Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco IOS version 12.3.1 IDS: Signature 1102

What, (other than a ping from the local router), other traffic from a local router would cause my IOS IDS to log an Intrusion event for signature 1102. I have signature 1102 events being logged approximately every 2 minutes. Is this an attack, or is my local router generating traffic that is causing this?

4 REPLIES
Cisco Employee

Re: Cisco IOS version 12.3.1 IDS: Signature 1102

Hi Jim,

Sig 1102 triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack.

This could be due to a DOS attack as well. You may want to implement the measures depicted under "Securing IP routing" on the below url;

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#sec_ip

Thanks,

yatin

Cisco Employee

Re: Cisco IOS version 12.3.1 IDS: Signature 1102

Jim,

You may also want to get a sniffer trace of this. Is there a DHCP server in the "vicinity" on this wire?

Thanks,

yatin

New Member

Re: Cisco IOS version 12.3.1 IDS: Signature 1102

There is a DHCP server on the inside and outside of the Firewall. All local net hosts access the server on the inside, no hosts access the outside server.

New Member

Re: Cisco IOS version 12.3.1 IDS: Signature 1102

I've noted when I ping from the local router the IDS message is:

%IDS-4-IP_IMPOSSIBLE_SIG: Sig:1102:Impossible IP Packet - from (Actual IP) to (Actual IP)

When the message comes in on its own it is:

%IDS-4-IP_IMPOSSIBLE_SIG: Sig:1102:Impossible IP Packet - from 0.0.0.0 to 0.0.0.0

Short of a packet sniffer on the outside, what other options might I have to trace the source of this message.

176
Views
0
Helpful
4
Replies
CreatePlease to create content