Recieving alert 4055 whenever Logging into VPN Concentrator using VPN Clien

s.surani · ‎02-23-2004

Hello,

I am receiving the following alert from our NIDS, whenever a remote user tries to connect to our network using VPN Client:

nids2 reported a high severity alert at 02/24/2004 16:10:27 Signature B02K-UDP (4055:2) from sourceip to destination ip Actions taken: None

Please assist me to resolve this. this alert started appreaing only after S69 Signature update. Is it something to do with the Signature update?

Thanks and Regards

Salim

marcabal · ‎02-24-2004

This is a known False Positive for the alarm.

THe NSDB entry for 4055 says to refer to the NSDB entry for 3992 for a list of Benign Triggers.

The NSDB entry for 3992 states:

The traffic produced by Napster and BearShare (a variant of the Gnutella file-sharing program) have caused this signature to fire. This is due to the compression used in MP3 and video files transferred by these programs, which closely resemble the patterns found in BO2K encrypted traffic. Other false positive triggers include: Age Of Empires network game traffic, HP JetDirect printer dialog, BGP routing protocol traffic, encrypted VPN traffic (including the Cisco VPN 3000 concetrator / client).

The last false positive trigger listed is VPN traffic.

The encryption in the VPN traffic sometimes randomly matches the pattern we are looking for in BO2K traffic, and you get the false positive firing of the alarm.

If you can verify that the alarms are going to or coming from your VPN concentrator then you can exclude the VPN concentrator for these alarms to prevent reporting of the false positives.

As for why it started being seen after S69 I am not sure why you would not have seen the false positive before S69.