IPS Sensor Monitoring Events

I have had Bash environment variable light up the IPS log the last few days. When the target address is summarised as 0.0.0.0 (a combination of IP addresses), I do not see the packets as being dropped. When I have an individual target address 1.2.3.4, all packets are dropped. Even though the IPS doesn't state the packet has been dropped for summarised IP addresses, are they being dropped?

1 REPLY
In short, yes.

The Shellshock sigs all have summary-key set to AxBx, so your initial alert should give you the attacker and victim IPs. For 1 summary interval after the initial alert, further events caused by traffic between that pair will be collected into a summary alert. Each event that causes the Shellshock sig to fire will have its event-actions applied.

In the case of 4689-0, its SFR of 90 in combination with the default HIGHRISK event-action rule results in not just the produce-alert event action but also deny-inline.

We changed 4689-1 in S825 to have a tighter regex and lowered its SFR to 85 so that it will fire less and also will not block by default.

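The reply's point, that event-actions are applied to every firing while only the alerting is folded into a summary, modelled as an added Python example (not Cisco code, not from this thread). The HIGHRISK threshold of 90, the 30-second summary interval and the sample addresses are assumptions chosen for illustration; the SFR values 90 and 85 come from the reply.

```python
from dataclasses import dataclass

# Constructed values: the thread gives the SFRs and the AxBx summary key,
# not the override threshold or the interval length.
HIGHRISK_MIN = 90       # assumed lower bound of the default HIGHRISK override
SUMMARY_INTERVAL = 30   # seconds; constructed sample value

@dataclass
class Signature:
    sig_id: str
    sfr: int            # signature fidelity rating; summary-key assumed AxBx

@dataclass
class Event:
    time: float
    attacker: str
    victim: str
    sig: Signature

def event_actions(sig):
    """Actions applied to one firing. Assumption: the risk rating equals the
    SFR (default severity and target value), so the HIGHRISK override adds
    deny-packet-inline only when sfr >= HIGHRISK_MIN."""
    actions = {"produce-alert"}
    if sig.sfr >= HIGHRISK_MIN:
        actions.add("deny-packet-inline")
    return actions

def process(events):
    """Replay events in time order. Returns (alerts, dropped_count).
    Dropping is decided per event; summarisation only changes reporting."""
    alerts, dropped, windows = [], 0, {}
    for ev in sorted(events, key=lambda e: e.time):
        if "deny-packet-inline" in event_actions(ev.sig):
            dropped += 1                      # applied even when summarised
        key = (ev.sig.sig_id, ev.attacker, ev.victim)   # AxBx summary key
        win = windows.get(key)
        if win and ev.time < win["start"] + SUMMARY_INTERVAL:
            win["folded"] += 1                # collected into the summary alert
            continue
        if win and win["folded"]:             # previous interval expired
            alerts.append(("summary", key, win["folded"]))
        alerts.append(("initial", key, 1))    # carries attacker and victim IPs
        windows[key] = {"start": ev.time, "folded": 0}
    for key, win in windows.items():          # close still-open intervals
        if win["folded"]:
            alerts.append(("summary", key, win["folded"]))
    return alerts, dropped
```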