Certain network traffic can trigger IPS signatures that use the regular expression feature of the ATOMIC.TCP signature engine, which may cause the IOS IPS device to crash. This may cause a denial of service, resulting in disruption of network traffic. Signature 3123.0 (Netbus Pro Traffic) has been demonstrated to trigger this vulnerability. There is a workaround for this vulnerability.
So the question that remains is: if the host is not infected, what is it sending via UDP port 1434 to 184.108.40.206, which appears to be some machine out of Australia (at least that's where a traceroute leads me)? Whatever it's sending looks just like slammer/sapphire packets.
You are right, this IP is somewhere in Australia only. There were alerts for other host to some different global IPs. I traced that IP through our proxy server logs, and it shows some of the advertisement link on some web page.
I scanned the entire network with removal tools like FixSQLex and f-slammer.
A bit confused about this; I don't know what action I should take rather than blocking that port on the firewall....