11-24-2003 08:28 AM - edited 03-09-2019 05:38 AM
after an update for a sensors 3.1(5) to s62, we are receiving a large amount of events for the new signature 11018-eDonkey Activity, around 12k/hr The source of the alarm is a proxy server on the network. Has any seen or noticed any false positives for this alarm?
11-24-2003 11:10 AM
With 3.1, it possible for the sensor to get the actual client and server reversed while monitoring a TCP stream. It may be possible for the proxy server to return traffic to the actual client that happens to be using one of the eDonkey ports (4242,4661,4662) as an ephemeral port for an application that matches the pattern for eDonkey traffic. The best solution is to create a filter with the proxy server as a source for this alarm. 4.x sensors should not see this problem.
04-19-2004 05:35 AM
I have now upgraded the sensors to version 4.1 (3) but I am still have the same problem where I am receiving zillions of events for the signature ID: 11018.
I have captured some data by enabling iplog for the signature.
Could someone from the Cisco help by taking a look at the data that I have capture and perhaps be able to confirm the events are or are not false?
I could mail the data capture offline
04-19-2004 08:03 AM
You can email the traffic samples to me at mcerha@cisco.com.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide