Cisco Support Community

New Member

Signature 1102-Impossible Packet

I've had sig. 1102 Impossible Packet triggered on our internal 4210 sensor several times with source and destination as 3.0.0.2 (General Electric IP). We use a private address scheme within our network. Is anyone aware of any applications or benign triggers that might cause this signature? Any ideas on tracking it down would be appreciated as well.

6 REPLIES
Cisco Employee

Re: Signature 1102-Impossible Packet

There are no benign triggers for this signature; the IDS is simply seeing a packet with the same source and destination address. 3.0.0.2 is a strange IP address for this to occur on in your inside network, true enough. I haven't heard of any application that does this kind of thing (it would be a pretty screwed up application, to say the least).

To track it down is difficult since the source is obviously bogus. You could set this signature to IP Log which will tell the sensor to capture all the packets from this source when it next sees the sig, then you can use tcpdump or the like to have a look at the packets in depth. Maybe the source MAC address will be valid and you'll be able to track it down that way.

New Member

Re: Signature 1102-Impossible Packet

I do have the IPLOG of the event. How do I use tcpdump to view it? Would I be able to use a sniffer application to view it as well? Thank you. Scott

New Member

Re: Signature 1102-Impossible Packet

Ethereal works as well. Try http://www.ethereal.com.

New Member

Re: Signature 1102-Impossible Packet

We had a few instances of that ip on our sensor as well.

New Member

Re: Signature 1102-Impossible Packet

I have also seen this on our sensors occasionally.

New Member

Re: Signature 1102-Impossible Packet

In my environment we have ATM to TCP/IP. I usually see this signature during high volume periods between my ATM core and our TCP/IP Cisco border router (the border into the Corporation network).

In every case the source/destination IP addresses are of course the same, but vary between 127.0.0.1 and 127.0.0.10 (same in each case though).

The MAC addresses are the key: look at the MAC addresses and it will tell you the offending devices causing this traffic.

YMMV, but in my case I attributed it to a potentially buggy ATM <-> TCP/IP protocol change, and high traffic loads.

Doesn't happen often, but often enough (saw 2-3 detections per day).

Paul Bobby - Network Security Officer

Lockheed Martin Systems Integration
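The Cisco reply above suggests setting the signature to IP Log, then looking at the captured packets with tcpdump or Ethereal for a usable source MAC, and the last post says the MAC addresses are the key to finding the offending device. The following script is an added example, not code from the original thread, from Cisco or from any poster. It assumes the IP Log has been exported as a libpcap file (the format tcpdump and Ethereal read) with an Ethernet link type; it walks the records, flags IPv4 packets whose source equals their destination (the condition behind sig 1102), prints the Ethernet source MAC of each, and tallies hits per MAC. The embedded sample capture, its MAC addresses and its IP addresses are constructed for the example so it runs offline; pass a real capture path as the first argument to scan it instead.

```python
"""Scan a libpcap capture (e.g. a sensor IP Log export) for "impossible"
packets whose IP source equals IP destination and report the Ethernet
source MAC of each, so the device generating them can be traced.
Added example; the sample capture below is constructed, not real data."""
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
LINKTYPE_ETHERNET = 1


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b):
    return ".".join(str(x) for x in b)


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame) for each record of a libpcap file.
    Byte order is taken from the magic number; non-Ethernet captures are rejected."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for an IPv4 frame, else None.
    Non-IP frames and frames cut short by the capture snaplen are skipped."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack(">H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_VLAN:  # strip a single 802.1Q tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack(">H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return _mac(src_mac), _mac(dst_mac), _ipv4(frame[off + 12:off + 16]), _ipv4(frame[off + 16:off + 20])


def find_impossible_packets(pcap_bytes):
    """One dict per packet whose IP source equals its IP destination (sig 1102 condition)."""
    hits = []
    for ts_sec, ts_usec, frame in iter_pcap_records(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, src_ip, dst_ip = parsed
        if src_ip == dst_ip:
            hits.append({"ts": ts_sec + ts_usec / 1e6, "ip": src_ip,
                         "src_mac": src_mac, "dst_mac": dst_mac})
    return hits


def offenders_by_mac(hits):
    """Count hits per source MAC: the bogus IP says nothing, the MAC names the sender."""
    return Counter(h["src_mac"] for h in hits)


# --- constructed sample capture (assumed values, not taken from the thread) ---
def _ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"\x00" * 8):
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, 17, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack(">H", ETHERTYPE_IPV4) + ip_hdr + payload


def _pcap(frames):
    hdr = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack(">IIII", 1_000_000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


MAC_A, MAC_B, MAC_GW = (bytes.fromhex(h) for h in ("001122334455", "00aabbccddee", "0000c0ffee01"))
SAMPLE_PCAP = _pcap([
    _ipv4_frame(MAC_A, MAC_GW, "10.0.0.5", "10.0.0.9"),         # normal traffic, ignored
    _ipv4_frame(MAC_A, MAC_GW, "3.0.0.2", "3.0.0.2"),           # impossible packet from MAC_A
    MAC_GW + MAC_B + struct.pack(">H", 0x0806) + b"\x00" * 28,  # ARP frame, not IP, ignored
    _ipv4_frame(MAC_B, MAC_GW, "127.0.0.1", "127.0.0.1"),       # two more from MAC_B
    _ipv4_frame(MAC_B, MAC_GW, "127.0.0.3", "127.0.0.3"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    found = find_impossible_packets(data)
    for h in found:
        print(f"{h['ts']:.6f} {h['ip']} -> {h['ip']}  src MAC {h['src_mac']}  dst MAC {h['dst_mac']}")
    for mac, n in offenders_by_mac(found).most_common():
        print(f"{mac}: {n} impossible packet(s)")
```

The per-MAC tally is the part worth keeping: once the sensor has IP-logged a few hits, the source MAC leads you to a switch port or ARP table entry, whereas the bogus 3.0.0.2 or 127.0.0.x address leads nowhere. If the capture came through a tagged trunk the script strips one 802.1Q header; anything else non-IP, or truncated by the snaplen, is skipped rather than misparsed.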
