Hi,

ASA1/2  (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)

I configured a custom signature for syslog messaging between host A and B.

ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is supposed to
pick this up.

I can see the IPS sig trigger when it sees traffic from IP A to IP B on port 514 with
"alert high 85":


evIdsAlert: eventId=1376465320547002492  vendor=Cisco  severity=high
alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1203
  time: Nov 11, 2013 22:12:19 UTC  offset=0  timeZone=UTC
  signature:   description=syslog  id=61000  version=custom  type=other
created=20000101
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 3
  participants:
    attacker:
      addr: 7.7.3.10  locality=OUT
      port: 514
    target:
      addr: 150.1.7.20  locality=OUT
      port: 514
      os:   idSource=unknown  type=unknown  relevance=relevant
  riskRatingValue: 85  targetValueRating=medium
attackRelevanceRating=relevant
  threatRatingValue: 85
  interface: ge0_0
  protocol: udp

*PROBLEM:*

I can see the same sig triggered with the following (alert 75 and
destination 0.0.0.0):

*What is 0.0.0.0 doing here? I never configured it on my custom sig. And
why is the alert level 75, while on the one above it is 85? My original config is
75.*


evIdsAlert: eventId=1376465320547002493  vendor=Cisco  severity=high
alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1203
  time: Nov 11, 2013 22:12:34 UTC  offset=0  timeZone=UTC
  signature:   description=syslog  id=61000  version=custom  type=other
created=20000101
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 3
  participants:
    attacker:
      addr: 7.7.3.10  locality=OUT
      port: 0
    target:
      addr: 0.0.0.0  locality=OUT
      port: 0
      os:   idSource=unknown  type=unknown  relevance=unknown
  summary: 8  final=true  initialAlert=1376465320547002492
summaryType=Regular
  alertDetails: Regular Summary: 8 events this interval ;
  riskRatingValue: 75  targetValueRating=medium
  threatRatingValue: 75
  interface: ge0_0
  protocol: udp
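As an added example (not part of the post above), the following parser reads evIdsAlert records like the two shown and separates per-flow alerts from records that carry a `summary:` line, pulling out the fields the two records differ in: target address and port, the `initialAlert` reference, and whether `attackRelevanceRating` is present. The sample input is a trimmed copy of the two records from the post, and the labels returned by `describe` are this example's own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed copies of the two records from the post, used as constructed sample input.
SAMPLE = """\
evIdsAlert: eventId=1376465320547002492  vendor=Cisco  severity=high
  participants:
    attacker:
      addr: 7.7.3.10  locality=OUT
      port: 514
    target:
      addr: 150.1.7.20  locality=OUT
      port: 514
  riskRatingValue: 85  targetValueRating=medium
attackRelevanceRating=relevant
  threatRatingValue: 85
evIdsAlert: eventId=1376465320547002493  vendor=Cisco  severity=high
  participants:
    attacker:
      addr: 7.7.3.10  locality=OUT
      port: 0
    target:
      addr: 0.0.0.0  locality=OUT
      port: 0
  summary: 8  final=true  initialAlert=1376465320547002492
summaryType=Regular
  riskRatingValue: 75  targetValueRating=medium
  threatRatingValue: 75
"""

@dataclass
class IdsEvent:
    event_id: str
    risk_rating: int
    target_addr: str
    target_port: int
    attack_relevance: Optional[str]   # None when the record carries no attackRelevanceRating
    summary_count: Optional[int]      # set only on records with a "summary:" line
    initial_alert: Optional[str]      # eventId of the first alert the summary refers to

    @property
    def is_summary(self) -> bool:
        return self.summary_count is not None

def _field(pattern: str, chunk: str) -> Optional[str]:
    m = re.search(pattern, chunk, re.S)   # re.S lets \s* cross line breaks
    return m.group(1) if m else None

def parse_events(text: str) -> List[IdsEvent]:
    """Split the text at each evIdsAlert header and extract the fields of interest."""
    events = []
    for chunk in re.split(r"(?m)^(?=evIdsAlert:)", text):
        if not chunk.startswith("evIdsAlert:"):
            continue
        count = _field(r"summary:\s*(\d+)", chunk)
        events.append(IdsEvent(
            event_id=_field(r"eventId=(\d+)", chunk),
            risk_rating=int(_field(r"riskRatingValue:\s*(\d+)", chunk)),
            target_addr=_field(r"target:\s*addr:\s*(\S+)", chunk),
            target_port=int(_field(r"target:\s*addr:[^\n]*\n\s*port:\s*(\d+)", chunk)),
            attack_relevance=_field(r"attackRelevanceRating=(\w+)", chunk),
            summary_count=int(count) if count else None,
            initial_alert=_field(r"initialAlert=(\d+)", chunk),
        ))
    return events

def describe(ev: IdsEvent) -> str:
    """One-line classification of a record, in this example's own wording."""
    if ev.is_summary:
        return (f"summary of {ev.summary_count} events since initialAlert={ev.initial_alert}, "
                f"target reported as {ev.target_addr}:{ev.target_port}, RR={ev.risk_rating}")
    return f"per-flow alert on {ev.target_addr}:{ev.target_port}, RR={ev.risk_rating}"
```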