ICQ and Signature 9032

milan.kulik

I've noticed that an ICQ client in default configuration triggers 9032 Back Door Probe (TCP 5190) alarm while trying to connect to login.icq.com servers.

Regards,

Milan

mcerha

I'd recommend setting up a filter to solve this. If you've defined the IN and OUT system variables, set up a filter for IN to OUT. This should eliminate the problem. I'll add this to the NSDB as a potential benign trigger.

Mathew,

thanks, I've set the filters already.

Don't you think it would be a good idea to create a "customer notes" part of Cisco Secure Encyclopedia which would allow IDS users to write such field notices?

Regards,

Milan

Dear Sir,

We are experiencing the same phenomenon concerning back door responses triggered by legitimate FTP traffic. All those back door responses are triggered on the ACKs coming from the client (in case of active FTP) and the server (in case of passive FTP). It is very time-consuming to filter out these legitimate FTP clients/servers, as we don't want to disable these signatures. In case of passive FTP we are looking for a workaround using an FTP server that can be configured to use ports outside the known back door port ranges.

Thanks for any comment or advice,

Johan.
