
IPS Signature explanation

akisbouza
Level 1

evIdsAlert: eventId=1287530989864443762 severity=high vendor=Cisco alarmTraits=2147483648
  originator:
    hostId:     appName: sensorApp
    appInstanceId: 665
    signature: description=AD - External UDP Scanner id=13004 created=20061120 type=anomaly version=S262
    subsigId: 1
    sigDetails: Worm Attack
    marsCategory: Info/Misc/Scanner
    marsCategory: Probe/FromScanner
    marsCategory: Propagate/Worm
  interfaceGroup: VS1
  vlan: 0
  participants:
    attacker:
      addr: locality=PrivateNetworks 10.10.10.1

    target:
      addr: locality=Unknown 0.0.0.0
      port: 137
  actions:
    deniedPacket: true
    snmpTrapRequested: true
    deniedAttackerVictimPair: true
  alertDetails: .    adExtraData: numDestIps=5; currentThreshold=5; destPort=137 ;
  riskRatingValue: targetValueRating=medium 100
  threatRatingValue: 60
  interface: ge0_7
  protocol: udp

From the logs shown above, is it possible to find out how many UDP packets were sent from the private network address 10.10.10.1 to 0.0.0.0?

What is the threshold that triggers the deny actions, and how can I modify it?

Thank you very much
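The alert block above, parsed as an added example (my code, not Cisco's and not the poster's): it reads the key/value lines of the evIdsAlert text, pulls the attacker, target, actions and adExtraData fields out of it, and reports what the alert does and does not record. Field names are the ones in the alert; reading numDestIps as the number of distinct destinations seen and currentThreshold as the value the anomaly detector compares it against is an assumption drawn from the names, and since no field in the alert is a per-packet counter, the packet count is reported as unknown.

```python
import re

# Alert text copied from the post above (blank line inside the block dropped).
ALERT_TEXT = """\
evIdsAlert: eventId=1287530989864443762 severity=high vendor=Cisco alarmTraits=2147483648
  originator:
    hostId:     appName: sensorApp
    appInstanceId: 665
    signature: description=AD - External UDP Scanner id=13004 created=20061120 type=anomaly version=S262
    subsigId: 1
    sigDetails: Worm Attack
    marsCategory: Info/Misc/Scanner
    marsCategory: Probe/FromScanner
    marsCategory: Propagate/Worm
  interfaceGroup: VS1
  vlan: 0
  participants:
    attacker:
      addr: locality=PrivateNetworks 10.10.10.1
    target:
      addr: locality=Unknown 0.0.0.0
      port: 137
  actions:
    deniedPacket: true
    snmpTrapRequested: true
    deniedAttackerVictimPair: true
  alertDetails: .    adExtraData: numDestIps=5; currentThreshold=5; destPort=137 ;
  riskRatingValue: targetValueRating=medium 100
  threatRatingValue: 60
  interface: ge0_7
  protocol: udp
"""

# "name=value" pairs embedded in a field value (values end at whitespace or ';').
ATTR_RE = re.compile(r"(\w+)=([^\s;]+)")


def parse_alert(text):
    """Flatten the indented alert into {key: [raw values...]}.

    Nesting is discarded; repeated keys (marsCategory, addr) keep their
    order of appearance, so addr[0] is the attacker and addr[1] the target.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, rest = line.strip().partition(":")
        if not sep:
            continue
        fields.setdefault(key, []).append(rest.strip())
    return fields


def split_value(raw):
    """Return (attributes dict, leftover bare text) for one raw field value."""
    attrs = dict(ATTR_RE.findall(raw))
    leftover = ATTR_RE.sub("", raw).replace(";", " ").strip()
    return attrs, leftover


def summarize(fields):
    """Answer the practical questions an analyst asks of this alert."""
    ev, _ = split_value(fields["evIdsAlert"][0])
    sig, _ = split_value(fields["signature"][0])
    ad, _ = split_value(fields["alertDetails"][0])        # adExtraData values
    _, attacker_ip = split_value(fields["addr"][0])
    _, target_ip = split_value(fields["addr"][1])
    _, risk = split_value(fields["riskRatingValue"][0])
    seen = int(ad["numDestIps"])            # assumption: distinct destinations seen
    threshold = int(ad["currentThreshold"]) # assumption: trigger value in force
    return {
        "event_id": ev["eventId"],
        "severity": ev["severity"],
        "signature_id": int(sig["id"]),
        "signature_type": sig["type"],
        "attacker": attacker_ip,
        "target": target_ip,                # 0.0.0.0 as recorded in the alert
        "dest_port": int(ad["destPort"]),
        "distinct_dest_ips": seen,
        "threshold": threshold,
        "threshold_reached": seen >= threshold,
        "packets_denied": fields["deniedPacket"][0] == "true",
        "packet_count": None,               # no per-packet counter in the alert
        "risk_rating": int(risk),
    }


SUMMARY = summarize(parse_alert(ALERT_TEXT))

if __name__ == "__main__":
    for name, value in SUMMARY.items():
        print(f"{name:>20}: {value}")
```

The summary makes the two questions concrete: the alert states that five distinct destination addresses were seen against a threshold of five, that the matching packet was denied, and nothing about how many packets made up that activity. A packet count would have to come from the sensor's own statistics or from a flow record, not from this event.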

1 Reply

sawgupta
Level 1

Hi,

Do you see any stats under:

sensor# show statistics analysis-engine | be Mali
MaliciousSiteDenyHitCounts
A.B.C.D/16 = 1
MaliciousSiteDenyHitCountsAUDIT

If the event-action is set to Drop packet, then the malicious packet will be dropped every time.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta