Currently, I am using IDS 4210, I am wondering is there is a way to create custom signature to capture alarms only on Port (6129). Any Idea on how to do that?
I think you are in the forensics phase trying to find out what attack is happening? If so you can creat a signature to produce an alarm whenever you see 6129 traffic, then look at those alarms and analize what's going on. As far as creating a signature for all known attacks on 6129, that may be very tinme consuming and not practical. See the following URL for signature creation. http://www.cisco.com/en/US/partner/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f44.html
Sorry - Here's an addemdum. Apparently port 6129 is a popular attack port recently. Look at the folloiwng URL. http://www.keyfocus.net/kfsensor/kb/mydoom.php. Check the Cisco signature updates and see of a signature has been create yet for this attack, if not using the information in this URL and the previous URL I sent you should be able to cteate a signature to stop the attack.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
