vms

nataraj_v
Level 1

Dear All,

I am getting a lot of alerts on

9017 - Back Door Probe (TCP 5401). I found in my VMS server (D:\Program Files\CSCOpx\CSAMC\cfg) the ssl-bundle file [BUNDLE_CONF]:

mc.server_cert_cn=itvms

mc.http_port=80

mc.https_port=5401

mc.alt_https_port=443

Is it that all these alerts are coming because this VMS server is listening on port 5401?

Please reply.

Thanks in advance.

Regards.

Nataraj

6 Replies

gfullage
Cisco Employee

The default port for CSA agent to MC communication is 5401, with a fallback to 443 if that fails. So yes, this traffic will also set off IDS signature 9017 since all it is looking for is a TCP SYN on port 5401. The benign triggers for this event listed in the NSDB do state:

Benign Trigger(s): It is entirely possible that a machine is running a service on the same port as a known trojan.

Recommended Signature Filter: Exclude systems running a valid service on the port in question as destinations.

My recommendation would be to add a filter for this signature with a destination address of your VMS server, that will eliminate all these signatures firing.

Dear Sir,

Thanks very much gfullage, but I have never added a filter to a signature before. Could you please guide me?

In my setup I am using a Cisco NIDS 4235 sensor.

And we have 2 sensors in each location: one is for incoming traffic and the other for outgoing traffic.

Our WAN is centralized and all NIDS (2 NIDS in each location) send alerts to our VMS server. Now, on which sensors should I add this filter so that I won't get alerts on 9017?

Thanks and Regards.

Nataraj

Hi nataraj,

You need to add it on the server where you get these alerts. When you filter any signature on the VMS, it is applied to the IDS automatically, and the signature can no longer be seen on the Security Monitor. If this is a false positive, you can configure a filter as follows:

1) On the IDS MC, click Configuration > Settings.

2) If you have only one IDS, you will find a TOC tab with a lot of options like Identification, Settings, Filters, etc.

3) On the Filters menu, give the signature, source address and destination addresses as desired by you.

You can find information about this at the following URL:

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a008031b030.html

Hope this helps. All the best.

Raj

Dear SachinRaja,

Thank you very much. I did so: I created an exclusive filter on 9017 for the present alerts. The source is (my VMS server) and the destination is the internal LAN. Please confirm for me: the filter will eliminate alerts from the above source and destination, but not alerts on other sources and destinations. Is that right?

Thanks and Regards

Nataraj

Yes nataraj,

This filter will eliminate the events generated on the Security Monitor with the specified source/destination/signature ID, etc. It is only on the Security Monitor that you are filtering events. Hope you got it.

Raj

Dear All,

I am still getting alerts from this source (10.0.67.120) to destination (10.1.1.34) (this is the gateway IP, where the NIDS sensor is present). As you know, I applied an exclude filter for the above source and destination. Why am I still getting alerts even though I applied the filter on the VMS?

Thanks and Regards

Nataraj
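The filter logic discussed in this thread, as an added example that is not part of the original posts or of Cisco's software: an exclude filter keyed on signature ID, source and destination is applied to a few constructed 9017 events. It shows that the filter gfullage recommends (destination = the VMS server) suppresses the agent-to-MC SYNs on TCP 5401 while leaving a probe against another host visible, and that a filter keyed the other way round (source = VMS, destination = internal LAN, as Nataraj describes configuring) does not match agent-to-MC traffic at all. All addresses are constructed placeholders, not the ones in the thread.

```python
import ipaddress
from dataclasses import dataclass

SIG_BACKDOOR_PROBE = 9017   # "Back Door Probe (TCP 5401)" signature from the thread
CSA_MC_PORT = 5401          # default CSA agent -> MC port (mc.https_port above)

# Constructed placeholder addresses, not the ones in the thread.
VMS_SERVER = "198.51.100.10"       # CSA MC / VMS host listening on TCP 5401
INTERNAL_LAN = "192.0.2.0/24"      # LAN the CSA agents live on

@dataclass(frozen=True)
class Event:
    sig_id: int
    src: str
    dst: str
    dst_port: int

@dataclass(frozen=True)
class ExcludeFilter:
    sig_id: int
    src: str   # IP address or CIDR, or "any"
    dst: str   # IP address or CIDR, or "any"

def in_scope(addr: str, spec: str) -> bool:
    """True when addr falls inside spec ('any' is a wildcard)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(f: ExcludeFilter, e: Event) -> bool:
    """An exclude filter matches on signature ID, source and destination together."""
    return e.sig_id == f.sig_id and in_scope(e.src, f.src) and in_scope(e.dst, f.dst)

def surviving(events, filters):
    """Events that no exclude filter matches, i.e. what Security Monitor still shows."""
    return [e for e in events if not any(matches(f, e) for f in filters)]

# Constructed sample events: an agent talking to the MC, and a real probe elsewhere.
AGENT_TO_MC = Event(SIG_BACKDOOR_PROBE, "192.0.2.25", VMS_SERVER, CSA_MC_PORT)
PROBE_ELSEWHERE = Event(SIG_BACKDOOR_PROBE, "203.0.113.7", "192.0.2.40", CSA_MC_PORT)
EVENTS = [AGENT_TO_MC, PROBE_ELSEWHERE]

# gfullage's recommendation: exclude the VMS server as destination.
RECOMMENDED = ExcludeFilter(SIG_BACKDOOR_PROBE, "any", VMS_SERVER)
# The reversed filter: VMS as source, internal LAN as destination.
REVERSED = ExcludeFilter(SIG_BACKDOOR_PROBE, VMS_SERVER, INTERNAL_LAN)

if __name__ == "__main__":
    print("recommended filter leaves:", surviving(EVENTS, [RECOMMENDED]))
    print("reversed filter leaves:", surviving(EVENTS, [REVERSED]))
```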
