
New Member

Cisco signatures of MSBlast and Welchia worms

We have been battling these worms for a while. I know Cisco issued SID 3327 and SID 3328 for the MS DCOM RPC vulnerability. I have not seen many 3327 and 3328 alerts so far. Can anybody tell me how Cisco IDS helps me best to battle these worms?

Philip

5 REPLIES
Cisco Employee

Re: Cisco signatures of MSBlast and Welchia worms

Phillip,

Unfortunately the nature of these worms is such that they tend to contain themselves to the local segment of the infected host. Only occasionally do they try to propagate off segment. In order for your IDS to help you it must be positioned so that it sees all communication on a particular segment, not just cross-segment traffic. This is a deployment issue rather than a signature effectiveness issue.

KLW
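The deployment point in the reply above, as an added example that is not from the thread or from Cisco: a small Python model of what a sensor can see depending on where it is placed. The subnets, hosts and flow records are constructed for the illustration; "segment" stands for a SPAN of the monitored segment and "core" for a tap on the inter-VLAN link.

```python
"""Added example (not from the thread): why sensor placement, not the
signature, decides whether Blaster/Welchia-style scans are seen.
Both worms hit TCP/135 (the MS DCOM RPC service covered by Cisco
signatures 3327/3328), mostly against hosts on the infected machine's
own subnet. All addresses and flows below are constructed."""
import ipaddress

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.1.1.20", "10.1.1.21", 135),   # intra-segment scan
    ("10.1.1.20", "10.1.1.22", 135),
    ("10.1.1.20", "10.1.1.23", 135),
    ("10.1.1.20", "10.1.1.24", 135),
    ("10.1.1.20", "10.2.5.9", 135),    # rare off-segment attempt
    ("10.1.1.20", "10.1.1.25", 80),    # ordinary traffic, not DCOM RPC
    ("10.3.7.4", "10.1.1.30", 135),    # inbound from another segment
]
DCOM_RPC_PORT = 135


def sensor_sees(flow, placement, segment):
    """'segment': SPAN of the monitored segment, sees every flow with an
    endpoint on it. 'core': tap on the inter-VLAN link, sees only flows
    whose endpoints are on different subnets."""
    src_in = ipaddress.ip_address(flow[0]) in segment
    dst_in = ipaddress.ip_address(flow[1]) in segment
    if placement == "segment":
        return src_in or dst_in
    if placement == "core":
        return src_in != dst_in
    raise ValueError(f"unknown placement: {placement}")


def dcom_rpc_visibility(flows, placement, segment_cidr):
    """Return (seen, total) TCP/135 flows the sensor could match a
    DCOM RPC signature against from the given placement."""
    segment = ipaddress.ip_network(segment_cidr)
    rpc_flows = [f for f in flows if f[2] == DCOM_RPC_PORT]
    seen = sum(1 for f in rpc_flows if sensor_sees(f, placement, segment))
    return seen, len(rpc_flows)


if __name__ == "__main__":
    for placement in ("segment", "core"):
        seen, total = dcom_rpc_visibility(FLOWS, placement, "10.1.1.0/24")
        print(f"{placement:8s} sensor sees {seen}/{total} TCP/135 flows")
```

With the same signature on both sensors, the core-link placement sees only the occasional off-segment attempts, which is exactly the "lots of events, but no 3327/3328" symptom.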

New Member

Re: Cisco signatures of MSBlast and Welchia worms

I know our IDS deployment is right there to monitor all the traffic on these dedicated segments. These worms can be seen from other IDS tools, which are at the same locations as Cisco. How come Cisco cannot see these worms?

Philip

New Member

Re: Cisco signatures of MSBlast and Welchia worms

Philip,

There must be a problem with the Cisco IDS (configuration, setup, hardware). We have gotten positive feedback about signature 3327 in detecting Blaster and Welchia.

What version of the sensor are you running?

What sigupdate level are you running?

What is the traffic load on the segment the IDS is on?

-Tony

New Member

Re: Cisco signatures of MSBlast and Welchia worms

Thank you for telling me the signature 3327 is not a fake.

Version 3 - 4

Signature level S49

As far as traffic load, not much, less than 10 MB normally.

I have CiscoWorks to monitor the events; currently there are 7 sensors under it, lots of events, not a single 3327 or 3328. I am confused.

Philip

New Member

Re: Cisco signatures of MSBlast and Welchia worms

Did you tune sig 3327 or 3328? Ensure that they are turned on and don't have filters set for them.

Please respond to anthall@cisco.com; let's try to resolve this quicker.
