10-28-2008 08:20 AM
Hello all,
we are incrementally receiving a lot of MARS events that come from Cisco IDS. All those events are "NULL TCP PACKET", and the destination is always the same, an SMTP IronPort machine through port 25, from different public IPs.
Does anybody have a similar scenario? What can we do?
Thanks
10-29-2008 04:54 AM
What is the frequency of such packets? A few of them are usually negligible; this is especially true if you are at or near full utilization of your Internet link.
Regards
Farrukh
10-29-2008 05:42 AM
Thank you for the reply,
the frequency is:
August 925
September 1828
October (until Thursday the 23rd) 2329
And growing. I think it is not licit traffic.
Regards
Izaskun
10-29-2008 07:16 AM
How is the congestion/utilization on your Internet link?
Exactly which IPS signature is firing, btw? (You can check this in the raw event logs in MARS; this is done by clicking the icon next to the name of the reporting device.)
Regards
Farrukh
10-29-2008 08:36 AM
Hi,
The ratio of average use is 88%, and the maximum peak is 5%.
Our IPS signature is 364.
Thanks again
Izaskun
10-29-2008 03:39 PM
What make/model of IPS are you running?
Have you checked with that vendor for known false positives?
If there are false positives that will help you with tuning your sensor or with tuning out the alert on MARS.
Raymond
10-30-2008 01:05 AM
Hi,
We have a Cisco IPS. I think that this traffic is not a false positive; I think it is illegal traffic.
Regards
10-30-2008 11:36 AM
What IPS signature are you seeing firing? I don't recognize 364.
Have you done a packet capture on the traffic? If so, what are you seeing out of the ordinary?
Are the sources of this connection a valid host or is it from areas of the world that are more known for hacking?
10-31-2008 01:16 AM
Hi,
The signature version is 364 and the IPS version is 6.1(1)E2.
It is supposed to be a single TCP packet with none of the SYN, ACK, FIN or RST flags set.
It comes from different public IPs that belong to different ISPs.
Regards
Izaskun
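The last post describes what the sensor is matching on: a lone TCP segment with none of SYN, ACK, FIN or RST set, aimed at the mail host on port 25 from many unrelated sources. The following is an added example (not from the thread, not Cisco IPS or MARS code) that shows how a defender can reproduce that classification from raw TCP headers and aggregate the hits per source, which is the kind of check you would run on a packet capture before deciding whether to tune the alert. The packet records are constructed inline; the header layout is the standard 20-byte TCP header, and the "flag set" tested is an assumption taken from the thread's description (the four named flags only).

```python
import struct
from collections import Counter

# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Assumption from the thread: the signature looks only at these four flags.
SIGNATURE_FLAGS = SYN | ACK | FIN | RST

TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, win, csum, urg


def build_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (data offset 5, no options).
    Used only to construct sample input for this example."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a small dict."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "flags": flags}


def is_null_packet(flags):
    """True when none of SYN, ACK, FIN, RST is set (the thread's description)."""
    return (flags & SIGNATURE_FLAGS) == 0


def summarize_null_packets(records, target_port=25):
    """Count NULL segments to target_port per source IP.

    records: iterable of (src_ip, raw_tcp_header) tuples.
    Returns (total_null_to_target, Counter keyed by src_ip)."""
    per_source = Counter()
    for src_ip, raw in records:
        hdr = parse_tcp_header(raw)
        if hdr["dport"] == target_port and is_null_packet(hdr["flags"]):
            per_source[src_ip] += 1
    return sum(per_source.values()), per_source


# Constructed sample traffic (RFC 5737 documentation addresses), mirroring the
# thread: lone flagless segments to port 25 from several sources, plus some
# ordinary SYNs and an ACK that must not be counted.
SAMPLE_RECORDS = [
    ("192.0.2.10", build_tcp_header(40000, 25, 0)),
    ("192.0.2.10", build_tcp_header(40001, 25, 0)),
    ("198.51.100.7", build_tcp_header(52222, 25, 0)),
    ("203.0.113.99", build_tcp_header(33333, 25, SYN)),      # normal handshake start
    ("203.0.113.99", build_tcp_header(33333, 25, ACK | PSH)),  # normal data segment
    ("198.51.100.7", build_tcp_header(52223, 443, 0)),      # flagless, but not port 25
]


def run_example():
    total, per_source = summarize_null_packets(SAMPLE_RECORDS)
    for ip, n in per_source.most_common():
        print(f"{ip:<16} NULL segments to tcp/25: {n}")
    print(f"total: {total}")
    return total, per_source


if __name__ == "__main__":
    run_example()
```

Run against a real capture you would feed the TCP payload bytes of each IP packet into `parse_tcp_header` instead of the constructed list; the per-source counter is what tells you whether this is a handful of broken stacks (a few sources, low counts) or a wide scan (many sources, steady growth month over month as reported in the thread).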