topic Re: Failed Telnet cannot monitor in IPS in Network Security

Failed Telnet cannot monitor in IPS

ericohermoso — Sun, 10 Mar 2019 12:12:32 GMT

Hello,

I just created a new and simple signature. signature 60002 for failed telnet. My setup is Promiscous mode .

signature 60002

engine string-tcp

service-ports 23

direction from-service

regex-string % Bad passwords

alert-frequency fire-all

Did I miss something here? There is no events generated in my IPS

thank you.

Re: Failed Telnet cannot monitor in IPS

mkodali — Mon, 13 Dec 2010 19:30:39 GMT

Did you check the built in sig 6251 subsig 0 on the sensor for this particular purpose. I know this signature works.

=======================

qsensor-204# conf t

qsensor-204(config)# ser sig sig0

qsensor-204(config-sig)# si 6251 0

qsensor-204(config-sig-sig)# sh set

sig-id: 6251

subsig-id: 0

engine

-----------------------------------------------

string-tcp

-----------------------------------------------

regex-string: [Ll]ogin[ ]incorrect

service-ports: 23-23

direction: from-service

==============

Have not tried the regex you have suggested in the question though.

thx

Madhu

Re: Failed Telnet cannot monitor in IPS

ericohermoso — Tue, 14 Dec 2010 06:09:13 GMT

Hello,

This signature is enabled by default so in my opinion, once there is a failed telnet then automatically IPS will generate an events. I checked it again but there is no events generated.

thank you.

Re: Failed Telnet cannot monitor in IPS

mkodali — Wed, 15 Dec 2010 01:06:13 GMT

Yes it is enabled by default and fires on 3rd attempt of failed logins. If you can provide a pcap of the traffic that you are passing to generate this traffic we can analyze the reason for false negative. Also if you can let us know the sensor model and the software version that would help.

thx

Madhu

Re: Failed Telnet cannot monitor in IPS

ericohermoso — Wed, 15 Dec 2010 06:12:00 GMT

Hello,

Sensor model is IPS4270

version : 7.0(2)E3

Promiscous mode.

Switch type : 3750

thank you

Re: Failed Telnet cannot monitor in IPS

mkodali — Wed, 15 Dec 2010 20:10:38 GMT

I had a 4270 running 7.0(2)E3 version sniffing traffic in both promiscuous and inline modes and I could see the below sig fire :

-------

evIdsAlert: eventId=1292419721230871357 severity=informational vendor=Cisco
originator:
    hostId: qsensor-8094
    appName: sensorApp
    appInstanceId: 460
time: 2010/12/15 15:19:09 2010/12/15 15:19:09 UTC
signature: description=Telnet Authorization Failure id=6251 created=20010202 type=anomaly version=S2
    subsigId: 0
    sigDetails: Failed Telnet Attempts
    marsCategory: Penetrate/GuessPassword/System/Non-root
interfaceGroup: vs0
vlan: 0
participants:
    attacker:
      addr: locality=OUT 10.20.2.2
      port: 32770
    target:
      addr: locality=OUT 10.20.2.3
      port: 23
      os: idSource=learned relevance=relevant type=linux
context:
    fromTarget:
000000 FF FD 18 FF FD 20 FF FD 23 FF FD 27 FF FB 03 FF ..... ..#..'....
000010 FD 1F FF FD 21 FF FE 22 FF FB 05 FF FA 20 01 FF ....!.."..... ..
000020 F0 FF FA 27 01 FF F0 FF FA 18 01 FF F0 FF FD 01 ...'............
000030 FF FB 01 52 65 64 20 48 61 74 20 4C 69 6E 75 78 ...Red Hat Linux
000040 20 72 65 6C 65 61 73 65 20 39 20 28 53 68 72 69   release 9 (Shri
000050 6B 65 29 0D 0A 4B 65 72 6E 65 6C 20 32 2E 34 2E ke)..Kernel 2.4.
000060 32 30 2D 38 20 6F 6E 20 61 6E 20 69 36 38 36 0D 20-8 on an i686.
000070 0A 6C 6F 67 69 6E 3A 20 75 73 65 72 31 0D 0A 50 .login: user1..P
000080 61 73 73 77 6F 72 64 3A 20 0D 0A 4C 6F 67 69 6E assword: ..Login
000090 20 69 6E 63 6F 72 72 65 63 74 0D 0A 0D 0A 6C 6F   incorrect....lo
0000A0 67 69 6E 3A 20 75 73 65 72 31 0D 0A 50 61 73 73 gin: user1..Pass
0000B0 77 6F 72 64 3A 20 0D 0A 4C 6F 67 69 6E 20 69 6E word: ..Login in
0000C0 63 6F 72 72 65 63 74 0D 0A 0D 0A 6C 6F 67 69 6E correct....login
0000D0 3A 20 75 73 65 72 31 0D 0A 50 61 73 73 77 6F 72 : user1..Passwor
0000E0 64 3A 20 0D 0A 4C 6F 67 69 6E 20 69 6E 63 6F 72 d: ..Login incor
0000F0 72 65 63 74                                       rect
    fromAttacker:
000000 FF FD 03 FF FB 18 FF FB 1F FF FB 20 FF FB 21 FF ........... ..!.
000010 FB 22 FF FB 27 FF FD 05 FF FC 23 FF FA 1F 00 50 ."..'.....#....P
000020 00 18 FF F0 FF FA 20 00 39 36 30 30 2C 39 36 30 ...... .9600,960
000030 30 FF F0 FF FA 27 00 FF F0 FF FA 18 00 56 54 31 0....'.......VT1
000040 30 30 FF F0 FF FC 01 FF FD 01 75 73 65 72 31 0D 00........user1.
000050 00 61 64 66 61 64 66 0D 00 75 73 65 72 31 0D 00 .adfadf..user1..
000060 61 64 66 61 64 66 0D 00 75 73 65 72 31 0D 00 61 adfadf..user1..a
000070 64 66 66 0D 00                                    dff..
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
threatRatingValue: 35
interface: ge3_1
protocol: tcp

---------

The trigger traffic is shown below :

--------

[root@qaips-attacker root]# telnet 10.20.2.3
Trying 10.20.2.3...
Connected to 10.20.2.3.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-8 on an i686
login: user1
Password:
Login incorrect

--------------

I think we have to look at the traffic capture that sensor is inspecting, to debug this further.

thx

Madhu

Re: Failed Telnet cannot monitor in IPS

ericohermoso — Thu, 16 Dec 2010 08:33:05 GMT

Hello,

Thanks for the reply,

Just check in using inline mode and make a new signature for string tcp. I can get events. But when i change to promiscous mode i cannot get any events. Anyway I will check again the signature 6251.

thank you.