Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Victim port 0 not blocked

                   We have been seeing multple sig alerts with high severity and victim port 0 that are not being blocked by IPS. All other ports are blocked that are the same sig alert. I understand that port 0 is not valid port for traffic but I have read some articles that suggest there have been reports of port 0 being used for probing and/or DDoS attacks. We're not sure if we should edit action rule to block port 0 or if it's even possible.

Any information or suggestions on this issue are welcomed.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Victim port 0 not blocked

Do you have a sample alert you can share - strip out anything sensitive (ip's, context data, etc.)... I suspect that you are seeing a summary alert where the port gets zeroed out - in the alert, you'll see that there is indication of "summary" - the individual alerts consumed by the summary alert would drop packets if that was the action that is assigned.

New Member

Victim port 0 not blocked

Yeah, I agree with wsulym that this sounds like it is just a summary of multiple attacks that are getting dropped.  You'll only see the summary field in your alert if it was indeed a summary.  The second field after the summary field will show you the initial alert ID that is being summarized.  Here is a copy of an alert from our lab device that shows that the attack that generated alert 1368829968935817241, which was dropped, happened an additional 10 times.

evIdsAlert: eventId=1368829968935817242  vendor=Cisco  severity=high  alarmTraits=32768 

  originator:  

    hostId:  

    appName: sensorApp 

    appInstanceId: 29521 

  time: Feb 27, 2014 00:20:56 UTC  offset=-360  timeZone=CST 

  signature:   description=PHP Remote Code Execution  id=2271  version=S722  type=vulnerability  created=20130605 

    subsigId: 0 

    sigDetails: PHP Remote Code Execution 

  interfaceGroup: vs0 

  vlan: 0 

  participants:  

    attacker:  

      addr:   locality=OUT 

      port: 0 

    target:  

      addr: 0.0.0.0  locality=OUT 

      port: 0 

      os:   idSource=unknown  type=unknown  relevance=unknown 

  summary: 10  final=true initialAlert=1368829968935817241  summaryType=Regular 

  alertDetails: InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 10 events this interval ; 

  riskRatingValue: 85  targetValueRating=medium 

  threatRatingValue: 85 

  interface: GigabitEthernet0/1  context=single_vf  physical=Unknown  backplane=GigabitEthernet0/1 

  protocol: tcp 

Jon.

5 REPLIES

Victim port 0 not blocked

If Port is un used , you can place it in separate Vlan. Also disable them when traffic is not flowing through them.

Cisco Employee

Victim port 0 not blocked

Do you have a sample alert you can share - strip out anything sensitive (ip's, context data, etc.)... I suspect that you are seeing a summary alert where the port gets zeroed out - in the alert, you'll see that there is indication of "summary" - the individual alerts consumed by the summary alert would drop packets if that was the action that is assigned.

New Member

Victim port 0 not blocked

Yeah, I agree with wsulym that this sounds like it is just a summary of multiple attacks that are getting dropped.  You'll only see the summary field in your alert if it was indeed a summary.  The second field after the summary field will show you the initial alert ID that is being summarized.  Here is a copy of an alert from our lab device that shows that the attack that generated alert 1368829968935817241, which was dropped, happened an additional 10 times.

evIdsAlert: eventId=1368829968935817242  vendor=Cisco  severity=high  alarmTraits=32768 

  originator:  

    hostId:  

    appName: sensorApp 

    appInstanceId: 29521 

  time: Feb 27, 2014 00:20:56 UTC  offset=-360  timeZone=CST 

  signature:   description=PHP Remote Code Execution  id=2271  version=S722  type=vulnerability  created=20130605 

    subsigId: 0 

    sigDetails: PHP Remote Code Execution 

  interfaceGroup: vs0 

  vlan: 0 

  participants:  

    attacker:  

      addr:   locality=OUT 

      port: 0 

    target:  

      addr: 0.0.0.0  locality=OUT 

      port: 0 

      os:   idSource=unknown  type=unknown  relevance=unknown 

  summary: 10  final=true initialAlert=1368829968935817241  summaryType=Regular 

  alertDetails: InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 10 events this interval ; 

  riskRatingValue: 85  targetValueRating=medium 

  threatRatingValue: 85 

  interface: GigabitEthernet0/1  context=single_vf  physical=Unknown  backplane=GigabitEthernet0/1 

  protocol: tcp 

Jon.

New Member

Victim port 0 not blocked

Yes. You are correct. It is a summary. Is there a way to know for sure that the packets were dropped?

Thanks for your responses.

Here is sample of event details:

Event ID6821183056778
Severityhigh
Host ID
Application NamesensorApp
Event Time02/16/2014 04:00:38
Sensor Local Time02/16/2014 12:00:38
Signature ID2271
Signature Sub-ID0
Signature NamePHP Remote Code Execution
Signature VersionS722
Signature DetailsPHP Remote Code Execution
Interface Groupvs0
VLAN ID0
InterfacePortChannel0/0
Attacker IP186.215.70.243
Protocoltcp
Attacker Port0
Attacker LocalityOUT
Target IP
Target Port0
Target LocalityOUT
Target OSunknown unknown (relevant)
Actions
Risk RatingTVR=medium ARR=relevant
Risk Rating Value95
Threat Rating95
Reputation
Context Data
Packet Data
Event Summary5
Initial Alert6821183056478
Summary TypeRegular
Final Alerttrue
Event StatusNew
Event Notes
New Member

Victim port 0 not blocked

I'm not sure there is a way to tell for sure with summary being on, someone correct me if I'm wrong please.  I think the easiest way, perhaps the only way, to verify this is to turn off summarization either for the specific signature or globally.  I'd suggest just turning this off for the specific signature as Cisco recommends only turning off globally for troubleshooting purposes.

Easiest way to turn off either on signature or globally is through the GUI so I'll just tell explain the process through the IDM:

Globally: Click on Configuration\Policies\Event Action Rules\rules0.  From here click on General and uncheck "Use Summarizer".  Click the Apply button and summarization should stop.

On a signature: Click on Configuration\Policies\Signature Definitions\sig0\All Signatures.  Find the specific signature, such as 2271, and double click it or highlight it and click Edit.  Scroll to Alert Frequency\Summary Mode and set that to Fire All.  Click OK and Apply and you should be good.

Again, since I've never turned off summarization globally and havent done it for a single signature in ages feel free to correct me if I'm wrong.

Hope this helps!

Jon.

411
Views
0
Helpful
5
Replies