Cisco Support Community

IPS events appear even after traffic is blocked.

I've been logging what is very obviously an attack directed at some of my DNS servers. My router/IDS has logged hundreds of thousands of these requests in the last 7 days.

The router is reporting the following events in my syslog which is what initially alerted me to the condition:

IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query

My question is, I blackholed the offending source IP address but the events haven't stopped.

Does this mean that the attack is still getting through?

1 REPLY

Re: IPS events appear even after traffic is blocked.

It looks like you are seeing IPS events on your router and would like more info. We host a site specifically to look up signatures to get more info. In this case the signature is 4620, and the subsig is 0. Simply open a browser and go to http://www.cisco.com/security and click on the "Advanced Search" link. You can then select "Signatures" and put the signature number into the keyword field.
