New IPS deployment. What do these alerts mean

Bill19795_2
Level 1

I am getting several of these from different PCs on the network. This is a brand new deployment of an IPS in our core 6500. I need to know where to start tracking down what this is and if it's a false positive. I changed the attacker IP for this post, but they are coming from internal IPs on our network. I am also getting several from the same PC.

Event ID: 1278964938060722812
Severity: high
Host ID: isdm6500
Application Name: sensorApp
Event Time: 07/14/2010 08:23:37
Sensor Local Time: 07/14/2010 13:23:37
Signature ID: 13003
Signature Sub-ID: 1
Signature Name: AD - External TCP Scanner
Signature Version: S262
Signature Details: Worm Attack
Interface Group: vs0
VLAN ID: 0
Interface: ge0_7
Attacker IP: 1.1.1.1
Protocol: tcp
Attacker Port:
Attacker Locality: OUT
Target IP: 0.0.0.0
Target Port: 80
Target Locality: Unknown
Target OS:
Actions: denyPacketRequestedNotPerformed
Risk Rating: TVR=medium
Risk Rating Value: 100
Threat Rating: 100
Reputation:
Context Data:
Packet Data:
Event Summary: 0
Initial Alert:
Summary Type:
Final Alert:
Event Status: New
Event Notes:

4 Replies

Scott Fringer
Cisco Employee

Bill;

  The best place to begin research for Cisco IPS signatures is our IntelliShield site:

http://www.cisco.com/security

  You can look up any signature by ID by performing an Advanced Search.

  For the signature you presented, the results can be found here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=91

  This signature fires for a host that crosses a threshold for non-established TCP connections or unacknowledged SYN packets sent to multiple addresses on an identical TCP port and may indicate worm-like scanning.

  It would be beneficial to investigate the host listed as the attacker and determine if this is expected behavior or if the host is compromised.

Scott

These signatures are related to Anomaly Detection, which is a very nice feature if you are able to create a perfect KB during the learning mode.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAD.html#wp1049627

Cisco states:

We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic.

So if you are able to create a KB during a time that you know there are no attacks at all, go ahead; if not, you will be receiving a lot of false positives.

Is that right?

It's not that you will be receiving false positives, but false negatives. During the learning phase, if an attack is active, the higher traffic rate will be learned as the baseline. When traffic is tracked by the AD engine, it will be compared to this baseline, and in turn not fire a signature event since it potentially will not cross the learned threshold.

If there is concern that the baseline was learned during an active attack, it may be beneficial to remove the current KBs (initial cannot be removed) and force the AD engine to learn during a period you feel is more representative of normal traffic flow.

Scott
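The following Python is an added illustration, not Cisco's engine and not code from this thread. It models the two points made above: the scanner signature keys on how many distinct destination addresses a single source hits on one TCP port with SYNs that are never answered, and a baseline learned while a scan is in progress inflates the threshold so that the same scan goes unseen afterwards (a false negative). The flow records, host addresses, threshold margin and all function names are constructed assumptions for the example.

```python
"""Toy model of an anomaly-detection 'external TCP scanner' check.

Per (source IP, destination port), count distinct destination IPs that
received a SYN with no completed handshake; flag the source once that
fan-out exceeds a threshold learned from a baseline period.
Illustrative only; not Cisco's implementation.
"""
from collections import defaultdict

# Flow record: (src_ip, dst_ip, dst_port, established)
# 'established' is True when the three-way handshake completed.


def unacked_fanout(flows):
    """Map (src_ip, dst_port) -> number of distinct dst_ip with un-answered SYNs."""
    targets = defaultdict(set)
    for src, dst, dport, established in flows:
        if not established:
            targets[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items()}


def learn_threshold(baseline_flows, margin=2):
    """Learning mode: largest fan-out seen per (src, dport) plus a margin.

    If the baseline already contains a scan, the learned number is inflated
    and a later scan of the same size will not cross it. (margin is assumed.)
    """
    fanout = unacked_fanout(baseline_flows)
    return max(fanout.values(), default=0) + margin


def detect(flows, threshold):
    """Return {(src, dport): fanout} for sources whose fan-out exceeds threshold."""
    return {key: n for key, n in unacked_fanout(flows).items() if n > threshold}


# --- constructed sample traffic -------------------------------------------

def normal_traffic():
    """Two clients reach a few servers; one connection attempt each fails."""
    flows = [("10.0.0.5", f"10.1.1.{i}", 80, True) for i in range(1, 4)]
    flows.append(("10.0.0.5", "10.1.1.9", 80, False))
    flows.append(("10.0.0.6", "10.1.1.1", 443, True))
    flows.append(("10.0.0.6", "10.1.1.2", 443, False))
    return flows


def scan_traffic(src="10.0.0.42", hosts=20):
    """One host sends a SYN to port 80 on many addresses; none answer."""
    return [(src, f"10.2.0.{i}", 80, False) for i in range(1, hosts + 1)]


def clean_baseline_result():
    """Baseline learned from clean traffic: the scanner is flagged."""
    threshold = learn_threshold(normal_traffic())          # 1 + 2 = 3
    return detect(normal_traffic() + scan_traffic(), threshold)


def poisoned_baseline_result():
    """Baseline learned while the scan was running: the scanner is missed."""
    threshold = learn_threshold(normal_traffic() + scan_traffic())  # 20 + 2 = 22
    return detect(normal_traffic() + scan_traffic(), threshold)


if __name__ == "__main__":
    print("clean baseline   ->", clean_baseline_result())
    print("poisoned baseline->", poisoned_baseline_result())
```

Running it shows the scanning host flagged with a fan-out of 20 when the threshold came from clean traffic, and nothing flagged at all when the same scan was present during learning, which is the false-negative case Scott describes; the fix in that case is the one he gives, discarding the tainted KB and relearning from a representative period.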

Yes, you are right, it's false negatives, not positives.

Thanks.
