IPS Signature alarm

dipak jaiswal
Level 1

Hi,

We have two AIP-SSM modules installed in Cisco ASA 5540s running in Active/Standby mode. I have configured the IPS in inline mode; before that it was in promiscuous mode. After configuring it in inline mode, the IPS always triggers two signatures, i.e. UDP Edonkey Activity (Sig Id: 7202/0) and OpenSSL TLS Malformed Handshake DoS (Sig Id: 5403/0). The UDP eDonkey activity is coming from our local DNS server and the OpenSSL TLS Malformed Handshake DoS activity is coming from our local proxy server. The servers run Linux. I have searched on the internet and got the following links:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5403&signatureSubId=0&softwareVersion=6.0&releaseVersion=S81

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=7202&signatureSubId=0&softwareVersion=6.0&releaseVersion=S341

For UDP eDonkey activity, it says: "Certain traffic may cause this signature to false positive. It is recommended that ports 1-1024 be filtered out. Known triggers include: DNS (udp port 53), NetBIOS NS (udp port 137)."

Within 1 hour, the signature has been triggered 250 times. The attacker IP address is our local server and the victim IP address is a WAN IP address. How can I filter ports 1-1024 on the IPS?

I am very new to IPS and have very little knowledge about it. I am not able to understand whether it's a server or a network problem.

Do I have to tune the signatures?

Please help me to solve this issue.

Thanks a lot in advance.

Regards

Dipak

3 Replies

dipak jaiswal
Level 1

Hi,

Can anybody help me to solve this issue?

Regards

Dipak

rhermes
Level 7

Welcome to the world of analysis.

You will be doing quite a bit of this with your IPS Sensors. This is how you will tune your signature set to give you good, actionable events.

Perform a packet capture on this signature. Download the PCAP from the sensor to your workstation.

Open the PCAP in Wireshark. Examine the PCAP to determine if the traffic from your DNS server is normal DNS traffic or eDonkey activity.

Once you determine it is normal UDP activity, filter your signature as suggested.

- Bob
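To show the analysis step Bob describes, here is an added example (not from the original thread or from Cisco) that reads the downloaded PCAP, pulls out the IPv4/UDP flows and sorts them the way the 7202/0 signature notes suggest: flows with a port in 1-1024 (DNS 53, NetBIOS NS 137) are the known false-positive triggers you would filter, everything else stays in a review bucket for Wireshark. The IP addresses and the capture itself are constructed for the example.

```python
import struct
from collections import Counter

KNOWN_TRIGGERS = {53: "DNS", 137: "NetBIOS NS"}  # named in the 7202/0 signature notes

def udp_packets(pcap: bytes):
    """Yield (src_ip, sport, dst_ip, dport) for each IPv4/UDP frame in a classic
    pcap byte string. Assumes Ethernet link type and no VLAN tags."""
    e = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(e + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = frame[14:]
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or ip[9] != 17:
            continue                           # not IPv4/UDP
        ihl = (ip[0] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, sport, dst, dport

def triage_edonkey_events(pcap: bytes):
    """Apply the signature advice: a UDP flow with a port in 1-1024 is a known
    false-positive candidate to filter; anything else still needs review."""
    filtered, review = Counter(), Counter()
    for src, sport, dst, dport in udp_packets(pcap):
        low = min(sport, dport)
        if 1 <= low <= 1024:
            filtered[(src, dst, low, KNOWN_TRIGGERS.get(low, "port 1-1024"))] += 1
        else:
            review[(src, sport, dst, dport)] += 1
    return filtered, review

def _frame(src, sport, dst, dport, payload=b"\x00" * 20):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; fine for parsing)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     addr(src), addr(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture: DNS and NetBIOS-NS from a DNS server plus one high-port flow."""
    frames = [_frame("10.0.0.53", 40000 + i, "198.51.100.1", 53) for i in range(3)]
    frames += [_frame("10.0.0.53", 137, "10.0.0.255", 137),
               _frame("10.0.0.53", 4662, "203.0.113.9", 4672)]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
```

Replace `sample_pcap()` with the bytes of the PCAP downloaded from the sensor; anything left in the review bucket is what you open in Wireshark before deciding on the filter.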

Hi Bob,

I am also getting the two signatures (OpenSSL TLS Malformed Handshake DoS 5403/0 and Unencrypted SSL 6005/0) firing quite frequently on the IPS. The attacker address is the local proxy and the victims are internet addresses, mostly from Skype Technologies. I want to know whether it is a false positive or needs to be blocked.

Best Rgds

Fazal
