Understanding IPS log (sig:16297-Worm Activity)

jagadeeshan.s
Level 1

Hi,

We are monitoring intrusions for a customer using a SIEM, and we got an alert based on the IPS log below.
It would be great if someone could help clarify my doubts in analyzing this and similar IPS logs.

*********** Cisco IDS
08 Oct 2012 08:50:36
id= xyxyxyxyxyxyxyxyxyx
sig_id= 16297
sig= Worm Activity - Brute Force
src= 10.10.10.4
src_port= [3539]
dst= 192.168.178.131
dst_port= [445]
sev= informational
proto= tcp
eventId=1340445327004327804
severity=informational
vendor=Cisco
sd:originator.sd:hostId=AIP-SSM-1
sd:originator.cid:appName=sensorApp
sd:originator.cid:appInstanceId=462
sd:time.offset=XYZ
sd:time.timeZone=XYZ
sd:time=1349686236842887000
sd:signature.cid:created=20090331
sd:signature.cid:type=anomaly
sd:signature.cid:version=S392
sd:signature.description=Worm Activity - Brute Force
sd:signature.id=16297
sd:signature.cid:subsigId=0
sd:signature.cid:sigDetails=Multiple logon failures
sd:signature.marsCategory=Propagate/Worm
sd:interfaceGroup=vs0
sd:vlan=0
sd:participants.sd:attacker.sd:addr.cid:locality=OUT
sd:participants.sd:attacker.sd:addr=10.10.10.4
sd:participants.sd:attacker.sd:port=3539
sd:participants.sd:target.sd:addr.cid:locality=OUT
sd:participants.sd:target.sd:addr=192.168.178.131
sd:participants.sd:target.sd:port=445
sd:participants.sd:target.cid:os.idSource=learned
sd:participants.sd:target.cid:os.relevance=relevant
sd:participants.sd:target.cid:os.type=windows-nt-2k-xp
sd:participants.sd:target.cid:os=
cid:context.cid:fromTarget= <removed>
cid:context.cid:fromAttacker=<removed>
cid:alertDetails=InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
cid:triggerPacket=<removed>
cid:riskRatingValue.attackRelevanceRating=relevant
cid:riskRatingValue.targetValueRating=medium
cid:riskRatingValue=25
cid:threatRatingValue=25
cid:interface.backplane=GigabitEthernet0/1
cid:interface.context=single_vf
cid:interface.physical=Unknown
cid:interface=GigabitEthernet0/1
cid:protocol=tcp ************


1. I checked for sig:16297 via the ASDM demo version, but didn't find this signature in sig0. Where can we see this signature's settings and properties?
2. The fields "cid:context.cid:fromTarget=", "cid:context.cid:fromAttacker=", and "cid:triggerPacket=" look like they are in an encoded format. How do I decode them; are there any tools/URLs? How are these fields significant?
3. If this is a false positive (based on src/dst and activity), how do we fine-tune this in the IPS?

Note: I don't have access to this IPS, but I need to coach the owner on fine tuning and on other checks.

Thanks!

-Jag.

5 Replies

JonPBerbee
Level 1

Hi Jag.

Here is a link with more information on alert 16297/0. 

tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=1&softwareVersion=6.0&releaseVersion=S392

Generally on that signature I'd email the customer and ask them to check the attacker IP to ensure that the computer doesn't have a virus.  If these end up coming in frequently and the customer comes back stating they are false alerts then you may need to filter the alert or just send a report to the customer once a week with the IPs in question from the alert.

As far as decoding the fields in question 2, that comes out in base64.  We have a powershell script that decodes these fields.  I have tried various Web based decoders with mixed success which is why we wrote a powershell script to do the job.

Hi Jon,

Thanks for your reply! If you don't mind, can you share the PowerShell script?

Thanks!

-Jag.

gspillma
Cisco Employee

Running a virus scan on the source IP address is a good first step.  If you come up with nothing, then my next step would be to check the source for any misconfigured scripts or applications that may be causing the host to repeatedly reach out across the network, which can trigger false positives.  We have observed cases where shutting down unnecessary services can eliminate false positives.

jagadeeshan.s
Level 1

Checking with the users, I got to know that they were just accessing file servers over port 445. I am wondering whether the signature will trigger just for normal NetBIOS traffic. Nope, it wouldn't, so there should be something that this signature is specifically looking for. What's that? Is there any way to capture that traffic and analyze it for anything suspicious using some packet capture tools? If so, what parameters should I look for to identify the suspicious traffic? More questions coming to my mind...

-Jag.

This guide can walk you through using your IPS to display and capture live traffic:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_packets.html
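Added example, written for this page in Python; it is not Jon's PowerShell script and not Cisco code. It covers question 2 from the original post (decoding cid:context.cid:fromTarget, cid:context.cid:fromAttacker and cid:triggerPacket, which Jon's reply says are base64) and Jag's later question about what to look for in captured traffic. It parses an event line in the format shown above, decodes the three fields, checks the trigger packet's addresses against the event's own src/dst/dst_port, and looks in the target's context bytes for an SMB reply carrying NT status STATUS_LOGON_FAILURE (0xC000006D). Assumptions, since the post has those fields <removed>: the sample event line and every byte in its base64 fields are constructed here (a hand-built Ethernet/IPv4/TCP frame to port 445 carrying a 32-byte SMB1 Session Setup AndX header, and a matching reply); triggerPacket is taken to be the raw frame and the context fields the captured stream bytes; and the "Multiple logon failures" named in sigDetails are taken to appear on the wire as the server rejecting Session Setup with STATUS_LOGON_FAILURE, which is the status worth filtering on in a capture if that holds for your traffic.

```python
import base64
import re
import struct

STATUS_LOGON_FAILURE = 0xC000006D   # NT status a server returns when a logon is rejected
B64_FIELDS = ("cid:context.cid:fromTarget", "cid:context.cid:fromAttacker", "cid:triggerPacket")
# A field is "key=value" or "key= value"; fields are separated by runs of whitespace.
# The (?!") lookahead stops inner tokens such as context="single_vf" from being read as keys.
KEY_RE = re.compile(r'([A-Za-z][\w.:]*)=(?!")\s*(.*)', re.S)

def parse_event(line):
    """Split one IPS event line into a dict; a piece without a key continues the previous value."""
    fields, current = {}, "_header"
    for piece in re.split(r"\s{2,}", line.strip().strip("*").strip()):
        m = KEY_RE.match(piece)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        else:
            fields[current] = (fields.get(current, "") + " " + piece).strip()
    return fields

def parse_frame(frame):
    """Addresses, ports and TCP payload of a raw Ethernet/IPv4/TCP frame (assumed triggerPacket layout)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": ".".join(map(str, frame[26:30])), "sport": sport, "proto": frame[23],
            "dst": ".".join(map(str, frame[30:34])), "dport": dport,
            "payload": tcp[(tcp[12] >> 4) * 4:]}

def smb1_status(data):
    """Command, NT status and reply flag of the first SMB1 header in data, or None if there is none."""
    i = data.find(b"\xffSMB")
    if i < 0 or len(data) < i + 32:
        return None
    return {"command": data[i + 4], "status": struct.unpack_from("<I", data, i + 5)[0],
            "is_reply": bool(data[i + 9] & 0x80)}   # Flags bit 7 set = server reply

def hexdump(data):
    return "\n".join(f"{o:04x}  {data[o:o + 16].hex(' '):<47}  "
                     + "".join(chr(b) if 32 <= b < 127 else "." for b in data[o:o + 16])
                     for o in range(0, len(data), 16))

def analyze(line):
    """Decode the base64 fields of an event and cross-check them against the event's metadata."""
    fields = parse_event(line)
    ctx = {k: base64.b64decode(fields[k], validate=True) for k in B64_FIELDS if fields.get(k)}
    frame = parse_frame(ctx["cid:triggerPacket"])
    target = smb1_status(ctx.get("cid:context.cid:fromTarget", b""))
    return {
        "fields": fields, "decoded": ctx, "frame": frame, "target_smb": target,
        # the trigger packet should agree with the src/dst/dst_port the event reports
        "addresses_match": (frame["src"] == fields["src"] and frame["dst"] == fields["dst"]
                            and str(frame["dport"]) == fields["dst_port"].strip("[]")),
        # assumption: the "Multiple logon failures" this signature counts show up on the wire
        # as the target answering Session Setup requests with STATUS_LOGON_FAILURE
        "logon_failure": bool(target and target["is_reply"] and target["status"] == STATUS_LOGON_FAILURE),
    }

# --- constructed sample data (made up for this example; the post had these fields <removed>) ---

def smb1_session_setup(reply, status):
    """NetBIOS session message carrying a 32-byte SMB1 Session Setup AndX (0x73) header."""
    hdr = (b"\xffSMB" + bytes([0x73]) + struct.pack("<I", status) + bytes([0x80 if reply else 0])
           + struct.pack("<HH", 0xC801, 0) + b"\x00" * 8 + struct.pack("<HHHHH", 0, 0, 0, 0, 0))
    return struct.pack(">I", len(hdr)) + hdr     # type 0x00 + 3-byte length

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP around payload; checksums left zero, which is fine offline."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip4 + tcp + payload

def build_sample_event():
    """Event line modelled on the one in the post, with made-up bytes in the base64 fields."""
    b64 = lambda b: base64.b64encode(b).decode()
    request = smb1_session_setup(reply=False, status=0)
    failure = smb1_session_setup(reply=True, status=STATUS_LOGON_FAILURE)
    trigger = build_frame("10.10.10.4", "192.168.178.131", 3539, 445, request)
    return ("*********** Cisco IDS    08 Oct 2012 08:50:36    id= xyxyxyxyxy    sig_id= 16297    "
            "sig= Worm Activity - Brute Force    src= 10.10.10.4    src_port= [3539]    "
            "dst= 192.168.178.131    dst_port= [445]    proto= tcp    "
            "sd:signature.cid:sigDetails=Multiple logon failures    "
            f"cid:context.cid:fromTarget= {b64(failure)}    cid:context.cid:fromAttacker={b64(request)}    "
            'cid:alertDetails=InterfaceAttributes:  context="single_vf" physical="Unknown" '
            f'backplane="GigabitEthernet0/1" ;     cid:triggerPacket={b64(trigger)}    '
            "cid:riskRatingValue=25    cid:protocol=tcp ************")

if __name__ == "__main__":
    result = analyze(build_sample_event())
    for name, raw in result["decoded"].items():
        print(f"--- {name} ({len(raw)} bytes)\n{hexdump(raw)}")
    print("trigger packet:", {k: v for k, v in result["frame"].items() if k != "payload"})
    print("addresses match event:", result["addresses_match"])
    print("target replied STATUS_LOGON_FAILURE:", result["logon_failure"])
```

Run it as a script to get a hexdump of each decoded field plus the two checks. To use it on a real alert, pass the exported line to analyze() instead of build_sample_event(); if your SIEM export separates fields with something other than runs of spaces, change the re.split pattern in parse_event. An address mismatch between the trigger packet and the event's src/dst is a sign the export mangled the base64, and a fromTarget context with no SMB reply in it (or a reply with status 0) is the kind of evidence to hand the IPS owner when arguing the alert is a false positive worth filtering.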
