Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1769
Views
0
Helpful
3
Replies

IPS Signature alarm

dipak jaiswal
Level 1
Level 1

‎07-19-2011 04:21 AM - edited ‎03-10-2019 05:25 AM

Hi,

We have two AIP-SSM module installed at Cisco ASA 5540 running at Active/Standby mode. I have configured IPS in a inline mode, before hand it was in a promiscous mode. After configuring it in a inline mode, IPS triggering two signatutures always {i.e. UDP Edonkey Activity(Sig Id : 7202/0) and OpenSSL TLS Malformed Handshak DoS(Sig Id: 5403/0)}. UDP edonkey activity is happening from our local dns server and OpenSSL TLS Malformed Handshak DoS activity is happening from our local proxy server. The server contaions Linux OS. I have searched at internet got the following links:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=5403&signatureSubId=0&softwareVersion=6.0&releaseVersion=S81

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=7202&signatureSubId=0&softwareVersion=6.0&releaseVersion=S341

For UDP edonkey activity, its say Certain traffic may cause this signature to false positive. It is recommended that ports 1-1024 be filtered out. Known triggers include: DNS (udp port 53), NetBIOS NS (udp port 137).

Within 1 hour, 250 times signatures has got triggered. Attacker IP address is our local server and Victim IP address is Wan IP address. How can i filter ports 1 - 1024 at IPS ?

I am very new at IPS and have very rare knowledga about it. I am not able to understand whether it's a Server or Network problem.

Do i have to tune the Signatures ?

Please help me ti solve this issue.

Thanks a lot in advance.

Regrds

Dipak

Labels:
0 Helpful
3 Replies 3

dipak jaiswal
Level 1
Level 1

‎07-21-2011 05:01 AM

Hi,

Can anybody help me to solve this issue ?

Regards

Dipak

0 Helpful

rhermes
Level 7
Level 7

‎07-21-2011 08:17 AM

Welcome to the world of analysis.

You will be doing quite a bit of this with your IPS Sensors. This is how you will tune your signature set to give you good, actionable events.

Perform a packet capture on this signature. Download the PCAP from the sensor to your workstation.

Open the PCAP in Wireshark. Examine the PCAP to determine if the traffic from your DNS server is normal DNS traffic or eDonkey activity.

Once you determine it is normal UDP activity, filter your signature as suggested.

- Bob

0 Helpful

fazalunus
Level 1
Level 1
In response to rhermes

‎03-15-2012 05:19 AM

Hi Bob,

I am also getting the two signatures (OpenSSL TLS Malformed Handshak DoS 5403/0   and

Unecrypted SSL 6005/0 ) firing quite frequently on IPS ,the attacker address is local proxy and the victim are internet addresses moslty from Skype Technologies..I want to know whether it is false positive or need to blocked..

Best Rgds

Fazal

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card