Victim port 0 not blocked

We have been seeing multiple sig alerts with high severity and victim port 0 that are not being blocked by IPS. All other ports are blocked that are the same sig alert. I understand that port 0 is not a valid port for traffic, but I have read some articles that suggest there have been reports of port 0 being used for probing and/or DDoS attacks. We're not sure if we should edit the action rule to block port 0 or if it's even possible.

Any information or suggestions on this issue are welcomed.

2 Accepted Solutions

wsulym
Cisco Employee

Do you have a sample alert you can share? Strip out anything sensitive (IPs, context data, etc.). I suspect that you are seeing a summary alert where the port gets zeroed out. In the alert, you'll see that there is an indication of "summary"; the individual alerts consumed by the summary alert would drop packets if that was the action that is assigned.

Yeah, I agree with wsulym that this sounds like it is just a summary of multiple attacks that are getting dropped. You'll only see the summary field in your alert if it was indeed a summary. The second field after the summary field will show you the initial alert ID that is being summarized. Here is a copy of an alert from our lab device that shows that the attack that generated alert 1368829968935817241, which was dropped, happened an additional 10 times.

evIdsAlert: eventId=1368829968935817242  vendor=Cisco  severity=high  alarmTraits=32768
  originator:
    hostId:
    appName: sensorApp
    appInstanceId: 29521
  time: Feb 27, 2014 00:20:56 UTC  offset=-360  timeZone=CST
  signature:   description=PHP Remote Code Execution  id=2271  version=S722  type=vulnerability  created=20130605
    subsigId: 0
    sigDetails: PHP Remote Code Execution
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr:   locality=OUT
      port: 0
    target:
      addr: 0.0.0.0  locality=OUT
      port: 0
      os:   idSource=unknown  type=unknown  relevance=unknown
  summary: 10  final=true initialAlert=1368829968935817241  summaryType=Regular
  alertDetails: InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 10 events this interval ;
  riskRatingValue: 85  targetValueRating=medium
  threatRatingValue: 85
  interface: GigabitEthernet0/1  context=single_vf  physical=Unknown  backplane=GigabitEthernet0/1
  protocol: tcp

Jon.

5 Replies

Saurav Lodh
Level 7

If a port is unused, you can place it in a separate VLAN. Also disable such ports when traffic is not flowing through them.

Yes. You are correct. It is a summary. Is there a way to know for sure that the packets were dropped?

Thanks for your responses.

Here is a sample of the event details:

Event ID: 6821183056778
Severity: high
Host ID:
Application Name: sensorApp
Event Time: 02/16/2014 04:00:38
Sensor Local Time: 02/16/2014 12:00:38
Signature ID: 2271
Signature Sub-ID: 0
Signature Name: PHP Remote Code Execution
Signature Version: S722
Signature Details: PHP Remote Code Execution
Interface Group: vs0
VLAN ID: 0
Interface: PortChannel0/0
Attacker IP: 186.215.70.243
Protocol: tcp
Attacker Port: 0
Attacker Locality: OUT
Target IP:
Target Port: 0
Target Locality: OUT
Target OS: unknown unknown (relevant)
Actions:
Risk Rating: TVR=medium ARR=relevant
Risk Rating Value: 95
Threat Rating: 95
Reputation:
Context Data:
Packet Data:
Event Summary: 5
Initial Alert: 6821183056478
Summary Type: Regular
Final Alert: true
Event Status: New
Event Notes:
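As an added example (not code from this thread or from Cisco), here is a small Python triage helper for the point wsulym and Jon make above: it parses both layouts shown in the thread, the sensor's indented evIdsAlert text and the IDM "Field: value" event-details list, decides whether an alert is a summary, and names the initial alert whose action should actually be checked, since the zeroed ports on a summary alert are a side effect of summarization rather than real port-0 traffic. The two sample inputs are constructed from the values posted above (condensed to the fields the helper reads); the field names it expects are the ones visible in those samples, and the function names are my own.

```python
import re

ATTR_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample in the sensor's evIdsAlert layout, condensed from the
# lab alert posted above (same event IDs, signature and summary count).
SAMPLE_EVIDS = """\
evIdsAlert: eventId=1368829968935817242  vendor=Cisco  severity=high  alarmTraits=32768
  signature:   description=PHP Remote Code Execution  id=2271  version=S722  type=vulnerability  created=20130605
    subsigId: 0
  participants:
    attacker:
      addr:   locality=OUT
      port: 0
    target:
      addr: 0.0.0.0  locality=OUT
      port: 0
  summary: 10  final=true initialAlert=1368829968935817241  summaryType=Regular
  protocol: tcp
"""

# Constructed sample in the 'Field: value' layout of the IDM event details,
# using the values from the original poster's event.
SAMPLE_IDM = """\
Event ID: 6821183056778
Signature ID: 2271
Attacker Port: 0
Target Port: 0
Event Summary: 5
Initial Alert: 6821183056478
"""


def parse_evids_alert(text):
    """Parse an indented 'key: value attr=val ...' block into a nested dict,
    nesting children by indentation (port under attacker, attacker under participants)."""
    root = {}
    stack = [(-1, root)]  # (indent, dict that receives children at that level)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, rest = raw.strip().partition(":")
        rest = rest.strip()
        first = ATTR_RE.search(rest)  # text before the first attr=val is the value
        value = rest[: first.start()].strip() if first else rest
        attrs = dict(ATTR_RE.findall(rest[first.start():])) if first else {}
        while stack[-1][0] >= indent:
            stack.pop()
        node = {"value": value, "attrs": attrs, "children": {}}
        stack[-1][1][key] = node
        stack.append((indent, node["children"]))
    return root


def flatten_evids(text):
    """Pick the fields the triage needs out of a parsed evIdsAlert."""
    top = parse_evids_alert(text)["evIdsAlert"]
    f = top["children"]
    parties = f["participants"]["children"]
    summary = f.get("summary")  # absent on a per-packet (non-summary) alert
    return {
        "event_id": top["attrs"].get("eventId"),
        "sig_id": f["signature"]["attrs"].get("id"),
        "attacker_port": parties["attacker"]["children"]["port"]["value"],
        "target_port": parties["target"]["children"]["port"]["value"],
        "summary_count": int(summary["value"]) if summary else 0,
        "initial_alert": summary["attrs"].get("initialAlert") if summary else None,
    }


def flatten_idm(text):
    """Pick the same fields out of the IDM 'Field: value' event-details list."""
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            k, _, v = line.partition(":")
            kv[k.strip()] = v.strip()
    count = kv.get("Event Summary", "")
    return {
        "event_id": kv.get("Event ID"),
        "sig_id": kv.get("Signature ID"),
        "attacker_port": kv.get("Attacker Port"),
        "target_port": kv.get("Target Port"),
        "summary_count": int(count) if count.isdigit() else 0,
        "initial_alert": kv.get("Initial Alert") or None,
    }


def triage(fields):
    """Decide what a port-0 alert means. A summary alert only counts events that
    were already handled individually, so the action to verify is the one on
    the initial alert it names, not on the summary itself."""
    ports_zeroed = fields["attacker_port"] == "0" and fields["target_port"] == "0"
    if fields["summary_count"] > 0:
        return {
            "kind": "summary",
            "ports_zeroed": ports_zeroed,
            "check_alert": fields["initial_alert"],
            "note": f"{fields['summary_count']} events of sig {fields['sig_id']} "
                    f"summarized; verify the action on alert {fields['initial_alert']}",
        }
    return {
        "kind": "individual",
        "ports_zeroed": ports_zeroed,
        "check_alert": fields["event_id"],
        "note": "per-packet alert; its own action field applies",
    }
```

Running `triage(flatten_evids(SAMPLE_EVIDS))` reports a summary of 10 events and points at alert 1368829968935817241; `triage(flatten_idm(SAMPLE_IDM))` does the same for the poster's event and its initial alert 6821183056478. Feeding the helper an alert without a summary line classifies it as an individual alert, which is where the drop action is actually visible.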

I'm not sure there is a way to tell for sure with summary being on, someone correct me if I'm wrong please.  I think the easiest way, perhaps the only way, to verify this is to turn off summarization either for the specific signature or globally.  I'd suggest just turning this off for the specific signature as Cisco recommends only turning off globally for troubleshooting purposes.

The easiest way to turn it off, either for a signature or globally, is through the GUI, so I'll just explain the process through the IDM:

Globally: Click on Configuration\Policies\Event Action Rules\rules0.  From here click on General and uncheck "Use Summarizer".  Click the Apply button and summarization should stop.

On a signature: Click on Configuration\Policies\Signature Definitions\sig0\All Signatures.  Find the specific signature, such as 2271, and double click it or highlight it and click Edit.  Scroll to Alert Frequency\Summary Mode and set that to Fire All.  Click OK and Apply and you should be good.

Again, since I've never turned off summarization globally and haven't done it for a single signature in ages, feel free to correct me if I'm wrong.

Hope this helps!

Jon.
