scanner signatures on IPS

fazalunus
Level 1

I have noticed that on the IPS 4240 in our environment, signatures like AD-External TCP Scanner and Illegal UDP Scanner are firing from internal hosts which are not any known scanner machines, just simple clients. At times the victim address is 0.0.0.0 and the port is 161, and at times the port field is blank. The important thing is that the action configured on these signatures is drop packet, which only works when the port is known; if the destination address is 0.0.0.0 and the port is also not defined, the action does not work.

My question is: why does the destination show 0.0.0.0? Why does it sometimes show the port and sometimes not? Why does the action work at times, and at other times no action is seen?

Kindly reply.

7 Replies

rhermes
Level 7

Fazel -

The 0.0.0.0 IP address indicates that there were many target IP addresses involved (which is typical of an IP address scan). The alert will summarize all the involved IP addresses into a single 0.0.0.0 address. If you look at the detailed event you will see a list of the first 25 or 50 hosts IP addresses.

I would assume that the ports are also summarized for the Port Scanning signatures.

- Bob
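To make Bob's description concrete, here is an added example (not code from the original post, and not Cisco's summariser) that models how per-target scan alerts from one attacker get collapsed into a single summary event with a 0.0.0.0 victim that carries only the first N target addresses. The rule used for the port field (kept on the summary only when every target was hit on the same port, otherwise blank) and the `drop_applicable` check (drop cannot be matched to a summary with 0.0.0.0 and no port) are assumptions that model the behaviour reported in the thread; the signature names, addresses and `MAX_LISTED_HOSTS` value are constructed for the illustration.

```python
"""Model of how an IPS collapses a host sweep into one summary alert.

Constructed example: per-target alerts from one attacker are summarised
into a single event whose victim is 0.0.0.0, listing only the first N
target addresses.  This is an assumption about the summariser's logic
written for illustration, not the sensor's actual algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

MAX_LISTED_HOSTS = 25  # assumed summary depth ("first 25 or so IPs")


@dataclass
class Alert:
    signature: str
    attacker: str
    victim: str
    port: Optional[int]          # None renders as a blank port field
    summary: bool = False
    hosts: list = field(default_factory=list)   # first N targets of a summary
    total_hosts: int = 1


def summarize(alerts, max_listed=MAX_LISTED_HOSTS):
    """Collapse per-target alerts into one summary per (signature, attacker)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.signature, a.attacker)].append(a)

    out = []
    for (sig, atk), hits in groups.items():
        victims = []
        for h in hits:
            if h.victim not in victims:
                victims.append(h.victim)
        if len(victims) == 1:
            # Single target: pass the original alert through unchanged.
            out.append(hits[0])
            continue
        ports = {h.port for h in hits}
        out.append(Alert(
            signature=sig, attacker=atk,
            victim="0.0.0.0",                          # placeholder for "many targets"
            port=ports.pop() if len(ports) == 1 else None,  # assumed: blank when ports differ
            summary=True,
            hosts=victims[:max_listed],
            total_hosts=len(victims),
        ))
    return out


def drop_applicable(alert):
    """Assumed rule from the thread: drop packet needs a concrete destination;
    a summary with victim 0.0.0.0 and a blank port cannot be dropped."""
    return not (alert.victim == "0.0.0.0" and alert.port is None)


# Constructed sample: one client sweeping 30 hosts on UDP/161 (SNMP), and the
# same client probing three hosts on different TCP ports.
SAMPLE = (
    [Alert("Illegal UDP Scanner", "10.1.1.5", f"10.2.0.{i}", 161) for i in range(1, 31)]
    + [Alert("AD-External TCP Scanner", "10.1.1.5", "10.3.0.1", 22),
       Alert("AD-External TCP Scanner", "10.1.1.5", "10.3.0.2", 80),
       Alert("AD-External TCP Scanner", "10.1.1.5", "10.3.0.3", 443)]
)

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s.signature, s.attacker, "->", s.victim,
              "port", s.port if s.port is not None else "(blank)",
              "hosts listed", len(s.hosts), "of", s.total_hosts,
              "drop applicable:", drop_applicable(s))
```

Run stand-alone, the UDP sweep becomes one summary with victim 0.0.0.0, port 161 and 25 of 30 hosts listed, while the mixed-port TCP probes become a summary with a blank port, which is the case where the configured drop action has nothing concrete to match.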

Thanks Bob,

When I see the details of the event, it still shows the victim IP of 0.0.0.0. Where will I be able to see the list of IP addresses? Also, the action applied to the signature does not work or appear in the action-taken window for the event in which the target/victim is 0.0.0.0.

Appreciate your response.

Hi Bob,

Do we have any option to block Skype from the IDSM-2 in promiscuous mode? I have already configured it, but it is not working.

thanks

You can't block inline (drop) when your sensor is operating in Promiscuous mode. You can use shunning (dynamic ACL creation), or TCP resets while in Promiscuous mode.

- Bob

Bob,

Thanks again. I would really appreciate it if you could guide me regarding blocking Skype on the IPS 4240 in inline mode or on the IDSM-2 in promiscuous mode, as I have both present in my environment.

Secondly, on the initial problem of the scanner signatures:

When I see the details of the event, it still shows the victim IP of 0.0.0.0. Where will I be able to see the list of IP addresses? Also, the action applied to the signature does not work or appear in the action-taken window for the event in which the target/victim is 0.0.0.0.

Blocking Skype is difficult to impossible. This thread has a good discussion of the approach and problems:

https://supportforums.cisco.com/message/3323599#3323599

When the victim IP of a scan is 0.0.0.0 you should be able to see the first 25 or so IPs if you enable detailed (verbose) events for that signature.

- Bob

Bob,

I configured the action "Produce Verbose Alert". It did show a detailed packet capture on the event in which both attacker and victim IP were specified, but for the alert with the 0.0.0.0 address it did not give any details or list of IPs.

Moreover, I configured the summarize mode "Fire All" for the signature which is triggering too many 0.0.0.0 alerts. Now I am receiving all alerts with specific attacker and victim addresses.

Please guide: if I keep it on summarize, then where will I be able to see the list of summarised addresses?

Thanks a lot for your support on this.
