
sig 6302 Modified Loki, this one NOT related to spyware

stbob
Level 1

I have a customer repeatedly triggering 6302 Modified Loki while monitoring his server at our facility from his remote location. He claims he is using only IPSentry and a standard ICMP ping to do his monitoring. This would appear completely unrelated to the spyware-related 6302 triggering mentioned below. Anyone else seen this?

3 Replies

mcerha
Level 3

This has been added to the NSDB in the S20 update as a benign trigger. 6302 will false positive if multiple (>= 3) ICMP replies are detected for a single, unique ICMP request. This has been seen in environments that are using load balancers, for instance if you ping the virtual interface of a load balancer and all of the servers behind the load balancer respond. I would recommend creating a RecordOfExcludedPattern to alleviate the problem. An IPLOG would confirm this. You can send traffic samples to mcerha@cisco.com, and I'd be happy to look at them for you.
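An added example, not part of the thread and not Cisco's signature logic: one way to check captured ICMP traffic for the condition described in the reply above (3 or more echo replies to one unique echo request) and to see which hosts answered. The packet tuples, addresses and function names are constructed for illustration; matching a request by requester, ICMP identifier and sequence number is an assumption.

```python
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
THRESHOLD = 3  # ">= 3" replies per request, as stated in the reply above

def icmp_echo(icmp_type, ident, seq, payload=b"ping"):
    """Build an ICMP echo header + payload (checksum left 0; not checked here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def find_multi_reply(packets, threshold=THRESHOLD):
    """packets: iterable of (src_ip, dst_ip, icmp_bytes).
    Returns {(requester, target, id, seq): [reply sources]} for each echo
    request that drew `threshold` or more echo replies."""
    requests = {}                 # (requester, id, seq) -> address pinged
    replies = defaultdict(list)   # (requester, id, seq) -> reply sources
    for src, dst, raw in packets:
        if len(raw) < 8:
            continue              # truncated ICMP header, skip
        icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        if code != 0:
            continue              # echo request/reply always use code 0
        if icmp_type == ECHO_REQUEST:
            requests[(src, ident, seq)] = dst
        elif icmp_type == ECHO_REPLY:
            replies[(dst, ident, seq)].append(src)
    flagged = {}
    for key, sources in replies.items():
        if key in requests and len(sources) >= threshold:
            requester, ident, seq = key
            flagged[(requester, requests[key], ident, seq)] = sources
    return flagged

# Constructed sample: a monitor pings a virtual address (192.0.2.10) and
# three real servers behind it answer seq 1; seq 2 gets a single reply.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", icmp_echo(ECHO_REQUEST, 0x1234, 1)),
    ("192.0.2.11", "198.51.100.7", icmp_echo(ECHO_REPLY, 0x1234, 1)),
    ("192.0.2.12", "198.51.100.7", icmp_echo(ECHO_REPLY, 0x1234, 1)),
    ("192.0.2.13", "198.51.100.7", icmp_echo(ECHO_REPLY, 0x1234, 1)),
    ("198.51.100.7", "192.0.2.10", icmp_echo(ECHO_REQUEST, 0x1234, 2)),
    ("192.0.2.10", "198.51.100.7", icmp_echo(ECHO_REPLY, 0x1234, 2)),
]

if __name__ == "__main__":
    for (req, target, ident, seq), srcs in find_multi_reply(SAMPLE).items():
        print(f"{req} -> {target} id={ident:#x} seq={seq}: replies from {srcs}")
```

Reply sources that differ from the pinged address and from each other are consistent with the load-balancer case described above.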

Hi, I've also come across this signature with the source from the CiscoWorks 2000 management station, and the destinations are from some of the Catalyst 3500XL switches & terminal servers in the LAN. Both the Network Management and switches are in the same VLAN except the terminal servers. Are these triggers normal? Thank you in advance for your kind reply.

We have seen false positives with 6302 involving network mgmt. software. We would really like to see the ICMP traffic to and from the CiscoWorks 2000 system. If you are able to provide any traffic samples, please send them to mcerha@cisco.com. For now, you could use a RecordOfExcludedPattern to filter out the alarms.
