
Alarm 1104 source 127.0.0.1

fregon
Level 1

Hello,

We have been receiving alerts for this alarm. It seems that someone is trying to spoof the host IP to check for vulnerabilities. Is there a way at all to find out the real source IP of the attacker trying to spoof the IP address? Here is the alert we receive from the IDS sensor:

High Severity Alarms

IDS alarm 1104 source: 127.0.0.1 port: 80 destination: x.x.252.19 port: 1987 @ 2004/03/17

Alarm Details

Thank you!

1 Reply

darin.marais
Level 4

As far as I am aware, the only way to trace this is to take a sniffer and move it from segment to segment:

> locate the sniffer at the segment that you are receiving the localhost packets, obtain the MAC address, and trace it to the device. If it is a router MAC then move to the next segment behind the router until you find the virus-infected device.

Ref http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea1a4b