What are the usual practices if you find attack records in Cisco IME?

martlee2
Cisco Employee

What are the usual practices if you find attack records in Cisco IME?

Is updating the firmware the only action that users can take?

3 Replies

Marvin Rhoads
Hall of Fame

If IME is reporting events that were incoming connection attempts blocked by the IPS then no further action is required.

If an internal device is the source then additional remediation may be indicated depending on what trigger event is detected.

In the victim report, high severity, no action in the Excel file, what should I do?

Cisco IOS NX-OS Malformed LISP Packet Denial of Service 7170/0
DNS Query Name Loop DoS 6065/0

The first one is telling you that the detected IOS or NX-OS version on one or more of your devices has this vulnerability. LISP is seldom seen in small or medium enterprise and if you do not have it configured, it's not an issue.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu64279/?referring_site=bugquickviewredir

The second one generally points to DNS misconfiguration somewhere in your network. You'd have to look more closely at the victim system to determine more information and whether or not it is important in your environment.

In general, IPS alerts are a starting point for security operations to perform investigations. You're using the older discontinued IPS type and it does not have the flexibility of self-tuning like the newer FirePOWER-based systems do.
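
Added example (not part of the thread and not Cisco code): the triage rule from the replies above, applied to an exported event list. The CSV column names, the "deny" action strings and the internal address ranges are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample rows. Column names are assumed, not the real IME export schema.
SAMPLE_EXPORT = """sig_id,sig_name,severity,attacker,victim,actions
7170/0,Cisco IOS NX-OS Malformed LISP Packet Denial of Service,high,203.0.113.9,10.1.1.1,deny-packet-inline
6065/0,DNS Query Name Loop DoS,high,10.1.20.15,10.1.1.53,
6065/0,DNS Query Name Loop DoS,high,198.51.100.7,10.1.1.53,
"""

# Assumption: the site uses RFC 1918 space internally; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when the address falls inside one of the site's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(row):
    """Map one event row to a next step, following the replies in this thread."""
    actions = [a for a in row["actions"].split("|") if a]
    blocked = any(a.startswith("deny") for a in actions)
    if is_internal(row["attacker"]):
        # An internal device is the source: remediation may be indicated.
        return "investigate-source"
    if blocked:
        # Incoming attempt that the IPS blocked: no further action required.
        return "no-action"
    # Incoming and not blocked: look more closely at the victim system.
    return "investigate-victim"


def triage_export(text):
    """Return (sig_id, attacker, verdict) for every row of an exported CSV."""
    reader = csv.DictReader(io.StringIO(text))
    return [(r["sig_id"], r["attacker"], triage(r)) for r in reader]


if __name__ == "__main__":
    for sig_id, attacker, verdict in triage_export(SAMPLE_EXPORT):
        print(f"{sig_id:8} {attacker:15} {verdict}")
```
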
