08-11-2010 09:38 AM - edited 03-10-2019 05:05 AM
I am getting several of these from different workstations on my network. I need to find out if this is really worm outbreak behavior or indeed a false positive. I changed the attacker IPs for this post, but they are coming from internal IPs on my network.
Attacker Address | Attacker Port | Target Address | Target Port
10.0.0.1         |               | 0.0.0.0        | 443
10.0.0.1         |               | 0.0.0.0        | 443
10.0.0.1         |               | 0.0.0.0        | 443
10.0.0.1         |               | 0.0.0.0        | 443
10.0.0.1         |               | 0.0.0.0        | 443
10.0.0.1         |               | 0.0.0.0        | 443
10.0.0.2         |               | 0.0.0.0        | 443
10.0.0.2         |               | 0.0.0.0        | 443
10.0.0.2         |               | 0.0.0.0        | 443
10.0.0.2         |               | 0.0.0.0        | 443
10.0.0.3         |               | 0.0.0.0        | 80
10.0.0.3         |               | 0.0.0.0        | 80
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.4         |               | 0.0.0.0        | 443
10.0.0.5         |               | 0.0.0.0        | 80
10.0.0.5         |               | 0.0.0.0        | 80
10.0.0.5         |               | 0.0.0.0        | 80
10.0.0.5         |               | 0.0.0.0        | 80
10.0.0.6         |               | 0.0.0.0        | 80
10.0.0.6         |               | 0.0.0.0        | 80
10.0.0.7         |               | 0.0.0.0        | 443
10.0.0.7         |               | 0.0.0.0        | 443
10.0.0.7         |               | 0.0.0.0        | 443
10.0.0.7         |               | 0.0.0.0        | 443
10.0.0.8         |               | 0.0.0.0        | 443
10.0.0.8         |               | 0.0.0.0        | 443
10.0.0.8         |               | 0.0.0.0        | 443
10.0.0.8         |               | 0.0.0.0        | 443
Is this really the behavior of a worm outbreak? Or could it be that the "attackers" are establishing web/SSL connections to targets which are unknown or not tagged as the internal zone, hence by default the zone of the target is external, and as a result this signature was fired?
Seeking advice/views from the domain experts here. TIA.
08-17-2010 03:55 AM
Joseison;
These signatures key on hosts that are sending TCP SYN requests to multiple destinations in a single zone and not receiving the expected SYN-ACK in return within a specified time. The number of scanned destinations in turn crosses the configured/learned scanner threshold. Therefore it is key that the sensor see both directions of traffic, or there is a risk of false positive detection.
It is not likely these sources are creating legitimate connections, as the AD engine looks for the lack of the SYN-ACK as an indicator of scanning. This could be caused by hosts that are performing network management/vulnerability assessment duties. Again, the one concern is if the sensor is not seeing the return traffic for legitimate connections, and in turn the missing connection response is collected and the sensor considers this a potential worm activity. Ultimately, you will need to investigate the sources of the alerts (if within your control) to see if they are performing full connections to the destinations (perhaps through the use of Wireshark on the reported hosts).
You can find out more about the functionality of the anomaly detection engine here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_anomaly_detection.html
Scott
10-21-2010 11:58 PM
Scott,
I am also observing the same signatures getting fired through my IPS to destination ports 443 and 5222. I cross-checked the source machines and they don't use any scanner applications. I need to know why the destination address is showing as 0.0.0.0 and the interface name as sy0_0, which is not assigned to any of the interfaces.
Also, can this be worm activity from my internal zone?
Kiran
10-22-2010 05:47 AM
Kiran;
Yes, there is potential that these signature events indicate worm activity. The destination addresses are 0.0.0.0 because the sensor is only tracking the SYN activity from the hosts; it is not necessary to track the destination addresses. The hosts in question do not need to be running a scanning application to trigger this signature; that is simply a potential source of false positives. It is also possible that the "scanning" software is a worm looking for potential hosts to infect.
It is also possible, if the IPS is only seeing one direction of traffic (asymmetric traffic flows) and does not see the return SYN-ACK, that these signatures will fire. In such an environment it is usually necessary to disable the anomaly detection engine or work to correct the asymmetric traffic flow.
Scott
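The two mechanisms Scott describes above (a scanner alert keyed on SYNs that never receive a SYN-ACK, reported per source with the destination shown as 0.0.0.0, and the false positive that arises when the sensor sits on an asymmetric path and never sees the return SYN-ACK) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from the thread or from the Cisco IPS anomaly detection engine. The timeout, the scanner threshold, the zone map (anything outside 10.0.0.0/24 is treated as external, which is the situation the original poster suspected) and the flow records are all constructed for illustration.

```python
"""Simplified model of SYN-without-SYN-ACK scanner detection (added example,
not the IPS's own logic). Flow records are normalized tuples
(time, client, server, server_port, event) where event is "SYN" for the
client's request and "SYN-ACK" for the server's answer to that same pair."""
from collections import defaultdict

SYN_ACK_TIMEOUT = 2.0      # seconds to wait for a SYN-ACK (assumed value)
SCANNER_THRESHOLD = 3      # distinct unanswered destinations per (source, zone, port) (assumed)
INTERNAL_PREFIXES = ("10.0.0.",)   # constructed zone map; everything else defaults to external


def zone_of(ip):
    """Zone lookup: an address not tagged as internal falls back to 'external'."""
    return "internal" if ip.startswith(INTERNAL_PREFIXES) else "external"


def detect_scanners(flows, see_return_traffic=True):
    """Return one alert per (source, zone, port) whose count of distinct
    unanswered destinations reaches SCANNER_THRESHOLD.
    see_return_traffic=False models an asymmetric deployment in which the
    sensor never observes SYN-ACKs, so every connection looks unanswered."""
    pending = {}                      # (client, server, port) -> time of SYN
    unanswered = defaultdict(set)     # (client, zone, port) -> servers never answering
    alerts, alerted = [], set()

    def expire(now):
        # Any SYN older than the timeout with no matching SYN-ACK is a probe.
        for key in [k for k, t0 in pending.items() if now - t0 > SYN_ACK_TIMEOUT]:
            client, server, port = key
            del pending[key]
            bucket = (client, zone_of(server), port)
            unanswered[bucket].add(server)
            if len(unanswered[bucket]) >= SCANNER_THRESHOLD and bucket not in alerted:
                alerted.add(bucket)
                # Only the source is tracked, hence target 0.0.0.0 in the event.
                alerts.append({"attacker": client, "attacker_port": None,
                               "target": "0.0.0.0", "target_port": port,
                               "zone": bucket[1],
                               "unanswered": len(unanswered[bucket])})

    last = 0.0
    for t, client, server, port, event in sorted(flows, key=lambda f: f[0]):
        expire(t)
        last = t
        if event == "SYN":
            pending[(client, server, port)] = t
        elif event == "SYN-ACK" and see_return_traffic:
            pending.pop((client, server, port), None)   # handshake completed
    expire(last + SYN_ACK_TIMEOUT + 1)   # flush whatever is still unanswered
    return alerts


# Constructed sample: one host probing four external hosts with no replies,
# and one host making three ordinary HTTPS connections that are answered.
SAMPLE_FLOWS = [
    (0.00, "10.0.0.9", "192.0.2.1", 443, "SYN"),
    (0.10, "10.0.0.9", "192.0.2.2", 443, "SYN"),
    (0.20, "10.0.0.9", "192.0.2.3", 443, "SYN"),
    (0.30, "10.0.0.9", "192.0.2.4", 443, "SYN"),
    (1.00, "10.0.0.1", "198.51.100.5", 443, "SYN"),
    (1.05, "10.0.0.1", "198.51.100.5", 443, "SYN-ACK"),
    (1.20, "10.0.0.1", "198.51.100.6", 443, "SYN"),
    (1.25, "10.0.0.1", "198.51.100.6", 443, "SYN-ACK"),
    (1.40, "10.0.0.1", "198.51.100.7", 443, "SYN"),
    (1.45, "10.0.0.1", "198.51.100.7", 443, "SYN-ACK"),
]

if __name__ == "__main__":
    for label, sym in (("sensor sees both directions", True),
                       ("asymmetric path, no SYN-ACKs seen", False)):
        print(label)
        for a in detect_scanners(SAMPLE_FLOWS, see_return_traffic=sym):
            print("  %(attacker)s -> %(target)s:%(target_port)s "
                  "(%(zone)s zone, %(unanswered)d unanswered)" % a)
```

With both directions visible only 10.0.0.9 is reported; with the SYN-ACKs hidden, the perfectly ordinary client 10.0.0.1 is reported as well, which is the asymmetric-flow false positive. A capture on one of the reported hosts showing completed three-way handshakes to the destinations in question is the quickest way to tell the two cases apart.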
10-22-2010 06:02 AM
Scott,
Thanks a ton for updating me. Can you also let me know why this signature information shows an interface name that is not configured in my network? This is confusing me a lot, as other signatures carry the exact interface name that is assigned in the network.
Kiran
10-22-2010 06:08 AM
Kiran;
The information is tracked across all interfaces, and therefore is not limited to a single interface. The system simply summarizes to a system interface based on the signature firing logic; the detection is specific to the source IP address only.
Scott
10-22-2010 10:52 PM
Scott,
Thanks a lot. Thanks for putting me right.
Kiran