04-16-2004 12:00 AM - edited 03-09-2019 07:05 AM
I've noticed that an ICQ client in default configuration triggers 9032 Back Door Probe (TCP 5190) alarm while trying to connect to login.icq.com servers.
Regards,
Milan
04-16-2004 08:48 AM
I'd recommend setting up a filter to solve this. If you've defined the IN and OUT system variables, set up a filter for IN to OUT. This should eliminate the problem. I'll add this to the NSDB as a potential benign trigger.
04-18-2004 10:35 PM
Mathew,
thanks, I've set the filters already.
Don't you think it would be a good idea to create a "customer notes" part of Cisco Secure Encyclopedia which would allow IDS users to write such field notices?
Regards,
Milan
04-19-2004 05:07 AM
Dear Sir,
We are experiencing the same phenomenon concerning back door responses triggered by legitimate FTP traffic. All those back door responses are triggered on the ACKs coming from the client (in case of active FTP) and the server (in case of passive FTP). It is very time-consuming to filter out these legitimate FTP clients/servers, as we don't want to disable these signatures. In case of passive FTP we are looking for a workaround using an FTP server that can be configured to use ports out of the known back door port ranges.
Thanks for any comment or advice,
Johan.
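The passive-FTP workaround described in the post above, sketched as an added example that is not part of the original thread: given the ports the sensor's back door signatures watch, find a contiguous range for the FTP server's passive data ports that avoids all of them. Only port 5190 comes from this thread; the other ports in the set are constructed stand-ins, and the function names are hypothetical.

```python
# Constructed sample of ports watched by back door signatures.
# 5190 is the port named in this thread; the rest are stand-ins. Replace the
# set with the ports taken from your own sensor's signature definitions.
BACKDOOR_PORTS = {5190, 12345, 27374, 31337, 54320}


def clean_ranges(watched, low=1024, high=65535):
    """Return inclusive (start, end) ranges in [low, high] with no watched port."""
    ranges = []
    start = low
    for port in sorted(p for p in watched if low <= p <= high):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1          # skip the watched port itself
    if start <= high:
        ranges.append((start, high))
    return ranges


def pick_passive_range(watched, size, low=1024, high=65535):
    """Return the first clean range of exactly `size` ports, or None if none fits."""
    for start, end in clean_ranges(watched, low, high):
        if end - start + 1 >= size:
            return (start, start + size - 1)
    return None


def overlaps(watched, start, end):
    """List watched ports inside an existing range, to audit a current config."""
    return sorted(p for p in watched if start <= p <= end)


if __name__ == "__main__":
    # 1000 passive ports, taken from the dynamic port range (49152-65535).
    print(pick_passive_range(BACKDOOR_PORTS, 1000, low=49152))
    # Audit a range that would keep triggering the alarm discussed here.
    print(overlaps(BACKDOOR_PORTS, 5000, 6000))
```

This covers only the server's passive data ports; in active FTP the client chooses its own port, so those alarms still need the IN to OUT filter recommended earlier in the thread.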