Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Sig 4507 SNMP Protocol Violation

The sig. 4507 keeps on firing on NTP traffic. I will have to turn off the sig. because it is firing so much.

Can I address the sig. so it will not fire on NTP traffic?

5 REPLIES
Cisco Employee

Re: Sig 4507 SNMP Protocol Violation

Are you running NTP over port 161?

New Member

Re: Sig 4507 SNMP Protocol Violation

When I look at the packet traces the source port is 161 and the dest port is NTP.

New Member

Re: Sig 4507 SNMP Protocol Violation

Currently the sig 4507 sees port 161u traffic to be SNMP traffic. If the traffic is not SNMP, well then it violates the protocol. We know this is probably not going to be a good answer for you and we're taking steps to prevent this in a future release.

Currently, however, you can use a RecordOfExcluded address for any NTP client that is running on port 161.

Cisco Employee

Re: Sig 4507 SNMP Protocol Violation

An alternative may be to exclude the NTP server for the alarm rather than each client.

If the NTP Server is showing up as the source of the alarm, then you can exlcude it as the source.

If the NTP Server is showing up as the destination of the alarm, then if the NTP server is not running SNMP, you can filter the signature for your NTP server as the destination without much worry.

Filtering the server might easier than trying to filter all the NTP clients.

New Member

Re: Sig 4507 SNMP Protocol Violation

Yes, we've seen similar effects. DNS servers would sometimes reply to requests originating from port 161 as well as the NTP issue already mentioned.

Cisco's position that "NTP and DNS aren't SNMP, therefore the signature should fire" is reasonable, but the real alarm is "stupid source port selected by client software".

Our solution was just to use Exclusion Records.

2171
Views
0
Helpful
5
Replies
CreatePlease login to create content