False Alarms?

Similar Messages

• Persistent, chronic, false alarms for the past eight months

  We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:
  Disassoc Flood
  AP Impersonation
  We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 4.0.206.0 in hopes of getting this solved.
  Version 4.0.206.0 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.
  Is anyone else out there experiencing this?
  - John

  Thank you for confirming this behavior.
  In answer to your question, upgrading to 4.0.206.0 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.
  As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.
  I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.
  Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)
  If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.
  John

• RTMT sending false Alarms?

  Hello,
  We have randomly receiving following alerts on RTMT
  MGCP DChannel is out-of-service
  Number of registered gateways decreased in consecutive polls.
  Number of registered gateways increased between consecutive polls.
  We have,
  CUCM: 9.1.2.11008-1
  Voice Router: 15.1(2) T1
  I log into the router and the controllers/ports show no errors on that PRI.
  I checked isdn service, status and logs but still no sign of down. 
  Also we can see active calls on that PRI from RTMT.
  Is RTMT sending false Alarms?

  RTMT is probably not sending false alarms. What level do you have your logging set to?

• IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

  Hi,
  I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at it's configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (The parameter is named ShortUDPLength and it's set to True).
  All NTP traffic kicks of this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame lenght is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
  Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the Ack's from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
  Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named SnortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
  Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
  1) Do you find that IOS IPS sig 4050 false alarms are common?
  2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
  3) Does Cisco have any recommendations on what to do with this built in signature?
  Thanks,
  KEP

  On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
  You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
  I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affectes some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
  Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if neccessary.

• Customizing sensor from filtering false alarms.

  hi,
  How can i filter the false alarms coming out from my dhcp server and dns servers. Iam getting a lot of frag overlap signature alarms.Can anyone help me to avoid these false alarms ? Please help.

  Hi,
  You cna configure event action filter for those host you do not want the sensor to do any further action for the specific signatures.
  This is described here : http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1063299
  I hope this helps you.

• WCS IDS False Alarms - NetStumbler Generic Attack

  We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:
  "IDS Signature attack detected. Signature Type: Standard"
  "Disassoc flood, Description: Disassociation flood
  "AP impersonation"
  "NetStumbler Generic Attack"
  In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.
  Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.
  If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.
  We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.
  - John

  The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).
  Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.
  I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.
  - John

• ANM 5.2.1 Device Down False Alarms

  Hello all,
  I am just checking if anyone out there is facing false alarm issues with ANM 5.2.1. Basically ANM is sending device down (ACE-30 module) messages occasionally, but in real the device has never went down.
  I haven't found any bug related to this issue. Please share your experiences with ANM 5.2.1 ?
  Message:
  ANM Server Host Name        : anm-1
  ANM Server IP Address        : 10.9.20.1
  Device ID                              : AGG-B:3
  Component Name                  : AGG-B:3
  Severity                               : info
  Time                                   : 04-Jan-2013 13:49:59  GST
  Alarm Name                        : Device Status
  Alarm Value                       : Down
  Threshold Assert Value       : Down
  Threshold Group Name         : ANM-Alerts
  Alarm State                       : Active
  Details                           : AGG-B:3's Device Status  reached the Down state defined in threshold group 'ANM-Alerts'
  ACE-30 uptime:
  ACE-B kernel uptime is  267 days 0 hour 13 minute(s) 11 second(s)
  Regards,
  Akhtar

  Yes, me. On 5.2.2 and just a couple of hours ago, the passive sent this:
  Device State and Resource Monitoring Alarm of severity info has occurred.
  ANM Server Host Name               :
  ANM Server IP Address                :
  Device ID                                             : sw000:1
  Component Name                          : sw000:1
  Severity                                               : info
  Time                                                      : 21-Feb-2013 05:40:39 CET
  Alarm Name                                       : Device State and Resource Monitoring
  Alarm Value                                       : Down
  Threshold Assert Value : Down
  Threshold Group Name                : TEST
  Alarm State                                        : Active
  Details                                  : sw000:1's Device State and Resource Monitoring reached the Down state defined in threshold group 'TEST'

• Disassoc flood - false alarms - IDS signature file needs adjustment

  Another interesting observation regarding Disassociation flood wireless IDS alarms:
  When a wireless client goes out of range of an AP, is that it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
  However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
  Disassociation, Deauth Flood, and Bcast Deauth
  This has resulted in fewer false alarms (except for Bcast deaut which is the result of the WLC alarming on its own containment messages - see previous thread!).
  Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
  Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).
  - John

  Hi,
  I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?
  Scott

• K8N Neo BIOS 1.5 released -- sorry FALSE ALARM

  I haven't yet tried it, but BIOS 1.5 appears to be posted on LiveUpdate, along with a new version of the LiveUpdate software itself. This is for the K8N Neo; I don't know about the Neo2.
  Anyone tried it yet?

  Well this is weird. It tells me 1.5 is released, I try to install it. It first says it needs to install a new version of LiveUpdate. Fine...reboot...then back to LiveUpdate and there's no new version of the BIOS showing up anymore. Or maybe I was just imagining things. Sorry for the false alarm.

• False alarm error messages when Linking from e-mail to web

  About 30-40% of the time that I try to link to the web from a URL embedded in an e-mail, an error message comes up saying that the program's unable to connect to that particular URL (which it cites). But then it almost always goes ahead and takes me to the right website. Why is this happening and is there a way I can stop it? It's a nuisance to always have to read the alarm and then needlessly worry that the connection to the website cannot be made. Thanks.

  Hi,
  you have something like:
  end_of_data = ' '.
  first_call  = 'X'.
    WHILE end_of_data = ' '.
          CALL FUNCTION 'RSDRI_INFOPROV_READ'
            EXPORTING  i_infoprov             = ....
                       i_th_sfc               = ...
                       i_th_sfk               = ...
                       i_t_range              = ...
                       i_reference_date       = ...
                       i_save_in_table        = ....
                       i_save_in_file         = ....
                       I_USE_DB_AGGREGATION   = ...
                       i_packagesize          = 100000
                       i_authority_check      = ...
            IMPORTING  e_t_data               = .....
                       e_end_of_data          = end_of_data
            CHANGING   c_first_call           = first_call
            EXCEPTIONS illegal_input          = 1
                       illegal_input_sfc      = 2
                       illegal_input_sfk      = 3
                       illegal_input_range    = 4
                       illegal_input_tablesel = 5
                       no_authorization       = 6
                       ncum_not_supported     = 7
                       illegal_download       = 8
                       illegal_tablename      = 9
                       OTHERS                 = 11.
    ENDWHILE.
  hope this helps...
  Olivier.

• Lots of false alarms for "Server Reachability has switched to false..."

  We ran into this issue testing on 2 server but we're now being flooded by alerts for Windows, Linux, and Solaris systems that say
  Server Reachability has switched to false on ServerName
  I have confirmed that every one of the servers is up and reachable (ping, traceroute from both proxy servers)
  One of those unreachable servers is the mail relay that the alert was relayed through!
  I need to know when servers drop off-line but if I can't rely on the test what good is it?
  Any suggestions?

  Try to update a credentail on asset.

• Bitdefender says flex  is a virus? This has to be a postive positive (False alarm)

  Okay I'm experiencing some random acts of weirdness with my anti-virus saying flex is a virus. I'm sure it is just a positive-positive (false, not real) and that bitdefender is just confused. I always try to air on the side of caution so I'm posting the warnings I recieved.
  Virus name exploit.SWF.Gen
  path: flex\frameworks\libs\air\applicationupdater_ui.swc=>library.swf
  Virus name exploit.SWF.Gen
  flex\frameworks\libs\air\applicationupdater_ui.swf
  virus name exploit.SWF.Gen local\temp\adobeupdate\extensions\adobe flash 10 (the rest is so long I can't type it all accurately)
  anyways I just want adobe to know about this and I want to make sure that these are errors from my anti-virus even though I'm pretty darn sure they are.

  Ignore it.
  You do not give the actual address of the warning, but it is almost certainly fake and not going to be helpful. Quite likely it twill try to collect money or download malware.

• Disk Utilization false alarms from EM dbconsole

  Hi,
  I have a 10.2.0.1 instance on Windows XP. EM frequently reports disk problems that don't exist. Example below. The disk is no where near 100% so I don't know where EM is getting this. Has anyone else had this problem? Is this a bug?
  ex.
  Name=op1t1tsr
  Type=Host
  Host=op1t1tsr
  Metric=Disk Utilization (%)
  Disk Device=1 E:
  Timestamp=Jan 27, 2008 2:31:18 AM CST
  Severity=Critical
  Message=Disk Utilization for 1 E: is 99.97%
  Rule Name=Host Availability and Critical States
  Rule Owner=SYSMAN

  No, E: is an internal drive where the datafiles for the database actually reside.
  One twist however, is that my windows roving profile attenpts to map E to another location. On this machine this does not happen since there is a local E driver but I wonder if the EM agent is somehow confused by this. In the Windows explorer the E drive actually displays the mapped location name, but when you drill down you see the local drive.

• HAL won't start (false alarm)

  I recently installed Arch on a new computer.  The install went without a hitch, but once I rebooted into KDE4.1 HAL wouldn't work preventing me from mounting my CD/DVD drives.
  When I boot, it says D-Bus and HAL start OK, but once I get into KDE there's no sign of it.  I tried to start it manualy but it fails, I tried to stop it incase it was already running, and it failed again. I've confirmed D-Bus is working.
  I've checked my fstab, the optical drives where commented out, and I even went so far as to remove them all together but no luck.
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  none /dev/pts devpts defaults 0 0
  none /dev/shm tmpfs defaults 0 0
  UUID=2ed507c6-5ec1-465d-8922-f37e96f39168 /boot ext2 defaults 0 1
  UUID=51324a6c-2243-4359-b055-c7a53031f537 / ext3 defaults,noatime,nodiratime 0 1
  UUID=68274130-ad54-43d7-a71a-6b4cf63b4f16 /home ext3 defaults,noatime,nodiratime 0 1
  UUID=9bc1e8e3-1d97-45bc-9407-5c961d48344e swap swap defaults 0 0
  # /etc/rc.conf - Main Configuration for Arch Linux
  MODULES=(8139cp 8139too mii snd-mixer-oss snd-pcm-oss snd-hwdep snd-page-alloc snd-pcm snd-timer snd snd-hda-intel soundcore !pcspkr)
  DAEMONS=(syslog-ng network netfs crond alsa hal fam kdm)
  Last edited by dmwdp001 (2008-12-08 18:37:12)

  It appears that hal is working, I can plug in a flash drive and It'll work just fine.  It seems the matter is limited to my optical drives.
  I don't know if this is at all relevent, but my optical drives are IDE and I'm running Arch off of a USB drive.
  The output of the command above is:
  13:07:44.511 [i] hald.c:669: hal 0.5.11
  13:07:44.511 [i] hald.c:734: Will not daemonize
  13:07:44.511 [i] hald_dbus.c:5381: local server is listening at unix:abstract=/var/run/hald/dbus-sXWsttPMN0,guid=8baf3246470ecbec7df04676493d6270
  13:07:44.515 [E] ck-tracker.c:367: Error doing GetSeats on ConsoleKit: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.ConsoleKit was not provided by any .service files
  13:07:44.515 [E] ck-tracker.c:792: Could not get seats and sessions
  13:07:44.515 [W] hald_dbus.c:5806: Could not initialize seats and sessions fromConsoleKit
  Runner started - allowed paths are '/usr/lib/hal:/usr/lib/hal/scripts:/usr/bin'
  13:07:44.517 [i] hald_runner.c:301: Runner has pid 5688
  13:07:44.517 [i] hald_runner.c:182: runner connection is 0x9e431b0
  13:07:44.523 [W] osspec.c:373: Unable to open /proc/mdstat: No such file or directory
  13:07:44.523 [D] util_helper.c:124: drop_privileges: could not set group id

• False alarming for Archive mode status

  Hi Friends,
       In one of our development system(DB node) we are getting alerts as 'the Archive mode is in OFF state', but when i checked in DB level I can able to see the state as ON. Don't know what the problem is? Can anyone help me to resolve this issue?
  Regards,
  Palaniappan

  Hi Palaniappan,
  Please check the output of below command
  SQL> SELECT LOG_MODE FROM V$DATABASE;
  => Output should be "NOARCHIVELOG"
  SQL> ARCHIVE LOG LIST
  => output should have "DISABLED" under Automatic archival.
  Regards,
  Deepak Kori