09-29-2003 07:11 AM - edited 03-09-2019 04:57 AM
In the last couple of weeks Event ID 1104 started showing up. Signature Name is Localhost. The source address is 127.0.0.1 with destination address's of my public interfaces. The source port is always 80 with different destination ports. Is this from a worm? I am assuming that the 127.0.0.1 is spoofed. Anyone else seeing this?
Thanks.
-Ryan
10-06-2003 07:23 AM
Temporarily disable Sig 1104 and investigate the source VLAN or Shun Sig 1104 or create and anti-spoofing ACL on the router.
12-24-2003 09:46 AM
Are there any updates to this particular signature? As Ryan stated, the alarms have a source of 127.0.0.1:80 with various destination IP's on ephemeral ports... Is this signature functional yet, or should it be disabled?
Thanks,
Don
12-26-2003 08:12 AM
This signature is being triggured from the Blaster worm.
Check out the following post:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide