Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Interpretation of CSIDS alarms

Dear All,

New to the world of IDS I am seeking assistance in the interpretation of a swarm of alarms noted in the logs last week.

I have a bank of 8 IIS servers and a 4230 sensor sitting behind a PIX firewall. On any given day I will see a few hundred attempted attacks using the IIS Unicode exploit or WinNT cmd.exe access.

On one certain day I saw hundreds of thousands of such alarms. The source IP address was that of one of the IIS servers on port 80, while the destination address and port varied across a gamet of addresses and ports.

I figured that an attacker had attempted a DoS attack by spoofing the source address of an internal server (believable since I do not yet have the public interface of the PIX configured to drop packets with internal source addresses). However, I am told that it is very difficult to spoof such an IIS response so my initial assumption may be wrong.

How would others interpret seeing such traffic?



Cisco Employee

Re: Interpretation of CSIDS alarms

It is possible that you are under attack or may have even been compromised by a virus.

Nimda is one such virus that attacks IIS web servers using the IIS Unicode exploit or WinNT cmd.exe access, and there are several more that use similar methods for propogating themselves.

Be sure you have loaded the latest IIS Security Patches on your web server, and be sure your Anti-Virus software is up to date. Scan your web server with the latest antivirus to determine if you've been infected.