05-03-2010 02:28 AM
Hi,
I have recently started seeing a lot of high category alerts with no destination IP or port information. Event types include the following:
TCP Hijack
Microsoft Plug and Play Overflow
TCP Segment Overwrite
Does anyone know why this type of alert occurs? It is impossible to check target systems when destination information is unavailable.
Many thanks
Liam
05-03-2010 03:44 AM
Liam;
You can search for more information on various Cisco IPS signatures by visiting:
Choose the 'Advanced Search' option and enter the signature ID. This should help you better understand the specifics of the signatures that are firing.
In regard to the missing data in the CS-MARS incidents, if the firing signatures are summary events, some details are consolidated to 0.0.0.0 for the IP address and 0 for the port information. In these instances, CS-MARS cannot provide any further information since the raw event has no additional details. Could you provide the raw message or one or two of these events for confirmation?
Scott
05-03-2010 05:45 AM
Hi Scott,
Thanks for the swift reply.
I checked the raw event details for a TCP Hijack alert
target:
addr: 0.0.0.0 locality="any"
port: 0
Which seems to confirm your suspicions. I'm just wondering what I can do with these event types - is this something I should be concerned about?
Many thanks
Liam
05-03-2010 05:58 AM
Liam;
That is certainly indicative of a summarized signature event. If you look further into the raw message, you should see indication that this is a summary event, as well as the initial trigger event ID. You may be able to determine a single source from the initial event, but in most instances these events are generated due to behavior of the attacker, and you would want to investigate the attacker/source of the event if it is located within your control. If you really want to investigate each and every occurrence of the attack, you could disable summarization on the signature in question (set the Summary Mode to 'Fire All'). This has the potential to generate a large number of events and should not be used long-term. For the specific TCP Hijack signature, there are benign triggers explained on our IntelliShield site:
It is always good to be concerned over any incident that is reported prior to any investigation by yourself to understand the implications. Upon determination of the underlying cause of the signature event, you may wish to continue getting alerts on the event, or you could create an event action filter on the IPS to stop alerting for specific IP addresses, or create a drop rule in the CS-MARS to only log the event to the database (or drop completely).
Scott
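The triage Scott describes, as an added example that is not part of the thread and not Cisco's or CS-MARS's own code: split a feed of raw events into summary events (target consolidated to 0.0.0.0 / port 0, exactly the fragment Liam quoted) and full events, collect the initial trigger IDs from the summaries, and list the attacker addresses that fall inside networks under your own control, since those are the ones worth chasing. The event layout is a constructed plain-text rendering modelled on the target/addr/port fragment above; the signature, attacker, summary, initialAlert and count field names and the alert IDs are assumptions for the example, not the real raw-event format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not real CS-MARS or Cisco IPS output. Only the
# target/addr/port/locality layout follows the fragment quoted in the thread;
# signature, attacker, summary, initialAlert and count are assumed field names
# and the alert IDs are placeholders.
RAW_EVENTS = """\
event:
  signature: name="TCP Hijack"
  attacker:
    addr: 10.1.20.45 locality="IN"
    port: 44561
  target:
    addr: 0.0.0.0 locality="any"
    port: 0
  summary: initialAlert=alert-A1 count=37
---
event:
  signature: name="TCP Segment Overwrite"
  attacker:
    addr: 198.51.100.7 locality="OUT"
    port: 52010
  target:
    addr: 0.0.0.0 locality="any"
    port: 0
  summary: initialAlert=alert-B2 count=12
---
event:
  signature: name="Microsoft Plug and Play Overflow"
  attacker:
    addr: 10.1.20.45 locality="IN"
    port: 3391
  target:
    addr: 10.1.30.8 locality="IN"
    port: 445
---
event:
  signature: name="TCP Hijack"
  attacker:
    addr: 192.0.2.10 locality="OUT"
    port: 40122
  target:
    addr: 10.1.30.9 locality="IN"
    port: 80
"""

# The consolidated target that marks a summary event in the raw message.
SUMMARY_TARGET = ("0.0.0.0", 0)


def parse_event(block):
    """Parse one raw-event block into a dict with 'signature', optional 'summary'
    (dict of key=value pairs) and nested 'attacker'/'target' dicts (addr, locality, port)."""
    event = {"attacker": {}, "target": {}}
    section = None
    for line in block.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "event:":
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("attacker", "target") and not value:
            section = key          # following addr/port lines belong to this endpoint
            continue
        if section and key in ("addr", "port"):
            if key == "addr":
                m = re.match(r'(\S+)(?:\s+locality="([^"]*)")?', value)
                event[section]["addr"] = m.group(1)
                event[section]["locality"] = m.group(2) or ""
            else:
                event[section]["port"] = int(value)
            continue
        section = None             # back at top level
        if key == "signature":
            m = re.search(r'name="([^"]*)"', value)
            event["signature"] = m.group(1) if m else value
        elif key == "summary":
            event["summary"] = dict(kv.split("=", 1) for kv in value.split())
    return event


def is_summary(event):
    """True when the target was consolidated to 0.0.0.0 / port 0 (a summary event)."""
    t = event["target"]
    return (t.get("addr"), t.get("port")) == SUMMARY_TARGET


def triage(raw_text, managed_nets):
    """Classify events, collect initial trigger IDs from summaries, and pick out
    attacker addresses inside the networks we control (the ones to investigate)."""
    nets = [ipaddress.ip_network(n) for n in managed_nets]
    report = {"summary": set(), "full": set(),
              "initial_alerts": defaultdict(list), "investigate": defaultdict(set)}
    for block in raw_text.split("---"):
        if not block.strip():
            continue
        e = parse_event(block)
        sig = e["signature"]
        if is_summary(e):
            report["summary"].add(sig)
            init = e.get("summary", {}).get("initialAlert")
            if init:
                report["initial_alerts"][sig].append(init)
        else:
            report["full"].add(sig)
        src = e["attacker"].get("addr")
        if src and any(ipaddress.ip_address(src) in n for n in nets):
            report["investigate"][sig].add(src)
    report["initial_alerts"] = dict(report["initial_alerts"])
    report["investigate"] = {k: sorted(v) for k, v in report["investigate"].items()}
    return report


if __name__ == "__main__":
    for k, v in triage(RAW_EVENTS, ["10.0.0.0/8"]).items():
        print(k, v)
```

On the sample above the two summary events point back to placeholder initial alerts, and the one internal attacker (10.1.20.45) shows up under both TCP Hijack and the Plug and Play signature, which is the host you would look at first rather than switching the signature to Fire All.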