
IDS Signature 3001 Flipping Source and Dest Addresses

stevemurphy
Level 1

We've recently noticed that the Source and Destination addresses in the IDS 3001 alarms have been reversed; that is, the source address is reported in the dest address field, and the dest address is placed in the source address field. This is happening in the NetRanger log itself. We cross-checked the alarms with the actual sessions we're seeing to verify that this is occurring.

We're still running CIDS 2.2.1, with packetd version of 2.2.1.8. Is there a reason the addresses have been flipped?

1 Reply

s-doyle
Level 3

I think there was a problem with a signature in the older sensors where the source/destination addresses were swapped in the context buffer. I remember this bug was found and fixed somewhere around the 2.5 code release. In any case, you should upgrade to 3.0. 2.2.1.8 is falling behind very quickly in signature coverage. Doing this should also fix the bug I think you’re running into.
