New Member

Alarm 995/1

Hello,

Since I have installed the S50 Signature Update for Cisco IDS v.4.1 on my IDS 4210, the alarm 995/1 fires at least twice a day. So I must reset my IDS.

Generally, alarms 3215 (iis dot dot execute bug), 3216 (www directory traversal ../..), 5081 (www winnt cmd.exe access), 5114 (www iis unicode attack), 5124 (www iis double decode error), 5249 (ids evasive encoding) and 5250 (ids evasive double encoding) fire (I have 50-70 alarms within 2 seconds) just before 995/1. Sometimes I also have alarm 993 (Missed packet count).

Could someone help me please?

Regards

Eric

5 REPLIES
Silver

Re: Alarm 995/1

If you are sure that the alarms are not detecting an attack and that they are false positives, you could opt to exclude them as shown in the document at http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a008009404e.shtml.

Cisco Employee

Re: Alarm 995/1

Either the device being monitored (e.g., switch) or the 4210 may be oversubscribed. If you have a TAC case open we would be interested in logging into your sensor if that is at all possible.

New Member

Re: Alarm 995/1

Before the S50 signature update, the 4210 was outside the LAN and I never had any problem.

Since I have installed the S50 signature update, the 4210 is linked to a hub between the firewall and a packetshaper. But I must reset my 4210. The eventAction for alarms 3215, 3216, 5081, 5114, 5124, 5249 and 5250 is shunhost or reset/shunhost. I don't understand why I see all the alarms although the firewall should stop it (in the IDM the attacker is shunned).

Cisco Employee

Re: Alarm 995/1

Have you verified the shuns on the firewall? I assume it is a PIX, so do a show shun command and verify the shuns are there.

If not, check to make sure NAC is communicating with the PIX:

In IDM on the Monitoring tab, select Statistics. Go down to the Network Access Statistics section. Does the PIX show as active? (You can do the same thing in the CLI by doing a show stat net command.)

New Member

Re: Alarm 995/1

When an IP is shunned in my IDM, it is not in the PIX. So I reset the SSH key between the PIX and the 4210.

Now when alarms 3215 (iis dot dot execute bug), 3216 (www directory traversal ../..), 5081 (www winnt cmd.exe access), 5114 (www iis unicode attack), 5124 (www iis double decode error), 5249 (ids evasive encoding) and 5250 (ids evasive double encoding) fire, I have also about 20 alarm 993 (Missed Packet Count) and then 995/1 (Traffic Flow Stopped).

I don't understand why the traffic is stopped.
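The sequence Eric describes (a burst of the listed web-attack/evasion signatures, then a run of 993 Missed Packet Count alarms, then 995/1 Traffic Flow Stopped) is the pattern a defender would want to flag automatically as a likely sensor-overload episode rather than a successful attack. The script below is an added example, not code from the thread or from Cisco; the alarm line format and the sample stream are constructed for illustration and are not Cisco's event format.

```python
from datetime import datetime, timedelta

# Signature IDs named in the thread: web-attack/evasion signatures and the two
# sensor-health alarms that followed them.
WEB_ATTACK_SIGS = {3215, 3216, 5081, 5114, 5124, 5249, 5250}
MISSED_PACKET_SIG = 993   # "Missed Packet Count"
FLOW_STOPPED_SIG = 995    # "Traffic Flow Stopped" (995/1 in the thread)

def parse_alarm(line):
    """Parse one constructed line: '<ISO timestamp> <sigId>[/<subSig>] <attacker>'.
    The format is an assumption for this example, not Cisco's event format."""
    ts, sig, attacker = line.split()
    return datetime.fromisoformat(ts), int(sig.split("/")[0]), attacker

def find_overload_episodes(lines, burst_min=50, burst_window=2, follow_window=60):
    """Find bursts of >= burst_min web-attack alarms inside burst_window seconds
    that are followed within follow_window seconds by 993 alarms and then a 995.
    Returns one (burst_start, burst_count, missed_count, attackers) per episode."""
    alarms = sorted(parse_alarm(l) for l in lines)
    episodes, i = [], 0
    while i < len(alarms):
        start, sig, _ = alarms[i]
        if sig not in WEB_ATTACK_SIGS:
            i += 1
            continue
        j = i  # extend the burst while alarms stay web-attack and within the window
        while (j < len(alarms) and alarms[j][1] in WEB_ATTACK_SIGS
               and alarms[j][0] - start <= timedelta(seconds=burst_window)):
            j += 1
        deadline = alarms[j - 1][0] + timedelta(seconds=follow_window)
        missed = 0
        for ts, s, _ in alarms[j:]:
            if ts > deadline:
                break
            if s == MISSED_PACKET_SIG:
                missed += 1
            elif s == FLOW_STOPPED_SIG and missed and j - i >= burst_min:
                episodes.append((start, j - i, missed, {a for _, _, a in alarms[i:j]}))
                break
        i = j
    return episodes

def sample_lines():
    """Constructed alarm stream mirroring the thread: 60 web-attack alarms in
    about 1.2 s from one host, then 20 x 993 and one 995/1."""
    t0 = datetime(2004, 3, 15, 10, 22, 0)
    sigs = sorted(WEB_ATTACK_SIGS)
    lines = [f"{(t0 + timedelta(milliseconds=20 * k)).isoformat()} {sigs[k % 7]} 10.0.0.5"
             for k in range(60)]
    lines += [f"{(t0 + timedelta(seconds=3 + k)).isoformat()} 993 0.0.0.0" for k in range(20)]
    lines.append(f"{(t0 + timedelta(seconds=25)).isoformat()} 995/1 0.0.0.0")
    return lines
```

An episode reported here points at the oversubscription hypothesis raised above (sensor or monitored device dropping packets), so the response is to check sensor load and the shun path rather than to treat the 995/1 as part of the attack.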
