IDS Signature 3001 Flipping Source and Dest Addresses
We've recently noticed that the Source and Destination addresses in the IDS 3001 alarms have been reversed; that is, the source address is reported in the dest address field, and the dest address is placed in the source address field. This is happening in the NetRanger log itself. We cross-checked the alarms with the actual sessions we're seeing to verify that this is occurring.
We're still running CIDS 2.2.1, with packetd version of 188.8.131.52. Is there a reason the addresses have been flipped?
Re: IDS Signature 3001 Flipping Source and Dest Addresses
I think there was a problem with a signature in the older sensors where the source/destination addresses were swapped in the context buffer. I remember this bug was found and fixed somewhere around the 2.5 code release. In any case, you should upgrade to 3.0. 184.108.40.206 is falling behind very quickly in signature coverage. Doing this should also fix the bug I think you're running into.