09-30-2003 05:29 AM - edited 03-09-2019 04:58 AM
I've added all the available actions in IDS MC for signature 4701. When I get my emails, I'm not getting "shun requested". Here is the text of my emails:
EXTERNALIDS reported a high severity alert at 09/29/2003 23:21:45
Signature MSSQL Control Overflow (4701:0) from 81.112.118.235 to **.**.**.**
Actions taken: None
Information on this vulnerability can be found here:
http://localinternalweb/nsdb/expsig_4701.html
The odd part is, the IDS MC thinks that it's set to this:
4701 0 MSSQL Control Overflow STRING.UDP Yes High Reset,Block,BlockConnection
Any thoughts as to why this won't seem to take? I've deleted the IDS device from IDS MC, and let the MC discover the settings of the device. It's shunning on all the other addresses that I've set it up to shun, just not this one signature....
Thanks
John
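The alert e-mail above has a fixed shape (sensor/severity/time header, a Signature line with "(sigid:subsig) from src to dst", then "Actions taken: ..."), and the complaint is that "Actions taken" disagrees with what IDS MC says is configured for 4701. The following is an added example, not code from the original post or from Cisco: it parses a constructed batch of e-mails in that format and flags every alert whose reported actions fall short of the configured set. The second sample e-mail, its timestamp, and the CONFIGURED_ACTIONS table (taken from the IDS MC listing quoted later in the thread) are constructed for illustration; the masked destination "**.**.**.**" is kept as it appears in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the IDS MC e-mail format shown in the post.
# The first alert reproduces the posted e-mail; the second is a made-up alert
# where the sensor did report the configured actions, for contrast.
SAMPLE_EMAILS = """\
EXTERNALIDS reported a high severity alert at 09/29/2003 23:21:45
Signature MSSQL Control Overflow (4701:0) from 81.112.118.235 to **.**.**.**
Actions taken: None
Information on this vulnerability can be found here:
http://localinternalweb/nsdb/expsig_4701.html

EXTERNALIDS reported a high severity alert at 09/29/2003 23:40:02
Signature MSSQL Control Overflow (4701:0) from 81.112.118.235 to **.**.**.**
Actions taken: Reset,Block,BlockConnection
Information on this vulnerability can be found here:
http://localinternalweb/nsdb/expsig_4701.html
"""

# Actions IDS MC claims are configured per "sigid:subsig" (from the listing in the thread).
CONFIGURED_ACTIONS = {"4701:0": {"Reset", "Block", "BlockConnection"}}


@dataclass
class Alert:
    sensor: str
    severity: str
    timestamp: str
    sig_name: str
    sig_id: str
    src: str
    dst: str
    actions: set  # empty set means "Actions taken: None"


HEADER_RE = re.compile(r"^(\S+) reported a (\w+) severity alert at (\S+ \S+)$")
SIG_RE = re.compile(r"^Signature (.+?) \((\d+:\d+)\) from (\S+) to (\S+)$")
ACTIONS_RE = re.compile(r"^Actions taken: (.+)$")


def parse_alerts(text):
    """Parse one or more IDS MC alert e-mails into Alert records."""
    alerts = []
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = HEADER_RE.match(line)
        if m:
            # A header line starts a new alert; any incomplete previous one is dropped.
            current = {"sensor": m.group(1), "severity": m.group(2), "timestamp": m.group(3)}
            continue
        m = SIG_RE.match(line)
        if m and current is not None:
            current.update(sig_name=m.group(1), sig_id=m.group(2), src=m.group(3), dst=m.group(4))
            continue
        m = ACTIONS_RE.match(line)
        if m and current is not None and "sig_id" in current:
            raw = m.group(1).strip()
            actions = set() if raw.lower() == "none" else {a.strip() for a in raw.split(",") if a.strip()}
            alerts.append(Alert(**current, actions=actions))
            current = None
    return alerts


def find_action_mismatches(alerts, configured):
    """Return (alert, missing_actions) for alerts whose reported actions
    lack something the management console says is configured for that signature."""
    mismatches = []
    for alert in alerts:
        expected = configured.get(alert.sig_id, set())
        missing = expected - alert.actions
        if missing:
            mismatches.append((alert, missing))
    return mismatches


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_EMAILS)
    for alert, missing in find_action_mismatches(parsed, CONFIGURED_ACTIONS):
        print(f"{alert.timestamp} sig {alert.sig_id} from {alert.src}: "
              f"configured but not taken: {sorted(missing)}")
```

Running this over a mailbox export makes the "configured versus actually taken" gap visible per signature, which is exactly the comparison the thread is trying to make by hand; an alert for 4701:0 with "Actions taken: None" is reported as missing all three configured actions.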
09-30-2003 03:14 PM
What version sensor are you using? On the sensor, using the CLI, what actions do you get for sig 4701?
Again on the sensor using the CLI, if you do a show events and give it time parameters surrounding the event, do you see the alarm (you should)? Do you see any other actions?
10-01-2003 04:20 AM
4.1(1)S54. It's a 4210.
If I do a "sh events 00:00:00" all I get is:
evLogTransaction: command=execAuthenticateUser eventId=1060268788727970229 successful=true
originator:
hostId: EXTERNALIDS
appName: authentication
appInstanceId: 1169
time: 2003/10/01 00:14:06 2003/10/01 00:14:06 UTC
requestor:
user: cids
application:
hostId:
appName: cidwebserver
appInstanceId: 1170
I did find this interesting:
EXTERNALIDS# sh interfaces sensing
Error: ct-sensorApp.1173 not responding, please check system processes - The connect to the specified Io::ServerPipe failed.
That's probably part of my problem. Should I just call TAC?
Thanks!
John
10-01-2003 06:23 AM
I am checking a couple things in our lab. I will let you know ASAP.
10-01-2003 06:29 AM
No problem. Thanks for the help. I'm not opposed to rebuilding the unit. I just got the new software image, so I'd be starting at 4.1(1)S47. It wouldn't be that big of a problem.
Thanks again
John
10-01-2003 07:00 AM
Well, that would give us a known good system. I can check on the error in the meantime.
Jim