1456 Views, 0 Helpful, 7 Replies

Worm Activity - IDS Going Crazy - Can you help with the analysis

Lonnie Nagel
Level 1

This is what I am seeing on the IDS (lots of these with lots of attackers, but always 0.0.0.0 for the victim):

evIdsAlert: eventId=6824202298114  vendor=Cisco  severity=high  alarmTraits=32768
  originator:
    hostId: TAMUK_IPS-9
    appName: sensorApp
    appInstanceId: 3448
  time: Jun 17, 2013 20:57:09 UTC  offset=-300  timeZone=CDT
  signature:   description=AD - External TCP Scanner  id=13003  version=S262  type=anomaly  created=20061120
    subsigId: 1
    sigDetails: Worm Attack
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 139.XX.XXX.240  locality=OUT
    target:
      addr: 0.0.0.0  locality=Unknown
      port: 80
  actions:
    ipLoggingActivated: true
    shunRequested: true
    denyPacketRequestedNotPerformed: true
    logAttackerPacketsActivated: true
    logVictimPacketsActivated: true
  alertDetails: .    adExtraData: numDestIps=5; currentThreshold=5; destPort=80 ;
  ipLogIds:
    ipLogId: 2
  riskRatingValue: 100  targetValueRating=medium
  threatRatingValue: 80
  interface: po0_0
  protocol: tcp

Any idea of what I am looking at here? All reports list the port as either 443 or 80.

Thanks in advance

7 Replies

Lonnie Nagel
Level 1

Also note that all of my "attackers" are listed as internal IP addresses.

All Victims are listed as 0.0.0.0

All ports are listed as either 80 or 443

smetieh001
Level 1

Hi Lonnie,

Is this an AIP-SSM module? If so, your IPS is configured with a global policy to match any traffic (which includes the internal network), or your internal subnet is included in the ACL (access-list IPS_acl permit 192.X.X.X; match IPS_acl) to be inspected. This is likely the reason why you can see internal IP addresses as the attacker. Having said that, I would track down the attacking computer and investigate it further, or take it offline and see if the alert stops.

Hope this helps.

Sylvester

Sylvester - Thanks for the response. A couple of things here:

Yes, it is the AIP-SSM module residing in an ASA 5585.

I would think that I normally would want to include internal subnets in the scope of the ACL. Is this not how the implementation would typically go? This is a new implementation and is only about 3 weeks old. However, when I initially brought it online, I don't recall seeing these kinds of hits for this type of activity.

The other thing is that I am receiving around 3 hits per second (same thing always port 80 and/or 443 and always 0.0.0.0 as the victim)

Additionally, I am up to around 1400 different internal hosts, so I'm kinda in a "can't see the forest because of the trees" conundrum.

I am receiving only an occasional abuse notification on the issue and when we track down individual hosts - we are seeing no worm activity on that host.

Almost want to believe that I am getting "false positives" here - but having trouble deciding how to proceed other than what I have been doing.

Any further advice would be appreciated.
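An added worked example for the triage problem described above (this is editor-supplied code, not from the thread or from Cisco): a Python script that parses a dump of evIdsAlert records in the layout of the alert in the first post and collapses them into one row per attacker. In these AD scanner alerts the target address is a placeholder; the actionable fields are numDestIps, currentThreshold and destPort in adExtraData, which say how many distinct destination IPs the attacker reached on that port against the sensor's learned limit. Grouping by attacker and sorting on the largest numDestIps puts hosts fanning out to dozens of destinations above hosts that merely brushed a threshold of 5. The sample records are constructed: the addresses, event IDs and times are made up, the field names are the sensor's.

```python
import re
from collections import defaultdict

# Constructed sample (not real sensor output): three AD scanner alerts in the
# layout of the evIdsAlert record in the first post; hosts, IDs and times are made up.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1001  vendor=Cisco  severity=high  alarmTraits=32768
  time: Jun 17, 2013 20:57:09 UTC  offset=-300  timeZone=CDT
  signature:   description=AD - External TCP Scanner  id=13003  version=S262  type=anomaly  created=20061120
  participants:
    attacker:
      addr: 10.20.30.40  locality=OUT
    target:
      addr: 0.0.0.0  locality=Unknown
      port: 80
  alertDetails: .    adExtraData: numDestIps=5; currentThreshold=5; destPort=80 ;
evIdsAlert: eventId=1002  vendor=Cisco  severity=high  alarmTraits=32768
  time: Jun 17, 2013 20:57:10 UTC  offset=-300  timeZone=CDT
  signature:   description=AD - External TCP Scanner  id=13003  version=S262  type=anomaly  created=20061120
  participants:
    attacker:
      addr: 10.20.30.40  locality=OUT
    target:
      addr: 0.0.0.0  locality=Unknown
      port: 443
  alertDetails: .    adExtraData: numDestIps=12; currentThreshold=5; destPort=443 ;
evIdsAlert: eventId=1003  vendor=Cisco  severity=high  alarmTraits=32768
  time: Jun 17, 2013 20:57:11 UTC  offset=-300  timeZone=CDT
  signature:   description=AD - External TCP Scanner  id=13003  version=S262  type=anomaly  created=20061120
  participants:
    attacker:
      addr: 10.20.30.41  locality=OUT
    target:
      addr: 0.0.0.0  locality=Unknown
      port: 80
  alertDetails: .    adExtraData: numDestIps=6; currentThreshold=5; destPort=80 ;
"""

# One regex per field, anchored on the literal labels in the evIdsAlert text.
_EVENT_ID = re.compile(r"eventId=(\d+)")
_TIME = re.compile(r"(?m)^\s*time:\s*(.+?)\s+offset=")
_SIG_ID = re.compile(r"(?m)^\s*signature:.*?\bid=(\d+)")
_ATTACKER = re.compile(r"attacker:\s*\n\s*addr:\s*(\S+)")
_TARGET = re.compile(r"target:\s*\n\s*addr:\s*(\S+)")
_PORT = re.compile(r"(?m)^\s*port:\s*(\d+)")
_AD = re.compile(r"numDestIps=(\d+);\s*currentThreshold=(\d+)")

def _first(rx, text, cast=str):
    m = rx.search(text)
    return cast(m.group(1)) if m else None

def parse_alerts(text):
    """Split a dump of evIdsAlert records into one dict per alert."""
    alerts = []
    for rec in re.split(r"(?m)^(?=evIdsAlert:)", text):
        if not rec.strip():
            continue
        ad = _AD.search(rec)
        alerts.append({
            "event_id": _first(_EVENT_ID, rec, int),
            "time": _first(_TIME, rec),
            "sig_id": _first(_SIG_ID, rec, int),
            "attacker": _first(_ATTACKER, rec),
            "target": _first(_TARGET, rec),
            "dest_port": _first(_PORT, rec, int),
            # adExtraData is what makes an AD alert actionable: distinct
            # destination IPs hit by the attacker versus the learned threshold.
            "num_dest_ips": int(ad.group(1)) if ad else None,
            "threshold": int(ad.group(2)) if ad else None,
        })
    return alerts

def rank_attackers(alerts):
    """Collapse alerts to one row per attacker address, widest fan-out first."""
    per = defaultdict(lambda: {"events": 0, "max_dest_ips": 0, "threshold": None, "ports": set()})
    for a in alerts:
        if a["attacker"] is None:
            continue
        row = per[a["attacker"]]
        row["events"] += 1
        if a["dest_port"] is not None:
            row["ports"].add(a["dest_port"])
        if a["num_dest_ips"] is not None:
            row["max_dest_ips"] = max(row["max_dest_ips"], a["num_dest_ips"])
        if a["threshold"] is not None:
            row["threshold"] = a["threshold"]
    ranked = [{"attacker": addr, "ports": sorted(r["ports"]),
               **{k: r[k] for k in ("events", "max_dest_ips", "threshold")}}
              for addr, r in per.items()]
    ranked.sort(key=lambda r: (-r["max_dest_ips"], -r["events"], r["attacker"]))
    return ranked

if __name__ == "__main__":
    for row in rank_attackers(parse_alerts(SAMPLE_EVENTS)):
        print(row)
```

Feed it the raw text exported from the event viewer instead of SAMPLE_EVENTS; the top rows of the ranking are the hosts worth sending the desktop team to first, and hosts whose numDestIps never rose above currentThreshold are the candidates for an anomaly-detection threshold that was learned from too short a baseline.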

First, the internal network should normally be in the ACL; it is better security practice. Is your IPS set to anomaly detection? (I see that the signature giving off this alert is an AD signature.) If so, your IPS may have sensed some traffic it considers abnormal, resulting in false positives.

An instance when this could happen is if the network traffic pattern changes due to changes in network activity, i.e. due to a new enterprise application deployment.

Since your IPS was deployed 3 weeks ago, chances are that it has not fully learned the environment before being put into active service.

I would investigate a couple of these computers (attackers) to rule out a worm.

These are just my thoughts....

http://www.cisco.com/en/US/docs/security/ips/7.2/configuration/guide/ime/ime_anomaly_detections.pdf

Sylvester

Is your IPS issue resolved?

Not quite, but a bit closer. We were able to determine a "phone home" address (Amsterdam) and have set up an ACL block in the firewall. It appears that 40 or so machines are reporting back to the IP, so we are currently sending desktop guys out to verify that the worm actually resides on those machines.

One question you might know the answer to: we seem to have the ACL working correctly, as we received 800,000 hits in the first hour or so. However, I am still seeing activity in the IDS event viewer.

The IDS/IPS is the AIP-SSM, so with the ACL block in the ASA shouldn't the event viewer in the IPS have stopped logging? I guess the question is: in order of sequence, does the ASA protection come first or does the IPS protection come first for outbound traffic?

Hi Lonnie,

I am happy to hear you are making good progress. I think investigating those 40 machines was the right call.

What I can see from your log is that the IDS/IPS signature requested a "Shun", which the ASA responds to and blocks the traffic for a duration. If I am not mistaken, it means the IDS/IPS received the traffic before the block was placed by the IPS. I guess that's why you still receive the alerts.

http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html

Regards,

Sylvester
