Mis-categorized Signatures in S153

oconnelj
Level 1

Why are they putting worm signatures in the 12000 range?

42. 12025 0 Kelvir Worm Activity STRING.TCP No High None

43. 12025 1 Kelvir Worm Activity STRING.TCP No High None

44. 12026 0 Fatso Worm Activity STRING.TCP No High None


oconnelj
Level 1

And also these: why are they in the 11000 range?

11233 0 SSH Over Non-standard Ports STRING.TCP No Info None

79. 11233 1 SSH Over Non-standard Ports STRING.TCP No Info None

80. 11233 2 SSH Over Non-standard Ports STRING.TCP No Info None

a.arndt
Level 3

Kelvir and Fatso were actually added with S150. No idea why they landed in the 12000 range. Even more odd is that they don't show up in the list when you go to the "Signature Configuration Mode -> Attack -> Viruses/Worms/Trojans" list in IDM.

BTW, "SSH over non-standard ports" showed up in S143. In this case, I think the SigID range chosen relates to the fact that, like many of the other signatures in the 11200 range, this one covers software involving client/server communications.

I hope this helps,

Alex Arndt

I think I understand why they put the non-standard SSH in the 11 thousand range. After looking through all the other ranges, it seems that the 11 thousand range is more of an inappropriate-usage type category. From that perspective, I can see no other place for the non-standard SSH signatures.

I do agree, the worm signatures are DEFINITELY not in the right place!

-John

I'd like to clear this issue up. We no longer group signatures by ID number. There was a time about 3+ years back when similar signatures were all grouped into the same range, but that is no longer the case.

I also took a quick look at the IDM classification issue that was brought up. Thanks for pointing that out, we'll have to take a better look at it. I know the signature is tagged correctly, but at the moment I don't know why it does not appear when the signatures are viewed by type.

Walter.

Thanks for the info. I had no idea that the groupings had been decoupled from the SigID range (though it makes sense...).

As for the IDM thing, no problem.

Alex Arndt
