https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13991#M6917 <HTML><HEAD></HEAD><BODY><P>Your sensor version is the first 3.0 release. You will need to update to</P><P>get the latest signatures and get the enhancements to ATOMIC.TCP</P><P>which include the SinglePacketRegex parameter.</P><P></P><P>Typically, you will want to watch for the notification about the Signature Update and Service Pack releases because the new signature sets will give you better intrusion coverage and the service packs fix bugs and give you new features.</P><P></P><P>The "string match" signature for this is good, but it does not count the failed</P><P>logins across different connections.</P><P></P><P>Good luck,</P><P>-JK</P></BODY></HTML> Fri, 12 Apr 2002 13:46:24 GMT jakasper 2002-04-12T13:46:24Z https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13988#M6914 <P>I created a custom signature to detect telnet authentication failure. It belongs to STRING.TCP engine.</P><P></P><P>Here are the signature's parameters:</P><P>SID 20005, Engine: STRING.TCP</P><P>1 - AlarmThrottle = FireAll </P><P> 2 - ChokeThreshold = </P><P> 3 - Direction = ToService </P><P> 4 - FlipAddr = True </P><P> 5 - MaxInspectLength = </P><P> 6 - MinHits = 1 </P><P> 7 - MinMatchLength = </P><P> 8 - MultipleHits = </P><P> 9 * RegexString = * </P><P> 10 - ResetAfterIdle = 15 </P><P> 11 - ServicePorts = 23 </P><P> 12 - SigComment = </P><P> 13 - SigName = telnet failure on port 23 </P><P> 14 - SigStringInfo = </P><P> 15 - StripTelnetOptions = </P><P> 16 - ThrottleInterval = 15 </P><P> 17 - WantFrag = </P><P></P><P>Address mapping</P><P>20005 * * 10.70.75.140</P><P></P><P>Then I tried to telnet to 10.70.75.140 with two login failures. But there was no alarms in the logfile of sensor.</P><P>Is there something wrong?</P> Fri, 21 Feb 2020 17:59:31 GMT https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13988#M6914 thanhlv 2020-02-21T17:59:31Z https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13989#M6915 <HTML><HEAD></HEAD><BODY><P>You can use the ATOMIC.TCP engine to write three different kinds of telnet</P><P>login failures. The STRING.TCP sigs will count MinHits only on one TCP stream (connection) and will not catch repeated login failures across different</P><P>connections. With ATOMIC.TCP, you can set the StorageKey parameter to one of DUAL, DST, or SRC. These will give you alarms when there are multiple failures: between two hosts (DUAL), to a server (SRC), or from a client (DST).</P><P>I have tested the following DUAL signature tonight:</P><P></P><P>AlarmInterval 60</P><P>AlarmThrottle FireAll</P><P>ChokeThreshold ANY </P><P>Mask ACK</P><P>MinHits 3</P><P>SigName 3 telnet login failures between 2 hosts in less than 60 seconds.</P><P>SinglePacketRegex [Ll]ogin incorrect</P><P>SrcPort 23</P><P>StorageKey DUAL</P><P>TcpFlags ACK</P><P></P><P>Note that when using SigWizMenu, you can either put the value ANY for ChokeThreshold, or choose to 'delete' its value.</P><P></P><P>The AlarmInterval value is the number of seconds it will count for login failures.</P><P>If the count reaches MinHits, the alarm will be fired. Change this value if you want to count for a longer or shorter time for failures.</P><P></P><P>You may want to make 3 separate signatures, one DUAL as above, and</P><P>the others StorageKey SRC and StorageKey DST if you want to experiment with the different counting techniques.</P><P></P><P>Your STRING.TCP signature was close, but needed a RegexString of</P><P>[Ll]ogin incorrect and Direction FromService (because the match happens on the server's failure response.</P><P></P><P>You also may want to check the "Login incorrect" response on the servers you</P><P>are protecting and make sure it doesn't use a different response string.</P><P></P><P>Let us know how it goes,</P><P>-JK</P></BODY></HTML> Fri, 12 Apr 2002 05:19:11 GMT https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13989#M6915 jakasper 2002-04-12T05:19:11Z https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13990#M6916 <HTML><HEAD></HEAD><BODY><P>Thank you very much for your clear explanations the difference between STRING.TCP engine and ATOMIC.TCP engine. It helps me a lot.</P><P></P><P>But I don'nt know if there is any difference between the version of the Sensor that I and you are using.</P><P></P><P>When I created a new custom signature belonging to ATOMIC.TCP engine, there were no parameters: StorageKey, RegexString and SourcePort. I am using Sensor 4210 ver 3.0(1)S4 and Unix Director 2.2.3.</P><P></P><P>Using the nrConfigure, there is a place for me to add a new RegexString. I added a new RegexString with some parameters as Mr Jakasper directed:</P><P>-String: [Ll]ogin incorrect</P><P>-Occurrences:3</P><P>-Port: 23</P><P>-Direction: To &amp;From</P><P></P><P>Then when I tried to telnet to a machine with 3 times failure, I found an alarm in the log file in Sensor indicating this event.</P><P></P><P>I wonder why a signature in the ATOMIC.TCP does not has the parameter specifying ServicePorts?</P><P></P><P>Besides that there is no place for me to tell a particular RegexString just fires on a specific machine, not all in the protected network.</P><P></P><P></P></BODY></HTML> Fri, 12 Apr 2002 09:14:07 GMT https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13990#M6916 thanhlv 2002-04-12T09:14:07Z https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13991#M6917 <HTML><HEAD></HEAD><BODY><P>Your sensor version is the first 3.0 release. You will need to update to</P><P>get the latest signatures and get the enhancements to ATOMIC.TCP</P><P>which include the SinglePacketRegex parameter.</P><P></P><P>Typically, you will want to watch for the notification about the Signature Update and Service Pack releases because the new signature sets will give you better intrusion coverage and the service packs fix bugs and give you new features.</P><P></P><P>The "string match" signature for this is good, but it does not count the failed</P><P>logins across different connections.</P><P></P><P>Good luck,</P><P>-JK</P></BODY></HTML> Fri, 12 Apr 2002 13:46:24 GMT https://community.cisco.com/t5/network-access-control/custom-signature-to-detect-telnet-authentication-failure/m-p/13991#M6917 jakasper 2002-04-12T13:46:24Z