Luiz,
Default signature severities are not
gospel, and not right for everyone everywhere. In this case I can imagine
that it was not low, because the potential impact of exploiting the
vulnerability is high, but not high because it is not straightforward to exploit
from a non-connected network, i.e. the Internet. But that of course, depends on
what your environment looks
like.
If you read the
signature information you'll see that it's 'just' telling you your routers are
using a default password. You need to decide whether that's something to worry
about, and possibly to change it. The event severity has little bearing on this
process.
From
an audit point of view, there's no point in getting half a million events per
day about something you already know, and from an analyst point or
view it's completely useless. Because HSRP is so noisy, even tweaking event
flooding/consolidation won't really help. The bottom line is that you're
aware of the traffic/issue now, and I'd turn the signature off until the
routers are suppodesly reconfigured.
Regards,
Robert
-----Original
Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 30 June 2003 18:35
To: [EMAIL PROTECTED]
Cc: F2252817_Daniel_Aquino_Fernandes_Lopes/[EMAIL PROTECTED]
Subject: [ISSForum] SIGNATURE - No Informations
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 30 June 2003 18:35
To: [EMAIL PROTECTED]
Cc: F2252817_Daniel_Aquino_Fernandes_Lopes/[EMAIL PROTECTED]
Subject: [ISSForum] SIGNATURE - No Informations
H,
A signature named HRSP_Default_Password brought by XPress Update 20.6 for NS 7.0 has provided a lot of incidents (around 500,000 a day).
Its just notify and has medium priority. What could do I do? Just disable it? Or is it an important signaturee that tells me what is happening with my
routers?
Thanks in advanced,
Luiz Leao - BBCSIRT
