Cisco Support Community
Community Member

IPS Attack

I have an IPS 4255 with IOS 5.x; it is monitoring my Internet zone traffic. In my event viewer I am seeing a few IPs being considered as attacks towards my global IP addresses that are not being used in my network. These IPs are spare global IPs for future use.

Attack type is MSSQL Resolution Service Stack Overflow

Signature ID: 4703/0

I have the global IP address range x.x.x.x/24 and I am using only the first 10 IP addresses; the rest are not being used anywhere.

Why am I getting attacks on these IP addresses, and how do I prevent it?

9 REPLIES
Gold

Re: IPS Attack

It's a worm and it's UDP (SQLSlammer). You can't prevent it without an ACL/firewall before your IDS/IPS. If you're not vulnerable (and you wouldn't be unless you have MSSQL in your DMZ), just turn that signature off.

Gold

Re: IPS Attack

Is your sensor behind your firewall?

Community Member

Re: IPS Attack

Thanks for the reply. My IPS is in front of the firewall, and it is monitoring only traffic that comes from the Internet.

Gold

Re: IPS Attack

Although you will get a rich, constant stream of events from your sensor on the outside of your firewall, performing analysis like this on events that will (or should) be blocked by your firewall is usually not a useful expenditure of your time and effort.

Community Member

Re: IPS Attack

Hi there,

Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.

If your network is flat, creating more subnets will add security to your network.

Let me know if that helps.

~TS

Silver

Re: IPS Attack

>Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.

>If your network is flat, creating more subnets will add security to your network.

That made no sense and didn't provide any assistance to wasiimcisco's issue.

wasiimcisco: Since your sensor is outside of the firewall and sig 4703 is UDP based, you will see many sweeps of this signature. If you are sure that you don't have UDP 1434 open on your firewall (and I really hope you don't) then you can simply create an event-action-filter for 0.0.0.0-255.255.255.255 to your public range (/24) with 'stop on match'. I would recommend placing the sensor behind your firewall and then you won't have to worry about tuning for traffic that won't make it past your firewall policy.
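The event-action-filter logic described above, written out as an added example so the tuning step can be tested offline. This is a hypothetical model of how an ordered filter list subtracts actions from an event, not the poster's configuration and not Cisco's CLI syntax; the addresses are constructed documentation ranges (203.0.113.0/24 stands in for the real x.x.x.x/24).

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the poster's public /24 (TEST-NET-3 documentation range).
PUBLIC_RANGE = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class EventActionFilter:
    """One entry of an event-action-filter list (hypothetical model of the sensor's behaviour)."""
    name: str
    sig_ids: set
    attacker_range: ipaddress.IPv4Network
    victim_range: ipaddress.IPv4Network
    actions_to_subtract: set
    stop_on_match: bool = True

    def matches(self, event):
        return (event["sig_id"] in self.sig_ids
                and ipaddress.ip_address(event["attacker"]) in self.attacker_range
                and ipaddress.ip_address(event["victim"]) in self.victim_range)


def apply_filters(event, filters):
    """Walk the ordered filter list; subtract actions on each match and stop early if asked to."""
    actions = set(event["actions"])
    for flt in filters:
        if flt.matches(event):
            actions -= flt.actions_to_subtract
            if flt.stop_on_match:
                break
    return actions


# The filter suggested in the thread: sig 4703, any attacker, victim anywhere in the public /24.
FILTERS = [
    EventActionFilter("drop-4703-sweeps", {4703}, ipaddress.ip_network("0.0.0.0/0"),
                      PUBLIC_RANGE, {"produce-alert"}, stop_on_match=True),
]

# Constructed sample events: a Slammer sweep against an unused public address,
# the same sweep against an address outside the range, and a hypothetical other signature.
SAMPLE_EVENTS = [
    {"sig_id": 4703, "attacker": "198.51.100.7", "victim": "203.0.113.200", "actions": {"produce-alert"}},
    {"sig_id": 4703, "attacker": "198.51.100.7", "victim": "192.0.2.5", "actions": {"produce-alert"}},
    {"sig_id": 60001, "attacker": "198.51.100.9", "victim": "203.0.113.3", "actions": {"produce-alert"}},
]


def remaining_alerts(events=SAMPLE_EVENTS, filters=FILTERS):
    """Events that still raise an alert after tuning; the 4703 sweep into the /24 is silenced."""
    return [e for e in events if "produce-alert" in apply_filters(e, filters)]
```

Running `remaining_alerts()` leaves two events: the sweep against 192.0.2.5 (outside the filtered victim range) and the unrelated signature, while the 4703 hit on the unused public address is dropped.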

Community Member

Re: IPS Attack

How do I remove stars, I want to take yours away. Another Cisco person without a clue

Silver

Re: IPS Attack

haha, I don't represent Cisco in any way. If you would like to provide useful information on this forum, I'm sure all would appreciate it but all you've done is trolled every thread and said that IPS is better than IDS.

BTW, # of posts here doesn't mean much so you don't have to reply to every thread. You get points when other forum members believe you have provided useful information.

For the record, I am a senior analyst at a large MSSP where we manage hundreds of IDS/IPS sensors; we write signatures, tune policies, conduct in-depth investigations, etc. with multiple vendors. We have many Cisco devices, which is why I post on NetPro occasionally even though the signal-to-noise ratio here is not as high as I would hope.

Community Member

Re: IPS Attack

A. There is a lot of Fat in the IT security industry of people without a clue. Your title means nothing to me.

B. All I do is tune NIPS / HIPS

C. I don't care about points. I am just sharing information to secure America

D. Shared security services are like pissing in the wind; anyone who uses your service is a fool.
