Show events question

Hello fine folks at techexams

Studying for the IPS test and I am viewing alerts from the CLI

I did show events.

Now I did a ping from my work station to a machine that is participating in a vlan pair for my IDS sensor...

I pinged from: 192.168.2.39 to 192.168.1.155

But there alert shows:

evIdsAlert: eventId=1019899328185340939 severity=informational vendor=Cisco
originator:
hostId: Keefssensor
appName: sensorApp
appInstanceId: 346
time: 2008/03/22 23:35:45 2008/03/22 23:35:45 UTC
signature: description=ICMP Echo Reply id=2000 version=S1
subsigId: 0
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.1.155
target:
addr: locality=OUT 192.168.2.39
summary: final=true initialAlert=1019899328185340935 summaryType=Regular 4
alertDetails: Regular Summary: 4 events this interval ;
riskRatingValue: 25
interface: ge0_2
protocol: icmp

Am I reading the alert incorrectly? I ask because the attacker address appears to be my target address....

[/b][/code]

Find more posts tagged with

Comments

mikej412

liven wrote:

signature: description=ICMP Echo Reply id=2000 version=S1

The echo request goes from 192.168.2.39 to 192.168.1.155

And the Echo Reply does go from 192.168.1.155 to 192.168.2.39.

While you'd hope for an echo reply to an echo request, if someone just started sending you echo replies out of the blue, then they definitely would be the attacker.

liven

mikej412 wrote:

liven wrote:

signature: description=ICMP Echo Reply id=2000 version=S1

The echo request goes from 192.168.2.39 to 192.168.1.155

And the Echo Reply does go from 192.168.1.155 to 192.168.2.39.

While you'd hope for an echo reply to an echo request, if someone just started sending you echo replies out of the blue, then they definitely would be the attacker.

Man I feel dumb right now....

I didn't even read my log.....

Sorry for the dumb question.