Cisco Support Community

noc
New Member

IDS Event 1104

In the last couple of weeks Event ID 1104 started showing up. Signature Name is Localhost. The source address is 127.0.0.1 with destination addresses of my public interfaces. The source port is always 80 with different destination ports. Is this from a worm? I am assuming that the 127.0.0.1 is spoofed. Anyone else seeing this?

Thanks.

-Ryan

3 REPLIES
Silver

Re: IDS Event 1104

Temporarily disable Sig 1104 and investigate the source VLAN, or shun Sig 1104, or create an anti-spoofing ACL on the router.

New Member

Re: IDS Event 1104

Are there any updates to this particular signature? As Ryan stated, the alarms have a source of 127.0.0.1:80 with various destination IPs on ephemeral ports... Is this signature functional yet, or should it be disabled?

Thanks,

Don

New Member

Re: IDS Event 1104

This signature is being triggered from the Blaster worm.

Check out the following post:

http://seclists.org/lists/incidents/2003/Oct/0131.html
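An added example, not part of any post in this thread: a small Python triage script that separates Sig 1104 alerts matching the pattern described above (source in 127.0.0.0/8, source port 80, destination on a public address, ephemeral destination port) and counts them per sensor interface, which helps when investigating where the packets enter. The alert line format, the interface names, the public range and the 1024 port threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample alerts (not from the thread), one per line:
# signature-id  sensor-interface  src-ip  src-port  dst-ip  dst-port
SAMPLE_ALERTS = """\
1104 outside 127.0.0.1 80 198.51.100.10 1432
1104 outside 127.0.0.1 80 198.51.100.11 1967
1104 outside 127.0.0.1 80 198.51.100.10 1108
1104 dmz 127.0.0.1 80 198.51.100.20 1755
1104 inside 127.0.0.5 3000 10.1.1.7 25
3030 outside 203.0.113.9 4431 198.51.100.10 80
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumption: replace with the public ranges you own (documentation range here).
PUBLIC_NETS = [ipaddress.ip_network("198.51.100.0/24")]
EPHEMERAL_MIN = 1024  # assumption: treat ports >= 1024 as ephemeral


def parse(line):
    """Split one alert line (hypothetical format) into typed fields."""
    sig, iface, src, sport, dst, dport = line.split()
    return {"sig": int(sig), "iface": iface,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def matches_thread_pattern(a):
    """Sig 1104 with loopback source, port 80, public destination, ephemeral port."""
    return (a["sig"] == 1104 and a["src"] in LOOPBACK and a["sport"] == 80
            and any(a["dst"] in net for net in PUBLIC_NETS)
            and a["dport"] >= EPHEMERAL_MIN)


def triage(text):
    """Count pattern matches per interface and destination; tally other 1104s."""
    hits, other_1104 = [], 0
    for a in (parse(l) for l in text.splitlines() if l.strip()):
        if matches_thread_pattern(a):
            hits.append(a)
        elif a["sig"] == 1104:
            other_1104 += 1  # loopback alert that does not fit the pattern
    return {"by_iface": dict(Counter(a["iface"] for a in hits)),
            "by_dst": dict(Counter(str(a["dst"]) for a in hits)),
            "other_1104": other_1104}


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Alerts counted under `other_1104` are the ones worth a separate look, since they fire the same signature without fitting the pattern reported in this thread.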
