False Positive P2P

jnlawrence76 (Level 1)

I am currently seeing a Windows 2003 Domain Controller and client machines showing up as if they are doing P2P between each other. However, I have confirmed this is not the case, but I am curious as to what could possibly cause them to show up in a P2P report. Thanks in advance.

Jeremy Lawrence

Accepted Solution

Scott Fringer (Cisco Employee)

Jeremy;

  The first thing to do is determine the reporting device that detected the behavior. You will most likely want to review the details of the CS-MARS event as well as the raw message supporting that event. If the device is an IDS/IPS sensor, the raw message should contain the signature name/ID as well as source/destination IP addresses and service ports. You can research the specifics of the signature here:

http://tools.cisco.com/security/center/search.x

  If the reporting device is not an IDS/IPS, the raw message should still contain details as to traffic specifics that caused the classification as potential P2P.

  You can then review the machines reported to determine if there is anything unexpected running on them, or if this is an expected behavior.

  This should let you see the underlying event/behavior that caused the devices to be added to the P2P report.

Scott
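The triage Scott describes, as an added example that is not part of the original thread: parse the fields he lists (reporting device, signature name/ID, source/destination addresses and ports) out of each raw message, decide for each hit whether the endpoints and ports look like expected domain-controller traffic or need a closer look, and group the verdicts by signature so the noisiest signature stands out. The raw-message format is a constructed key=value form, not the real CS-MARS or Cisco IPS format; the host inventory, port sets, signature IDs and sample messages are all assumptions made for the example.

```python
"""Triage of P2P detections by signature and endpoint role.

Added example, not code from the original post. The raw-message format is a
constructed key=value form, not the real CS-MARS or Cisco IPS raw-message
format; the host inventory, port sets and signature IDs are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed host inventory for the environment in the thread (constructed).
KNOWN_HOSTS = {
    "10.0.0.21": "domain-controller",
    "10.0.0.50": "client",
    "10.0.0.51": "client",
}

# Ports a Windows domain member legitimately uses to reach a domain controller:
# Kerberos, RPC endpoint mapper, NetBIOS, LDAP(S), SMB, kpasswd, global catalog.
AD_SERVICE_PORTS = {88, 135, 139, 389, 445, 464, 636, 3268, 3269}

# Windows Server 2003 dynamic RPC port range (assumed default). The usual
# eDonkey client ports (4661-4672) fall inside it, so a port-based P2P
# signature can match ordinary DC/member RPC traffic.
DYNAMIC_RPC_PORTS = range(1025, 5001)

VERDICT_FP = "likely false positive: DC/member traffic on AD or dynamic RPC port"
VERDICT_UNKNOWN_HOST = "investigate: endpoint not in inventory"
VERDICT_NO_DC = "investigate: no domain controller involved"
VERDICT_ODD_PORT = "investigate: DC/member traffic on unexpected port"

# Constructed sample raw messages; sigId values are placeholders, not real IDs.
SAMPLE_RAW = """\
device=ips-1 sigId=9001 sigName=eDonkey-Client-Request src=10.0.0.50 sport=4662 dst=10.0.0.21 dport=135
device=ips-1 sigId=9001 sigName=eDonkey-Client-Request src=10.0.0.21 sport=4661 dst=10.0.0.51 dport=1040
device=ips-1 sigId=9001 sigName=eDonkey-Client-Request src=10.0.0.50 sport=4662 dst=203.0.113.9 dport=4662
device=ips-1 sigId=9002 sigName=BitTorrent-Handshake src=10.0.0.50 sport=51413 dst=10.0.0.51 dport=6881
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    device: str
    sig_id: str
    sig_name: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_event(line: str) -> Event:
    """Pull the fields the reply says to look for out of one raw message."""
    kv = dict(KV_RE.findall(line))
    return Event(kv["device"], kv["sigId"], kv["sigName"],
                 kv["src"], int(kv["sport"]), kv["dst"], int(kv["dport"]))


def classify(ev: Event) -> str:
    """Decide whether a hit is plausibly expected AD traffic or needs a look."""
    roles = {KNOWN_HOSTS.get(ev.src), KNOWN_HOSTS.get(ev.dst)}
    if None in roles:
        return VERDICT_UNKNOWN_HOST
    if "domain-controller" not in roles:
        return VERDICT_NO_DC
    if ev.dport in AD_SERVICE_PORTS or ev.sport in AD_SERVICE_PORTS:
        return VERDICT_FP
    if ev.sport in DYNAMIC_RPC_PORTS and ev.dport in DYNAMIC_RPC_PORTS:
        return VERDICT_FP
    return VERDICT_ODD_PORT


def summarize(raw: str) -> dict:
    """Group verdicts by signature name: {sig_name: {verdict: count}}."""
    by_sig = defaultdict(Counter)
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        by_sig[ev.sig_name][classify(ev)] += 1
    return {sig: dict(c) for sig, c in by_sig.items()}


def noisiest_signature(raw: str) -> str:
    """Signature with the most hits: the first one to research on the Cisco site."""
    summary = summarize(raw)
    return max(summary, key=lambda s: sum(summary[s].values()))


if __name__ == "__main__":
    for sig, verdicts in summarize(SAMPLE_RAW).items():
        print(sig, verdicts)
    print("start with:", noisiest_signature(SAMPLE_RAW))
```

The verdicts are only a starting point for the host review Scott recommends: a "likely false positive" still means checking the machine for anything unexpected, and the port overlap is a hypothesis to confirm against the signature's documented match criteria, not a conclusion.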


3 Replies


For some reason the eDonkey signature was causing this issue. Thanks for your help.

Jeremy;

  Glad to hear you were able to track down the cause of the issue.

Scott