Hi
This is a summary - it looks like the Summary Key was set to the Attacker's
address, which means that you don't care who the Victim is when you generate
a Summary (Summaries are based on Attackers).
Don't you have any Target Value Rating associated with the victim which
would bump the RR in the regular event?
Regards,
Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
CCIE # 25665 :: Security
*:: World-Class Cisco Certification Training*
Direct: +1.810.332.1444
:: Free Videos <http://www.youtube.com/ipexpertinc>
:: Free Training / Product Offerings <https://www.facebook.com/IPexpert>
:: CCIE Blog <http://blog.ipexpert.com/>
:: Twitter <https://twitter.com/ipexpert>
On Tue, Nov 12, 2013 at 1:06 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> Hi,
>
>
> ASA1/2 (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)
>
> I configured a custom signature for syslog messaging between hosts A and B.
>
> ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is supposed
> to pick this up.
>
> I can see the IPS sig trigger when it sees traffic from IP A to IP B on port 514
> with "alert high 85":
>
>
> evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high
> alarmTraits=32768
> originator:
> hostId: IPS
> appName: sensorApp
> appInstanceId: 1203
> time: Nov 11, 2013 22:12:19 UTC offset=0 timeZone=UTC
> signature: description=syslog id=61000 version=custom type=other
> created=20000101
> subsigId: 0
> sigDetails: My Sig Info
> interfaceGroup: vs0
> vlan: 3
> participants:
> attacker:
> addr: 7.7.3.10 locality=OUT
> port: 514
> target:
> addr: 150.1.7.20 locality=OUT
> port: 514
> os: idSource=unknown type=unknown relevance=relevant
> riskRatingValue: 85 targetValueRating=medium
> attackRelevanceRating=relevant
> threatRatingValue: 85
> interface: ge0_0
> protocol: udp
>
> -------------------------------------------------------------------------------------------------------------------------
>
> *PROBLEM: *
>
> I can see the same sig triggered with the following (alert 75 and
> destination 0.0.0.0):
>
> *What is 0.0.0.0 doing here? I never configured it on my custom sig. And
> why is the alert level 75, when on the one above it is 85? My original config is
> 75.*
>
>
> evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high
> alarmTraits=32768
> originator:
> hostId: IPS
> appName: sensorApp
> appInstanceId: 1203
> time: Nov 11, 2013 22:12:34 UTC offset=0 timeZone=UTC
> signature: description=syslog id=61000 version=custom type=other
> created=20000101
> subsigId: 0
> sigDetails: My Sig Info
> interfaceGroup: vs0
> vlan: 3
> participants:
> attacker:
> addr: 7.7.3.10 locality=OUT
> port: 0
> target:
> addr: 0.0.0.0 locality=OUT
> port: 0
> os: idSource=unknown type=unknown relevance=unknown
> summary: 8 final=true initialAlert=1376465320547002492
> summaryType=Regular
> alertDetails: Regular Summary: 8 events this interval ;
> riskRatingValue: 75 targetValueRating=medium
> threatRatingValue: 75
> interface: ge0_0
> protocol: udp
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>
> iPexpert on YouTube: www.youtube.com/ipexpertinc
Blogs and organic groups at http://www.ccie.net
Received on Tue Nov 12 2013 - 02:01:44 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART
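As an added worked example (not part of the thread, and not Cisco's code), the script below recomputes the risk rating of the two alerts quoted above from Cisco's published formula, RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR, and tells a Regular summary record apart from the individual alert it rolls up. The two alert blocks are trimmed copies of the ones in the thread. The signature fidelity rating (SFR) is not printed in an alert, so the value 75 is an assumption taken from "my original config is 75"; with that assumption the individual alert's attackRelevanceRating=relevant adds +10 on top of the base 75, and the summary, which carries no attack relevance and a zeroed target, stays at 75.

```python
import re

# Cisco's published risk-rating formula for IPS 5.x-7.x sensors:
#   RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR
# ASR: alert severity, TVR: target value rating, SFR: signature fidelity,
# ARR: attack relevance, PD: promiscuous delta, WLR: watch list rating.
ALERT_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zerovalue": 50, "low": 75, "medium": 100,
                "high": 150, "mission-critical": 200}
ATTACK_RELEVANCE = {"relevant": 10, "notrelevant": -10, "unknown": 0}


def risk_rating(severity, tvr="medium", sfr=75, arr="unknown", pd=0, wlr=0):
    """Risk rating as the sensor computes it, clamped to the 0..100 range."""
    base = ALERT_SEVERITY[severity] * TARGET_VALUE[tvr] * sfr // 10000
    return max(0, min(100, base + ATTACK_RELEVANCE[arr] - pd + wlr))


def parse_alert(text):
    """Extract the rating-relevant fields from one evIdsAlert block."""
    def grab(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1) if m else default

    return {
        "event_id": grab(r"eventId=(\d+)"),
        "severity": grab(r"severity=(\w+)"),
        "tvr": grab(r"targetValueRating=([\w-]+)", "medium"),
        # Absent in summary records: the sensor has no single target to rate.
        "arr": grab(r"attackRelevanceRating=(\w+)", "unknown"),
        "rr": int(grab(r"riskRatingValue:\s*(\d+)")),
        "target": grab(r"target:\s*\n\s*addr:\s*(\S+)"),
        # Only summary records carry a 'summary:' line; fields outside the
        # summary key (here the target) are reported as 0.0.0.0 / port 0.
        "summary": grab(r"summaryType=(\w+)"),
        "initial_alert": grab(r"initialAlert=(\d+)"),
    }


def check_alert(text, sfr=75):
    """Parse an alert and recompute its RR from the visible components.

    sfr is an assumption: the fidelity rating is not printed in the alert.
    """
    info = parse_alert(text)
    info["expected_rr"] = risk_rating(info["severity"], info["tvr"],
                                      sfr, info["arr"])
    info["consistent"] = info["expected_rr"] == info["rr"]
    return info


# Trimmed copies of the two alerts quoted in the thread.
INDIVIDUAL_ALERT = """\
evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high
  signature: description=syslog id=61000 version=custom type=other
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 514
    target:
      addr: 150.1.7.20 locality=OUT
      port: 514
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 85
"""

SUMMARY_ALERT = """\
evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high
  signature: description=syslog id=61000 version=custom type=other
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 0
    target:
      addr: 0.0.0.0 locality=OUT
      port: 0
  summary: 8 final=true initialAlert=1376465320547002492 summaryType=Regular
  riskRatingValue: 75 targetValueRating=medium
  threatRatingValue: 75
"""

if __name__ == "__main__":
    for block in (INDIVIDUAL_ALERT, SUMMARY_ALERT):
        info = check_alert(block)
        kind = f"{info['summary']} summary" if info["summary"] else "individual alert"
        print(f"{info['event_id']}: {kind}, target {info['target']}, "
              f"RR {info['rr']} (recomputed {info['expected_rr']})")
```

Raising the target value rating on 150.1.7.20 to high or mission-critical lifts the base term for the individual alert (the formula clamps at 100), but the summary record is keyed on the attacker only and keeps the default medium, so the two records drift further apart rather than converging.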