Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

scanner signatures on IPS

I have noticed that on IPS 4240 in our environment signature like AD-External TCP scanner,IIegal UDP scanner are firing from internal hosts which are not any known scanner machine ,just simple clients .At times the victim address is 0.0.0.0 and the port is  161 and at times the port field is blank.Important thind is that the action configured on these signatures is drop packet ,which only works when the port is known ,if both destination adress is 0.0.0.0 and port is also not defined the action does not work.

My question is that why the destion shows 0.0.0.0  ? Why sometimes it shows the port and sometimes not ? Why the action is working and at times no action seen?

Kidnly reply

7 REPLIES
Gold

scanner signatures on IPS

Fazel -

The 0.0.0.0 IP address indicates that there were many target IP addresses involved (which is typical of an IP address scan). The alert will summarize all the involved IP addresses into a single 0.0.0.0 address. If you look at the detailed event you will see a list of the first 25 or 50 hosts IP addresses.

I would assume that the ports are also summarized for the Port Scanning signatures.

- Bob

New Member

scanner signatures on IPS

Thanks Bob,

When i see the details of the event,it still shows the victim IP of 0.0.0.0 ,where will i be able to see the list of IP Addresses,Also the action applied to the signature also does not work or appears in the action taken window for the event in which the target/victim is 0.0.0.0

Appreciate your response.

New Member

scanner signatures on IPS

Hi Bob,

Do we have any option to block skype from IDSM-2 in promiscuous mode, as I have already configured but it is not working.

thanks

Gold

scanner signatures on IPS

You can't block inline (drop) when your sensor is operating in Promiscuous mode. You can use shunning (dynamic ACL creation), or TCP resets while in Promiscuous mode.

- Bob

New Member

scanner signatures on IPS

Bob,

Thanks Again ,I would really appreciate if you can guide regarding blocking skype on IPS 4240 in inline mode or on IDSM-2 in promiscuous mode as I have both present in my environment.

Secondly on the intial problem of scanner signatures

When i see the details of the event,it still shows the victim IP of 0.0.0.0 ,where will i be able to see the list of IP Addresses,Also the action applied to the signature also does not work or appears in the action taken window for the event in which the target/victim is 0.0.0.

Gold

scanner signatures on IPS

Blocking Skype is difficult to impossible. This thread has a good discussion of the approach and problems:

https://supportforums.cisco.com/message/3323599#3323599

When the victim IP of a scan is 0.0.0.0 you should be able to see the first 25 or so IPs if you enable detailed (verbose) events for that signature.

- Bob

New Member

scanner signatures on IPS

Bob,

I configure Action "Produce verbose Alert" .it did showed detailed packet capture on the event in which both attacker and victim IP was specified,but for the alert with 0.0.0.0 address it did not give any details or list of IPs.

Moreover I configured summarize mode "Fire All"  for the signature which is triggering too many 0.0.0.0 alert..now I am recieving all alerts with specific attacker and victim addresses..

Please guide if i keep it on summarize then where will be able to see the list of summarised addresses

Thanks a lot for your support on this..

1132
Views
0
Helpful
7
Replies
CreatePlease login to create content