Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
1
Replies

IPS Sensor Monitoring Events

Bighead81
Level 1
Level 1

‎10-01-2014 02:31 AM - edited ‎03-10-2019 06:15 AM

I have had Bash environment variable light up the ips log the last few days.  When the target address is summarised 0.0.0.0 (a combination of ips addresses) I do not see the packets as being dropped.  When I have an individual target address 1.2.3.4 all packet are dropped.  Even though the IPS doesn't state the packet has been dropped for summarised ip addresses are they being dropped?

Labels:
0 Helpful
1 Reply 1

shepp
Level 1
Level 1

‎10-03-2014 09:32 AM

In short, yes.

The shellshock sigs all have summary-key set to AxBx, so your initial alert should give you the attacker and victim IPs.  For 1 summary interval after the initial alert, further events caused by traffic between that pair will be collected into a summary alert.  Each event that causes the shellshock sig to fire will have its event-actions applied.

In the case of 4689-0, its SFR of 90 in combination with the default HIGHRISK event-action rule results in not just the produce-alert event action but also deny-inline.

We changed 4689-1 in S825 to have a tighter regex and lowered its SFR of 85 so that it will fire less and also will not block by default.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card