Show events question
liven
Member Posts: 918
Hello fine folks at techexams
Studying for the IPS test and I am viewing alerts from the CLI
I did show events.
Now I did a ping from my work station to a machine that is participating in a vlan pair for my IDS sensor...
I pinged from: 192.168.2.39 to 192.168.1.155
But the alert shows:
evIdsAlert: eventId=1019899328185340939 severity=informational vendor=Cisco
originator:
hostId: Keefssensor
appName: sensorApp
appInstanceId: 346
time: 2008/03/22 23:35:45 2008/03/22 23:35:45 UTC
signature: description=ICMP Echo Reply id=2000 version=S1
subsigId: 0
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.1.155
target:
addr: locality=OUT 192.168.2.39
summary: final=true initialAlert=1019899328185340935 summaryType=Regular 4
alertDetails: Regular Summary: 4 events this interval ;
riskRatingValue: 25
interface: ge0_2
protocol: icmp
Am I reading the alert incorrectly? I ask because the attacker address appears to be my target address....
encrypt the encryption, never mind my brain hurts.
Comments
mikej412
Member Posts: 10,086
liven wrote: signature: description=ICMP Echo Reply id=2000 version=S1
The echo request goes from 192.168.2.39 to 192.168.1.155
And the Echo Reply does go from 192.168.1.155 to 192.168.2.39.
While you'd hope for an echo reply to an echo request, if someone just started sending you echo replies out of the blue, then they definitely would be the attacker.
Cisco Certifications -- Collect the Entire Set!
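As an added example (not code from the thread or from Cisco): a small Python parser for the `show events` alert layout quoted above, which pulls out the signature and the attacker/target fields and, for the ICMP Echo Reply signature, works out who sent the original request. The REPLY_SIGNATURES lookup table is a hypothetical design choice; only id 2000 is taken from the page.

```python
import re

# Constructed sample input: the alert fields quoted in the thread, laid out the way
# `show events` prints them (indentation added for readability; the parser ignores it).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1019899328185340939 severity=informational vendor=Cisco
  signature: description=ICMP Echo Reply id=2000 version=S1
  subsigId: 0
  participants:
    attacker:
      addr: locality=OUT 192.168.1.155
    target:
      addr: locality=OUT 192.168.2.39
  riskRatingValue: 25
  interface: ge0_2
  protocol: icmp
"""

# Signatures that fire on a *response* packet. For these, the attacker field is the host
# that answered, not the host that started the exchange. Only id 2000 comes from the
# thread; treating this as a lookup table is a hypothetical design choice.
REPLY_SIGNATURES = {2000: "ICMP Echo Reply"}


def parse_alert(text):
    """Extract the signature, participants and risk rating from one evIdsAlert block."""
    alert = {}
    sig = re.search(r"signature: description=(.+?) id=(\d+)", text)
    alert["signature"], alert["sig_id"] = sig.group(1), int(sig.group(2))
    for role in ("attacker", "target"):
        m = re.search(rf"{role}:\s+addr: locality=(\w+) (\S+)", text)
        alert[role] = {"locality": m.group(1), "addr": m.group(2)}
    alert["risk_rating"] = int(re.search(r"riskRatingValue: (\d+)", text).group(1))
    return alert


def packet_direction(alert):
    """Say who sent the packet that fired the signature and, for reply signatures,
    who must have sent the request that provoked it."""
    sender, receiver = alert["attacker"]["addr"], alert["target"]["addr"]
    direction = {"packet_sender": sender, "packet_receiver": receiver}
    if alert["sig_id"] in REPLY_SIGNATURES:
        # A reply travels back toward whoever asked, so the request went the other way.
        direction["request_from"], direction["request_to"] = receiver, sender
    return direction


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(parsed["signature"], packet_direction(parsed))
```

Run against the thread's alert, `packet_direction` reports the reply as sent by 192.168.1.155 and the request as coming from 192.168.2.39, which is exactly the ping liven described.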
liven
Member Posts: 918
mikej412 wrote:
liven wrote: signature: description=ICMP Echo Reply id=2000 version=S1
The echo request goes from 192.168.2.39 to 192.168.1.155
And the Echo Reply does go from 192.168.1.155 to 192.168.2.39.
While you'd hope for an echo reply to an echo request, if someone just started sending you echo replies out of the blue, then they definitely would be the attacker.
Man, I feel dumb right now...
I didn't even read my log...
Sorry for the dumb question.
encrypt the encryption, never mind my brain hurts.