IP local source spoof attack on IPS

szamin125
Level 1

Hi Guys,

We have an IP local source spoof attack on our Cisco IPS; the signature ID on the IPS is 1104. What will be the proper mitigation for this attack?

Regards

Sher

3 Replies

praprama
Cisco Employee

Here are details of this signature:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1104&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

You will want to track by using captures where the packets with a source of 127.0.0.1 are coming from (using MAC addresses).

You can use the packet display command on the sensor as well.

If there are any layer 3 hops, you will again have to capture on that layer 3 device.

regards,

Prapanch

Hi Prapanch,

The IPS log for the attack is as follows. I used the packet display command on my sensor but couldn't find any MAC address.

participants:
    attacker:
      addr: 127.0.0.1  locality=OUT
    target:
      addr: 108.122.0.0  locality=OUT
      os:   idSource=unknown  type=unknown  relevance=relevant
  actions:
    denyPacketRequestedNotPerformed: true
  riskRatingValue: 100  targetValueRating=medium  attackRelevanceRating=relevant
  threatRatingValue: 100
    protocol: IP protocol 0

Regards

Sher

Hi Sher,

You can try using the packet capture command and then copy the captured file to an FTP server and view it using Wireshark. Here's the document on using the packet capture command; it also explains how to copy the capture file for analysis:

http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clipack.html

Regards,

Prapanch
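
An added example (not part of the thread and not Cisco code): once the capture file has been copied off the sensor, a short script can list the source MAC addresses of frames whose IPv4 source is in 127.0.0.0/8, which is the tracing step suggested in the replies above. It assumes the capture is a classic libpcap file with Ethernet link type; the function names and the three-frame sample capture are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, ip_network
LOOPBACK = ip_network("127.0.0.0/8")

def loopback_source_macs(pcap_bytes):
    """Count (source MAC, source IP) pairs for IPv4 frames sourced from 127.0.0.0/8."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian file
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian file
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    hits, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:  # not IPv4 or truncated
            continue
        src_ip = IPv4Address(frame[l3 + 12:l3 + 16])
        if src_ip in LOOPBACK:
            mac = ":".join(f"{b:02x}" for b in frame[6:12])
            hits[(mac, str(src_ip))] += 1
    return hits

def sample_pcap():
    """Constructed three-frame capture; MACs and addresses are made up."""
    def frame(src_mac, src_ip):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 0, 0,
                         IPv4Address(src_ip).packed, IPv4Address("192.0.2.10").packed)
        return bytes.fromhex("020000000001" + src_mac + "0800") + ip
    frames = [frame("0200000000aa", "127.0.0.1"), frame("0200000000bb", "192.0.2.7"),
              frame("0200000000aa", "127.0.0.1")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (mac, ip), count in loopback_source_macs(sample_pcap()).items():
        print(f"{count} frame(s) from {ip} with source MAC {mac}")
```

The MAC reported is that of the last layer 2 sender on the captured segment, so if it belongs to a router the same check has to be repeated on a capture taken beyond that hop.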
