topic Re: Understanding IPS log (sig:16297-Worm Activity) in Network Security

Understanding IPS log (sig:16297-Worm Activity)

jagadeeshan.s — Sun, 10 Mar 2019 12:47:53 GMT

Hi,

We are monitoring intrusions for a customer using SIEM and we got an alert based on the below IPS logs.
It would be great if someone helps clarify my doubts in analyzing this and similar IPS logs.

*********** Cisco IDS 08 Oct 2012 08:50:36 id= xyxyxyxyxyxyxyxyxyx sig_id= 16297 sig= Worm Activity - Brute Force src= 10.10.10.4 src_port= [3539] dst= 192.168.178.131 dst_port= [445] sev= informational proto= tcp eventId=1340445327004327804 severity=informational vendor=Cisco sd:originator.sd:hostId=AIP-SSM-1 sd:originator.cid:appName=sensorApp sd:originator.cid:appInstanceId=462 sd:time.offset=XYZ sd:time.timeZone=XYZ sd:time=1349686236842887000 sd:signature.cid:created=20090331 sd:signature.cid:type=anomaly sd:signature.cid:version=S392 sd:signature.description=Worm Activity - Brute Force sd:signature.id=16297 sd:signature.cid:subsigId=0 sd:signature.cid:sigDetails=Multiple logon failures sd:signature.marsCategory=Propagate/Worm sd:interfaceGroup=vs0 sd:vlan=0 sd:participants.sd:attacker.sd:addr.cid:locality=OUT sd:participants.sd:attacker.sd:addr=10.10.10.4 sd:participants.sd:attacker.sd:port=3539 sd:participants.sd:target.sd:addr.cid:locality=OUT sd:participants.sd:target.sd:addr=192.168.178.131 sd:participants.sd:target.sd:port=445 sd:participants.sd:target.cid:os.idSource=learned sd:participants.sd:target.cid:os.relevance=relevant sd:participants.sd:target.cid:os.type=windows-nt-2k-xp sd:participants.sd:target.cid:os= cid:context.cid:fromTarget= <removed> cid:context.cid:fromAttacker=<removed> cid:alertDetails=InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; cid:triggerPacket=<removed> cid:riskRatingValue.attackRelevanceRating=relevant cid:riskRatingValue.targetValueRating=medium cid:riskRatingValue=25 cid:threatRatingValue=25 cid:interface.backplane=GigabitEthernet0/1 cid:interface.context=single_vf cid:interface.physical=Unknown cid:interface=GigabitEthernet0/1 cid:protocol=tcp ************

1. I checked for sig:16297 via ASDM demo version, but didn't found this signature in sig0. Where can we see this signature settings and properties.
2. The fields "cid:context.cid:fromTarget=", "cid:context.cid:fromAttacker=", & "cid:triggerPacket=" looks to be like encoded format. How to decode this, any tools/URL? How these fields are significant
3. If this is false postivie (based on src/dst and activity), how to fine tune this in IPS?

Note: I don't have access to this IPS. But, I need to coach the owner for fine tuning and for other checks.

Thanks!

-Jag.

Understanding IPS log (sig:16297-Worm Activity)

JonPBerbee — Tue, 09 Oct 2012 14:31:51 GMT

Hi Jag.

Here is a link with more information on alert 16297/0.

tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=1&softwareVersion=6.0&releaseVersion=S392

Generally on that signature I'd email the customer and ask them to check the attacker IP to ensure that the computer doesn't have a virus. If these end up coming in frequently and the customer comes back stating they are false alerts then you may need to filter the alert or just send a report to the customer once a week with the IPs in question from the alert.

As far as decoding the fields in question 2, that comes out in base64. We have a powershell script that decodes these fields. I have tried various Web based decoders with mixed success which is why we wrote a powershell script to do the job.

Re: Understanding IPS log (sig:16297-Worm Activity)

gspillma — Wed, 10 Oct 2012 16:39:54 GMT

Running a virus scan on the source IP address is a good first step. If you come up with nothing then my next step would be to check the source for any misconfigured scripts or applications that may be causing the host to repeatedly reach out across the network which can trigger false positives. We have observed cases where shutting down unnecesarry services can eliminate false positives.

Re: Understanding IPS log (sig:16297-Worm Activity)

jagadeeshan.s — Thu, 25 Oct 2012 16:57:38 GMT

Hi Jon,

Thanks for your reply! If you don't mind, can you share the PowerShell script?

Thanks!

-Jag.

Re: Understanding IPS log (sig:16297-Worm Activity)

jagadeeshan.s — Thu, 25 Oct 2012 17:06:57 GMT

Checking with the users got to know that users were just accessing file servers over 445 port. I am wondering whether the signature will trigger just for normal NetBIOS traffic, nope it wouldn't be, so there should be something that this signature is specifically looking for. What's that. Is there any way to capture those traffic and analyze for suspicious using some packet capture tools? If so, what parameter I should look for to identify the suspicious? More questions coming in my mind.. -Jag.

Re: Understanding IPS log (sig:16297-Worm Activity)

gspillma — Thu, 25 Oct 2012 17:29:09 GMT

Here this guide can walk you through using your IPS to display and capture live traffic:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_packets.html