Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Sig#2156 Tuning

This signature (W32.Nachi Worm), was originally released in S54 (I'm using V4.x). The original release of this signature had the Source and Destination hosts swapped (so that the destination was actually the infected host). Signature release S55 tuned this signature to fix that problem...

My question is:

Why when I previously enabled the 'FlipAddr' with IDM (while I was at S54), did the addresses not swap? (Yes, I saved the config after tuning it :) )


New Member

Re: Sig#2156 Tuning

Any update on this ?


Re: Sig#2156 Tuning

The problem with 2156 was not that the addresses were being tranposed by the sensor. The problem is that the sensor was firing on both the ICMP echo request and the echo reply. When responding to a ping, it is customary to respond with the same payload that was sent to you. The sensor was not properly restricted to only look for echo requests, so it fired on the same payload in the echo reply. Since the packets are so similar looking, it might have appeared to have flipped the addresses. With S55, there is no reason to use the FlipAddr parameter.

CreatePlease to create content