IPS Signature explanation

evIdsAlert: eventId=1287530989864443762 severity=high vendor=Cisco alarmTraits=2147483648
  originator:
    hostId:     appName: sensorApp
    appInstanceId: 665
    signature: description=AD - External UDP Scanner id=13004 created=20061120 type=anomaly version=S262
    subsigId: 1
    sigDetails: Worm Attack
    marsCategory: Info/Misc/Scanner
    marsCategory: Probe/FromScanner
    marsCategory: Propagate/Worm
  interfaceGroup: VS1
  vlan: 0
  participants:
    attacker:
      addr: locality=PrivateNetworks 10.10.10.1

    target:
      addr: locality=Unknown 0.0.0.0
      port: 137
  actions:
    deniedPacket: true
    snmpTrapRequested: true
    deniedAttackerVictimPair: true
  alertDetails: .    adExtraData: numDestIps=5; currentThreshold=5; destPort=137 ;
  riskRatingValue: targetValueRating=medium 100
  threatRatingValue: 60
  interface: ge0_7
  protocol: udp

From the logs shown above, is it possible to find out how many UDP packets were sent from private network 10.10.10.1 to 0.0.0.0?

What is the threshold that triggers the deny actions, and how can I modify it?

Thank you very much
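As an added illustration (not part of the thread and not Cisco's code): the alertDetails line reports numDestIps against currentThreshold, so what the alarm measures is the number of distinct destination IPs a source has contacted on the port, not a packet count. The script below parses that adExtraData field and runs a constructed distinct-destination counter over made-up UDP flow records; the counter is a model of what the alert fields imply, not Cisco's anomaly-detection implementation, and the flow records and packet counts are constructed sample data.

```python
import re
from collections import defaultdict

# Copy of the thread's adExtraData field (values taken from the alert above).
ALERT_EXTRA = "adExtraData: numDestIps=5; currentThreshold=5; destPort=137 ;"

def parse_ad_extra(line):
    """Parse the 'key=value;' pairs of an adExtraData field into a dict of ints."""
    return {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line)}

# Constructed UDP flow records: (src, dst, dst_port, packet_count).
# The real alert carries no packet count; this field exists only to show
# that packet volume and the distinct-destination count are different things.
FLOWS = [
    ("10.10.10.1", "10.10.20.1", 137, 3),
    ("10.10.10.1", "10.10.20.2", 137, 1),
    ("10.10.10.1", "10.10.20.3", 137, 1),
    ("10.10.10.1", "10.10.20.3", 137, 4),   # repeat destination: more packets, same IP count
    ("10.10.10.1", "10.10.20.4", 137, 1),
    ("10.10.10.1", "10.10.20.5", 137, 2),
    ("10.10.10.1", "10.10.20.6", 53, 1),    # other port: tracked separately
    ("10.10.10.2", "10.10.20.1", 137, 9),   # other source: many packets, one destination
]

def scanner_hits(flows, threshold):
    """Return {(src, port): (distinct_dsts, packets)} for every source/port pair
    whose distinct-destination count reaches the threshold. A source sending
    many packets to a single host never trips this model rule."""
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    for src, dst, port, n in flows:
        dsts[(src, port)].add(dst)
        pkts[(src, port)] += n
    return {key: (len(d), pkts[key]) for key, d in dsts.items() if len(d) >= threshold}

if __name__ == "__main__":
    extra = parse_ad_extra(ALERT_EXTRA)
    hits = scanner_hits(FLOWS, extra["currentThreshold"])
    for (src, port), (n_dst, n_pkt) in hits.items():
        print(f"{src} -> udp/{port}: {n_dst} destinations (threshold "
              f"{extra['currentThreshold']}); {n_pkt} packets in the sample flows, "
              "but only the destination count appears in the alert")
```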

1 REPLY
IPS Signature explanation

Hi,

Do you see any stats under:

sensor# show statistics analysis-engine | be Mali
MaliciousSiteDenyHitCounts
A.B.C.D/16 = 1
MaliciousSiteDenyHitCountsAUDIT

If the event-action is set to Drop packet, then the malicious packet will be dropped every time.

Regards,

Sawan Gupta
