IPS Attack

wasiimcisco
Level 1

I have an IPS 4255 running IOS 5.x; it is monitoring my Internet zone traffic. In my event viewer I am seeing a few IPs considered as attacks towards my global IP addresses that are not being used in my network. These IPs are spare global IPs for future use.

Attack type is MSSQL Resolution Service Stack Overflow

Signature ID: 4703/0

I have the global IP address range x.x.x.x/24 and I am using only the first 10 IP addresses; the rest are not used anywhere.

Why am I getting attacks on these IP addresses, and how do I prevent it?

9 Replies

mhellman
Level 7

It's a worm and it's UDP (SQL Slammer). You can't prevent it without an ACL/firewall in front of your IDS/IPS. If you're not vulnerable (and you wouldn't be unless you have MSSQL in your DMZ), just turn that signature off.

rhermes
Level 7

Is your sensor behind your firewall?

Thanks for the reply. My IPS is in front of the firewall, and it is monitoring only traffic that comes from the Internet.

Although you will get a rich, constant stream of events from your sensor on the outside of your firewall, performing analysis like this on events that will (or should) be blocked by your firewall is usually not a useful expenditure of your time and effort.

TradeSecrets
Level 1

Hi there,

Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.

If your network is flat, creating more subnets will add security to your network.

Let me know if that helps.

~TS

>Use a /28; this will give you only 6 extra addresses. Using a /24 leaves 246 extra, which is way too many.

>If your network is flat, creating more subnets will add security to your network.

That made no sense and didn't provide any assistance with wasiimcisco's issue.

wasiimcisco: Since your sensor is outside of the firewall and sig 4703 is UDP based, you will see many sweeps of this signature. If you are sure that you don't have UDP 1434 open on your firewall (and I really hope you don't), then you can simply create an event action filter for 0.0.0.0-255.255.255.255 to your public range (/24) with 'stop on match'. I would recommend placing the sensor behind your firewall, and then you won't have to worry about tuning for traffic that won't make it past your firewall policy.
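The filter described in the reply above, written out as an added example in the Cisco IPS 5.x/6.x sensor CLI (this is not configuration from the thread or from Cisco documentation). The sensor prompt, the filter name sig4703-outside and the public range 203.0.113.0/24 are assumptions standing in for the poster's x.x.x.x/24; the text in the user-comment field records the precondition the reply insists on, that UDP/1434 is already blocked at the firewall. The second part shows the alternative mhellman suggested, disabling signature 4703/0 outright, which is the simpler choice when there is no MSSQL reachable from the Internet at all.

```cisco
sensor# configure terminal

! Option 1: keep the signature, but drop the alert for Slammer
! sweeps aimed at the public /24 (placeholder range 203.0.113.0/24).
sensor(config)# service event-action-rules rules0
sensor(config-eve)# filters insert sig4703-outside begin
sensor(config-eve-fil)# signature-id-range 4703
sensor(config-eve-fil)# subsignature-id-range 0
sensor(config-eve-fil)# attacker-address-range 0.0.0.0-255.255.255.255
sensor(config-eve-fil)# victim-address-range 203.0.113.0-203.0.113.255
sensor(config-eve-fil)# actions-to-remove produce-alert
sensor(config-eve-fil)# stop-on-match true
sensor(config-eve-fil)# user-comment Slammer sweeps against unused public space; assumes UDP/1434 is blocked at the firewall
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes

! Option 2 (mhellman's suggestion): disable 4703/0 entirely.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 4703 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
```

The `!` lines are annotations for the reader, not sensor commands. The filter only removes the produce-alert action for that signature and victim range; it does not change what the sensor sees or passes, so the firewall rule blocking UDP/1434 must exist independently (check it there, not on the sensor). Restricting the victim range to the public /24 rather than filtering the signature globally keeps 4703 firing for any other monitored address space, which is the reason to prefer Option 1 over Option 2 when the sensor watches more than one zone. After applying, `show events alert` should no longer list 4703/0 for the filtered range.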

How do I remove stars? I want to take yours away. Another Cisco person without a clue.

Haha, I don't represent Cisco in any way. If you would like to provide useful information on this forum, I'm sure all would appreciate it, but all you've done is troll every thread and say that IPS is better than IDS.

BTW, the number of posts here doesn't mean much, so you don't have to reply to every thread. You get points when other forum members believe you have provided useful information.

For the record, I am a senior analyst at a large MSSP where we manage hundreds of IDS/IPS sensors: we write signatures, tune policies, conduct in-depth investigations, etc., with multiple vendors. We have many Cisco devices, which is why I post on NetPro occasionally, even though the signal-to-noise ratio here is not as high as I would hope.

A. There is a lot of fat in the IT security industry: people without a clue. Your title means nothing to me.

B. All I do is tune NIPS/HIPS.

C. I don't care about points. I am just sharing information to secure America.

D. Shared security services are like pissing in the wind; anyone who uses your service is a fool.
