Need help understanding alarms from signature 2156
This is the "Nachi Worm ICMP Echo Request". I have my outside IDS shunning this signature, and I can see that the internet router has "Deny" access lists for each alarm. But what is puzzling me is that I also have an IDS inside on my server VLAN that is reporting an outside attacker to one of my servers. I have looked over these servers with someone else and we cannot find any trace of Nachi. The alarm also has no source or destination ports listed. In the past, when I have had an infected machine, there has been a src port 8 and a dest port listed. The outside addresses are one connection and a few have been to Korea. These servers should not have any reason to connect to the addresses listed as attackers. I am at a loss as to why I am getting these alarms. I should also add that the servers are patched with the latest Critical Updates and have the latest anti-virus.