I have an IPS 4255 with IOS 5.x; it is monitoring my Internet zone traffic. In my event viewer I'm seeing that a few IPs are considered as attacks towards my global IP addresses that are not being used in my network. These IPs are spare global IPs for future use.
Attack type is MSSQL Resolution Service Stack Overflow
Signature ID: 4703/0
I have global IP address x.x.x.x/24 and I'm using only the first 10 IP addresses; the rest are not being used anywhere.
Why am I getting attacks on these IP addresses, and how can I prevent it?
It's a worm and it's UDP (SQLSlammer). You can't prevent it without an ACL/firewall before your IDS/IPS. If you're not vulnerable (and you wouldn't be unless you have MSSQL in your DMZ), just turn that signature off.
Although you will get a rich, constant stream of events from your sensor on the outside of your firewall, performing analysis like this on events that will (or should) be blocked by your firewall is usually not a useful expenditure of your time and effort.
>Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.
>If your network is flat, creating more subnets will add security to your network.
That made no sense and didn't provide any assistance to wasiimcisco's issue.
wasiimcisco: Since your sensor is outside of the firewall and sig 4703 is UDP based, you will see many sweeps of this signature. If you are sure that you don't have UDP 1434 open on your firewall (and I really hope you don't) then you can simply create an event-action-filter for 0.0.0.0-255.255.255.255 to your public range (/24) with 'stop on match'. I would recommend placing the sensor behind your firewall and then you won't have to worry about tuning for traffic that won't make it past your firewall policy.
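The event action filter described in the reply above, sketched as Cisco IPS CLI input (an added example, not posted by anyone in the thread). The filter name, the 192.0.2.0/24 documentation range standing in for the poster's x.x.x.x/24, the `rules0` instance name and the choice of `produce-alert` as the action to remove are assumptions; check the command names against the configuration guide for your sensor version.

```text
! Added example: suppress alerts for sig 4703/0 aimed at the public range.
! 192.0.2.0-192.0.2.255 is a placeholder for the real x.x.x.x/24.
configure terminal
service event-action-rules rules0
 ! Insert the filter at the top of the list so it is evaluated first.
 filters insert SLAMMER-OUTSIDE begin
  ! Match only the MSSQL Resolution Service Stack Overflow signature.
  signature-id-range 4703
  subsignature-id-range 0
  ! Any attacker, as suggested in the reply.
  attacker-address-range 0.0.0.0-255.255.255.255
  ! Victims limited to the public /24 (placeholder range).
  victim-address-range 192.0.2.0-192.0.2.255
  ! Assumption: dropping the alert is the action you want removed.
  actions-to-remove produce-alert
  filter-item-status enabled
  ! Stop evaluating later filters once this one matches.
  stop-on-match true
  user-comment Outside sensor, UDP 1434 blocked at firewall
  exit
 exit
! Answer yes at the "Apply Changes" prompt to commit.
```

This only makes sense while UDP 1434 stays closed on the firewall, since the filter hides every 4703/0 event for the whole range, including the ten addresses that are in use.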
haha, I don't represent Cisco in any way. If you would like to provide useful information on this forum, I'm sure all would appreciate it but all you've done is trolled every thread and said that IPS is better than IDS.
BTW, # of posts here doesn't mean much so you don't have to reply to every thread. You get points when other forum members believe you have provided useful information.
For the record I am a senior analyst at a large MSSP where we manage hundreds of IDS/IPS sensors; write signatures, tune policies, conduct in-depth investigations, etc with multiple vendors. We have many Cisco devices which is why I post on NetPro occasionally even though the signal to noise ratio here is not as high as I would hope.