07-08-2008 03:30 AM - edited 03-10-2019 04:11 AM
I have an IPS 4255 with IOS 5.x; it is monitoring my Internet zone traffic. In my event viewer I am seeing a few IPs being considered as attacks towards my global IP addresses that are not being used in my network. These IPs are spare global IPs for future use.
Attack type is MSSQL Resolution Service Stack Overflow
Signature ID: 4703/0
I have the global IP address range x.x.x.x/24 and only the first 10 IP addresses are in use; the rest are not used anywhere.
Why am I getting attacks on these IP addresses, and how do I prevent it?
07-08-2008 07:26 AM
It's a worm and it's UDP (SQLSlammer). You can't prevent it without an ACL/firewall before your IDS/IPS. If you're not vulnerable (and you wouldn't be unless you have MSSQL in your DMZ), just turn that signature off.
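The "ACL/firewall before your IDS/IPS" suggestion above, as an added example that is not part of this thread. It assumes a Cisco IOS border router on the Internet side of the sensor, an uplink interface named GigabitEthernet0/0, and 203.0.113.0/24 standing in for the poster's x.x.x.x/24 with the ten live hosts in the first /28; all three are placeholders. Signature 4703 fires on UDP/1434 (the MSSQL resolution service), so dropping that port, and everything else aimed at the unused addresses, before the sensor means it never sees the sweeps:

```text
! Added example, not from the thread. Interface name, ACL name and the
! 203.0.113.0/24 range are placeholders for the poster's environment.
ip access-list extended OUTSIDE-IN
 remark Drop MSSQL resolution-service probes (sig 4703, SQL Slammer) before the sensor sees them
 deny   udp any 203.0.113.0 0.0.0.255 eq 1434 log
 remark Only the first /28 holds live hosts; everything else in the /24 is unused
 permit ip any 203.0.113.0 0.0.0.15
 deny   ip any 203.0.113.0 0.0.0.255 log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group OUTSIDE-IN in
!
! Check that the deny entries are matching worm traffic:
! show ip access-list OUTSIDE-IN
```

The `log` keyword on the deny lines is only for confirming the ACL is doing what you expect; remove it once the hit counters show the probes being dropped, since a worm sweep can generate a large volume of log messages.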
07-08-2008 07:27 AM
Is your sensor behind your firewall?
07-09-2008 08:31 AM
Thanks for the reply. My IPS is in front of the firewall, and it is monitoring only traffic that comes from the Internet.
07-09-2008 11:22 AM
Although you will get a rich, constant stream of events from your sensor on the outside of your firewall, performing analysis like this on events that will (or should) be blocked by your firewall is usually not a useful expenditure of your time and effort.
07-11-2008 06:42 AM
Hi there,
Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.
If your network is flat, creating more subnets will add security to your network.
Let me know if that helps.
~TS
07-11-2008 08:51 AM
>Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.
>If your network is flat, creating more subnets will add security to your network.
That made no sense and didn't provide any assistance to wasiimcisco's issue.
wasiimcisco: Since your sensor is outside of the firewall and sig 4703 is UDP based, you will see many sweeps of this signature. If you are sure that you don't have UDP 1434 open on your firewall (and I really hope you don't) then you can simply create an event-action-filter for 0.0.0.0-255.255.255.255 to your public range (/24) with 'stop on match'. I would recommend placing the sensor behind your firewall and then you won't have to worry about tuning for traffic that won't make it past your firewall policy.
07-11-2008 09:23 AM
How do I remove stars, I want to take yours away. Another Cisco person without a clue
07-11-2008 09:38 AM
haha, I don't represent Cisco in any way. If you would like to provide useful information on this forum, I'm sure all would appreciate it, but all you've done is troll every thread and say that IPS is better than IDS.
BTW, # of posts here doesn't mean much so you don't have to reply to every thread. You get points when other forum members believe you have provided useful information.
For the record I am a senior analyst at a large MSSP where we manage hundreds of IDS/IPS sensors; write signatures, tune policies, conduct in-depth investigations, etc with multiple vendors. We have many Cisco devices which is why I post on NetPro occasionally even though the signal to noise ratio here is not as high as I would hope.
07-11-2008 10:50 AM
A. There is a lot of fat in the IT security industry, people without a clue. Your title means nothing to me.
B. All I do is tune NIPS / HIPS
C. I don't care about points. I am just sharing information to secure America
D. Shared security services are like pissing in the wind; anyone who uses your service is a fool.