Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
0
Helpful
1
Replies

WWW WinNT cmd.exe Access & SQL Injection

JEFF SPRADLING
Level 1
Level 1

‎03-19-2013 01:42 PM - edited ‎03-10-2019 05:55 AM

Hi all,

I'm getting tons of alerts for the above signatures, all targeted at one server but from different IP Addresses.  They started in Germany, and now are coming from Texas.  We've checked the server and it's not vulnerable to the attack, plus the IPS is dropping the packets and sending resets, so it's not a big concern, but I wonder WHY these attacks keep coming.

Also, I've setup several Event Filters to 'subtract' the Produce Alert Action so we'll stop getting alerts when these occur.  How can I:

1) be sure that the packets are still being dropped and resets sent to the server?

2) track these attacks if we're no longer getting alerts

Finally, is the event filter the best way to turn these alerts off?

Thanks!

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎03-19-2013 11:38 PM

Hello Jeff,

1) Why dont' you run wireshark and check if you are receiving Reset packets ( That would be the easiest one)

2) You could try to tune the IPS signature to send an alert after several of this events and not just one so you dont get a bunch of alerts

3) I would say it's a great approach sr, but disabling the alert I do not like it that much, I would change the way the alerts are generated as I said on point 2

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card