
New Member

Conficker / Kido

I want to detect infected hosts for further isolation and curing.

I do not see any worms, but I am sure that the network is infected; every 30 minutes we are curing a host with KidoKiller.

I see a lot of these messages:

%IPS-4-SIGNATURE: Sig:6063 Subsig:0 Sev:25 DNS Incremental Zone Transfer [192.168.20.7:1154 -> 192.168.11.200:53] VRF:NONE RiskRating:25

Why?

I have done this:

ip ips config location flash:ips/ retries 1
ip ips notify SDEE
ip ips name km4ips
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
 category viruses/worms/trojans
  retired true
 category attack code_execution
  retired true
 category viruses/worms/trojans all-viruses/worms/trojans
  retired false
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.20.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip ips km4ips in
 ip ips km4ips out
 ip virtual-reassembly
 h323-gateway voip interface
 h323-gateway voip id MYRO ipaddr 192.168.99.254 1719
 h323-gateway voip h323-id vor@km4.ru
 h323-gateway voip tech-prefix 1#
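As an added example (not from the original post and not Cisco code), the following Python parses %IPS-4-SIGNATURE syslog lines of the shape quoted above and aggregates them per source host, which is the first step toward the isolation list the poster is after: the sample log lines are constructed, and the regex, the threshold and the function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Field layout follows the %IPS-4-SIGNATURE line quoted in the post; parser and names are assumptions.
IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)

# Constructed sample log (not captured from a real router); first line is the one quoted in the post.
SAMPLE_LOG = """\
%IPS-4-SIGNATURE: Sig:6063 Subsig:0 Sev:25 DNS Incremental Zone Transfer [192.168.20.7:1154 -> 192.168.11.200:53] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:6063 Subsig:0 Sev:25 DNS Incremental Zone Transfer [192.168.20.7:1155 -> 192.168.11.200:53] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:6063 Subsig:0 Sev:25 DNS Incremental Zone Transfer [192.168.20.31:1201 -> 192.168.11.200:53] VRF:NONE RiskRating:25
%IPS-4-SIGNATURE: Sig:6063 Subsig:0 Sev:25 DNS Incremental Zone Transfer [192.168.20.7:1156 -> 192.168.11.200:53] VRF:NONE RiskRating:25
%SYS-5-CONFIG_I: Configured from console by console
"""

def parse_ips_events(text):
    """One dict per well-formed %IPS-4-SIGNATURE line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPS_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sig", "subsig", "sev", "sport", "dport", "rr"):
                d[k] = int(d[k])
            events.append(d)
    return events

def alerts_by_source(events):
    """Source host -> Counter of (sig, subsig, name) it triggered."""
    by_src = defaultdict(Counter)
    for e in events:
        by_src[e["src"]][(e["sig"], e["subsig"], e["name"])] += 1
    return by_src

def fanout(events):
    """Source host -> distinct destination hosts; a client talking only to its DNS server fans out to 1."""
    dsts = defaultdict(set)
    for e in events:
        dsts[e["src"]].add(e["dst"])
    return {h: len(s) for h, s in dsts.items()}

def suspects(events, threshold=3):
    """Hosts with at least `threshold` alerts, sorted, as the list of isolation candidates."""
    totals = Counter(e["src"] for e in events)
    return sorted(h for h, n in totals.items() if n >= threshold)
```

Feed it the router's syslog export and review the per-host breakdown together with the fan-out count before isolating anything, since a host that only trips sig 6063 toward the site's DNS server looks different from one alerting against many destinations.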

2 REPLIES
Bronze

Re: Conficker / Kido

It may be due to many authentications due to IEV.

The reason for this...

1. IEV configured with an IOS-IPS device.

2. IEV configured to get latest events.

3. IEV logs in to router through https connection every n seconds to get latest events.

4. Each access causes a login attempt log in the accounting section of ACS.

This is expected behavior.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801c0e3c.shtml#tips

New Member

Re: Conficker / Kido

Thank you for your reply.

I do not have any IEV; I have configured IOS IPS using the CLI.

I am new to IOS IPS, could you please advise me how I can block Conficker. What I have done:

I have found signatures related to the Conficker worm and manually "enable and unretire" them... but they are not triggered. Other signatures are triggered, Conficker-related signatures are not. How can I solve it?
