Problem with SigID 11000 - KaZaA v2 UDP Client Probe
Some of you may have noticed that any displayed data related to SigID 11000 appears to be not quite right when the alarm details are reviewed.
Some research and discussion with Cisco TAC has determined that SigID 11000 has an error that is causing the Source and Destination IP addresses to be displayed incorrectly; essentially they are reversed.
If you do not have another type of IDS in place analysing the same data flow (this is how it was found in my shop), you'll need to use a packet sniffer to see what I mean. If, however, you just want to take my word for it, Cisco has assigned it a BugID.
BugID CSCea13034 refers:
"Internally found moderate defect: New (N)
11000 events show up with reversed source and dest ip addresses.
Signature 11000 fires alarms with reversed IP addresses. This happens in both Appliance and IDSM."
I figured this as good a place as any to pass this tidbit on, just in case anyone else was having trouble analysing events related to SigID 11000...
BTW, there is no indication (yet) as to when a fix is expected.
NOTE: Thanks to Evan Trimble at TAC for providing the BugID to confirm my suspicions about this signature.