
Alarm 995/1

meether (Level 1)

Hello,

Since I installed the S50 Signature Update for Cisco IDS v4.1 on my IDS 4210, alarm 995/1 fires at least twice a day, so I have to reset my IDS.

Generally, alarms 3215 (IIS dot dot execute bug), 3216 (WWW directory traversal ../..), 5081 (WWW WinNT cmd.exe access), 5114 (WWW IIS Unicode attack), 5124 (WWW IIS double decode error), 5249 (IDS evasive encoding) and 5250 (IDS evasive double encoding) fire (I get 50-70 alarms within 2 seconds) just before 995/1. Sometimes I also get alarm 993 (Missed Packet Count).

Could someone help me, please?

Regards

Eric

5 Replies

drolemc (Level 6)

If you are sure that the alarms are not detecting an attack and that they are false positives, you could opt to exclude them as shown in the document at http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a008009404e.shtml.

rgloria (Cisco Employee)

Either the device being monitored (e.g., a switch) or the 4210 may be oversubscribed. If you have a TAC case open, we would be interested in logging into your sensor if that is at all possible.

Before the S50 signature update, the 4210 was outside the LAN and I never had any problem.

Since I installed the S50 signature update, the 4210 is connected to a hub between the firewall and a packet shaper. But I have to reset my 4210. The eventAction for alarms 3215, 3216, 5081, 5114, 5124, 5249 and 5250 is shunhost or reset/shunhost. I don't understand why I see all the alarms although the firewall should stop them (in the IDM the attacker is shunned).

Have you verified the shuns on the firewall? I assume it is a PIX, so run the show shun command and verify the shuns are there.

If not, check to make sure NAC is communicating with the PIX:

In IDM on the Monitoring tab, select Statistics. Go down to the Network Access Statistics section. Does the PIX show as active? (You can do the same thing in the CLI with the show stat net command.)

When an IP is shunned in my IDM, it is not in the PIX. So I reset the SSH key between the PIX and the 4210.

Now when alarms 3215 (IIS dot dot execute bug), 3216 (WWW directory traversal ../..), 5081 (WWW WinNT cmd.exe access), 5114 (WWW IIS Unicode attack), 5124 (WWW IIS double decode error), 5249 (IDS evasive encoding) and 5250 (IDS evasive double encoding) fire, I also get about 20 alarm 993 (Missed Packet Count) and then 995/1 (Traffic Flow Stopped).

I don't understand why the traffic is stopped.
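The sequence described in this thread (a burst of IIS/evasion alarms within a couple of seconds, then Missed Packet Count, then Traffic Flow Stopped) is what a reader would want to confirm from the event log before treating the sensor or the monitored segment as oversubscribed. The script below is an added example, not code from this thread or from Cisco: it parses alarm lines in a simplified, constructed format (`<ISO timestamp> <sigId>/<subSigId> <description>`, not the IDS 4.1 sensor's own event format), then reports every burst that is followed by 993 and 995/1. The thresholds (20 alarms in 2 seconds, a 60-second follow-up window) are assumptions chosen to match the numbers the poster gives and are meant to be tuned.

```python
"""Correlate bursts of HTTP-signature alarms with sensor drop events.

Added example: the log format, thresholds and sample data are assumptions,
not Cisco IDS 4.1 output. Run the file directly to see a summary.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Alarm = namedtuple("Alarm", "ts sig_id sub_id desc")

# Signatures the thread reports firing just before the sensor drops.
DESC = {
    3215: "IIS dot dot execute bug",
    3216: "WWW directory traversal ../..",
    5081: "WWW WinNT cmd.exe access",
    5114: "WWW IIS Unicode attack",
    5124: "WWW IIS double decode error",
    5249: "IDS evasive encoding",
    5250: "IDS evasive double encoding",
}
BURST_SIGS = frozenset(DESC)
MISSED_PACKETS = 993        # sensor health alarm: Missed Packet Count
TRAFFIC_STOPPED = (995, 1)  # sensor health alarm: Traffic Flow Stopped


def parse_alarms(text):
    """Parse the constructed '<ISO ts> <sigId>/<subSigId> <desc>' lines."""
    alarms = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sig, desc = line.split(" ", 2)
        sig_id, sub_id = (int(part) for part in sig.split("/"))
        alarms.append(Alarm(datetime.fromisoformat(ts), sig_id, sub_id, desc))
    return alarms


def find_overload_episodes(alarms, burst_window=timedelta(seconds=2),
                           min_burst=20, followup_window=timedelta(seconds=60)):
    """Return one record per 'burst -> 993 -> 995/1' sequence.

    A burst is at least min_burst BURST_SIGS alarms inside burst_window.
    The follow-up window after the burst is then searched for Missed Packet
    Count alarms and the first Traffic Flow Stopped alarm.
    """
    alarms = sorted(alarms, key=lambda a: a.ts)
    n, episodes, i = len(alarms), [], 0
    while i < n:
        if alarms[i].sig_id not in BURST_SIGS:
            i += 1
            continue
        # Count burst-signature alarms in the window opening at alarm i.
        end = alarms[i].ts + burst_window
        j, count = i, 0
        while j < n and alarms[j].ts <= end:
            if alarms[j].sig_id in BURST_SIGS:
                count += 1
            j += 1
        if count < min_burst:
            i += 1
            continue
        # Burst confirmed: scan the follow-up window for sensor-health alarms.
        deadline = alarms[j - 1].ts + followup_window
        missed, stopped_at, k = 0, None, j
        while k < n and alarms[k].ts <= deadline:
            a = alarms[k]
            if a.sig_id == MISSED_PACKETS:
                missed += 1
            elif (a.sig_id, a.sub_id) == TRAFFIC_STOPPED:
                stopped_at = a.ts
                break
            k += 1
        episodes.append({
            "burst_start": alarms[i].ts,
            "burst_count": count,
            "missed_packet_alarms": missed,
            "traffic_stopped_at": stopped_at,
        })
        i = k + 1 if stopped_at is not None else j
    return episodes


def build_sample_log():
    """Constructed sample, not real sensor output: one isolated alarm that
    must be ignored, then 24 burst alarms within ~2 s, three 993s and a 995/1."""
    lines = ["2004-03-01T07:30:00 5114/0 WWW IIS Unicode attack"]
    base = datetime(2004, 3, 1, 8, 0, 0)
    sigs = sorted(BURST_SIGS)
    for k in range(24):
        ts = base + timedelta(milliseconds=80 * k)
        sig = sigs[k % len(sigs)]
        lines.append(f"{ts.isoformat()} {sig}/0 {DESC[sig]}")
    for k in range(3):
        ts = base + timedelta(seconds=5 + k)
        lines.append(f"{ts.isoformat()} 993/0 Missed Packet Count")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} 995/1 Traffic Flow Stopped")
    return "\n".join(lines)


if __name__ == "__main__":
    for ep in find_overload_episodes(parse_alarms(build_sample_log())):
        print(f"burst of {ep['burst_count']} at {ep['burst_start']}: "
              f"{ep['missed_packet_alarms']} x 993, 995/1 at {ep['traffic_stopped_at']}")
```

On the sample data the script reports exactly one episode: 24 burst alarms starting at 08:00:00, three 993s, and 995/1 at 08:00:12, while the isolated 5114 at 07:30 is ignored. Raising `min_burst` above the burst size makes the episode disappear, which is the knob to turn when deciding how much traffic the sensor was actually asked to inspect before it dropped.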