Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

929
Views
0
Helpful
3
Replies
Highlighted
szamin125
Beginner
Beginner
‎09-10-2011 04:48 AM
‎09-10-2011 04:48 AM

Ip local source spoof attack on ips

Hi Guys,

we have ip local source spooof attack on our cisco ips the signature id on ips is 1104..what will be the proper metigation for this attack...

Regards

Sher

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
praprama
Cisco Employee
Cisco Employee
‎09-12-2011 09:22 AM
‎09-12-2011 09:22 AM

Ip local source spoof attack on ips

Here are details of this signature:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1104&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

You will want to track by using captures where the packets with a source of 127.0.0.1 are coming from (using MAC addresses).

You can use the packet display command on the sensor as well.

If there are any layer 3 hops, you will again have to capture on that layer 3 device.

regards,

Prapanch

0 Helpful
Reply
Highlighted
szamin125
Beginner
Beginner
‎09-13-2011 11:22 PM
‎09-13-2011 11:22 PM

Ip local source spoof attack on ips

Hi Prapanch,

the ips logs for the attack is following..i used packet dispaly command on my senson but couldnt find any any mac address ...

 

participants:  

    attacker:  

      addr: 127.0.0.1  locality=OUT 

    target:  

      addr: 108.122.0.0  locality=OUT 

      os:   idSource=unknown  type=unknown  relevance=relevant 

  actions:  

    denyPacketRequestedNotPerformed: true 

  riskRatingValue: 100  targetValueRating=medium  attackRelevanceRating=relevant 

  threatRatingValue: 100 

    protocol: IP protocol 0 

Regards

Sher

0 Helpful
Reply
Highlighted
praprama
Cisco Employee
Cisco Employee
‎09-14-2011 07:22 AM
‎09-14-2011 07:22 AM

Ip local source spoof attack on ips

Hi Sher,

You can try using the packet capture command and then copy of the captured file to an ftp server and view it using wiresark. here's the document on using the packet capture command and also explains how to copy the capture file for analysis:

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clipack.html

Regards,

Prapanch

0 Helpful
Reply
Latest Contents
FMC
Created by MassB on 06-01-2020 03:47 AM
1
0
1
0
HIDoes anyone know if there is an easier way than the belowQ. I check connection events for IOC's when requested and sometimes i have to check many url's which i am presently doing one url at a time and is very time consuming, is there a way to check mult... view more
How to: Cisco Identity Services Engine TC-NAC Integration wi...
Created by pavagupt on 05-30-2020 02:05 AM
0
0
0
0
HI   Introduction             Cisco Identity Services Engine (ISE) gives you intelligent Integrated protection through intent-based policy and compliance solution. Cisco ISE supports TC-NAC inte... view more
How to Integrate Cisco Identity Services Engine with IBM Maa...
Created by pavagupt on 05-29-2020 12:45 AM
0
10
0
10
HI   Introduction Cisco Identity Services Engine (ISE) gives you intelligent Integrated protection through intent-based policy and compliance solution. ISE supports external MDM vendor integration to help the customers to look for compliance of a dev... view more
AMP4E - Cisco Threat Response and ESA Integration
Created by bremarqu on 05-27-2020 09:16 AM
0
0
0
0
Hello, This video provides the steps to configure the Cisco Threat Response (CTR) and ESA Integration.   This is live on the portal:https://video.cisco.com/video/6159336218001   And on YouTube:https://www.youtube.com/watch?v=UCKIdx5rdFg   ... view more
Migrate from C170 to C190
Created by fhk_license on 05-26-2020 02:24 AM
3
0
3
0
I need to migrate from C170 to C190 and have already match to the same Firmware Version. I have a question. Is there any method that can export and import the configuration file instead of form cluster ?
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad