01-10-2011 06:30 AM
I am currently seeing a Windows 2003 Domain Controller and client machines showing up as if they are doing P2P between each other. However, I have confirmed this is not the case, but I am curious as to what could possibly cause them to show up in a P2P report. Thanks in advance.
Jeremy Lawrence
Solved! Go to Solution.
01-11-2011 05:15 AM
Jeremy;
The first thing to do is determine the reporting device that detected the behavior. You will most likely want to review the details of the CS-MARS event as well as the raw message supporting that event. If the device is an IDS/IPS sensor, the raw message should contain the signature name/ID as well as source/destination IP addresses and service reports. You can research the specifics of the signature here:
http://tools.cisco.com/security/center/search.x
If the reporting device is not an IDS/IPS, the raw message should still contain details as to traffic specifics that caused the classification as potential P2P.
You can then review the machines reported to determine if there is anything unexpected running on them, or if this is an expected behavior.
This should let you see the underlying event/behavior that caused the devices to be added to the P2P report.
Scott
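To show the triage Scott describes in code, here is an added example (not code from the original thread or from CS-MARS) that parses a handful of constructed raw sensor messages, works out which signature IDs put each host into a P2P report, and flags the cases where a P2P signature fired on a standard Windows service port between two internal hosts. The key=value message layout, the signature IDs (90001, 90002, 80001) and the function names are all assumptions for illustration, not the real CS-MARS/IPS format or Cisco signature numbers; the message lines themselves are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample raw messages in a generic key=value syslog style. This is
# an assumed layout for illustration, not the exact CS-MARS or Cisco IPS format,
# and the sig_id values are placeholders rather than real Cisco signature numbers.
SAMPLE_RAW = """\
2011-01-10T06:12:01 sensor=ips1 sig_id=90001 sig_name="eDonkey Client Request" src=10.0.0.5 sport=51234 dst=10.0.0.10 dport=445 proto=tcp
2011-01-10T06:12:04 sensor=ips1 sig_id=90001 sig_name="eDonkey Client Request" src=10.0.0.7 sport=49801 dst=10.0.0.10 dport=445 proto=tcp
2011-01-10T06:13:10 sensor=ips1 sig_id=90001 sig_name="eDonkey Client Request" src=10.0.0.10 sport=445 dst=10.0.0.5 dport=51234 proto=tcp
2011-01-10T06:14:00 sensor=ips1 sig_id=90002 sig_name="BitTorrent Handshake" src=10.0.0.42 sport=6881 dst=203.0.113.9 dport=6881 proto=tcp
2011-01-10T06:15:00 sensor=ips1 sig_id=80001 sig_name="LDAP Query" src=10.0.0.42 sport=4000 dst=10.0.0.10 dport=389 proto=tcp
"""

# Signature-name keywords treated as P2P classifiers (assumed list for the example).
P2P_SIG_KEYWORDS = ("edonkey", "bittorrent", "gnutella", "kazaa")

# Standard Windows / Active Directory service ports. A P2P signature firing on
# one of these between internal hosts is a hint to scrutinise the signature
# (what exactly it matches) before suspecting the hosts.
WINDOWS_SERVICE_PORTS = {88, 135, 139, 389, 445, 636, 3268, 3269}

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_raw(text):
    """Parse key=value raw messages into dicts (timestamp kept under 'ts')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        for key, val, quoted in FIELD_RE.findall(rest):
            ev[key] = quoted if val.startswith('"') else val
        for port in ("sport", "dport"):
            if port in ev:
                ev[port] = int(ev[port])
        events.append(ev)
    return events


def is_p2p_signature(ev):
    """True if the signature name matches one of the assumed P2P keywords."""
    return any(k in ev.get("sig_name", "").lower() for k in P2P_SIG_KEYWORDS)


def p2p_report(events):
    """For each host implicated by a P2P signature, collect the signature IDs
    and the peers it was seen talking to. This is the question to answer
    first: which signature put the host into the report?"""
    hosts = defaultdict(lambda: {"sig_ids": set(), "peers": set()})
    for ev in events:
        if not is_p2p_signature(ev):
            continue
        for me, peer in ((ev["src"], ev["dst"]), (ev["dst"], ev["src"])):
            hosts[me]["sig_ids"].add(ev["sig_id"])
            hosts[me]["peers"].add(peer)
    return dict(hosts)


def suspicious_matches(events, internal_prefix="10.0.0."):
    """P2P signature hits on a Windows service port between two internal
    hosts: likely a signature matching legitimate traffic, so worth checking
    the signature details before the machines."""
    out = []
    for ev in events:
        if not is_p2p_signature(ev):
            continue
        internal = (ev["src"].startswith(internal_prefix)
                    and ev["dst"].startswith(internal_prefix))
        on_win_port = (ev["sport"] in WINDOWS_SERVICE_PORTS
                       or ev["dport"] in WINDOWS_SERVICE_PORTS)
        if internal and on_win_port:
            out.append((ev["sig_id"], ev["sig_name"], ev["src"], ev["dst"], ev["dport"]))
    return out


if __name__ == "__main__":
    evs = parse_raw(SAMPLE_RAW)
    for host, info in sorted(p2p_report(evs).items()):
        print(host, "signatures:", sorted(info["sig_ids"]), "peers:", sorted(info["peers"]))
    for match in suspicious_matches(evs):
        print("check signature:", match)
```

With the constructed sample, the domain controller 10.0.0.10 and two clients are tied to a single signature ID, and every one of those hits is on TCP/445 inside the internal range; that is exactly the pattern that points you at the signature definition on the Cisco security search page rather than at the hosts. The LDAP line is deliberately included as a non-P2P event to show it is ignored, and the BitTorrent hit to an external address is reported but not flagged as a Windows-port false positive.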
01-13-2011 02:50 PM
For some reason the eDonkey signature was causing this issue. Thanks for your help.
01-14-2011 04:56 AM
Jeremy;
Glad to hear you were able to track down the cause of the issue.
Scott