Interpretation of CSIDS alarms

kynesedgman
Level 1

Dear All,

New to the world of IDS I am seeking assistance in the interpretation of a swarm of alarms noted in the logs last week.

I have a bank of 8 IIS servers and a 4230 sensor sitting behind a PIX firewall. On any given day I will see a few hundred attempted attacks using the IIS Unicode exploit or WinNT cmd.exe access.

On one particular day I saw hundreds of thousands of such alarms. The source IP address was that of one of the IIS servers on port 80, while the destination address and port varied across a gamut of addresses and ports.

I figured that an attacker had attempted a DoS attack by spoofing the source address of an internal server (believable since I do not yet have the public interface of the PIX configured to drop packets with internal source addresses). However, I am told that it is very difficult to spoof such an IIS response so my initial assumption may be wrong.

How would others interpret seeing such traffic?

Thanks,

Kyne.

1 Reply

marcabal
Cisco Employee

It is possible that you are under attack or may have even been compromised by a virus.

Nimda is one such virus that attacks IIS web servers using the IIS Unicode exploit or WinNT cmd.exe access, and there are several more that use similar methods for propagating themselves.

Be sure you have loaded the latest IIS Security Patches on your web server, and be sure your Anti-Virus software is up to date. Scan your web server with the latest antivirus to determine if you've been infected.
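The distinction the reply draws (an internal IIS server appearing as the *source* of Unicode/cmd.exe alarms against many outside hosts is what worm propagation looks like, while a few hundred alarms per day with the internal servers as *destination* is ordinary background scanning) can be checked directly against the sensor's alarm log. The following is an added triage script, not code from the original thread or from Cisco; the alarm line format, the internal subnet 192.0.2.0/24 and the sample alarms are all constructed for illustration, and a threshold of five distinct targets is an assumed cut-off. It groups alarms by source address and flags any internal host that fans out to many destinations as a possible infected propagator that needs verification on the host itself, since the sensor alone cannot rule out a spoofed source.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alarm lines (not real CSIDS output). The line layout is an
# assumption for this example: "<date> <time> <signature> <src>:<sport> -> <dst>:<dport>"
SAMPLE_ALARMS = """\
2001-09-18 10:02:11 IIS_Unicode 203.0.113.7:3341 -> 192.0.2.10:80
2001-09-18 10:02:13 WinNT_cmd.exe 203.0.113.7:3342 -> 192.0.2.10:80
2001-09-18 10:02:15 IIS_Unicode 198.51.100.4:1056 -> 192.0.2.11:80
2001-09-18 10:05:01 IIS_Unicode 192.0.2.12:80 -> 203.0.113.20:80
2001-09-18 10:05:01 IIS_Unicode 192.0.2.12:80 -> 203.0.113.21:80
2001-09-18 10:05:02 WinNT_cmd.exe 192.0.2.12:80 -> 203.0.113.22:1080
2001-09-18 10:05:02 IIS_Unicode 192.0.2.12:80 -> 198.51.100.9:80
2001-09-18 10:05:03 IIS_Unicode 192.0.2.12:80 -> 198.51.100.10:8080
2001-09-18 10:05:03 WinNT_cmd.exe 192.0.2.12:80 -> 198.51.100.11:80
"""

# Assumed: the subnet holding the IIS servers behind the PIX.
INTERNAL_NETS = [ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sig>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alarms(text):
    """Parse alarm lines into dicts; lines that do not match the layout are skipped."""
    alarms = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        alarms.append(rec)
    return alarms

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def fan_out(alarms):
    """Map each source address to the set of distinct (dst, dport) it was seen attacking."""
    targets = defaultdict(set)
    for a in alarms:
        targets[a["src"]].add((a["dst"], a["dport"]))
    return targets

def classify(alarms, threshold=5):
    """Label each source: inbound probing of our servers versus an internal host
    fanning out to many destinations (the pattern of a propagating worm such as Nimda).
    The threshold is an assumed cut-off, not a value from the sensor."""
    verdicts = {}
    for src, targets in fan_out(alarms).items():
        if is_internal(src) and len(targets) >= threshold:
            verdicts[src] = "outbound"   # verify on the host: possible infection, or spoofed source
        elif is_internal(src):
            verdicts[src] = "internal-low"
        else:
            verdicts[src] = "inbound"
    return verdicts

if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_ALARMS)
    for src, verdict in classify(alarms).items():
        print(f"{src:16} {verdict:12} distinct targets={len(fan_out(alarms)[src])}")
```

Any host reported as "outbound" is the one to pull off the network and scan with current anti-virus, as the reply advises; an anti-spoofing rule on the PIX outside interface (drop inbound packets carrying internal source addresses) would then let you rule out the spoofing explanation for future alarms.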