CSA - Network Shield Rule Triggering for IGMP Packets

Hi,

Any ideas why this Network Shield Rule (for Malicious Packet) is getting triggered for these IGMP packets?

TESTMODE: A packet with malicious content was detected. Reason: Malicious packet. IGMP: 10.1.2.136->224.0.0.22 type 0x22. The operation would have been denied.

TESTMODE: A packet with malicious content was detected. Reason: Malicious packet. IGMP: 10.1.2.144->224.0.0.1 type 0x11. The operation would have been denied.

As far as I researched, 0x11 (Query) and 0x22 (v3Report) are valid IGMP packets.

Thanks,

Naman

2 REPLIES
Re: CSA - Network Shield Rule Triggering for IGMP Packets

I think these are benign (I'm assuming this is a NAT'd adapter?) and are legit multicast traffic. Since the rule is set to deny and log, you are getting the messages.

If they weren't going to a multicast address (in this case igmp.mcast.net), you might get concerned.

Tom
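
A triage helper for the events in this thread, added here as an example and not part of any post or of CSA: it parses the IGMP part of the log text, names the message type, and checks the destination along the lines the reply suggests. The names `triage`, `FIXED_DST` and the verdict strings are assumptions of this example, and the last two sample lines are constructed; type codes and fixed destinations follow RFC 2236 and RFC 3376.

```python
import ipaddress
import re

# IGMP message types from RFC 2236 and RFC 3376.
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "IGMPv2 Leave Group",
    0x22: "IGMPv3 Membership Report",
}
# Types always sent to one well-known group; queries and v1/v2 reports vary.
FIXED_DST = {0x17: "224.0.0.2", 0x22: "224.0.0.22"}

EVENT_RE = re.compile(r"IGMP: ([\d.]+)->([\d.]+) type (0x[0-9a-fA-F]+)")

def triage(line):
    """Return a dict describing the IGMP event in a log line, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    src, dst, igmp_type = m.group(1), m.group(2), int(m.group(3), 16)
    name = IGMP_TYPES.get(igmp_type)
    try:
        multicast = ipaddress.ip_address(dst).is_multicast
    except ValueError:
        return None  # destination is not a valid IP address
    if name is None:
        verdict = "review: unknown IGMP type"
    elif not multicast:
        verdict = "review: non-multicast destination"
    elif FIXED_DST.get(igmp_type, dst) != dst:
        verdict = "review: unexpected destination for this type"
    else:
        verdict = "consistent with normal IGMP"
    return {"src": src, "dst": dst, "type": name, "verdict": verdict}

SAMPLE = [
    # IGMP portion of the two events quoted in the question.
    "Reason: Malicious packet. IGMP: 10.1.2.136->224.0.0.22 type 0x22.",
    "Reason: Malicious packet. IGMP: 10.1.2.144->224.0.0.1 type 0x11.",
    # Constructed lines (not from the thread) to exercise the other verdicts.
    "Reason: Malicious packet. IGMP: 192.0.2.10->192.0.2.20 type 0x22.",
    "Reason: Malicious packet. IGMP: 192.0.2.10->224.0.0.1 type 0x22.",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```
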
