12-31-2008 07:31 AM - edited 03-10-2019 04:26 AM
I am getting a lot of eDonkey traffic. Has anyone seen this before?
appInstanceId: 412
time: Dec 30, 2008 22:59:55 UTC offset=-300 timeZone=GMT-05:00
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
subsigId: 0
sigDetails: UDP eDonkey Activity
marsCategory: Info/Misc
marsCategory: Info/UncommonTraffic/P2PFileShare
marsCategory: Info/UncommonTraffic/P2PFileShare/FileTransfer
interfaceGroup: vs0
vlan: 0
participants:
  attacker:
    addr: 10.100.2.117 locality=OUT
    port: 58766
  target:
    addr: 172.25.2.2 locality=OUT
    port: 53
    os: idSource=learned type=windows-nt-2k-xp relevance=relevant
summary: 2 final=true initialAlert=1230553111638101867 summaryType=Regular
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 2 events this interval ;
riskRatingValue: 53 targetValueRating=high attackRelevanceRating=relevant
threatRatingValue: 53
interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1
protocol: udp
12-31-2008 08:54 AM
Check out the following link
Summary - this signature is obsolete and regularly fires on DNS traffic (port 53).
I would disable signature 7202 in your IPS configuration.
12-31-2008 10:12 AM
I confirmed with packet captures that this fires on normal DNS traffic. I would disable it also or filter where applicable.
01-05-2009 09:36 AM
You can disable this sig in IDM.
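
A triage sketch for the advice in the replies above (an added example, not part of the original thread and not a Cisco tool): it parses alerts in the layout posted in the question and separates signature 7202 hits on UDP port 53 from any others, so the DNS noise can be confirmed before the signature is disabled or filtered. The function names and verdict strings are assumptions, and the second sample alert is constructed.

```python
import re

def parse_alert(text):
    """Parse one alert in the 'key: value' layout shown in the question."""
    alert = {"sig_id": None, "protocol": None, "attacker": {}, "target": {}}
    role = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("attacker", "target") and not value:
            role = key  # the addr/port lines that follow belong to this role
        elif key == "signature":
            m = re.search(r"\bid=(\d+)", value)
            alert["sig_id"] = int(m.group(1)) if m else None
        elif key == "protocol":
            alert["protocol"] = value.lower()
        elif key == "addr" and role and value:
            alert[role]["addr"] = value.split()[0]  # drop the locality=... suffix
        elif key == "port" and role and value.isdigit():
            alert[role]["port"] = int(value)
    return alert

def triage(alert):
    """Label 7202 alerts that involve UDP port 53 as probable DNS noise."""
    ports = {alert["attacker"].get("port"), alert["target"].get("port")}
    if alert["sig_id"] == 7202 and alert["protocol"] == "udp" and 53 in ports:
        return "likely-dns-false-positive"
    return "review"

# Abridged copy of the alert posted in the question.
QUESTION_ALERT = """\
signature: description=UDP eDonkey Activity id=7202 version=S341 type=other created=20080128
participants:
attacker:
addr: 10.100.2.117 locality=OUT
port: 58766
target:
addr: 172.25.2.2 locality=OUT
port: 53
protocol: udp
"""
# Constructed variant: same alert aimed at a non-DNS port.
OTHER_ALERT = QUESTION_ALERT.replace("port: 53", "port: 4672")

if __name__ == "__main__":
    for name, text in (("question", QUESTION_ALERT), ("constructed", OTHER_ALERT)):
        print(name, triage(parse_alert(text)))
```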