Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
339
Views
0
Helpful
3
Replies

IDS Event 1104

noc
Level 1
Level 1

‎09-29-2003 07:11 AM - edited ‎03-09-2019 04:57 AM

In the last couple of weeks Event ID 1104 started showing up. Signature Name is Localhost. The source address is 127.0.0.1 with destination address's of my public interfaces. The source port is always 80 with different destination ports. Is this from a worm? I am assuming that the 127.0.0.1 is spoofed. Anyone else seeing this?

Thanks.

-Ryan

Labels:
0 Helpful
3 Replies 3

umedryk
Level 5
Level 5

‎10-06-2003 07:23 AM

Temporarily disable Sig 1104 and investigate the source VLAN or Shun Sig 1104 or create and anti-spoofing ACL on the router.

0 Helpful

dblairii
Level 1
Level 1

‎12-24-2003 09:46 AM

Are there any updates to this particular signature? As Ryan stated, the alarms have a source of 127.0.0.1:80 with various destination IP's on ephemeral ports... Is this signature functional yet, or should it be disabled?

Thanks,

Don

0 Helpful

shawn.posthumus
Level 1
Level 1

‎12-26-2003 08:12 AM

This signature is being triggured from the Blaster worm.

Check out the following post:

http://seclists.org/lists/incidents/2003/Oct/0131.html

0 Helpful
Customers Also Viewed These Support Documents