Cisco Support Community

New Member

Alarm 1104 source 127.0.0.1

Hello,

We have been receiving alerts for this alarm. It seems that someone is trying to spoof the host IP to check for vulnerabilities. Is there a way at all to find out the real source IP of the attacker trying to spoof the IP address? Here is the alert we receive from the IDS sensor:

High Severity Alarms

IDS alarm 1104 source: 127.0.0.1 port: 80 destination: x.x.252.19 port: 1987 @ 2004/03/17

Alarm Details

Thank you!

1 REPLY
New Member

Re: Alarm 1104 source 127.0.0.1

As far as I am aware, the only way to trace this is to take a sniffer and move it from segment to segment:

> locate the sniffer at the segment that you are receiving the localhost packets, obtain the MAC address, and trace it to the device. If it is a router MAC then move to the next segment behind the router until you find the virus-infected device.

Ref http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea1a4b

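The sniffer step described in the reply, as an added example that is not part of the original thread: a Python sketch that reads a classic libpcap capture taken on one segment and counts the Ethernet source MACs of frames whose IP source is in 127.0.0.0/8. The capture, MAC addresses and IP addresses are constructed for the example, and the function names are hypothetical.

```python
import struct
from collections import Counter

def build_frame(src_mac, src_ip, dst_ip, dst_mac="00:aa:bb:cc:dd:ff"):
    """Constructed sample frame: Ethernet header + bare 20-byte IPv4 header."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def loopback_source_macs(pcap):
    """Count Ethernet source MACs of IPv4 frames whose IP source is in 127.0.0.0/8."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    macs, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype, l3 = struct.unpack_from("!H", frame, 12)[0], 14
        if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
            ethertype, l3 = struct.unpack_from("!H", frame, 16)[0], 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue
        if frame[l3 + 12] == 127:  # first octet of the IPv4 source address
            macs[":".join(f"{b:02x}" for b in frame[6:12])] += 1
    return macs

# Constructed capture: MACs and addresses are made up for the example.
SAMPLE = build_pcap([
    build_frame("00:11:22:33:44:55", "127.0.0.1", "198.51.100.19"),
    build_frame("00:11:22:33:44:55", "127.0.0.1", "198.51.100.19"),
    build_frame("00:aa:bb:cc:dd:01", "127.0.0.1", "198.51.100.19"),
    build_frame("00:66:77:88:99:aa", "192.0.2.10", "198.51.100.19"),
])
if __name__ == "__main__":
    print(loopback_source_macs(SAMPLE).most_common())
```

If the most frequent MAC belongs to a router interface, the same count is repeated on a capture from the segment behind that router, as the reply describes.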