03-06-2002 12:49 PM - edited 03-08-2019 09:59 PM
The sig. 4507 keeps on firing on NTP traffic. I will have to turn off the sig. because it is firing so much.
Can I address the sig. so it will not fire on NTP traffic?
03-07-2002 09:27 AM
Are you running NTP over port 161?
03-07-2002 10:57 AM
When I look at the packet traces the source port is 161 and the dest port is NTP.
03-07-2002 01:25 PM
Currently the sig 4507 sees port 161u traffic to be SNMP traffic. If the traffic is not SNMP, well then it violates the protocol. We know this is probably not going to be a good answer for you and we're taking steps to prevent this in a future release.
Currently, however, you can use a RecordOfExcluded address for any NTP client that is running on port 161.
03-07-2002 02:56 PM
An alternative may be to exclude the NTP server for the alarm rather than each client.
If the NTP Server is showing up as the source of the alarm, then you can exclude it as the source.
If the NTP Server is showing up as the destination of the alarm, then if the NTP server is not running SNMP, you can filter the signature for your NTP server as the destination without much worry.
Filtering the server might be easier than trying to filter all the NTP clients.
03-12-2002 01:50 PM
Yes, we've seen similar effects. DNS servers would sometimes reply to requests originating from port 161 as well as the NTP issue already mentioned.
Cisco's position that "NTP and DNS aren't SNMP, therefore the signature should fire" is reasonable, but the real alarm is "stupid source port selected by client software".
Our solution was just to use Exclusion Records.
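An added example, not part of the thread and not Cisco's code: before writing exclusions like those discussed above, packet traces can be checked to confirm that the port-161 traffic is really NTP or DNS, and grouped by server and by whether the server would appear as source or destination of the alarm. The packet tuples, addresses and function names are constructed assumptions, and the SNMP test is a minimal BER header check, not the logic of signature 4507.

```python
from collections import Counter

SNMP_PORT = 161
WELL_KNOWN = {123: "ntp", 53: "dns"}  # services the thread saw talking to port 161

def looks_like_snmp(payload: bytes) -> bool:
    """Minimal BER check: SEQUENCE (0x30) whose first field is INTEGER version 0, 1 or 3."""
    if len(payload) < 5 or payload[0] != 0x30:
        return False
    # Skip the length field: short form is one octet, long form is 1 + n octets.
    i = 2 + (payload[1] & 0x7F if payload[1] & 0x80 else 0)
    return (i + 2 < len(payload) and payload[i:i + 2] == b"\x02\x01"
            and payload[i + 2] in (0, 1, 3))

def triage(packets):
    """Return (exclusion candidates keyed by (server, alarm role), unexplained packets)."""
    candidates, unexplained = Counter(), []
    for src, sport, dst, dport, payload in packets:
        if SNMP_PORT not in (sport, dport) or looks_like_snmp(payload):
            continue  # not port 161 at all, or genuine SNMP
        if sport in WELL_KNOWN:      # server reply sent to a client bound to port 161
            candidates[(src, "source")] += 1
        elif dport in WELL_KNOWN:    # client request sent from source port 161
            candidates[(dst, "destination")] += 1
        else:                        # non-SNMP on 161 with no benign explanation
            unexplained.append((src, sport, dst, dport))
    return candidates, unexplained

# Constructed sample traffic (addresses and payloads are made up for illustration).
NTP_REQ = b"\x1b" + bytes(47)   # NTP v3 client request, 48 bytes
NTP_REP = b"\x1c" + bytes(47)   # NTP v3 server reply, 48 bytes
SNMP_GET = bytes.fromhex("302602010004067075626c6963") + bytes(27)  # v1 header, padded
PACKETS = [
    ("10.0.0.21", 161, "10.0.0.5", 123, NTP_REQ),
    ("10.0.0.5", 123, "10.0.0.21", 161, NTP_REP),
    ("10.0.0.22", 161, "10.0.0.5", 123, NTP_REQ),
    ("10.0.0.9", 40000, "10.0.0.30", 161, SNMP_GET),
    ("10.0.0.9", 40001, "10.0.0.30", 161, b"\x00\x01\x02\x03\x04\x05"),
]

if __name__ == "__main__":
    found, leftover = triage(PACKETS)
    for (server, role), count in sorted(found.items()):
        print(f"exclude {server} as {role}: {count} packet(s)")
    print("still worth alarming on:", leftover)
```

Packets that land in the unexplained list are the ones a broad exclusion would hide, which is why excluding by server address is narrower than disabling the signature.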