New Member

Alert Destination IP's - N/A

Hi,

I have recently started seeing a lot of high category alerts with no destination IP or port information.  Event types include the following:

TCP Hijack
Microsoft Plug and Play Overflow
TCP Segment Overwrite

Does anyone know why this type of alert occurs?  It is impossible to check target systems when destination information is unavailable.

Many thanks


Liam

3 REPLIES
Cisco Employee

Re: Alert Destination IP's - N/A

Liam;

  You can search for more information on various Cisco IPS signatures by visiting:

http://www.cisco.com/security

  Choose the 'Advanced Search' option and enter the signature ID.  This should help you better understand the specifics of the signatures that are firing.

  In regard to the missing data in the CS-MARS incidents, if the firing signatures are summary events, some details are consolidated to 0.0.0.0 for the IP address and 0 for the port information.  In these instances, CS-MARS cannot provide any further information since the raw event has no additional details.  Could you provide the raw message or one or two of these events for confirmation?

Scott

New Member

Re: Alert Destination IP's - N/A

Hi Scott,

Thanks for the swift reply.

I checked the raw event details for a TCP Hijack alert

target: 
            addr:  0.0.0.0  locality="any" 
            port:  0 

Which seems to confirm your suspicions.  I'm just wondering what I can do with these event types - is this something I should be concerned about?

Many thanks

Liam

Cisco Employee

Re: Alert Destination IP's - N/A

Liam;

  That is certainly indicative of a summarized signature event.  If you look further into the raw message, you should see an indication that this is a summary event, as well as the initial trigger event ID.  You may be able to determine a single source from the initial event - but in most instances, these events are generated due to behavior of the attacker, and you would want to investigate the attacker/source of the event if it is located within your control.  If you really want to investigate each and every occurrence of the attack, you could disable summarization on the signature in question (set the Summary Mode to 'Fire All').  This has the potential to generate a large number of events, and should not be used long-term.  For the specific TCP Hijack signature, there are benign triggers explained on our IntelliShield site:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3250&signatureSubId=0&softwareVersion=6.0&releaseVersion=S394

  It is always good to be concerned about any incident that is reported, prior to any investigation by yourself, to understand the implications.  Upon determination of the underlying cause of the signature event, you may wish to continue getting alerts on the event, or you could create an event action filter on the IPS to stop alerting for specific IP addresses, or create a drop rule in CS-MARS to only log the event to the database (or drop completely).

Scott
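The two replies above describe what a summarized IPS event looks like in the raw record (target consolidated to 0.0.0.0 / port 0, a summary marker, and the initial trigger event ID) and what to do with it (pivot to the attacker instead of the target). The script below is an added example written for this thread, not code from Cisco, CS-MARS or either poster. It parses a constructed approximation of Cisco IPS "show events" output and groups alerts by attacker, so that summary events with no usable target still land on a host you can investigate. The target/port/locality lines mirror Liam's paste; the "summary" and "initialAlert" fields follow Scott's description; the event IDs, addresses, counts and exact field layout are assumptions and may differ from real sensor output.

```python
"""Triage Cisco IPS raw alerts that arrive with target 0.0.0.0 / port 0.

Added example for this thread, not Cisco/CS-MARS code. SAMPLE_EVENTS is a
constructed approximation of 'show events' output; IDs and addresses are
placeholders (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict

# Constructed sample: three TCP Hijack (sig 3250) records. Records 100 and 102
# are summary events (target 0.0.0.0:0 plus a summary block); record 101 is a
# full alert with a real target. Record 102 uses the field order from Liam's paste.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=100 severity=high vendor=Cisco
  signature: description=TCP Hijack id=3250 version=S394
  participants:
    attacker:
      addr: locality=OUT 198.51.100.7
      port: 40123
    target:
      addr: locality=any 0.0.0.0
      port: 0
  summary: 15
    initialAlert: 90
    final: true
evIdsAlert: eventId=101 severity=high vendor=Cisco
  signature: description=TCP Hijack id=3250 version=S394
  participants:
    attacker:
      addr: locality=OUT 203.0.113.9
      port: 51234
    target:
      addr: locality=IN 10.0.0.25
      port: 80
evIdsAlert: eventId=102 severity=high vendor=Cisco
  signature: description=TCP Hijack id=3250 version=S394
  participants:
    attacker:
      addr:  198.51.100.7  locality="OUT"
      port:  40130
    target:
      addr:  0.0.0.0  locality="any"
      port:  0
  summary: 4
    initialAlert: 95
    final: true
"""

EVENT_START = re.compile(r"^evIdsAlert:\s*eventId=(\d+)", re.M)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def split_events(text):
    """Split raw 'show events' text into one string per evIdsAlert record."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    return [text[s:e] for s, e in zip(starts, starts[1:] + [len(text)])]


def participant(block, role):
    """Return (ip, port) for the 'attacker' or 'target' participant.

    Tolerates both layouts seen in the thread: 'addr: locality=OUT 10.1.1.1'
    and 'addr:  0.0.0.0  locality="any"'.
    """
    m = re.search(rf"^\s*{role}:\s*\n\s*addr:([^\n]*)\n\s*port:\s*(\d+)", block, re.M)
    if not m:
        return None, None
    ip = IP_RE.search(m.group(1))
    return (ip.group(1) if ip else None), int(m.group(2))


def parse_event(block):
    """Extract the fields an analyst needs to triage one alert record."""
    sig = re.search(r"signature:\s*description=(.*?)\s+id=(\d+)", block)
    summary = re.search(r"^\s*summary:\s*(\d+)", block, re.M)
    initial = re.search(r"initialAlert:\s*(\d+)", block)
    att_ip, _ = participant(block, "attacker")
    tgt_ip, tgt_port = participant(block, "target")
    ev = {
        "event_id": EVENT_START.search(block).group(1),
        "sig_id": int(sig.group(2)) if sig else None,
        "sig_desc": sig.group(1) if sig else None,
        "attacker": att_ip,
        "target": tgt_ip,
        "target_port": tgt_port,
        "summary_count": int(summary.group(1)) if summary else None,
        "initial_alert": initial.group(1) if initial else None,
    }
    # A summary event carries a summary block, and its consolidated target is
    # 0.0.0.0:0 (the "N/A" the console shows). Accept either indicator so the
    # check also works on exports that drop the summary block.
    ev["is_summary"] = ev["summary_count"] is not None or (tgt_ip == "0.0.0.0" and tgt_port == 0)
    return ev


def triage(text):
    """Group alerts by attacker: summarized counts and initial-alert IDs for
    summary events, concrete (target, port, event_id) tuples for full alerts."""
    report = defaultdict(lambda: {"summarized": 0, "initial_alerts": [], "targets": []})
    for block in split_events(text):
        ev = parse_event(block)
        entry = report[ev["attacker"]]
        if ev["is_summary"]:
            entry["summarized"] += ev["summary_count"] or 1
            if ev["initial_alert"]:
                entry["initial_alerts"].append(ev["initial_alert"])
        else:
            entry["targets"].append((ev["target"], ev["target_port"], ev["event_id"]))
    return dict(report)


if __name__ == "__main__":
    for attacker, info in triage(SAMPLE_EVENTS).items():
        print(f"{attacker}: {info['summarized']} summarized alert(s), "
              f"initial alert IDs {info['initial_alerts']}, full-alert targets {info['targets']}")
```

Run as-is it reports 19 summarized TCP Hijack alerts from 198.51.100.7 (with initial alert IDs 90 and 95 to pull from the sensor's event store) and one full alert from 203.0.113.9 against 10.0.0.25:80. The attacker-side grouping is the point: when the target is consolidated away, the source address and the initial trigger ID are what is left to investigate, exactly as Scott suggests, and the per-attacker counts tell you whether a signature-level 'Fire All' or an event action filter for that source is the better next step.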
