topic Re: New IPS deployment. What do these alerts mean in Network Security

New IPS deployment. What do these alerts mean

Bill19795_2 — Sun, 10 Mar 2019 12:03:44 GMT

I am getting several of these from diffrent PC's on the network. This is a brand new deployment of an IPS in our core 6500. I need to know where to start tracking down what this is and if its a flase positive. I changed the attaker IP for this post but they are coming from internal IP's on our network. I am also getting several from the same PC.

Event ID	1278964938060722812
Severity	high
Host ID	isdm6500
Application Name	sensorApp
Event Time	07/14/2010 08:23:37
Sensor Local Time	07/14/2010 13:23:37
Signature ID	13003
Signature Sub-ID	1
Signature Name	AD - External TCP Scanner
Signature Version	S262
Signature Details	Worm Attack
Interface Group	vs0
VLAN ID	0
Interface	ge0_7
Attacker IP	1.1.1.1
Protocol	tcp
Attacker Port
Attacker Locality	OUT
Target IP	0.0.0.0
Target Port	80
Target Locality	Unknown
Target OS
Actions	denyPacketRequestedNotPerformed
Risk Rating	TVR=medium
Risk Rating Value	100
Threat Rating	100
Reputation
Context Data
Packet Data
Event Summary	0
Initial Alert
Summary Type
Final Alert
Event Status	New
Event Notes

Re: New IPS deployment. What do these alerts mean

Scott Fringer — Wed, 14 Jul 2010 19:14:31 GMT

Bill;

The best place to begin research for Cisco IPS signatures is our IntelliShield site:

http://www.cisco.com/security

You can look up any signature by ID by performing an Advanced Search.

For the signature you presented, the results can be found here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=91

This signature fires for a host that crosses a threshold for non-established TCP connections or unacknowledged SYN packets sent to multiple addresses on an identical TCP port and may indicate worm-like scanning.

It would be beneficial to investigate the host listed as the attacker and determine if this is expected behavior or if the host is compromised.

Scott

Re: New IPS deployment. What do these alerts mean

Diego Armando Cambronero Arias — Tue, 27 Jul 2010 16:58:39 GMT

This signatures are related with Anomaly detection. Which is a very nice feature is you are able to create a perfect KB during the learning mode.

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAD.html#wp1049627

Cisco States.

We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic.

So if you are able to create a KB during a time that you know that there are no attacks at all go ahead if not you will be receiving a lot false positives.

Is that right?

Re: New IPS deployment. What do these alerts mean

Scott Fringer — Tue, 27 Jul 2010 17:22:17 GMT

It's not that you will be receiving false positives, but false

negatives. During the learning phase if an attack is active, the higher

traffic rate will be learned as the baseline. When traffic is tracked

by the AD engine, it will be compared to this baseline, and in turn not

fire a signature event since it potentially will not cross the learned

threshold.

If there is concern that the baseline was learned during an active

attack, it may be beneficial to remove the current KBs (initial cannot

be removed) and force the AD engine to learn during a period you feel is

more representative of normal traffic flow.

Scott

Re: New IPS deployment. What do these alerts mean

Diego Armando Cambronero Arias — Tue, 27 Jul 2010 17:26:25 GMT

Yes you are right it's false negatives not positives.

Thanks.