09-11-2003 04:42 AM - edited 03-10-2019 01:27 PM
Hello,
Since I installed the S50 Signature Update for Cisco IDS v4.1 on my IDS 4210, alarm 995/1 fires at least twice a day, so I must reset my IDS.
Generally, alarms 3215 (IIS dot dot execute bug), 3216 (WWW directory traversal ../..), 5081 (WWW WinNT cmd.exe access), 5114 (WWW IIS Unicode attack), 5124 (WWW IIS double decode error), 5249 (IDS evasive encoding) and 5250 (IDS evasive double encoding) fire (I get 50-70 alarms within 2 seconds) just before 995/1. Sometimes I also get alarm 993 (Missed Packet Count).
Could someone help me, please?
Regards
Eric
09-17-2003 06:43 AM
If you are sure that the alarms are not detecting an attack and that they are false positives, you could opt to exclude them as shown in the document at http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a008009404e.shtml.
09-17-2003 12:52 PM
Either the device being monitored (e.g., the switch) or the 4210 may be oversubscribed. If you have a TAC case open, we would be interested in logging into your sensor if that is at all possible.
10-02-2003 07:59 AM
Before the S50 signature update, the 4210 was outside the LAN and I never had any problem.
Since I installed the S50 signature update, the 4210 is connected to a hub between the firewall and a PacketShaper. But I must reset my 4210. The eventAction for alarms 3215, 3216, 5081, 5114, 5124, 5249 and 5250 is shunHost or reset/shunHost. I don't understand why I see all the alarms although the firewall should stop them (in the IDM the attacker is shunned).
10-02-2003 10:11 AM
Have you verified the shuns on the firewall? I assume it is a PIX, so do a show shun command and verify the shuns are there.
If not, check to make sure NAC is communicating with the PIX:
In IDM, on the Monitoring tab, select Statistics. Go down to the Network Access Statistics section. Does the PIX show as active? (You can do the same thing in the CLI with a show stat net command.)
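The check above compares what the sensor believes it has blocked with what the PIX actually holds. The following is an added example, not code from the original thread or from Cisco: it reconciles a pasted "show shun" output against the sensor's blocked-host list and reports hosts the sensor thinks are shunned but the PIX does not have. Both inputs are constructed samples, and the "shun (interface) src dst sport dport [proto]" line layout is an assumption about the PIX output format.

```python
"""Reconcile the sensor's blocked-host list against PIX 'show shun' output.

Added example, not from the original thread. The PIX line format
  shun (<interface>) <src-ip> <dst-ip> <src-port> <dst-port> [<proto>]
is an assumption; the sensor list is assumed to be one IP per line.
"""
import ipaddress
import re

# Constructed sample of 'show shun' output captured on the PIX (assumed format).
PIX_SHOW_SHUN = """\
shun (outside) 192.0.2.10 0.0.0.0 0 0
shun (outside) 192.0.2.55 0.0.0.0 0 0 6
"""

# Constructed sample of hosts the sensor (IDM blocked-hosts view) believes it has shunned.
SENSOR_BLOCKED = """\
192.0.2.10
192.0.2.55
198.51.100.7
not-an-ip
"""

SHUN_LINE = re.compile(
    r"^shun\s+\((?P<iface>[^)]+)\)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)(?:\s+(?P<proto>\d+))?\s*$"
)


def parse_show_shun(text):
    """Return {src_ip: interface} for every well-formed shun line; skip the rest."""
    shuns = {}
    for line in text.splitlines():
        m = SHUN_LINE.match(line.strip())
        if not m:
            continue  # banners, prompts, partial lines
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        shuns[str(ip)] = m.group("iface")
    return shuns


def parse_sensor_list(text):
    """Return the set of valid IPs in the sensor's blocked-host list."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # ignore anything that is not an address
    return ips


def reconcile(sensor_text, pix_text):
    """Split hosts into in-sync, missing on the PIX, and stale on the PIX."""
    sensor = parse_sensor_list(sensor_text)
    pix = set(parse_show_shun(pix_text))
    return {
        "in_sync": sorted(sensor & pix),
        "missing_on_pix": sorted(sensor - pix),  # sensor shunned, PIX never applied it
        "stale_on_pix": sorted(pix - sensor),    # PIX still blocking, sensor forgot
    }


if __name__ == "__main__":
    result = reconcile(SENSOR_BLOCKED, PIX_SHOW_SHUN)
    for key, hosts in result.items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

A non-empty missing_on_pix list is the symptom described in this thread: the sensor logs the shun, but the blocking device never received it, which points at the NAC-to-PIX channel rather than at the signatures.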
10-07-2003 01:03 AM
When an IP is shunned in my IDM, it is not on the PIX. So I reset the SSH key between the PIX and the 4210.
Now when alarms 3215 (IIS dot dot execute bug), 3216 (WWW directory traversal ../..), 5081 (WWW WinNT cmd.exe access), 5114 (WWW IIS Unicode attack), 5124 (WWW IIS double decode error), 5249 (IDS evasive encoding) and 5250 (IDS evasive double encoding) fire, I also get about 20 alarm 993 (Missed Packet Count) and then 995/1 (Traffic Flow Stopped).
I don't understand why the traffic is stopped.
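The signatures listed in this thread (directory traversal, cmd.exe access, IIS Unicode, double decode, evasive encoding) all describe request paths that look harmless until they are decoded. The following is an added example, not code from the original thread or Cisco's signature logic: it normalises a request path the way a lenient IIS of that era would (overlong UTF-8 slash, a second percent-decode pass, backslash as slash) and reports which of those patterns are present. It is meant as a triage aid when deciding whether such alarms are false positives, as the first reply suggests. The sample paths are constructed, and the overlong sequences it rewrites are limited to the two for "/" and "\\".

```python
"""Classify a web request path for the encoding evasions the thread's signatures name.

Added example, not from the original thread. The normalisation mimics lenient
IIS decoding as an assumption; it is not a reimplementation of any Cisco signature.
"""
import re
from urllib.parse import unquote

# Overlong UTF-8 encodings that old IIS decoded to "/" and "\" (assumed subset).
OVERLONG_SLASH = re.compile(r"%c0%af", re.I)
OVERLONG_BACKSLASH = re.compile(r"%c1%9c", re.I)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
CMD_EXE = re.compile(r"/cmd\.exe\b", re.I)


def classify_request_path(path):
    """Return the list of evasion/attack patterns found, in a fixed order."""
    findings = []

    # 1. Overlong UTF-8: the raw bytes never contain "../", but IIS decoded them to it.
    if OVERLONG_SLASH.search(path) or OVERLONG_BACKSLASH.search(path):
        findings.append("overlong-utf8")
    normalized = OVERLONG_BACKSLASH.sub("\\\\", OVERLONG_SLASH.sub("/", path))

    # 2. Double encoding: a second decode pass changes the string (e.g. %255c -> %5c -> \).
    once = unquote(normalized)
    twice = unquote(once)
    if twice != once:
        findings.append("double-encoding")

    # 3. Judge the fully decoded path, treating backslash as a separator like IIS did.
    decoded = twice.replace("\\", "/")
    if TRAVERSAL.search(decoded):
        findings.append("directory-traversal")
    if CMD_EXE.search(decoded):
        findings.append("cmd.exe")
    return findings


# Constructed sample requests: two classic evasions and two benign encoded paths.
SAMPLE_PATHS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/index.html?q=100%25",
    "/docs/a%2Fb",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", classify_request_path(p) or ["clean"])
```

The two benign paths decode once and stay the same on the second pass, so a single encoded slash or a literal percent sign does not trip the double-decode check; only a request whose meaning changes under a second decode, or that carries an overlong sequence, is flagged.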