02-19-2007 07:52 AM - edited 03-10-2019 03:28 AM
Dear All,
The following are the attack details I received from the customer. Before contacting Cisco, I posted here for your answers.
"
Date= 2007/02/16
Time= 22:44:13 Arab Standard Time
SIGID= 5081:0
5326:0
SIGNAME= WWW WinNT cmd.exe Access
Root.exe access
Victime= 192.168.100.1
AttackerAddress= 214.139.200.1
"
Please, how can I solve this issue?
swamy
02-19-2007 08:12 AM
Hi Swamy,
There are many things to think about. I may not cover everything in this message, but I will try to cover some basics.
Is the victim host (192.168.100.1) a Windows machine? If it is, is your IIS server patched so that it will not allow cmd.exe to work? Depending on the answer, you may not have to do anything. You may want to keep the alert to see what this attacker will try to do next, though.
If you want to stop/block the attack:
In your attack detail, you will find the attacker IP (214.139.200.1) and the victim IP address (192.168.100.1). I guess the IPS is located behind a NAT/PAT device.
If you are using inline mode, then you can do various deny inline actions.
If you are using promiscuous mode, you can configure the signature to request a block. You need to set up the router/Cat6k/PIX to put the ACL/shun in place. You can always put the shun/ACL in manually as well.
Hope this helps.
Edward
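As an added example, not part of this thread and not Cisco's tooling: a small Python script for Edward's first question (is the victim host actually letting cmd.exe or root.exe run?). It parses an alert record in the shape quoted above (field names copied from the post, including "Victime") and checks it against IIS W3C log lines from the victim, reporting each cmd.exe/root.exe request from the attacker address and the HTTP status IIS returned. The log lines, the 5-minute correlation window and the assumption that the IIS log is in UTC (the IIS default) while the alert time is Arab Standard Time (UTC+3) are constructed for this example.

```python
"""Triage an IPS 'cmd.exe / root.exe access' alert against IIS W3C logs.

Added example for this thread; not Cisco's code. The alert block copies the
field layout quoted in the post; the IIS log lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the alert format quoted in the thread.
ALERT_TEXT = """Date= 2007/02/16
Time= 22:44:13 Arab Standard Time
SIGID= 5081:0
5326:0
SIGNAME= WWW WinNT cmd.exe Access
Root.exe access
Victime= 192.168.100.1
AttackerAddress= 214.139.200.1"""

# Constructed IIS W3C extended log lines (IIS writes these in UTC by default).
IIS_LOG_TEXT = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-02-16 19:44:13 214.139.200.1 GET /scripts/root.exe /c+dir 404
2007-02-16 19:44:14 214.139.200.1 GET /scripts/cmd.exe /c+dir 404
2007-02-16 19:44:15 192.168.100.55 GET /index.html - 200
2007-02-16 19:44:16 214.139.200.1 GET /MSADC/root.exe /c+dir 200
2007-02-16 21:10:00 214.139.200.1 GET /scripts/root.exe /c+dir 404"""

# Arab Standard Time is UTC+3 (assumption: the sensor clock is in that zone).
AST = timezone(timedelta(hours=3))

# URI stems the two signatures in the alert are about.
SUSPECT_URI = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)


def parse_alert(text):
    """Parse 'Key= value' lines; a line without '=' continues the previous
    key (the alert lists its second SIGID and SIGNAME that way)."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            last = key.strip().lower()
            fields[last] = [value.strip()]
        elif last:
            fields[last].append(line)
    return fields


def alert_time_utc(alert):
    """Combine the Date and Time fields (local, AST) into a UTC datetime."""
    clock = alert["time"][0].split()[0]          # drop the zone name text
    local = datetime.strptime(alert["date"][0] + " " + clock, "%Y/%m/%d %H:%M:%S")
    return local.replace(tzinfo=AST).astimezone(timezone.utc)


def parse_iis_log(text):
    """Parse W3C extended log lines using the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def triage(alert, records, window=timedelta(minutes=5)):
    """Return the attacker's cmd.exe/root.exe requests within the window
    around the alert, with a verdict based on the HTTP status returned."""
    attacker = alert["attackeraddress"][0]
    t0 = alert_time_utc(alert)
    findings = []
    for r in records:
        if r["c-ip"] != attacker or not SUSPECT_URI.search(r["cs-uri-stem"]):
            continue
        when = datetime.strptime(r["date"] + " " + r["time"],
                                 "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if abs(when - t0) > window:
            continue
        status = r["sc-status"]
        # A 200 means IIS actually served the executable: the host needs
        # incident handling, not just a block of the source address.
        verdict = ("executable served: treat host as compromised" if status == "200"
                   else "request failed (status %s): probe only" % status)
        findings.append({"uri": r["cs-uri-stem"], "status": status, "verdict": verdict})
    return findings


def run():
    """Triage the constructed alert against the constructed log."""
    return triage(parse_alert(ALERT_TEXT), parse_iis_log(IIS_LOG_TEXT))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

If every matching request shows a 404 or 403, the alert is a probe against a patched server and blocking the source (inline deny or shun/ACL) is enough; any 200 against cmd.exe or root.exe means the box itself must be examined, regardless of what the sensor does next.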
02-21-2007 04:38 AM
Edward,
Thanks for your info. I will contact the customer and discuss those things.
Also, I want to know the following about the IPS inline setup.
1. The IPS is connected behind the PIX 525 firewall in inline mode. An interface pair was created and 2 interfaces are made members of the pair. I assigned the pair to the engine. Here I did not do any tuning on the signature configuration; all the sigs are enabled as default. As soon as the IPS was placed in the network inline, it stopped the network from going out; when I put it in bypass mode, it is working. Please could you give the basic config to make the IPS work in inline mode? The inside network is the one with 3 networks (192.168.100.0, 101.0, 102.0).
The IPS inside interface sits in the 192.168.100.0 network; the other 2 networks are in 2 VLANs of the core switch 4507R. The IPS outside interface is inline with the PIX firewall failover pair. The firewall pair's outside connects to the internet router 3825, which goes to the internet using ADSL.
I also want to know how to choose only the sigs that are required for the internal networks.
Waiting for your reply
Thanks in advance
swamy