Cisco Support Community
Community Member

New IPS deployment. What do these alerts mean

I am getting several of these from different PCs on the network. This is a brand new deployment of an IPS in our core 6500. I need to know where to start tracking down what this is and if it's a false positive. I changed the attacker IP for this post, but they are coming from internal IPs on our network. I am also getting several from the same PC.

Event ID: 1278964938060722812
Host ID: isdm6500
Application Name: sensorApp
Event Time: 07/14/2010 08:23:37
Sensor Local Time: 07/14/2010 13:23:37
Signature ID: 13003
Signature Sub-ID: 1
Signature Name: AD - External TCP Scanner
Signature Version: S262
Signature Details: Worm Attack
Interface Group: vs0
Attacker IP: 1.1.1.1
Attacker Port:
Attacker Locality: OUT
Target IP: 0.0.0.0
Target Port: 80
Target Locality: Unknown
Target OS:
Risk Rating: TVR=medium
Risk Rating Value: 100
Threat Rating: 100
Context Data:
Packet Data:
Event Summary: 0
Initial Alert:
Summary Type:
Final Alert:
Event Status: New
Event Notes:

Cisco Employee

Re: New IPS deployment. What do these alerts mean


The best place to begin research for Cisco IPS signatures is our IntelliShield site:

You can look up any signature by ID by performing an Advanced Search.

For the signature you presented, the results can be found here:

This signature fires for a host that crosses a threshold for non-established TCP connections or unacknowledged SYN packets sent to multiple addresses on an identical TCP port and may indicate worm-like scanning.

It would be beneficial to investigate the host listed as the attacker and determine if this is expected behavior or if the host is compromised.


Re: New IPS deployment. What do these alerts mean

These signatures are related to Anomaly Detection, which is a very nice feature if you are able to create a perfect KB during the learning mode.

Cisco states:

We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic.

So if you are able to create a KB during a time that you know there are no attacks at all, go ahead; if not, you will be receiving a lot of false positives.

Is that right?

Cisco Employee

Re: New IPS deployment. What do these alerts mean

It's not that you will be receiving false positives, but false negatives. During the learning phase, if an attack is active, the higher traffic rate will be learned as the baseline. When traffic is tracked by the AD engine, it will be compared to this baseline, and in turn not fire a signature event since it potentially will not cross the learned

If there is concern that the baseline was learned during an active attack, it may be beneficial to remove the current KBs (the initial one cannot be removed) and force the AD engine to learn during a period you feel is more representative of normal traffic flow.
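To make the two points in this thread concrete (what signature 13003 counts per source and port, and why a baseline learned while a scan is running yields false negatives rather than false positives), here is an added Python example; it is not from Cisco or any poster, and the traffic records, the headroom factor and the default threshold are constructed assumptions standing in for the real AD engine's per-port KB.

```python
from collections import defaultdict

# Constructed sample of half-open connections (unacknowledged SYNs) as a sensor
# would track them: (source_ip, destination_ip, destination_port). Not real traffic.
CLEAN_TRAFFIC = [
    ("10.0.0.5", "192.0.2.10", 80), ("10.0.0.5", "192.0.2.11", 80),
    ("10.0.0.6", "192.0.2.20", 443), ("10.0.0.7", "192.0.2.30", 80),
]
# One host sending SYNs to many addresses on the same port: the behaviour the
# "AD - External TCP Scanner" signature describes.
SCANNER_TRAFFIC = [("10.0.0.99", f"192.0.2.{i}", 80) for i in range(1, 41)]


def distinct_targets(records):
    """Map (source, dst_port) -> number of distinct destinations hit with unacked SYNs."""
    seen = defaultdict(set)
    for src, dst, port in records:
        seen[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def learn_baseline(records, headroom=2):
    """Simplified stand-in for AD learning mode (assumption): per port, take the
    busiest source's distinct-target count and allow `headroom` times that."""
    per_port = defaultdict(int)
    for (_src, port), n in distinct_targets(records).items():
        per_port[port] = max(per_port[port], n)
    return {port: n * headroom for port, n in per_port.items()}


def detect_scanners(records, baseline, default_threshold=10):
    """Return (source, port, count) for each source exceeding the port's learned threshold."""
    alerts = []
    for (src, port), n in sorted(distinct_targets(records).items()):
        if n > baseline.get(port, default_threshold):
            alerts.append((src, port, n))
    return alerts


if __name__ == "__main__":
    traffic = CLEAN_TRAFFIC + SCANNER_TRAFFIC
    # KB learned from clean traffic: the scanner crosses the port-80 threshold and fires.
    print(detect_scanners(traffic, learn_baseline(CLEAN_TRAFFIC)))
    # KB learned while the scan was running: the inflated threshold hides it (false negative).
    print(detect_scanners(traffic, learn_baseline(traffic)))
```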


Re: New IPS deployment. What do these alerts mean

Yes you are right it's false negatives not positives.

