Cisco Support Community

New Member

Sig ID 4701 won't shun

I've added all the available actions in IDS MC for signature 4701. When I get my emails, I'm not getting "shun requested". Here is the text of my emails:

EXTERNALIDS reported a high severity alert at 09/29/2003 23:21:45

Signature MSSQL Control Overflow (4701:0) from 81.112.118.235 to **.**.**.**

Actions taken: None

Information on this vulnerability can be found here:

http://localinternalweb/nsdb/expsig_4701.html

The odd part is, the IDS MC thinks that it's set to this:

4701 0 MSSQL Control Overflow STRING.UDP Yes High Reset,Block,BlockConnection

Any thoughts as to why this won't seem to take? I've deleted the IDS device from IDS MC, and let the MC discover the settings of the device. It's shunning on all the other addresses that I've set it up to shun, just not this one signature....

Thanks

John

5 REPLIES
Cisco Employee

Re: Sig ID 4701 won't shun

What version sensor are you using? On the sensor, using the CLI, what actions do you get for sig 4701?

Again on the sensor using the CLI, if you do a show events and give it time parameters surrounding the event, do you see the alarm (you should)? Do you see any other actions?

New Member

Re: Sig ID 4701 won't shun

4.1(1)S54. It's a 4210.

If I do a "sh events 00:00:00" all I get is:

evLogTransaction: command=execAuthenticateUser eventId=1060268788727970229 successful=true

originator:

hostId: EXTERNALIDS

appName: authentication

appInstanceId: 1169

time: 2003/10/01 00:14:06 2003/10/01 00:14:06 UTC

requestor:

user: cids

application:

hostId:

appName: cidwebserver

appInstanceId: 1170

I did find this interesting:

EXTERNALIDS# sh interfaces sensing

Error: ct-sensorApp.1173 not responding, please check system processes - The connect to the specified Io::ServerPipe failed.

That's probably part of my problem. Should I just call TAC?

Thanks!

John

Cisco Employee

Re: Sig ID 4701 won't shun

I am checking a couple things in our lab. I will let you know ASAP.

New Member

Re: Sig ID 4701 won't shun

No problem. Thanks for the help. I'm not opposed to rebuilding the unit. I just got the new software image, so I'd be starting at 4.1(1)S47. It wouldn't be that big of a problem.

Thanks again

John

Cisco Employee

Re: Sig ID 4701 won't shun

Well, that would give us a known good system. I can check on the error in the meantime.

Jim
