Help me decipher this IDS alert.

[cross6]

IDS_4210_207 reported a medium severity alert at 09:32:18 on 07/27/2006
Signature: IDS Evasive Double Encoding (5250:0)
Attacker: 70.x.x.x ---> Victim: 209.225.0.36 Alert details: Traffic Source: int0 ; Actions taken: None
NSDB:



Shows coming from my gateway ip to this 209.x.x.x IP.


Doing a nslookup gives me this info:


IP Address Contact Information

OrgName: Savvis
OrgID: SAVVI-2
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US

ReferralServer: rwhois://rwhois.savvis.net:4321/

NetRange: 209.225.0.0 - 209.225.95.255
CIDR: 209.225.0.0/18, 209.225.64.0/19
NetName: SAVVIS
NetHandle: NET-209-225-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:
RegDate:
Updated: 2004-10-07

OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-393-7878
OrgAbuseEmail: abuse@savvis.net

OrgNOCHandle: NOC99-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-800-213-5127
OrgNOCEmail: ipnoc@savvis.net

OrgTechHandle: UIAA-ARIN
OrgTechName: US IP Address Administration
OrgTechPhone: +1-800-213-5127
OrgTechEmail: ipadmin@savvis.net

# ARIN WHOIS database, last updated 2006-07-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.





Any idea who that is? Spyware on my network trying to phone home?

 

[n0cmonkey]

What IDS (Cisco?)? Does it include payload?
Some more info

I don't think Savvis is involved in spyware, but I could be mistaken.

 

[cross6]

Originally posted by: n0cmonkey
What IDS (Cisco?)? Does it include payload?
Some more info

I don't think Savvis is involved in spyware, but I could be mistaken.

Cisco 4210, yeah I pulled up that page in cisco works, I'm just trying to find out why I have something talking to that ip.

 

[n0cmonkey]

tcpdump/wireshark(ethereal) might help.

 

[nweaver]

savvis is a datacenter, we have 250ish machines hosted in 5 datacenters...that could be one of my boxes! (runs to check IP's)

 

[w0ss]

I know when I ran a snort box some alerts sound bad but are nothing. Snort would highlight the part of the packet that generated the alert. I used to get the same alert when I would visit some sites. Not spam or bad sites just a normal site that someone didnt setup properly.