Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
338
Views
0
Helpful
5
Replies

Sig ID 4701 won't shun

john.kingston
Level 1
Level 1

‎09-30-2003 05:29 AM - edited ‎03-09-2019 04:58 AM

I've added the all the availible actions in IDS MC for signature 4701. When I get me emails, I'm not getting "shun requested". Here is the text of my emails:

EXTERNALIDS reported a high severity alert at 09/29/2003 23:21:45

Signature MSSQL Control Overflow (4701:0) from 81.112.118.235 to **.**.**.**

Actions taken: None

Information on this vulnerability can be found here:

http://localinternalweb/nsdb/expsig_4701.html

The odd part is, the IDS MC thinks that it's set to this:

4701 0 MSSQL Control Overflow STRING.UDP Yes High Reset,Block,BlockConnection

Any thoughts as to why this won't seem to take? I've deleted the IDS device from IDS MC, and let the MC discover the settings of the device. It's shunning on all the other addresses that I've set it up to shun, just not this one signature....

Thanks

John

Labels:
0 Helpful
5 Replies 5

jlively
Cisco Employee
Cisco Employee

‎09-30-2003 03:14 PM

what version sensor are you using? On the sensor, using the cli what actions do you get for sig 4701 ?

again on the sensor using cli, if you do a show events and give it time parameters surrounding the event, do you see the alarm (you should) do you see any other actions?

0 Helpful

john.kingston
Level 1
Level 1
In response to jlively

‎10-01-2003 04:20 AM

4.1(1)S54. It's a 4210.

if I do a "sh events 00:00:00" all I get is:

evLogTransaction: command=execAuthenticateUser eventId=1060268788727970229 succe

ssful=true

originator:

hostId: EXTERNALIDS

appName: authentication

appInstanceId: 1169

time: 2003/10/01 00:14:06 2003/10/01 00:14:06 UTC

requestor:

user: cids

application:

hostId:

appName: cidwebserver

appInstanceId: 1170

I did find this interesting:

EXTERNALIDS# sh interfaces sensing

Error: ct-sensorApp.1173 not responding, please check system processes - The con

nect to the specified Io::ServerPipe failed.

That's probably part of my problem. Should I just call TAC?

Thanks!

John

0 Helpful

jlively
Cisco Employee
Cisco Employee
In response to john.kingston

‎10-01-2003 06:23 AM

I am checking a couple things in our lab. I will let you know ASAP.

0 Helpful

john.kingston
Level 1
Level 1
In response to jlively

‎10-01-2003 06:29 AM

No problem. Thanks for the help. I'm not apposed to rebuilding the unit. I just got the new software image, so I'd be starting at 4.1(1)S47. It wouldn't be that big of a problem.

Thanks again

John

0 Helpful

jlively
Cisco Employee
Cisco Employee
In response to john.kingston

‎10-01-2003 07:00 AM

well, that would give us a known good system. I can check on the error in the mean time.

Jim

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents