New Member

IPS upnp signature

Hello,

I have a LAN IDSM in promiscuous mode where I'm seeing too much of the below alerts. I've researched it and found out that it should be stopped, since it is a high severity alert! However I guess summarization is preventing me from knowing the attacker and targets because of the 0.0.0.0 source and destination, right? Is this the case? And how can I solve it?

Should I disable summary for that specific signature? What's the best practice? Should it be stopped?

Regards

evIdsAlert: eventId=1262106216512606028  vendor=Cisco  severity=high 
  originator:  
    hostId: LAN-IDSM2 
    appName: sensorApp 
    appInstanceId: 25921 
  time: Mar 03, 2010 07:38:23 UTC  offset=60  timeZone=GMT+02:00 
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
    subsigId: 2 
    sigDetails: LOCATION \x3c100+ Chars> 
    marsCategory: Penetrate/BufferOverflow/Misc 
  interfaceGroup: vs0 
  vlan: 120 
  participants:  
    attacker:  
      addr: 0.0.0.0  locality=OUT 
      port: 1900 
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
    target:  
      addr: 0.0.0.0  locality=OUT 
      port: 1900 
      ipv6Address: ff02::c  locality=OUT 
      os:   idSource=unknown  type=unknown  relevance=unknown 
  actions:  
    denyPacketRequestedNotPerformed: true 
  riskRatingValue: 90  targetValueRating=medium 
  threatRatingValue: 90 
  interface: ge0_7 
  protocol: udp

evIdsAlert: eventId=1262106216512606029  vendor=Cisco  severity=high 
  originator:  
    hostId: LAN-IDSM2 
    appName: sensorApp 
    appInstanceId: 25921 
  time: Mar 03, 2010 07:38:38 UTC  offset=60  timeZone=GMT+02:00 
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
    subsigId: 2 
    sigDetails: LOCATION \x3c100+ Chars> 
    marsCategory: Penetrate/BufferOverflow/Misc 
  interfaceGroup: vs0 
  vlan: 120 
  participants:  
    attacker:  
      addr: 0.0.0.0  locality=OUT 
      port: 0 
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
    target:  
      addr: 0.0.0.0  locality=OUT 
      port: 0 
      ipv6Address: ::  locality=OUT 
      os:   idSource=unknown  type=unknown  relevance=unknown 
  summary: 24  final=true  initialAlert=1262106216512606028  summaryType=Regular 
  alertDetails: Regular Summary: 24 events this interval ; 
  riskRatingValue: 90  targetValueRating=medium 
  threatRatingValue: 90 
  interface: ge0_7 
  protocol: udp

6 REPLIES
Super Bronze

Re: IPS upnp signature

Best practice is to find out which Windows machines are affected and apply the patch accordingly; otherwise, the machine will be vulnerable to the UPnP vulnerability as per the following:

http://tools.cisco.com/security/center/viewAlert.x?alertId=2986

New Member

Re: IPS upnp signature

I understand that I have to patch the machines, but how can I know which machines should be patched if I'm getting a source and destination IP address of 0.0.0.0 on the IPS?

If I disable event summary for this specific sig, will I be able to see the source and destination ip addresses?

Super Bronze

Re: IPS upnp signature

Yes, you are absolutely right. You would need to disable the "summarization" to see the source and destination IP.

New Member

Re: IPS upnp signature

Hello,

I removed summarization on a signature basis by forcing it to "fire all" instead of summarize, but still the source and destination IP are 0.0.0.0.

What could it be? The customer is very picky and asking about it.

Please advise

Regards

Super Bronze

Re: IPS upnp signature

Looking back at the event that you have attached earlier, the attacker is using IPv6 address:

   ipv6Address: fe80::9d91:b37c:be42:5387

New Member

Re: IPS upnp signature

Hello all,

Can someone please pick up on the last comment made? I am seeing the exact same signature in my IDS output with the attacker having an IPv6 IP. How do I resolve the IPv6 to understand who is attacking me? From the fe80 I can tell it is a link-local IP, so the attacker must be from the inside?
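An added example (not from this thread or from Cisco) that parses the evIdsAlert layout quoted above, falls back to the ipv6Address field when addr is 0.0.0.0, and classifies the result so a link-local (fe80::/10) or multicast (ff02::c is the SSDP group) address is recognised at a glance. The sample alert is constructed from the values in the thread and abbreviated; the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the same layout as the alerts quoted in the thread
# (abbreviated: only the fields this parser needs are kept).
SAMPLE_ALERT = """evIdsAlert: eventId=1262106216512606028  vendor=Cisco  severity=high
  signature:   description=UPnP LOCATION Overflow  id=4058  version=S433
    subsigId: 2
  participants:
    attacker:
      addr: 0.0.0.0  locality=OUT
      port: 1900
      ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT
    target:
      addr: 0.0.0.0  locality=OUT
      port: 1900
      ipv6Address: ff02::c  locality=OUT
  summary: 24  final=true  initialAlert=1262106216512606028  summaryType=Regular
"""

def parse_alert(text: str) -> dict:
    """Extract signature id, summary count and both participants from one alert."""
    result = {"sig_id": None, "summary": None, "attacker": {}, "target": {}}
    role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(raw) - len(raw.lstrip()) <= 2:
            role = None  # back at a top-level key (summary:, actions:, ...)
        if line.startswith("attacker:") or line.startswith("target:"):
            role = line.split(":")[0]
        elif line.startswith("signature:"):
            m = re.search(r"\bid=(\d+)", line)
            result["sig_id"] = m.group(1) if m else None
        elif line.startswith("summary:"):
            result["summary"] = int(line.split()[1])  # events folded into this alert
        elif role and ":" in line:
            key, _, rest = line.partition(":")
            result[role][key.strip()] = rest.split()[0] if rest.split() else ""
    return result

def effective_address(participant: dict) -> str:
    """The sensor reports addr 0.0.0.0 for IPv6 traffic; use ipv6Address then."""
    v4 = participant.get("addr")
    if v4 and v4 != "0.0.0.0":
        return v4
    return participant.get("ipv6Address", "unknown")

def classify(addr: str) -> str:
    """Scope of an address, which tells you where to look for the sending host."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else "global"
```

For a link-local attacker the address is only meaningful on the VLAN the sensor saw it on, so the next step is the switch's MAC/neighbor tables for that segment rather than a DNS lookup.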
