Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
570
Views
0
Helpful
1
Replies

IPS events appear even after traffic is blocked.

ajbnetworx
Level 1
Level 1

‎02-26-2009 06:44 AM - edited ‎03-10-2019 04:31 AM

I've been logging what is very obviously an attack directed at some of my dns servers. My router/IDS has logged hundreds of thousands of these requests in the last 7 days.

The router is reporting the following events in my syslog which is what initially alerted me to the condition:

IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query

My question is, I blackholed the offending source IP address but the events haven't stopped.

Does this mean that the attack is still getting through?

Labels:
0 Helpful
1 Reply 1

smalkeric
Level 6
Level 6

‎03-04-2009 05:45 PM

It looks like you are seeing IPS events on your router and would like more info. We host a site specifically to lookup signatures to get more info. In this case the signature is 4620, and the subsig is 0. Simply open a browser and go to http://www.cisco.com/security and click on the "Advanced Search" link. You can then select "Signatures" and put the

signature number into the keyword field.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card