Cisco Support Community
New Member

Kazaa Alarms

Am getting a few 'Kazaa GET Request' (11005) alarms, but suspect they may be false positives. Can anything apart from Kazaa trigger this?

5 REPLIES

Re: Kazaa Alarms

Me personally, I have never seen a false positive on 11005. Just my 2 cents. What makes you think they are false?

New Member

Re: Kazaa Alarms

Are false +ves not possible when the source is a web server or proxy? The signature looks for get/ on the default Kazaa port.

Cisco Employee

Re: Kazaa Alarms

Yes, in the case of HTTP traffic that has been proxied to the default KaZaa port you could get false fires. I would recommend that you capture trigger packets on the firings and inspect them. If you know the destination of the requests is a proxied web server and these prove to be misfires, you can exclude the destination for this alarm.

New Member

Re: Kazaa Alarms

The reason I thought some were false positives is that on one alarm, the source address was a colleague who I know wasn't using Kazaa to a destination address on our intranet. This would tie in with the explanation given in the previous two posts.

Thanks for your help, much appreciated.

Bronze

Re: Kazaa Alarms

With 3.x sensors, it is possible that the server and client get reversed, resulting in a false positive. 4.x does not have this problem. For this to happen, a web server would have to return 'GET /' somewhere in its data to a client on port 1214. This isn't the normal scenario, but it could happen. We will make a change to the signature that should fix this for the next signature update.
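
A simplified triage model of the two false-positive paths described in this thread (HTTP proxied to port 1214, and client/server reversal), as an added example that is not part of any post and is not Cisco's signature logic. The `Segment` record, the `triage` labels and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

KAZAA_PORT = 1214  # default Kazaa port named in the thread


@dataclass
class Segment:
    """One data segment from a captured trigger packet (hypothetical record)."""
    client: tuple      # (ip, port) of the side that opened the connection
    server: tuple      # (ip, port) of the side that accepted it
    from_client: bool  # True if the payload travels client -> server
    payload: bytes


def naive_match(seg: Segment) -> bool:
    """Direction-blind model: 'GET /' in data sent *to* port 1214."""
    dst_port = seg.server[1] if seg.from_client else seg.client[1]
    return dst_port == KAZAA_PORT and b"GET /" in seg.payload


def triage(seg: Segment, proxied_servers=frozenset()) -> str:
    """Classify a firing using the explanations given in the replies."""
    if not naive_match(seg):
        return "no-alarm"
    if not seg.from_client:
        # Server data that happens to contain 'GET /' reached a client
        # whose source port is 1214: the reversal case.
        return "fp-reversed"
    if seg.server[0] in proxied_servers:
        # Known web server/proxy listening on 1214: candidate for exclusion.
        return "fp-proxied-http"
    return "investigate"


# Constructed sample segments (documentation/private addresses only).
SAMPLES = {
    "real_request": Segment(("10.0.0.5", 3050), ("192.0.2.10", 1214), True,
                            b"GET /file HTTP/1.1\r\n\r\n"),
    "reversed": Segment(("10.0.0.8", 1214), ("10.0.1.20", 80), False,
                        b"HTTP/1.1 200 OK\r\n\r\n<pre>GET / HTTP/1.0</pre>"),
    "proxied": Segment(("10.0.0.9", 4000), ("10.0.1.30", 1214), True,
                       b"GET /index.html HTTP/1.1\r\n\r\n"),
    "plain_web": Segment(("10.0.0.9", 4001), ("10.0.1.20", 80), True,
                         b"GET / HTTP/1.1\r\n\r\n"),
}
PROXIED = frozenset({"10.0.1.30"})  # constructed exclusion list
```

Only segments that remain `investigate` after both checks need a closer look at the captured trigger packet.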
