Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
2
Replies

IPS not detecting malicious traffic in the outbound direction

Go to solution
WILLIAM STEGMAN
Level 4
Level 4

‎01-16-2007 09:13 AM - edited ‎03-10-2019 03:25 AM

I have a 4240 running IPS 6.0. I have an interface in promiscuous mode that is connected to a port that has SPAN enabled on the uplink from a switch to my router. I'm doing some testing and noticed that when using nmap from a host located on the inside to a host on a remote subnet that requires me to send my traffic through the uplink port crossing the interface the IPS is monitoring in an outbound direction, no signatures are triggered. However, if I do the same scan reversing the location of the attacker and victim so the scan comes inbound the sensor immediately picks up the scan and triggers the appropriate signatures. Why would this behavior occur and is there a way to change it?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
wsulym
Cisco Employee
Cisco Employee

‎01-16-2007 01:05 PM

Do any other signatures fire on "outbound" traffic. Anything at all?

The very first thing that popped into my mind was that you might only have span set such that your span destination port is only seeing the receive traffic and not the transmit traffic. This is only a guess since I don;t have any details here.

Before we can even really begin to consider the why, we need some details.

What switch model (in case there's some limitation to the span config).

What's the span config.

How are you running nmap (what options).

What alerts fire for you on the reverse direction.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
wsulym
Cisco Employee
Cisco Employee

‎01-16-2007 01:05 PM

Do any other signatures fire on "outbound" traffic. Anything at all?

The very first thing that popped into my mind was that you might only have span set such that your span destination port is only seeing the receive traffic and not the transmit traffic. This is only a guess since I don;t have any details here.

Before we can even really begin to consider the why, we need some details.

What switch model (in case there's some limitation to the span config).

What's the span config.

How are you running nmap (what options).

What alerts fire for you on the reverse direction.

0 Helpful

Go to solution
WILLIAM STEGMAN
Level 4
Level 4
In response to wsulym

‎01-16-2007 06:44 PM

that's great, you nailed it. I've had span setup a while on there for a packet sniffer and was sure I was monitoring traffic in both directions...until I checked the session, it was only looking at receive. Once I changed it to both the signatures began firing as expected. Thank you very much!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card