Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

sig 6302 Modified Loki, this one NOT related to spyware

I have a customer repeatedly triggering 6302 Modified Loki while monitoring his server at our facility from his remote location. He claims he is using only IPSentry and a standard ICMP ping to do his monitoring. This would appear completely unrelated to the spyware-related 6302 triggering mentioned below. Anyone else seen this?

3 REPLIES
Bronze

Re: sig 6302 Modified Loki, this one NOT related to spyware

This has been added to the NSDB in the S20 update as a benign trigger. 6302 will false positive if multiple (>= 3) icmp replies are detected for a single, unique ICMP request. This has been seen in environments that are using load balancers. For instance, if you ping the virtual interface of a load balance and all of the servers behind the load balancer respond. I would recommend creating a RecordOfExcludedPattern to alleviate the problem. An IPLOG would confirm this. You can send traffic samples to mcerha@cisco.com, and I'd be happy to look at them for you.

New Member

Re: sig 6302 Modified Loki, this one NOT related to spyware

Hi, I've also come across this signature with the source from the CiscoWorks 2000 management station, and the destinations are from some of the Catalyst 3500XL switches & terminal servers in the LAN. Both the Network Management and switches are in the same VLAN except the terminal servers. Is these triggers normal? Thank you in advance for your kind reply.

Bronze

Re: sig 6302 Modified Loki, this one NOT related to spyware

We have seen false positives with 6302 invloving network mgmt. software. We would really like to see the ICMP traffic to and from the CiscoWorks 2000 system. If you are able to provide any traffic samples, please send them to mcerha@cisco.com. For now, you could use a RecordOfExcludedPattern to filter out the alarms.

114
Views
0
Helpful
3
Replies