topic Re: Cisco IDS-4230 - TCP Reset Problem in Network Security

Cisco IDS-4230 - TCP Reset Problem

zahid.hassan — Sun, 10 Mar 2019 09:13:09 GMT

Dear All,

I am testing a custom signature on Cisco a 4230 running Version 4.1(4)S91.

I am seeing alerts on the IEV but not getting any connection resets.

Signature config output:

IDS-1# sh configuration | include SIGID 20000

signatures SIGID 20000 SubSig 0

IDS-1# sh configuration | begin SIGID 20000

signatures SIGID 20000 SubSig 0

AlarmSeverity high

AlarmThrottle FireAll

EventAction log|reset

RegexString

testattack

ServicePorts 23

Debug IP Packet Detail on the routers are also not showing

any RST flags being sent from the IDS sniffing interface.

Any pointers or comments would be highly appreciated.

Regards,

Zahid

Re: Cisco IDS-4230 - TCP Reset Problem

gfullage — Mon, 03 Jan 2005 22:17:22 GMT

RST's will be sent out the sniffing interface, with the MAC/IP address of the intended victim, so if the switch has been set up with a SPAN port you have to make sure of two things:

# Disable learning on the SPAN port, since the Sensor is going to spoof the source IP and MAC address of the destination of the original packet, so the switch has to allow this through.

# Allow input on the SPAN port so the switch will accept the RST packet, since normally they are only one way.

* set span | learning disable inpkts enable

or on an IOS switch (2950, 3550, etc), do:

* monitor session 1 source vlan 40 rx

* monitor session 1 destination int fa0/5 ingress vlan 40

Re: Cisco IDS-4230 - TCP Reset Problem

zahid.hassan — Tue, 04 Jan 2005 10:24:53 GMT

Hi,

Thanks for the explaination.

Just to rule out any issues with SPAN, I have terminated both the IDS sniffing and the router interface on a hub.

Is there an IDS command that I use to see

if the it has sent out a RST for a particulater signature ?

Regards,

Zahid

Re: Cisco IDS-4230 - TCP Reset Problem

gfullage — Tue, 04 Jan 2005 23:31:31 GMT

From the CLI of the sensor, do a "sho event", this will show all new events as the sensor detects them (CTRL-C to exit when you're done). When it detects your custom signature you should see something like the following (obviously the sig and IP address parameters will be different):

evAlert: eventId=1049973625558217119 severity=high

originator:

hostId: 4230-2

appName: sensorApp

appInstanceId: 1096

time: 2005/01/05 09:38:25 2005/01/05 09:48:25 AEST

interfaceGroup: 0

vlan: 0

signature: sigId=3338 sigName=Windows LSASS RPC Overflow subSigId=0 version=S91 LSASS RPC Overflow over SMB

participants:

attack:

attacker: proxy=false

addr: locality=IN 10.67.44.203

port: 9403

victim:

addr: locality=IN 10.67.20.20

port: 445

actions:

tcpResetSent: true

alertDetails: Traffic Source: int0 ;

Re: Cisco IDS-4230 - TCP Reset Problem

zahid.hassan — Wed, 05 Jan 2005 22:09:10 GMT

Hi,

One more question.

Will need a third interface on the IDS for TCP RST to work ?

The IDS (Cisco 4230) that I am working on has only two interfces, one command and control and a sniffing interface ?

Thanks.

Zahid