Custom Signature for Maximum Connections

Hi, is there any signature to check the maximum number of connections that an attacker host can open to a victim port? Or do I need to make a custom signature for that?


Custom Signature for Maximum Connections

Hi,

You are looking to stop concurrent connections, right?

There are definitely better solutions for this than an IPS signature; I would bet on the ASA or even something server side for this.

That said, perhaps you could use event-count with AxBx with an atomic-ip signature looking for SYN packets. This would only work if the connections happened to be within the designated time frame. The IPS is unable to hold state about every connection passing through it for a long period of time.

Hope this is helpful.

Regards,

Neil Archibald

IPS Signature Team


Custom Signature for Maximum Connections

Hi, thanks for the fast answer. The idea is to block the IP address of an attacker if it wants to open multiple connections to an IIS server on port 443 in a short period of time. I believed that the best way to do that is using a signature (or custom signature) on the IPS. Can you explain to me how to do that using the ASA? (if it's possible)

Thanks


Custom Signature for Maximum Connections

Hi,

You can definitely do that on the IPS. You would do this by making an atomic-ip signature looking for a TCP packet with only the SYN flag set to destination port 443. You would then add an event-count for the number of connections you need. Depending on the placement, however, this will flood the alarm channel with alerts, because outbound traffic etc. will trigger this. Also, obviously, this can be problematic with NAT.

I'm sure one of the ASA guys on these forums could give a much better answer than me as far as configuring the ASA.

From what I understand, IIS has Dynamic IP filtering or something that can be used for this, although I've never set that up myself.

Thanks

Neil


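As an added illustration of the approach in Neil's reply (example code written for this page, not code from the thread or from Cisco), the same detection logic in Python: count packets with only SYN set toward port 443, keyed per attacker/victim address pair the way an AxBx event-count key would be, within a sliding time window, with an optional protected-subnet filter that avoids the outbound-traffic false positives he warns about. The addresses, timestamps, threshold and window are constructed sample values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# TCP flag bits in the order of the flags byte (FIN is bit 0).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample packets: (time_s, src_ip, dst_ip, dst_port, flags).
# 10.0.0.5 is the protected IIS host; 203.0.113.9 opens 30 connections in
# 30 s, 198.51.100.2 opens three, 10.0.0.7 is an internal client browsing out.
SAMPLE_PACKETS = (
    [(t, "203.0.113.9", "10.0.0.5", 443, SYN) for t in range(30)]             # flood
    + [(t, "198.51.100.2", "10.0.0.5", 443, SYN) for t in (1, 5, 9)]          # normal
    + [(t, "10.0.0.5", "203.0.113.9", 443, SYN | ACK) for t in range(30)]     # replies
    + [(t, "10.0.0.7", "198.51.100.80", 443, SYN) for t in range(30)]         # outbound
)


def syn_only(flags):
    """True only when SYN is set and every other flag is clear (SYN-ACK excluded)."""
    return flags == SYN


def count_syns(packets, threshold=20, window=60, dport=443, victim_net=None):
    """Return one alert (key, time, count) per AxBx key (attacker addr, victim
    addr) whose SYN-only packets to dport within a sliding window reach
    threshold.  victim_net limits matching to connections toward protected
    hosts; without it, internal clients opening port 443 outbound fire too."""
    net = ip_network(victim_net) if victim_net else None
    recent = defaultdict(deque)   # key -> timestamps of SYNs inside the window
    fired = set()
    alerts = []
    for ts, src, dst, port, flags in sorted(packets, key=lambda p: p[0]):
        if port != dport or not syn_only(flags):
            continue
        if net is not None and ip_address(dst) not in net:
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # forget SYNs older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((key, ts, len(q)))
    return alerts


if __name__ == "__main__":
    print(count_syns(SAMPLE_PACKETS, victim_net="10.0.0.0/24"))
```

Without the protected-subnet filter the outbound client 10.0.0.7 raises a second alert, which is the placement problem the reply describes.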

Custom Signature for Maximum Connections

Hi, I did a test with a custom signature that checks the TCP SYN flag and it works like a charm...

Thanks for your help!!!
