cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1033
Views
0
Helpful
4
Replies

Custom Signature for Maximum Connections

fsanchez
Level 1
Level 1

Hi, is there any signature for check the maximum number of connection that an attacker host can open to an Victim port? or I need to make a costom signature for that?

1 Accepted Solution

Accepted Solutions

Hi,

You can definitly do that on the IPS, you would do this by making an atomic-ip signature looking for a tcp packet with only the SYN flag set to destination port 443. You would then add an event-count for the number of connections you need. Depending on the placement however this will flood the alarm channel with alerts, because outbound traffic etc will trigger this. Also obviously, this can be problematic with NAT.

I'm sure one of the ASA guys on these forums could give a much better answer than me as far as configuring the ASA.

From what i understand IIS has Dynamic IP filtering or something that can be used for this, although i've never set that up myself.

Thanks

Neil

View solution in original post

4 Replies 4

nearchib
Level 1
Level 1

Hi,

You are looking to stop concurrent connections, right?

There are definitly better solutions for this than an IPS signature, I would bet on the ASA or even something server side for this.

That said, perhaps you could use event-count with AxBx with an atomic-ip signature looking for SYN packets. This would only work if the connections happened to be within the designated time frame. The IPS is unable to hold state about every connection passing through it for a long period of time.

Hope this is helpful.

Regards,

Neil Archibald

IPS Signature Team

Hi, thanks for the fast answer, the idea is block the IP address of an attacker if it want to open multiple connections to an IIS on port 443 on a period of short time, I believed that the best way to do that is using a signature (or custom signature) on IPS. Can you explain me how do that using ASA? (if it´s posible)

Thanks

Hi,

You can definitly do that on the IPS, you would do this by making an atomic-ip signature looking for a tcp packet with only the SYN flag set to destination port 443. You would then add an event-count for the number of connections you need. Depending on the placement however this will flood the alarm channel with alerts, because outbound traffic etc will trigger this. Also obviously, this can be problematic with NAT.

I'm sure one of the ASA guys on these forums could give a much better answer than me as far as configuring the ASA.

From what i understand IIS has Dynamic IP filtering or something that can be used for this, although i've never set that up myself.

Thanks

Neil

Hi, I did a test with a custom signature that check TCP SYN Flag and work like a charm...

Thanks for your help!!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: