Cisco Support Community
Community Member

MARS fragmented ICMP and microsoft DC

Hi, I have many fragmented ICMP incidents related to the Microsoft speed check from client to domain controller.

How to tune them?

I need to tune the events to avoid this kind of incident when a Microsoft client attempts to access the DC server through the ASA, but I need to maintain the fragmented ICMP rules in case of worm propagation attempts.




Re: MARS fragmented ICMP and microsoft DC

I assume you're talking about this:

You might be able to tune on the actual client:

What is the actual alarm on the ASA that is firing? What is the actual inspection rule in MARS that is firing?

Community Member

Re: MARS fragmented ICMP and microsoft DC

Yes, I'm talking about that, and on 3 ASA 7.0(4) units used for the ip audit configuration pilot, the alarm firing is 400023, Signature ID 2150, Fragmented ICMP Traffic.

I think it's not easy to tune MARS to avoid this incident and maintain ICMP fragment attention for worm propagation.



Re: MARS fragmented ICMP and microsoft DC

Well, according to the MS link, a specific large ICMP packet is used. I'm guessing that is what is being fragmented. It appears one option is to modify the MS clients to use a smaller ICMP packet for this process. But I think you'll find other "normal" software using large ICMP too.

Is there something that leads you to believe that fragmented ICMP is a good indication of worm propagation? Personally, I don't think it is. What _might_ be a good indicator is the ICMP messages themselves (not whether they are fragmented). If suddenly one or more hosts is scanning subnets with ICMP, then there should be other incidents firing than "fragmented ICMP". I'm not even talking about IDS alarms, just the normal log information about "connections" received from the ASA should generate an incident in CSMARS.

You should be able to test this pretty easily with nmap.

Community Member

Re: MARS fragmented ICMP and microsoft DC

Well, I agree with you. In CS-MARS I can see incidents matching the "System Rule: Worm Propagation - Attempt" rules, with fragmented ICMP and also related TCP connections (i.e. tcp 139), but the rule "System Rule: Server Attack: Misc. - Attempt" (event type "Fragmented ICMP traffic") fires only with fragmented ICMP traffic: this is the problem, only ICMP!

Thank you in advance.


Re: MARS fragmented ICMP and microsoft DC

Regarding the "System Rule: Server Attack: Misc. - Attempt" rule, it should fire on a single event received that is a member of any of these event categories:

Signature 2150-0 maps to event type "Fragmented ICMP Traffic", which is a member of the DoS/Host and DoS/All event type categories. So, a single 2150-0 would normally trigger this rule.

If your goal is to have sig 2150-0 fire (and thus the CSMARS rule) for all other fragmented ICMP traffic but those that result from Windows slow link detection, one option is to create an event action filter on the sensor that won't create an alert for 2150-0 if the destination is a domain controller.
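As an added illustration of the tuning idea in this answer (not code from the thread or from Cisco), the script below triages ASA 400023 / signature 2150 syslog lines offline: hits whose destination is a known domain controller are set aside as expected slow-link-detection noise, the rest are kept, and the kept hits are summarised per source so that one host sending fragmented ICMP to many destinations still stands out. The message layout, the DC address and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed layout of ASA message 400023 (IP audit signature alert);
# verify against your own ASA syslog before relying on the pattern.
ASA_400023 = re.compile(
    r"%ASA-\d-400023: IDS:(?P<sig>\d+) (?P<desc>.+?) from "
    r"(?P<src>[\d.]+) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Constructed sample log: two clients talking to the DC, one host hitting two servers.
SAMPLE_LOG = """\
%ASA-4-400023: IDS:2150 ICMP fragment from 10.1.20.15 to 10.1.1.10 on interface inside
%ASA-4-400023: IDS:2150 ICMP fragment from 10.1.20.16 to 10.1.1.10 on interface inside
%ASA-4-400023: IDS:2150 ICMP fragment from 10.1.20.99 to 10.1.30.7 on interface inside
%ASA-4-400023: IDS:2150 ICMP fragment from 10.1.20.99 to 10.1.30.8 on interface inside
"""

DOMAIN_CONTROLLERS = {"10.1.1.10"}  # hypothetical DC address, constructed for the example


def parse_400023(line):
    """Return the fields of a 400023 line as a dict, or None if it does not match."""
    m = ASA_400023.search(line)
    return m.groupdict() if m else None


def triage(log_text, dc_hosts, sig="2150"):
    """Split signature hits into (kept, suppressed): suppressed = destination is a DC."""
    kept, suppressed = [], []
    for line in log_text.splitlines():
        ev = parse_400023(line)
        if ev is None or ev["sig"] != sig:
            continue
        (suppressed if ev["dst"] in dc_hosts else kept).append(ev)
    return kept, suppressed


def fanout(events):
    """Number of distinct destinations per source among the kept hits."""
    dsts = defaultdict(set)
    for ev in events:
        dsts[ev["src"]].add(ev["dst"])
    return {src: len(d) for src, d in dsts.items()}


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOG, DOMAIN_CONTROLLERS)
    print(f"kept={len(kept)} suppressed={len(suppressed)} fanout={fanout(kept)}")
```

The same destination-based exclusion expressed as a sensor event action filter on 2150-0 keeps the rule active for every other target while removing the DC traffic from the incident count.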
