5 Replies Latest reply on May 15, 2015 3:44 PM by nicole pauls

    Why are IP Protocol 103 PIM alerts being triggered?

    rdub15

      I am getting repeated security alerts in LEM stating that IP Protocol 103 PIM is being detected as a "non-standard protocol or event", but I'm not sure what is triggering the alert or how to mitigate it. I am aware that PIM is a multicast protocol, and I also know that there is a security vulnerability in some Cisco switch IOS versions involving this protocol when it is coupled with a few other protocols like SWIPE, but I don't think that my switch is running the vulnerable IOS version: IP Protocol 103 (PIM) Activity: Attack Signature - Symantec Corp.

       

      All of these alerts are being generated from Snort for one particular switch. Is it possible that Snort isn't recognizing the PIM protocol so it is marking it as suspicious?

       

      Has anyone else had this issue, and if so, how did you fix it?