ID | isdm6500 |
Application Name | sensorApp |
Event Time | 07/14/2010 08:23:37 |
Sensor Local Time | 07/14/2010 13:23:37 |
Signature ID | 13003 |
Signature Sub-ID | 1 |
Signature Name | AD - External TCP Scanner |
Signature Version | S262 |
Signature Details | Worm Attack |
Interface Group | vs0 |
VLAN ID | 0 |
Interface | ge0_7 |
Attacker IP | 1.1.1.1 |
Protocol | tcp |
Attacker Port | |
Attacker Locality | OUT |
Target IP | 0.0.0.0 |
Target Port | 80 |
Target Locality | Unknown |
Target OS | |
Actions | denyPacketRequestedNotPerformed |
Risk Rating | TVR=medium |
Risk Rating Value | 100 |
Threat Rating | 100 |
Reputation | |
Context Data | |
Packet Data | |
Event Summary | 0 |
Initial Alert | |
Summary Type | |
Final Alert | |
Event Status | New |
Event Notes | |
07-14-2010 12:14 PM
Bill,
The best place to begin research for Cisco IPS signatures is our IntelliShield site:
You can look up any signature by ID by performing an Advanced Search.
For the signature you presented, the results can be found here:
http://tools.cisco.com/security/center/viewAlert.x?alertId=91
This signature fires for a host that crosses a threshold for non-established TCP connections or unacknowledged SYN packets sent to multiple addresses on an identical TCP port and may indicate worm-like scanning.
It would be beneficial to investigate the host listed as the attacker and determine if this is expected behavior or if the host is compromised.
Scott
07-27-2010 09:58 AM
These signatures are related to Anomaly Detection, which is a very nice feature if you are able to create a perfect KB during the learning mode.
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAD.html#wp1049627
Cisco states:
We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic.
So if you are able to create a KB during a time that you know there are no attacks at all, go ahead; if not, you will be receiving a lot of false positives.
Is that right?
07-27-2010 10:22 AM
It's not that you will be receiving false positives, but false negatives. During the learning phase, if an attack is active, the higher traffic rate will be learned as the baseline. When traffic is tracked by the AD engine, it will be compared to this baseline, and in turn not fire a signature event since it potentially will not cross the learned threshold.

If there is concern that the baseline was learned during an active attack, it may be beneficial to remove the current KBs (initial cannot be removed) and force the AD engine to learn during a period you feel is more representative of normal traffic flow.
Scott
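To make the two points in Scott's replies concrete (a host crossing a threshold of non-established connections to many distinct addresses on one TCP port, and a baseline learned during an active scan producing false negatives), here is an added Python model. It is not code from the thread or from Cisco's AD engine: the flow record format, the "half"/"est" states, the threshold rule (twice the highest fan-out seen during learning, with a floor of 5) and all addresses are constructed for the example.

```python
"""Toy anomaly-detection model for TCP scanner fan-out (constructed example).

Imitates two ideas from the thread, not Cisco's implementation:
  * alert when one source has non-established connections to more distinct
    destinations on one TCP port than the learned threshold allows, and
  * learn that threshold from observed traffic, so that a baseline learned
    while a scan is running suppresses later alerts (a false negative).
"""
from collections import defaultdict
from math import ceil

# Constructed flow records: "src dst dport state", where state is
# "half" (SYN sent, handshake never completed) or "est" (handshake completed).
CLEAN_TRAFFIC = """\
10.0.0.5 10.0.1.10 80 est
10.0.0.5 10.0.1.11 80 half
10.0.0.5 10.0.1.12 80 est
10.0.0.6 10.0.1.10 80 est
10.0.0.6 10.0.1.20 80 half
10.0.0.6 10.0.1.21 80 half
10.0.0.7 10.0.1.30 443 est
""".splitlines()

# Constructed scan: one host sends SYNs to twelve distinct addresses on port 80
# and none of them complete the handshake, the pattern the signature describes.
SCAN_TRAFFIC = [f"10.0.0.9 10.0.2.{i} 80 half" for i in range(1, 13)]


def parse_flows(lines):
    """Turn 'src dst dport state' text lines into (src, dst, dport, state) tuples."""
    flows = []
    for line in lines:
        src, dst, dport, state = line.split()
        flows.append((src, dst, int(dport), state))
    return flows


def half_open_fanout(flows):
    """Count distinct destination addresses per (src, dport) among non-established connections."""
    fanout = defaultdict(set)
    for src, dst, dport, state in flows:
        if state == "half":
            fanout[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in fanout.items()}


def learn_kb(flows, multiplier=2.0, floor=5):
    """Learning phase: per-port threshold = max(floor, multiplier * highest fan-out observed).

    The multiplier and floor are assumptions of this example, not Cisco parameters.
    """
    peak = defaultdict(int)
    for (_src, dport), n in half_open_fanout(flows).items():
        peak[dport] = max(peak[dport], n)
    return {dport: max(floor, ceil(multiplier * n)) for dport, n in peak.items()}


def detect(flows, kb, default_threshold=5):
    """Detection phase: report sources whose fan-out on a port exceeds the learned threshold."""
    alerts = []
    for (src, dport), n in half_open_fanout(flows).items():
        threshold = kb.get(dport, default_threshold)
        if n > threshold:
            alerts.append({"attacker": src, "dport": dport,
                           "distinct_targets": n, "threshold": threshold})
    return alerts


def good_baseline_alerts():
    """KB learned from clean traffic only: the scan is visible."""
    kb = learn_kb(parse_flows(CLEAN_TRAFFIC))
    return detect(parse_flows(SCAN_TRAFFIC), kb)


def poisoned_baseline_alerts():
    """KB learned while the scan was running: the same scan no longer crosses the threshold."""
    kb = learn_kb(parse_flows(CLEAN_TRAFFIC + SCAN_TRAFFIC))
    return detect(parse_flows(SCAN_TRAFFIC), kb)


if __name__ == "__main__":
    print("clean KB   :", good_baseline_alerts())
    print("poisoned KB:", poisoned_baseline_alerts())
```

With the clean baseline the learned threshold for port 80 is 5 and the scanning host (12 distinct targets) is reported; with the scan included in the learning set the threshold rises to 24 and the identical scan produces no alert, which is the false-negative case Scott describes and the reason for relearning the KB over a period believed to be representative.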
07-27-2010 10:26 AM
Yes, you are right, it's false negatives, not positives.
Thanks.