Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

11018-eDonkey Activity

after an update for a sensors 3.1(5) to s62, we are receiving a large amount of events for the new signature 11018-eDonkey Activity, around 12k/hr The source of the alarm is a proxy server on the network. Has any seen or noticed any false positives for this alarm?

  • Other Security Subjects
3 REPLIES
Bronze

Re: 11018-eDonkey Activity

With 3.1, it possible for the sensor to get the actual client and server reversed while monitoring a TCP stream. It may be possible for the proxy server to return traffic to the actual client that happens to be using one of the eDonkey ports (4242,4661,4662) as an ephemeral port for an application that matches the pattern for eDonkey traffic. The best solution is to create a filter with the proxy server as a source for this alarm. 4.x sensors should not see this problem.

New Member

Re: 11018-eDonkey Activity

I have now upgraded the sensors to version 4.1 (3) but I am still have the same problem where I am receiving zillions of events for the signature ID: 11018.

I have captured some data by enabling iplog for the signature.

Could someone from the Cisco help by taking a look at the data that I have capture and perhaps be able to confirm the events are or are not false?

I could mail the data capture offline

Bronze

Re: 11018-eDonkey Activity

You can email the traffic samples to me at mcerha@cisco.com.

144
Views
0
Helpful
3
Replies
This widget could not be displayed.