Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
353
Views
0
Helpful
2
Replies

Action 1202, 1204 and 1208 from 83.0.0.0

Go to solution
meether
Level 1
Level 1

‎11-27-2003 06:48 AM - edited ‎03-09-2019 05:40 AM

Hi,

I have an IDS 4210 4.1. In the event viewer alarms 1202, 1204 and 1208 fires with 83.0.0.0 as source ip adress and 0.0.0.57 as destination

I don't understand why my IDS see this IP ?

Can someone could help me please ?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎12-01-2003 02:18 PM

The 1202 alarm is for fragments where the datagram is too long

The 1204 alarm is for fragments where the first fragment of the datagram is missing.

The 1208 alarm is for fragments where the datagram is incomplete (one or more fragments are missing).

If you are seeing the 83.0.0.0 and 0.0.0.57 addresses for these alarms, then first determine if the sensor may actually be seeing these addresses on your network (somebody may be replaying packet traces with these addresses).

You can use the "iplog 0 83.0.0.0" and "iplog 0 0.0.0.57" to have the sensor iplog any packets to and from these addresses around the time that you are seeing these alarms.

Then use the "iplog-status" command to see if any packets are being logged for those ip logs.

If there are packets being logged for those addresses then there are packets with those addresses on your network.

Another thing to try would be to set Capture Packet to True for these signatures. On normal signatures the packet that triggered the alarm will be attached to the alarm.

In the case of these special signatures, I am not sure whether or not any packet will be attached, and if so which packet will be attached.

If a packet is attached then you can analyze the packet and determine what address was in the packet header.

If it turns out that these addresses are not on your network then you may be running into a sensor bug.

In version 3.1 sensors there was a bug for the following situation:

When the sensor generates the 1204 alarm, this means that the sensor did not see the first fragment for the datagram.

The first fragment is the one the sensor uses to fill in the Source IP Address, Destination IP Address, and ports in the alarm.

This information is in the other fragments as well, but the sensor still only pulls in the addresses from the first fragment (<-THIS IS REALLY WHAT THE BUG IS)

If in the case of the 1204 alarm, the first fragment is not seen, then the sensor will just fill in the field with random data.

This was fixed in later version of 3.1, but may have snuck back into version 4.0 or 4.1.

In which case 83.0.0.0 and 0.0.0.57 may just be the random data in those fields at the time that alert fired instead of the real IPs.

The 1204 signature woudl be the problem, and since the 1202 and 1208 are firing for the same datagram they will exhibit the same behaviour.

If you have verified that those addresses are not not on your network and believe that you may be running into a similar problem then please contact the TAC. They will work with development to verify what the problem is, and if necessary create a bug to track the problem.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎12-01-2003 02:18 PM

The 1202 alarm is for fragments where the datagram is too long

The 1204 alarm is for fragments where the first fragment of the datagram is missing.

The 1208 alarm is for fragments where the datagram is incomplete (one or more fragments are missing).

If you are seeing the 83.0.0.0 and 0.0.0.57 addresses for these alarms, then first determine if the sensor may actually be seeing these addresses on your network (somebody may be replaying packet traces with these addresses).

You can use the "iplog 0 83.0.0.0" and "iplog 0 0.0.0.57" to have the sensor iplog any packets to and from these addresses around the time that you are seeing these alarms.

Then use the "iplog-status" command to see if any packets are being logged for those ip logs.

If there are packets being logged for those addresses then there are packets with those addresses on your network.

Another thing to try would be to set Capture Packet to True for these signatures. On normal signatures the packet that triggered the alarm will be attached to the alarm.

In the case of these special signatures, I am not sure whether or not any packet will be attached, and if so which packet will be attached.

If a packet is attached then you can analyze the packet and determine what address was in the packet header.

If it turns out that these addresses are not on your network then you may be running into a sensor bug.

In version 3.1 sensors there was a bug for the following situation:

When the sensor generates the 1204 alarm, this means that the sensor did not see the first fragment for the datagram.

The first fragment is the one the sensor uses to fill in the Source IP Address, Destination IP Address, and ports in the alarm.

This information is in the other fragments as well, but the sensor still only pulls in the addresses from the first fragment (<-THIS IS REALLY WHAT THE BUG IS)

If in the case of the 1204 alarm, the first fragment is not seen, then the sensor will just fill in the field with random data.

This was fixed in later version of 3.1, but may have snuck back into version 4.0 or 4.1.

In which case 83.0.0.0 and 0.0.0.57 may just be the random data in those fields at the time that alert fired instead of the real IPs.

The 1204 signature woudl be the problem, and since the 1202 and 1208 are firing for the same datagram they will exhibit the same behaviour.

If you have verified that those addresses are not not on your network and believe that you may be running into a similar problem then please contact the TAC. They will work with development to verify what the problem is, and if necessary create a bug to track the problem.

0 Helpful

Go to solution
meether
Level 1
Level 1
In response to marcabal

‎12-02-2003 09:49 AM

I use "iplog 0 83.0.0.0" and "iplog 0 0.0.0.57" .

Alarms were fired by a windows XP computer with NWLink client installed on. It did a "local master annoucement".

Thanks

Eric

0 Helpful
Customers Also Viewed These Support Documents