Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
372
Views
0
Helpful
2
Replies

IPS 4240 ATTACK DETAILS

arumugasamy
Level 1
Level 1

‎02-19-2007 07:52 AM - edited ‎03-10-2019 03:28 AM

Dear All,

The following is the attack detaisl i received from the customer. Before contact cisco i posted here for your answers.

"

Date= 2007/02/16

Time= 22:44:13 Arab Standard Time

SIGID= 5081:0

5326:0

SIGNAME= WWW WinNT cmd.exe Access

Root.exe access

Victime= 192.168.100.1

AttackerAddress= 214.139.200.1

Please how can i solve this issue .

swamy

Labels:
0 Helpful
2 Replies 2

edwakim
Cisco Employee
Cisco Employee

‎02-19-2007 08:12 AM

Hi Swamy,

There are many things to think about. I may not cover everything in this message but I will try to cover some basic.

Is the victim host (192.168.100.1) a windows machine? If it is, is your IIS server patched so that it will not allow cmd.exe to work? Depending on the answer, you may not have to do anything. You may want to keep the alert to see what this Attacker will try to do next though.

If you want to stop/block the attack.

In your attack detail, you will find attacker ip (214.139.200.1) and victim ip address (192.168.100.1). I guess IPS is located behind a NAT/PAT device.

If you are using inline mode, then you can do various deny inline actions.

If you are using promiscuous mode, you can configure signature to request block. You need to setup router/cat6k/pix to put acl/shun. You can always put the shun/acl manually as well.

Hope this helps.

Edward

0 Helpful

arumugasamy
Level 1
Level 1
In response to edwakim

‎02-21-2007 04:38 AM

Edward,

Thanks for your info. I will contact the customer and dscuss those things.

Also i want to know the following on IPS in-line

setup.

1.IPS Connected behind the firewall pix 525 in in-line mode. Interface pair was created and 2 interfaces are made members of the pair. I assigned the pair to the engine.Here i did not do anything tuning on signatue configuration. All the sig are enabled as default. As soon as the ips placed in the network in in-line it stop thenetwork to go out when i put in bypass mode then working. PLease could you give the basic config to make the IPS working in in-line mode. Inside the network is the one with 3 networks (192.168.100.0, 101.0, 102.0)

ips inside interface sits in 192.168.100.0 network then other 2 networs are in 2 vlans of the core switch 4507R.IPS outside interface in line with pix firewall failover pair. Firewal pair outside connect to the internet router 3825 to the internet using ADSL.

I want to know how to choose the sigs those are only required for the internal networks also.

Waiting for your reply

Thanks in advance

swamy

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card