
Sig#2156 Tuning

dblairii
Level 1

This signature (W32.Nachi Worm) was originally released in S54 (I'm using V4.x). The original release of this signature had the Source and Destination hosts swapped (so that the destination was actually the infected host). Signature release S55 tuned this signature to fix that problem...

My question is:

Why, when I previously enabled 'FlipAddr' with IDM (while I was at S54), did the addresses not swap? (Yes, I saved the config after tuning it :) )

Don

2 Replies

sirpa_k
Level 1

Any update on this ?

mcerha
Level 3

The problem with 2156 was not that the addresses were being tranposed by the sensor. The problem is that the sensor was firing on both the ICMP echo request and the echo reply. When responding to a ping, it is customary to respond with the same payload that was sent to you. The sensor was not properly restricted to only look for echo requests, so it fired on the same payload in the echo reply. Since the packets are so similar looking, it might have appeared to have flipped the addresses. With S55, there is no reason to use the FlipAddr parameter.