topic Re: MP2P Without IP address in Network Security

MP2P Without IP address

aohn — Sun, 10 Mar 2019 09:11:06 GMT

Hi There

I have an interesting question. Does anyone seen an alert on Cisco IDS 3.1(5)S82, MP2P Client Scan alerts with no info on SRC nor DEST IP addresses.?? There is positive scan happening since we detected 751 alert in 30 mins...

Re: MP2P Without IP address

owillins — Mon, 20 Dec 2004 14:54:53 GMT

I haven't seen an alert without an IP address. Here is a link on Configuring Automatic IP Logging and Configuring and Tuning Signatures that might be of some use.

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc12/ug/ch05.htm

Re: MP2P Without IP address

aohn — Mon, 20 Dec 2004 21:57:13 GMT

Thanks for the reply.

What confusing me is that only this alert is triggering with out IP. All are ok..

Re: MP2P Without IP address

marcabal — Mon, 20 Dec 2004 22:34:29 GMT

Check the alert details to determine if this a Global Summary alert.

If it is, then that would explain what is happening.

With a Global Summary the sensor will simply count the number of times the attack happens in a certain amount of time. Because it counts attacks from any source address to any destination address it does not individually report them.

If this happens to be the case, then there are changes to the sensor that can be made to prevent the alert from going into Global Summary mode so that individual addresses will be reported.

If you are not seeing this a Global Summary, then there may be a bug that I am not aware of.

A copy of the alarm as it is recorded in the sensor's log file would be needed to debug further.

(Need the actual alarm as seen in the sensor log file, often screen captures from monitoring tools do not show all of the necessary alarm fields).