01-03-2005 08:59 AM - edited 03-10-2019 01:13 AM
Dear All,
I am testing a custom signature on a Cisco 4230 running Version 4.1(4)S91.
I am seeing alerts on the IEV but not getting any connection resets.
Signature config output:
IDS-1# sh configuration | include SIGID 20000
signatures SIGID 20000 SubSig 0
IDS-1# sh configuration | begin SIGID 20000
signatures SIGID 20000 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
EventAction log|reset
RegexString
testattack
ServicePorts 23
Debug IP Packet Detail on the routers are also not showing
any RST flags being sent from the IDS sniffing interface.
Any pointers or comments would be highly appreciated.
Regards,
Zahid
01-03-2005 02:17 PM
RSTs will be sent out the sniffing interface, with the MAC/IP address of the intended victim, so if the switch has been set up with a SPAN port you have to make sure of two things:
# Disable learning on the SPAN port, since the Sensor is going to spoof the source IP and MAC address of the destination of the original packet, so the switch has to allow this through.
# Allow input on the SPAN port so the switch will accept the RST packet, since normally they are only one way.
* set span
or on an IOS switch (2950, 3550, etc), do:
* monitor session 1 source vlan 40 rx
* monitor session 1 destination int fa0/5 ingress vlan 40
01-04-2005 02:24 AM
Hi,
Thanks for the explanation.
Just to rule out any issues with SPAN, I have terminated both the IDS sniffing and the router interface on a hub.
Is there an IDS command that I can use to see if it has sent out a RST for a particular signature?
Regards,
Zahid
01-04-2005 03:31 PM
From the CLI of the sensor, do a "sho event", this will show all new events as the sensor detects them (CTRL-C to exit when you're done). When it detects your custom signature you should see something like the following (obviously the sig and IP address parameters will be different):
evAlert: eventId=1049973625558217119 severity=high
originator:
hostId: 4230-2
appName: sensorApp
appInstanceId: 1096
time: 2005/01/05 09:38:25 2005/01/05 09:48:25 AEST
interfaceGroup: 0
vlan: 0
signature: sigId=3338 sigName=Windows LSASS RPC Overflow subSigId=0 version=S91 LSASS RPC Overflow over SMB
participants:
attack:
attacker: proxy=false
addr: locality=IN 10.67.44.203
port: 9403
victim:
addr: locality=IN 10.67.20.20
port: 445
actions:
tcpResetSent: true
alertDetails: Traffic Source: int0 ;
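Parsing that "sho event" output to flag alerts that fired without a reset, as an added example that is not part of the original thread. The second alert record, the indentation and the sample values are constructed here, and treating a missing tcpResetSent line as "no reset sent" is an assumption about the format.

```python
import re

# Constructed sample: the first record is the alert quoted above (indented); the second
# is a made-up alert for custom SIGID 20000 that carries no actions/tcpResetSent line.
SAMPLE_OUTPUT = """\
evAlert: eventId=1049973625558217119 severity=high
  signature: sigId=3338 sigName=Windows LSASS RPC Overflow subSigId=0 version=S91 LSASS RPC Overflow over SMB
  participants:
    attack:
      victim:
        addr: locality=IN 10.67.20.20
        port: 445
  actions:
    tcpResetSent: true
  alertDetails: Traffic Source: int0 ;
evAlert: eventId=1049973625558217120 severity=high
  signature: sigId=20000 sigName=testattack subSigId=0 version=custom
  participants:
    attack:
      victim:
        addr: locality=IN 10.67.20.20
        port: 23
  alertDetails: Traffic Source: int0 ;
"""

EVENT_RE = re.compile(r"eventId=(\d+)")
SIG_RE = re.compile(r"sigId=(\d+) sigName=(.*?) subSigId=(\d+)")
VICTIM_RE = re.compile(r"victim:\s+addr: locality=\w+ (\S+)\s+port: (\d+)")
RESET_RE = re.compile(r"tcpResetSent: (true|false)")

def parse_events(text):
    """Split 'show events' output into one dict per evAlert record."""
    events = []
    for block in re.split(r"^(?=evAlert:)", text, flags=re.MULTILINE):
        if not block.startswith("evAlert:"):
            continue
        sig, victim, reset = SIG_RE.search(block), VICTIM_RE.search(block), RESET_RE.search(block)
        events.append({
            "eventId": EVENT_RE.search(block).group(1),
            "sigId": int(sig.group(1)) if sig else None,
            "victim": (victim.group(1), int(victim.group(2))) if victim else None,
            # Assumption: no tcpResetSent line means the sensor recorded no reset.
            "tcpResetSent": bool(reset and reset.group(1) == "true"),
        })
    return events

def alerts_without_reset(text, sig_id):
    """eventIds of alerts for sig_id that fired without tcpResetSent: true."""
    return [e["eventId"] for e in parse_events(text)
            if e["sigId"] == sig_id and not e["tcpResetSent"]]
```

Running alerts_without_reset over a captured "sho event" session with the custom SIGID separates "signature never fired" from "signature fired but the sensor did not record a reset", which is the distinction the thread is trying to make.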
01-05-2005 02:09 PM
Hi,
One more question.
Will I need a third interface on the IDS for TCP RST to work?
The IDS (Cisco 4230) that I am working on has only two interfaces, one command and control and one sniffing interface.
Thanks.
Zahid