09-10-2011 04:48 AM - edited 03-10-2019 05:28 AM
Hi Guys,
we have ip local source spooof attack on our cisco ips the signature id on ips is 1104..what will be the proper metigation for this attack...
Regards
Sher
09-12-2011 09:22 AM
Here are details of this signature:
You will want to track by using captures where the packets with a source of 127.0.0.1 are coming from (using MAC addresses).
You can use the packet display command on the sensor as well.
If there are any layer 3 hops, you will again have to capture on that layer 3 device.
regards,
Prapanch
09-13-2011 11:22 PM
Hi Prapanch,
the ips logs for the attack is following..i used packet dispaly command on my senson but couldnt find any any mac address ...
participants:
attacker:
addr: 127.0.0.1 locality=OUT
target:
addr: 108.122.0.0 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
actions:
denyPacketRequestedNotPerformed: true
riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 100
protocol: IP protocol 0
Regards
Sher
09-14-2011 07:22 AM
Hi Sher,
You can try using the packet capture command and then copy of the captured file to an ftp server and view it using wiresark. here's the document on using the packet capture command and also explains how to copy the capture file for analysis:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clipack.html
Regards,
Prapanch
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide