IDM alert monitoring

saidfrh
Level 1

Hi,

Monitoring the IDM alerts shows that one of the internal clients is attacking outside IP addresses. Could someone shed light on the above dynamics?

Thanks.

Said

evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
originator:
hostId: ips
appName: sensorApp
appInstanceId: 406
time: Jul 29, 2008 12:50:48 UTC offset=0 timeZone=UTC
signature: description=TCP SYN Host Sweep id=3030 version=S2
subsigId: 0
marsCategory: Probe/SpecificPorts
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.1.207 locality=OUT
port: 4580
target:
addr: 66.150.11.50 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 68.180.219.138 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 74.201.95.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 72.247.169.161 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 207.230.151.254 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.252.124.207 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 67.228.69.100 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 208.43.2.146 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.196.126.101 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 69.22.167.239 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.73.87.152 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 12.130.60.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 66.94.234.72 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.145.50.247 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 216.252.125.76 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 209.131.37.77 locality=OUT
os: idSource=learned type=bsd relevance=relevant
alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 31
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
protocol: tcp

5 Replies

attmidsteam
Level 1

A host sweep does not equal an attack. We don't have the destination port here so this could simply be outbound web traffic from a proxy server or outbound mail traffic from your mail server. Perform a packet display on the sensor to see what connections the above IP is making (look at the destination port) and also look for other events with this same source.
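One way to apply that triage to the alert text above, as an added example that is not from the thread or from Cisco: parse the evIdsAlert output into fields and participants, then summarise what the alert does and does not establish (a probe signature, how many distinct external targets, whether a destination port is present, and whether the source needs correlation rather than a verdict). The sample alert is constructed from the fields shown in the post, trimmed to three of its sixteen targets; the parser, the dataclass names and the note text are my own assumptions about the format, not a Cisco API.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the fields from the alert posted in this thread,
# cut down to three of the sixteen targets so the example stays short.
SAMPLE_ALERT = """\
evIdsAlert: eventId=1216735955474843112 vendor=Cisco severity=informational
originator:
hostId: ips
appName: sensorApp
time: Jul 29, 2008 12:50:48 UTC offset=0 timeZone=UTC
signature: description=TCP SYN Host Sweep id=3030 version=S2
subsigId: 0
participants:
attacker:
addr: 192.168.1.207 locality=OUT
port: 4580
target:
addr: 66.150.11.50 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
target:
addr: 68.180.219.138 locality=OUT
os: idSource=learned type=bsd relevance=relevant
target:
addr: 74.201.95.4 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 31
protocol: tcp
"""

HOST_SWEEP_SIG_ID = "3030"  # signature id shown in the posted alert

# "key=value" pairs; values may contain spaces (description=TCP SYN Host Sweep)
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
FIRST_ATTR_RE = re.compile(r"\b\w+=")


@dataclass
class Participant:
    role: str            # "attacker" or "target"
    addr: str = ""
    locality: str = ""   # IN/OUT as labelled by the sensor
    port: str = ""
    os_type: str = ""


@dataclass
class Alert:
    fields: dict = field(default_factory=dict)      # key -> (positional, attrs)
    participants: list = field(default_factory=list)


def parse_value(raw):
    """Split 'positional k=v k=v' into (positional, {k: v})."""
    m = FIRST_ATTR_RE.search(raw)
    if m is None:
        return raw.strip(), {}
    attrs = {k: v.strip() for k, v in ATTR_RE.findall(raw[m.start():])}
    return raw[:m.start()].strip(), attrs


def parse_alert(text):
    """Parse the flat 'key: value' alert dump; addr/port/os lines belong to
    the most recent attacker:/target: header."""
    alert, current = Alert(), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, raw = line.partition(":")
        key = key.strip()
        if key in ("attacker", "target"):
            current = Participant(role=key)
            alert.participants.append(current)
            continue
        positional, attrs = parse_value(raw)
        if current is not None and key in ("addr", "port", "os"):
            if key == "addr":
                current.addr, current.locality = positional, attrs.get("locality", "")
            elif key == "port":
                current.port = positional
            else:
                current.os_type = attrs.get("type", "")
            continue
        alert.fields[key] = (positional, attrs)
    return alert


def triage(alert):
    """Summarise the alert the way the reply above recommends: a host sweep is
    a probe, the destination port is what is missing, and the next step is a
    packet display plus a search for other events from the same source."""
    _, sig = alert.fields.get("signature", ("", {}))
    rr_pos, _ = alert.fields.get("riskRatingValue", ("", {}))
    attacker = next((p for p in alert.participants if p.role == "attacker"), None)
    targets = [p for p in alert.participants if p.role == "target"]
    dst_port_known = any(t.port for t in targets)
    notes = []
    if sig.get("id") == HOST_SWEEP_SIG_ID:
        notes.append("host sweep is a probe signature, not evidence of an attack")
    if not dst_port_known:
        notes.append("no destination port in the alert: do a packet display on the "
                     "sensor for this source and check the destination ports")
    if attacker and attacker.locality == "OUT" and ipaddress.ip_address(attacker.addr).is_private:
        notes.append("private source address labelled locality=OUT: check the "
                     "sensor's internal-network definition")
    return {
        "signature_id": sig.get("id"),
        "signature": sig.get("description"),
        "source": attacker.addr if attacker else None,
        "distinct_targets": len({t.addr for t in targets}),
        "all_targets_external": all(t.locality == "OUT" for t in targets),
        "risk_rating": int(rr_pos) if rr_pos.isdigit() else None,
        "destination_port_known": dst_port_known,
        "notes": notes,
    }


if __name__ == "__main__":
    for k, v in triage(parse_alert(SAMPLE_ALERT)).items():
        print(f"{k}: {v}")
```

Run against the full alert, the same code reports sixteen distinct external targets and the same three notes; the point of the "notes" list is that the alert on its own does not distinguish a proxy or mail server from an infected host, so the verdict is deferred to the packet display and to other events from 192.168.1.207.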

jason.hurst
Level 1

Hi,

I had the exact same issue going on at my location, and there were two causes.

One was that we had a bluecoat proxy, which uses multiple ports to refresh its website cache, and for new requests.

The other cause was a machine that was infested with spyware.

If it is a user's machine, I would suggest downloading the Sysinternals Suite from Microsoft, and doing a PSLOGGEDON \\ to see who is using that machine.

Jason

Jason,

Thanks.

Said

Jason,

I downloaded and unzipped Sysinternals Suite. Where do I type in PSLOGGEDON \\ ?

I ran a spyware program on the machines that "attacked" outside IPs. There was no spyware found.
