IPS custom signature, weird problem

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Mon, 11 Nov 2013 16:06:41 -0800

Hi,

ASA1/2 (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)

I configured a custom signature for syslog messaging between host A and B.

ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is supposed to
pick this up.

I can see the IPS sig trigger when it sees traffic from IP A to IP B, port 514, with
"alert high 85":

evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1203
  time: Nov 11, 2013 22:12:19 UTC offset=0 timeZone=UTC
  signature: description=syslog id=61000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 3
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 514
    target:
      addr: 150.1.7.20 locality=OUT
      port: 514
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 85
  interface: ge0_0
  protocol: udp

*PROBLEM:*

I can see the same sig triggered with the following (alert 75 and
destination 0.0.0.0):

*What is 0.0.0.0 doing here? I never configured it on my custom sig. And
why is the alert level 75, when the one above is 85? My original config is
75.*

evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1203
  time: Nov 11, 2013 22:12:34 UTC offset=0 timeZone=UTC
  signature: description=syslog id=61000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 3
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 0
    target:
      addr: 0.0.0.0 locality=OUT
      port: 0
      os: idSource=unknown type=unknown relevance=unknown
  summary: 8 final=true initialAlert=1376465320547002492
summaryType=Regular
  alertDetails: Regular Summary: 8 events this interval ;
  riskRatingValue: 75 targetValueRating=medium
  threatRatingValue: 75
  interface: ge0_0
  protocol: udp

Blogs and organic groups at http://www.ccie.net
Received on Mon Nov 11 2013 - 16:06:41 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART
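Added example (not part of the original post or of any Cisco tool): a small parser for the evIdsAlert text records quoted above that separates the initial alert from the summary alert, links the summary back to its initial alert via `initialAlert=`, and reproduces the two risk-rating values. The sample input is the poster's two records with the mailer's line wrapping rejoined. The `expected_risk_rating` helper assumes the Cisco IPS risk-rating composition (ASR x TVR x SFR / 10000, plus an attack-relevance term of +10 for a relevant target and 0 for an unknown one); the ASR/TVR/ARR tables and the assumption that the poster's "75" is the signature fidelity rating are mine, not the post's, so check them against your sensor's documentation.

```python
"""Parse Cisco IPS evIdsAlert text records; tell initial alerts from summaries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two records quoted in the post above, wrapped lines rejoined.
SAMPLE = """\
evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1203
  time: Nov 11, 2013 22:12:19 UTC offset=0 timeZone=UTC
  signature: description=syslog id=61000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 3
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 514
    target:
      addr: 150.1.7.20 locality=OUT
      port: 514
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 85
  interface: ge0_0
  protocol: udp
evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1203
  time: Nov 11, 2013 22:12:34 UTC offset=0 timeZone=UTC
  signature: description=syslog id=61000 version=custom type=other created=20000101
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 3
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 0
    target:
      addr: 0.0.0.0 locality=OUT
      port: 0
      os: idSource=unknown type=unknown relevance=unknown
  summary: 8 final=true initialAlert=1376465320547002492 summaryType=Regular
  alertDetails: Regular Summary: 8 events this interval ;
  riskRatingValue: 75 targetValueRating=medium
  threatRatingValue: 75
  interface: ge0_0
  protocol: udp
"""


@dataclass
class Alert:
    event_id: str
    severity: str
    sig_id: str
    attacker_addr: str
    attacker_port: int
    target_addr: str
    target_port: int
    relevance: str           # target relevance from the "os:" line
    risk_rating: int
    summary_count: Optional[int] = None   # set only on summary alerts
    initial_alert: Optional[str] = None   # eventId of the alert being summarised

    @property
    def is_summary(self) -> bool:
        return self.summary_count is not None


# "<role>:" followed by its addr: and port: lines, e.g. the attacker block.
_PARTICIPANT = r"{role}:\s*\n\s*addr:\s*(\S+).*?\n\s*port:\s*(\d+)"


def _field(pattern: str, record: str, default: Optional[str] = None) -> Optional[str]:
    m = re.search(pattern, record)
    return m.group(1) if m else default


def parse_alerts(text: str) -> List[Alert]:
    """Split the text at every 'evIdsAlert:' header and extract the fields we care about."""
    alerts = []
    for rec in re.split(r"(?m)^(?=evIdsAlert:)", text):
        if not rec.startswith("evIdsAlert:"):
            continue
        att = re.search(_PARTICIPANT.format(role="attacker"), rec)
        tgt = re.search(_PARTICIPANT.format(role="target"), rec)
        count = _field(r"summary:\s*(\d+)", rec)
        alerts.append(Alert(
            event_id=_field(r"eventId=(\d+)", rec),
            severity=_field(r"severity=(\w+)", rec),
            sig_id=_field(r"signature:.*?\bid=(\d+)", rec),
            attacker_addr=att.group(1), attacker_port=int(att.group(2)),
            target_addr=tgt.group(1), target_port=int(tgt.group(2)),
            relevance=_field(r"relevance=(\w+)", rec, "unknown"),
            risk_rating=int(_field(r"riskRatingValue:\s*(\d+)", rec)),
            summary_count=int(count) if count else None,
            initial_alert=_field(r"initialAlert=(\d+)", rec),
        ))
    return alerts


def link_summaries(alerts: List[Alert]) -> Dict[str, Optional[Alert]]:
    """Map each summary alert's eventId to the initial Alert it aggregates (None if unseen)."""
    initial = {a.event_id: a for a in alerts if not a.is_summary}
    return {a.event_id: initial.get(a.initial_alert) for a in alerts if a.is_summary}


# Assumed rating tables (my reading of the Cisco IPS risk-rating formula, not from the post).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def expected_risk_rating(severity: str, target_value: str, fidelity: int, relevance: str) -> int:
    """RR = ASR*TVR*SFR/10000 + ARR, clamped to 0..100 (promiscuous delta and watch list ignored)."""
    base = ASR[severity] * TVR[target_value] * fidelity // 10000
    return max(0, min(100, base + ARR[relevance]))


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE):
        kind = f"summary of {a.summary_count} (initial {a.initial_alert})" if a.is_summary else "initial"
        print(f"{a.event_id}: {kind}, target {a.target_addr}:{a.target_port}, "
              f"relevance={a.relevance}, RR={a.risk_rating}")
```

Run on the post's records, the second alert parses as a Regular summary of 8 events whose `initialAlert` is the first alert's eventId, with the target collapsed to 0.0.0.0:0 and relevance `unknown`; under the assumed formula a fidelity of 75 gives 85 when the target is relevant and 75 when it is unknown, which matches the two `riskRatingValue` lines.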