01-14-2003 02:02 PM - edited 03-09-2019 01:40 AM
I've had sig. 1102 Impossible Packet triggered on our internal 4210 sensor several times with source and destination as 3.0.0.2 (General Electric IP). We use a private address scheme within our network. Is anyone aware of any applications or benign triggers that might cause this signature? Any ideas on tracking it down would be appreciated as well.
01-14-2003 03:58 PM
There are no benign triggers for this signature; the IDS is simply seeing a packet with the same source and destination address. 3.0.0.2 is a strange IP address for this to occur on on your inside network, true enough. I haven't heard of any application that does this kind of thing (it would be a pretty screwed-up application, to say the least).
Tracking it down is difficult since the source is obviously bogus. You could set this signature to IP Log, which will tell the sensor to capture all the packets from this source when it next sees the sig; then you can use tcpdump or the like to have a look at the packets in depth. Maybe the source MAC address will be valid and you'll be able to track it down that way.
01-16-2003 01:56 PM
I do have the IPLOG of the event. How do I use tcpdump to view it? Would I be able to use a sniffer application to view it as well? Thank you. Scott
01-16-2003 01:58 PM
Ethereal works as well. try http://www.ethereal.com.
01-18-2003 04:51 PM
We had a few instances of that ip on our sensor as well.
02-27-2003 10:17 AM
I have also seen this on our sensors occasionally.
03-05-2003 05:06 PM
In my environment we have ATM to TCP/IP. I usually see this signature during high-volume periods between my ATM core and our TCP/IP Cisco border router (the border into the corporate network).
In every case the source/destination IP addresses are of course the same, but vary between 127.0.0.1 and 127.0.0.10 (same in each case though).
The MAC addresses are the key: look at the MAC addresses and it will tell you the offending devices causing this traffic.
YMMV, but in my case I attributed it to a potentially buggy ATM <-> TCP/IP protocol conversion and high traffic loads.
Doesn't happen often, but often enough (saw 2-3 detections per day).
Paul Bobby - Network Security Officer
Lockheed Martin Systems Integration
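The two pieces of advice in this thread (log the packets, then use the source MAC address to find the device that put them on the wire) can be applied offline with a few lines of code. The following is an added example, not code from any poster, the sensor or Cisco: it parses raw Ethernet II / IPv4 frames, flags every frame whose source and destination IP address are identical (the condition behind signature 1102), and groups the hits by source MAC so the offending device can be identified. The sample frames are constructed here for illustration; the MAC and IP addresses in them are arbitrary.

```python
"""Find 'impossible' IP packets (source address == destination address) in raw
Ethernet frames and attribute them by source MAC address.

Added example, not part of the original thread. Header layouts are standard
Ethernet II and IPv4; the SAMPLE_FRAMES below are constructed test data.
"""
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, ttl) for an IPv4 frame, or None if the
    frame is truncated or not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    version = ip[0] >> 4
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return None
    ttl = ip[8]
    return mac_str(src_mac), ip_str(ip[12:16]), ip_str(ip[16:20]), ttl


def is_impossible(src_ip, dst_ip):
    """Condition matched by sig. 1102: identical source and destination address."""
    return src_ip == dst_ip


def is_loopback(ip):
    """127.0.0.0/8 should never appear as a source on a real link."""
    return ip.startswith("127.")


def find_impossible_packets(frames):
    """Map source MAC -> list of (src_ip, dst_ip, ttl) for every matching frame."""
    hits = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip, ttl = parsed
        if is_impossible(src_ip, dst_ip):
            hits[src_mac].append((src_ip, dst_ip, ttl))
    return dict(hits)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, proto=6):
    """Construct a minimal Ethernet II + IPv4 frame (no payload, checksum zeroed).
    Used only to build the constructed sample data below."""
    eth = struct.pack("!6s6sH",
                      bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")),
                      ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, ttl, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


# Constructed sample capture: two normal frames, two impossible ones from the
# same (arbitrary) source MAC, and one truncated frame that must be ignored.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "10.0.0.5", "10.0.0.1"),
    build_frame("00:0c:29:aa:bb:cc", "00:11:22:33:44:55", "3.0.0.2", "3.0.0.2"),
    build_frame("00:0c:29:aa:bb:cc", "00:11:22:33:44:55", "127.0.0.3", "127.0.0.3"),
    build_frame("00:11:22:33:44:55", "00:0c:29:aa:bb:cc", "10.0.0.1", "10.0.0.5"),
    b"\x00" * 10,
]

if __name__ == "__main__":
    for mac, pkts in find_impossible_packets(SAMPLE_FRAMES).items():
        print(f"source MAC {mac}: {len(pkts)} impossible packet(s)")
        for src, dst, ttl in pkts:
            note = " (loopback address on the wire)" if is_loopback(src) else ""
            print(f"  {src} -> {dst} ttl={ttl}{note}")
```

If the sensor's IP log is in libpcap format, the same check can be done directly in tcpdump, which compares the two address fields in the filter and prints the link-layer header so the source MAC is visible: `tcpdump -e -nn -r <logfile> 'ip[12:4] = ip[16:4]'`. The MAC is only useful on the segment the sensor is attached to; once a router has forwarded the frame, the source MAC belongs to the router, not the original sender, which is why the poster above could attribute the traffic to the device at the ATM boundary.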