Sig 4507 SNMP Protocol Violation

mhicks
Level 1

The sig. 4507 keeps on firing on NTP traffic. I will have to turn off the sig. because it is firing so much.

Can I address the sig. so it will not fire on NTP traffic?

5 Replies

scothrel
Level 3

Are you running NTP over port 161?

When I look at the packet traces the source port is 161 and the dest port is NTP.

Currently the sig 4507 sees port 161u traffic to be SNMP traffic. If the traffic is not SNMP, well then it violates the protocol. We know this is probably not going to be a good answer for you and we're taking steps to prevent this in a future release.

Currently, however, you can use a RecordOfExcluded address for any NTP client that is running on port 161.

An alternative may be to exclude the NTP server for the alarm rather than each client.

If the NTP Server is showing up as the source of the alarm, then you can exclude it as the source.

If the NTP Server is showing up as the destination of the alarm, then if the NTP server is not running SNMP, you can filter the signature for your NTP server as the destination without much worry.

Filtering the server might be easier than trying to filter all the NTP clients.

Yes, we've seen similar effects. DNS servers would sometimes reply to requests originating from port 161 as well as the NTP issue already mentioned.

Cisco's position that "NTP and DNS aren't SNMP, therefore the signature should fire" is reasonable, but the real alarm is "stupid source port selected by client software".

Our solution was just to use Exclusion Records.
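A triage model of what the replies above describe, added here as an example and not part of any post or of Cisco's sensor code: the signature treats every UDP datagram with port 161 on either side as SNMP, so an NTP client sending from source port 161 to port 123, or a DNS server replying back to port 161, trips it, and one exclusion record on the NTP server's address silences all of its clients at once while a real non-SNMP datagram on 161 still alarms. The addresses, payload bytes and the exclusion-record behaviour are constructed assumptions, not Cisco's syntax.

```python
from dataclasses import dataclass
SNMP_PORT, NTP_PORT, DNS_PORT = 161, 123, 53

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def looks_like_snmp(p: bytes) -> bool:
    # SNMP message: BER SEQUENCE (0x30), length, then version INTEGER 0..3
    if len(p) < 5 or p[0] != 0x30:
        return False
    i = 2 if p[1] < 0x80 else 2 + (p[1] & 0x7F)  # skip short or long length
    return len(p) > i + 2 and p[i:i + 2] == b"\x02\x01" and p[i + 2] <= 3

def looks_like_ntp(p: bytes) -> bool:
    # First octet packs LI(2) VN(3) Mode(3); an NTP packet is >= 48 bytes
    if len(p) < 48:
        return False
    vn, mode = (p[0] >> 3) & 0x7, p[0] & 0x7
    return 1 <= vn <= 4 and 1 <= mode <= 7

def looks_like_dns(p: bytes) -> bool:
    # 12-byte header with opcode 0 (standard query) and at least one question
    opcode = (int.from_bytes(p[2:4], "big") >> 11) & 0xF
    return len(p) >= 12 and opcode == 0 and int.from_bytes(p[4:6], "big") >= 1

def classify(f: Flow) -> str:
    # Model the signature's trigger (UDP with port 161 on either side) and
    # then report what the payload actually is
    if SNMP_PORT not in (f.sport, f.dport):
        return "not-triggered"
    if looks_like_snmp(f.payload):
        return "snmp"
    if NTP_PORT in (f.sport, f.dport) and looks_like_ntp(f.payload):
        return "ntp-on-161"
    if DNS_PORT in (f.sport, f.dport) and looks_like_dns(f.payload):
        return "dns-on-161"
    return "protocol-violation"

def remaining_alarms(flows, excluded_src=frozenset(), excluded_dst=frozenset()):
    # Alarms still raised once exclusion records are applied (modelled, not
    # Cisco's syntax): skip anything whose source or destination is listed
    verdicts = ((f, classify(f)) for f in flows)
    return [(f, v) for f, v in verdicts if v not in ("not-triggered", "snmp")
            and f.src not in excluded_src and f.dst not in excluded_dst]
```

With four constructed clients sending NTP from port 161 to one server, `excluded_dst={server}` drops all four alarms in one record while a genuine non-SNMP datagram to port 161 on another host is still reported.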