
New Member

Sig 4508 False Positive

VMS is showing a number of 4508 (Non SNMP Traffic) alerts, and yet VMS shows the destination ports as 9300, 137.

The description file indicates triggering only when non-SNMP traffic is detected on UDP port 161.

On the probe itself, a show settings for this signature lists:

SIGID: 4508 <protected>
SubSig: 0 <protected>
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: informational <defaulted>
AlarmThrottle: FireOnce <defaulted>
AlarmTraits:
BruteForceCount:
CapturePacket: False <defaulted>
ChokeThreshold:
CommunityName:
Enabled: True <defaulted>
EventAction:
FlipAddr:
IsBruteForce:
IsInvalidPacket:
IsNonSnmpTraffic: True <protected>
MaxInspectLength:
MaxTTL:
MinHits: 1 <defaulted>
ObjectId:
Protocol: UDP <defaulted>
ResetAfterIdle: 15 <defaulted>
SigComment:
SigName: Non SNMP Traffic <protected>
SigStringInfo: Non SNMP traffic <defaulted>
SigVersion: S43 <defaulted>
StorageKey: AxBx <defaulted>
SummaryKey: AaBb <defaulted>
ThrottleInterval: 15 <defaulted>
WantFrag:

No specification of port in there. So I think something is broken.

1 REPLY
New Member

Re: Sig 4508 False Positive

Lo, the same issue mentioned further down the page. Apologies for the 4508 spam.
