Problem with SigID 11000 - KaZaA v2 UDP Client Probe


Some of you may have noticed that any displayed data related to SigID 11000 appears to be not quite right when the alarm details are reviewed.

Some research and discussion with Cisco TAC has determined that SigID 11000 has an error that causes the Source and Destination IP addresses to be displayed incorrectly; essentially, they are reversed.

If you do not have another type of IDS in place analysing the same data flow (this is how it was found in my shop), you'll need to use a packet sniffer to see what I mean. If, however, you just want to take my word for it, Cisco has assigned it a BugID.

BugID CSCea13034 refers:

"Internally found moderate defect: New (N)

11000 events show up with reversed source and dest ip addresses.

Signature 11000 fires alarms with reversed IP addresses. This happens in both Appliance and IDSM."
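As an added illustration (not code from the original post, from Cisco, or from TAC), the following Python sketch shows how an event-correlation script could swap the endpoints for SigID 11000 events and check an alert against the flow a packet sniffer actually saw, which is how the reversal shows up in practice. The alert record layout, addresses and ports are assumed and constructed here; the real sensor event format is not shown in the post.

```python
# Added example, not part of the original post or of Cisco's IDS software.
# The Alert layout below is an assumed, simplified record; adjust to the
# event export you actually work with.
from dataclasses import dataclass

# Signatures known to report src/dst reversed (SigID 11000 per BugID CSCea13034).
REVERSED_SIG_IDS = {11000}


@dataclass(frozen=True)
class Alert:
    sig_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def normalize(alert: Alert) -> Alert:
    """Return the alert with endpoints swapped if its signature is on the reversed list."""
    if alert.sig_id in REVERSED_SIG_IDS:
        return Alert(alert.sig_id, alert.dst_ip, alert.dst_port,
                     alert.src_ip, alert.src_port)
    return alert


def compare_with_capture(alert: Alert, flow: tuple) -> str:
    """Classify an alert's endpoints against a flow observed on the wire.

    flow is (src_ip, src_port, dst_ip, dst_port) as seen by a packet sniffer.
    Returns 'match', 'reversed' (sensor swapped the endpoints) or 'mismatch'.
    """
    seen = (alert.src_ip, alert.src_port, alert.dst_ip, alert.dst_port)
    if seen == flow:
        return "match"
    if seen == (flow[2], flow[3], flow[0], flow[1]):
        return "reversed"
    return "mismatch"


# Constructed sample: the sniffer saw 10.0.0.5:4512 send a UDP probe to
# 192.0.2.10:1214, while the sensor's SigID 11000 event lists the endpoints
# the other way round (the behaviour described in the bug).
SAMPLE_FLOW = ("10.0.0.5", 4512, "192.0.2.10", 1214)
SAMPLE_ALERT = Alert(11000, "192.0.2.10", 1214, "10.0.0.5", 4512)

if __name__ == "__main__":
    print("raw event:", compare_with_capture(SAMPLE_ALERT, SAMPLE_FLOW))
    print("normalized:", compare_with_capture(normalize(SAMPLE_ALERT), SAMPLE_FLOW))
```

Running the raw event through compare_with_capture reports "reversed"; after normalize it reports "match", which is the quick sanity check to run before trusting any reporting built on these events.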

I figured this was as good a place as any to pass this tidbit on, just in case anyone else was having trouble analysing events related to SigID 11000...

BTW, there is no indication (yet) as to when a fix is expected.

NOTE: Thanks to Evan Trimble at TAC for providing the BugID to confirm my suspicions about this signature.

