Cisco IPS 4255 Sensor White Paper
Overview
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 5 of 7
3. The next step is to filter attacks that have been dropped. Scroll through the list and you can easily see those alerts. Keep in mind that even though these are high-level alerts, they are not overly concerning because they have been blocked. No forensics need to be performed on these alerts unless you want to check the attacking IP address.
If the attacking address is outside your IP address range, you can contact the owner of the IP
address range, which you can find by using the Cisco IPS Manager Express “whois” tool. To do
this, highlight the event, click on the tool icon, and select “whois.” Results may vary because when
you are attacked, the machine that attacked you has often been exploited and the operator of that
machine may be unaware of any problems.
If it’s an internal address, you will want to run security scans to try to repair the infected machine or reinstall the OS and applications to fix the problem. It’s important to remember that there is an outside chance that the owner of the machine is responsible for the attack.
To filter dropped signatures, select the “Action” field, click on the popup button at the right, and
select all the actions that drop or reset packets or flows.
4. The next step is to filter informational alerts. Uncheck the box labeled “Informational.” Even though these events are filtered out, they could warrant investigation. In many cases, including this example, the low-priority events may indicate that another device is doing reconnaissance on a device protected by the IPS. Network administrators should research these source addresses to see if the reconnaissance on those machines is being caused by malware or an employee. If it’s an infected machine, remove the malware or restore the infected device to a known good condition. There are now five alerts remaining.
5. At this point, the tuning process is essentially complete: all the benign scanning events, alerts for invalid destination addresses, informational alerts, and stopped attacks have been filtered. The remaining alerts are considered actionable information. They represent the greatest threat to your network and therefore must be analyzed. Researching these events with Cisco IPS Manager Express is a straightforward process.
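The filtering in steps 3 and 4, plus the internal-versus-external decision from the “whois” discussion, can be expressed as a small triage routine. The following is an added example written for this page; it is not Cisco code and does not use the IPS Manager Express API or export format. The alert record, the event-action names in BLOCKING_ACTIONS, the internal address ranges and all signature IDs other than 5867/0 are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    """Hypothetical alert record; field names are assumptions, not IME's schema."""
    sig_id: str          # signature id/subsignature, e.g. "5867/0"
    severity: str        # "informational", "low", "medium" or "high"
    actions: frozenset   # actions the sensor reports having taken on the flow
    src: str             # attacker address
    dst: str             # victim address


# Step 3: actions that drop or reset packets/flows mean the sensor already stopped
# the traffic. These names are assumed for the example, not taken from the page.
BLOCKING_ACTIONS = frozenset({
    "denyPacketInline", "denyFlowInline", "denyAttackerInline", "tcpResetSent",
})

# Assumed internal address space; a real deployment would use its own ranges.
INTERNAL_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def was_blocked(alert: Alert) -> bool:
    """True when any recorded action dropped or reset the attack (step 3)."""
    return bool(alert.actions & BLOCKING_ACTIONS)


def is_informational(alert: Alert) -> bool:
    """True for the low-priority events unchecked in step 4."""
    return alert.severity == "informational"


def is_internal(addr: str) -> bool:
    """Internal vs external decides the follow-up: remediate host vs whois lookup."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def tune(alerts):
    """Apply steps 3 and 4 in order and return (blocked, informational, actionable).

    A blocked event is set aside even if it is also informational, matching the
    order of the tuning procedure."""
    blocked, informational, actionable = [], [], []
    for alert in alerts:
        if was_blocked(alert):
            blocked.append(alert)
        elif is_informational(alert):
            informational.append(alert)
        else:
            actionable.append(alert)
    return blocked, informational, actionable


def next_step(alert: Alert) -> str:
    """Follow-up for an actionable alert, based on where the attacker address sits."""
    if is_internal(alert.src):
        return "internal source: scan and repair the host, or rebuild OS and applications"
    return "external source: look up the owner of the address range (whois) and contact them"


def triage(alerts):
    """Map each actionable (sig_id, src) pair to its recommended follow-up."""
    _, _, actionable = tune(alerts)
    return {(a.sig_id, a.src): next_step(a) for a in actionable}


# Constructed sample events. Only 5867/0 appears in the case study; the other
# signature ids and all addresses are made up for this example.
SAMPLE_ALERTS = [
    Alert("5867/0", "high", frozenset(), "203.0.113.5", "10.1.1.20"),
    Alert("9999/0", "informational", frozenset(), "10.1.1.50", "10.1.1.20"),
    Alert("9998/0", "high", frozenset({"denyFlowInline"}), "198.51.100.7", "10.1.1.20"),
    Alert("9997/0", "medium", frozenset(), "10.1.1.77", "10.1.1.20"),
    Alert("9996/0", "informational", frozenset({"tcpResetSent"}), "10.1.1.77", "10.1.1.21"),
]

if __name__ == "__main__":
    blocked, info, actionable = tune(SAMPLE_ALERTS)
    print(f"blocked={len(blocked)} informational={len(info)} actionable={len(actionable)}")
    for key, step in triage(SAMPLE_ALERTS).items():
        print(key, "->", step)
```

Running the script on the constructed sample leaves two actionable alerts, one from an external address (whois follow-up) and one from an internal host (remediation), while the two blocked events and the one informational event are set aside exactly as the procedure describes.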
Following is a step-by-step explanation of how to process the remaining events. In this case study,
forensics analysis will be performed only on one of the remaining alerts. If this were a live network,
you would take the same steps for the remaining events.
1. The event in the case study to be analyzed is Cisco sig ID 5867/0. The following steps must
be taken.
Research the alert: Right-click on the event and select the “Explanation” tab. The description says, “The signature fires on attempts to instantiate the WinZip ActiveX control. A vulnerability exists in the ActiveX control that was never intended to be used in Internet Explorer.” A second section in the explanation tab tells you if other actions besides an attack can cause this signature to fire. In this case, it says “Individuals browsing proof of concept code may cause this signature to trigger.” This description is telling us that either someone browsed to a web page and looked at proof of concept code or there was an actual attack. We are going to assume that an attack was attempted because if it was an incident during browsing, the port