Community Member

IDM alert monitoring

Hi,

Monitoring the IDM alerts shows that one of the internal clients is attacking outside IP addresses. Could someone shed light on the above dynamics.

Thanks.

Said

evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
  originator:
    hostId: ips
    appName: sensorApp
    appInstanceId: 406
  time: Jul 29, 2008 12:50:48 UTC offset=0 timeZone=UTC
  signature: description=TCP SYN Host Sweep id=3030 version=S2
    subsigId: 0
    marsCategory: Probe/SpecificPorts
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 192.168.1.207 locality=OUT
      port: 4580
    target:
      addr: 66.150.11.50 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 68.180.219.138 locality=OUT
      os: idSource=learned type=bsd relevance=relevant
    target:
      addr: 74.201.95.4 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 72.247.169.161 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 207.230.151.254 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 216.252.124.207 locality=OUT
      os: idSource=learned type=bsd relevance=relevant
    target:
      addr: 67.228.69.100 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 208.43.2.146 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 66.196.126.101 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 69.22.167.239 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 216.73.87.152 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 12.130.60.4 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 66.94.234.72 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 216.145.50.247 locality=OUT
      os: idSource=unknown type=unknown relevance=relevant
    target:
      addr: 216.252.125.76 locality=OUT
      os: idSource=learned type=bsd relevance=relevant
    target:
      addr: 209.131.37.77 locality=OUT
      os: idSource=learned type=bsd relevance=relevant
  alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
  riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 31
  interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
  protocol: tcp

5 REPLIES
Silver

Re: IDM alert monitoring

A host sweep does not equal an attack. We don't have the destination port here so this could simply be outbound web traffic from a proxy server or outbound mail traffic from your mail server. Perform a packet display on the sensor to see what connections the above IP is making (look at the destination port) and also look for other events with this same source.
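Added example, not code from the thread: a small Python script that parses an evIdsAlert dump in the format pasted above and applies the triage this reply describes. Because the sweep alert carries no destination port, it correlates the sweep source with constructed connection records (the kind a packet display or firewall log would give) and reports which destination ports were used; the EXPECTED_PORTS mapping (web and mail ports as "expected" for a proxy or mail server) is an assumption drawn from the reply's hint.

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the alert format pasted in the question.
SAMPLE_ALERT = """\
evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
  signature: description=TCP SYN Host Sweep id=3030 version=S2
  participants:
    attacker:
      addr: 192.168.1.207 locality=OUT
      port: 4580
    target:
      addr: 66.150.11.50 locality=OUT
    target:
      addr: 68.180.219.138 locality=OUT
    target:
      addr: 74.201.95.4 locality=OUT
  riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
"""

# Constructed connection records (src, dst, dst_port) as a packet display or
# firewall log would show them; the sweep alert itself carries no destination port.
SAMPLE_CONNECTIONS = [
    ("192.168.1.207", "66.150.11.50", 80),
    ("192.168.1.207", "68.180.219.138", 80),
    ("192.168.1.207", "74.201.95.4", 443),
    ("10.0.0.5", "66.150.11.50", 80),  # unrelated host, must be ignored
]

# Assumed: ports a proxy or mail server would legitimately hit across many hosts.
EXPECTED_PORTS = {80: "web", 443: "web", 25: "mail"}


def parse_alert(text):
    """Pull signature, source and target addresses out of an evIdsAlert text dump."""
    sig = re.search(r"signature: description=(.+?) id=(\d+)", text)
    attacker = re.search(r"attacker:\s*addr:\s*(\S+)", text)
    targets = re.findall(r"target:\s*addr:\s*(\S+)", text)
    return {"signature": sig.group(1), "sig_id": int(sig.group(2)),
            "attacker": attacker.group(1), "targets": targets}


def triage_sweep(alert, connections):
    """Classify a host-sweep alert by the destination ports the source really used."""
    ports = Counter(dport for src, _, dport in connections if src == alert["attacker"])
    if not ports:
        return {"verdict": "unknown", "ports": {}, "unexplained": []}
    unexplained = sorted(p for p in ports if p not in EXPECTED_PORTS)
    verdict = "investigate" if unexplained else "likely benign"
    return {"verdict": verdict, "ports": dict(ports), "unexplained": unexplained}
```

A verdict of "unknown" means no connection data was found for the source, which is exactly the case the reply warns about: the alert alone cannot tell a proxy from a compromised host.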

Community Member

Re: IDM alert monitoring

Hi,

I had the exact same issue going on at my location, and there were two causes.

One was that we had a Blue Coat proxy, which uses multiple ports to refresh its website cache and for new requests.

The other cause was a machine that was infested with spyware.

If it is a user's machine, I would suggest downloading the Sysinternals Suite from Microsoft and doing a PSLOGGEDON \\ to see who is using that machine.

Jason

Community Member

Re: IDM alert monitoring

Jason,

Thanks.

Said

Community Member

Re: IDM alert monitoring

Jason,

I downloaded and unzipped Sysinternals Suite. Where do I type in PSLOGGEDON \\ ?

Community Member

Re: IDM alert monitoring

I ran a spyware program on the machines that "attacked" outside IPs. There was no spyware found.
