IDS signature General Loki ICMP Tunneling false positives..
I have rather suddenly been getting a lot of Critical alerts for Signature 6053 General Loki ICMP Tunneling. While the Cisco database says that there are no known benign triggers, I have correlated data that shows otherwise. I have a vendor whose software does a remote polling of devices they monitor in my network, and each polling event generates the Loki alert.
I am also in the process of correlating data/alerts from external host connections generating this alert to my Novell platformed DNS server.
Have there been any other false positive triggers/software identified?
Re: IDS signature General Loki ICMP Tunneling false positives..
One way to get a false positive on LOKI is to have asymmetric routing or filtering of directional traffic. The general condition is that the Sensor could see the ECHO REPLY messages without having first seen the ECHO REQUEST. This would trigger a false positive on Loki. Note also that it *is* order dependent, so if for some reason the REPLY is seen before the REQUEST, even if the REQUEST is seen, then you can have a false positive.
Another possible cause of Loki alarms is a system that sends out multiple REPLYs to a REQUEST. We have seen the latter in real life and tuned the signature around it.
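To make the order dependence and the multiple-reply case concrete, here is an added illustration, not Cisco's signature code and not from either post, that replays constructed ICMP echo sequences through a minimal request/reply state table of the kind the reply describes. Packet tuples, scenario names and the reason strings are assumptions for the example.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values


def loki_alerts(packets):
    """Replay a packet sequence through a request/reply state table.

    packets: iterable of (icmp_type, ident, seq) tuples in the order the
    sensor saw them (constructed input, not a capture format).
    Returns a list of (packet_index, reason) tuples, one per alert.
    """
    outstanding = defaultdict(int)  # (ident, seq) -> requests not yet answered
    ever_requested = set()          # keys for which any request was seen
    alerts = []
    for idx, (icmp_type, ident, seq) in enumerate(packets):
        key = (ident, seq)
        if icmp_type == ECHO_REQUEST:
            outstanding[key] += 1
            ever_requested.add(key)
        elif icmp_type == ECHO_REPLY:
            if outstanding[key] > 0:
                outstanding[key] -= 1  # normal: reply matched to a prior request
            elif key in ever_requested:
                alerts.append((idx, "extra reply to an already answered request"))
            else:
                alerts.append((idx, "reply seen before any matching request"))
    return alerts


# Constructed traces for the cases discussed in the thread.
NORMAL = [(8, 1, 1), (0, 1, 1)]                  # request, then one reply
ASYMMETRIC = [(0, 1, 1)]                         # sensor only sees the return path
REORDERED = [(0, 1, 2), (8, 1, 2)]               # request observed after its reply
MULTI_REPLY = [(8, 1, 3), (0, 1, 3), (0, 1, 3)]  # host answers twice

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("asymmetric", ASYMMETRIC),
                        ("reordered", REORDERED), ("multi_reply", MULTI_REPLY)]:
        print(name, loki_alerts(trace))
```

The REORDERED trace alerts even though the request is eventually seen, which is the order dependence the reply points out; a tuning exception for the known poller's source address would suppress only the MULTI_REPLY style of hit.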