Cisco Support Community
New Member

Need help understanding alarms from signature 2156

This is the "Nachi Worm ICMP Echo Request". I have my outside IDS shunning this signature and I can see that the internet router has "Deny" access lists for each alarm. But what is puzzling me is I also have an IDS inside on my server vlan that is reporting an outside attacker to one of my servers. I have looked over these servers with someone else and we can not find any trace of Nachi. The alarm also has no Source or Destination ports listed. In the past when I have had an infected machine there has been a src port 8 and a dest port listed. The outside addresses are one connection and a few have been to Korea. These servers should not have any reason to connect to the addresses listed as attackers. I am at a loss as to why I am getting these alarms. I should also add that the servers are patched with the latest Critical Updates and have the latest Anti-Virus.

4 REPLIES
New Member

Re: Need help understanding alarms from signature 2156

does the icmp pattern look similar to this?

inetnum: 220.116.0.0 - 220.127.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR

1 0.00000 a.b.c.d -> 220.117.223.36 ICMP Echo request (ID: 768 Sequence number: 49151)
2 73.59386 a.b.c.d -> 220.117.47.209 ICMP Echo request (ID: 768 Sequence number: 60689)
3 83.95402 a.b.c.d -> 220.117.84.48 ICMP Echo request (ID: 768 Sequence number: 43558)
4 106.05646 a.b.c.d -> 220.117.29.189 ICMP Echo request (ID: 768 Sequence number: 57152)
5 10.85057 a.b.c.d -> 220.117.147.40 ICMP Echo request (ID: 768 Sequence number: 35139)
6 83.58813 a.b.c.d -> 220.117.186.47 ICMP Echo request (ID: 768 Sequence number: 12120)
7 53.25838 a.b.c.d -> 220.117.236.176 ICMP Echo request (ID: 768 Sequence number: 22373)
8 14.82192 a.b.c.d -> 220.117.189.110 ICMP Echo request (ID: 768 Sequence number: 105)
9 14.11701 a.b.c.d -> 220.117.157.189 ICMP Echo request (ID: 768 Sequence number: 31084)
10 59.87000 a.b.c.d -> 220.117.0.155 ICMP Echo request (ID: 768 Sequence number: 15995)
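The capture pasted above shows the defender-side tell: one internal source sending ICMP echo requests with a single, constant identifier (768) to many different hosts across a whole /16, with sequence numbers that jump around rather than counting up. ICMP carries a type, code, identifier and sequence number instead of ports, which is also why such an alarm lists no source or destination port. The following script is an added example (not code from the thread or from Cisco) that parses summary lines in exactly the format shown above and flags a (source, ICMP id) pair that reaches many distinct destinations; the benign ping sample, the `min_targets` threshold and the `/24` grouping are my own constructed assumptions.

```python
"""Added example: spot a Nachi/Welchia-style ICMP echo sweep in capture text.

Parses lines in the format shown in the reply above (Ethereal/tshark-style
summary), groups echo requests by source and ICMP identifier, and flags a
source that reaches many distinct destinations with one identifier. A normal
ping sends a fixed identifier to one destination with a sequence number that
increments by one; a sweep reuses the identifier across many targets.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"ICMP Echo request \(ID: (?P<icmp_id>\d+) Sequence number: (?P<seq>\d+)\)"
)

# Constructed sample in the same format as the capture pasted above; "a.b.c.d"
# stands in for the internal host, as in the reply.
SWEEP_CAPTURE = """\
1 0.00000 a.b.c.d -> 220.117.223.36 ICMP Echo request (ID: 768 Sequence number: 49151)
2 73.59386 a.b.c.d -> 220.117.47.209 ICMP Echo request (ID: 768 Sequence number: 60689)
3 83.95402 a.b.c.d -> 220.117.84.48 ICMP Echo request (ID: 768 Sequence number: 43558)
4 106.05646 a.b.c.d -> 220.117.29.189 ICMP Echo request (ID: 768 Sequence number: 57152)
5 10.85057 a.b.c.d -> 220.117.147.40 ICMP Echo request (ID: 768 Sequence number: 35139)
6 83.58813 a.b.c.d -> 220.117.186.47 ICMP Echo request (ID: 768 Sequence number: 12120)
7 53.25838 a.b.c.d -> 220.117.236.176 ICMP Echo request (ID: 768 Sequence number: 22373)
8 14.82192 a.b.c.d -> 220.117.189.110 ICMP Echo request (ID: 768 Sequence number: 105)
9 14.11701 a.b.c.d -> 220.117.157.189 ICMP Echo request (ID: 768 Sequence number: 31084)
10 59.87000 a.b.c.d -> 220.117.0.155 ICMP Echo request (ID: 768 Sequence number: 15995)
"""

# Constructed benign sample: an admin host pinging one monitoring box.
PING_CAPTURE = """\
1 0.00000 10.1.2.3 -> 10.1.9.9 ICMP Echo request (ID: 1234 Sequence number: 1)
2 1.00102 10.1.2.3 -> 10.1.9.9 ICMP Echo request (ID: 1234 Sequence number: 2)
3 2.00210 10.1.2.3 -> 10.1.9.9 ICMP Echo request (ID: 1234 Sequence number: 3)
4 3.00315 10.1.2.3 -> 10.1.9.9 ICMP Echo request (ID: 1234 Sequence number: 4)
"""


def parse_capture(text):
    """Return one dict per echo-request line; lines in any other format are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("frame", "icmp_id", "seq"):
                rec[key] = int(rec[key])
            rec["time"] = float(rec["time"])
            records.append(rec)
    return records


def _subnet24(addr):
    """/24 containing a destination; a non-IP placeholder maps to itself."""
    try:
        return str(ip_network(f"{ip_address(addr)}/24", strict=False))
    except ValueError:
        return addr


def find_icmp_sweeps(records, min_targets=5):
    """Flag (src, icmp_id) pairs whose echo requests hit many distinct destinations.

    Each finding carries the distinct-destination and distinct-/24 counts and
    whether the sequence numbers increment by one as a normal ping's would.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["src"], rec["icmp_id"])].append(rec)

    findings = []
    for (src, icmp_id), recs in sorted(groups.items()):
        recs.sort(key=lambda r: r["frame"])
        dsts = {r["dst"] for r in recs}
        if len(dsts) < min_targets:
            continue
        seqs = [r["seq"] for r in recs]
        sequential = all(b - a == 1 for a, b in zip(seqs, seqs[1:]))
        findings.append({
            "src": src,
            "icmp_id": icmp_id,
            "targets": len(dsts),
            "subnets": len({_subnet24(d) for d in dsts}),
            "sequential_seq": sequential,
        })
    return findings


if __name__ == "__main__":
    for name, text in (("sweep", SWEEP_CAPTURE), ("ping", PING_CAPTURE)):
        print(name, find_icmp_sweeps(parse_capture(text)))
```

Run against the pasted pattern it reports one finding for `a.b.c.d` with identifier 768, ten distinct targets in ten different /24s and non-sequential sequence numbers, while the single-destination ping produces nothing. Fed with the IDS IP log or a sniffer summary from the server VLAN, the same grouping shows at a glance whether the flagged internal server is the one originating the sweep, which is the question the original poster is trying to settle.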

New Member

Re: Need help understanding alarms from signature 2156

Yes, This looks like what I am getting.

Bronze

Re: Need help understanding alarms from signature 2156

Could you possibly capture some of the ICMP traffic and send it to mcerha@cisco.com. We'll need some traffic to diagnose what's going on.

New Member

Re: Need help understanding alarms from signature 2156

Can you tell me how best to capture this? I am thinking I use the IP logging on the IDS?

104 Views | 0 Helpful | 4 Replies