12-01-2005 02:17 PM - edited 03-10-2019 01:47 AM
Hi.
Does anyone know a simple example of how to configure and test the custom signature feature of IDS MC on IOS IPS devices?
I searched for it and found an example for a Sensor device about configuring an alarm when telnet is detected, but I couldn't do it on an IOS IPS device because the parameters are not the same.
Thanks.
12-01-2005 02:43 PM
What traffic are you trying to make a custom signature for?
12-01-2005 02:50 PM
Hi.
I would like to test with telnet traffic, just to generate an alarm if someone is trying to access the device via telnet.
Or any custom signature that I can test easily.
Thanks.
12-10-2005 01:11 AM
Just create a custom signature (TCP Packet Signature) for the Telnet port and select the regex string as something you want (you can make it as simple as '974312magr') and enable it.
Then telnet to that machine and, at the user logon prompt, type the above value.
Hope this helps.
Cheers,
Rajesh
12-12-2005 03:13 PM
Hi.
I tried your advice, but it doesn't work. The signature that I created is:
Signature Type
----------------------------------------
Signature Type: ATOMIC.TCP
Signature Identification
----------------------------------------
Signature Name: Telnet test
Alert Notes:
User Notes:
Engine-Specific Parameters
----------------------------------------
TCP Packet Regular Expression: test
Source Port:
Range of Source Ports:
Destination Port: 23
Range of Destination Ports:
TCP URG Flag: x
TCP ACK Flag: x
TCP PSH Flag: x
TCP RST Flag: x
TCP SYN Flag: x
TCP FIN Flag: x
Alert Response
----------------------------------------
Enable: true
Severity of the Alert: High
Selected: true
Action to Take in Response: Alarm,Drop
Alert Behavior
----------------------------------------
Alert Behavior: Default
I deployed the configuration to the device. The signature appears on my IOS IPS device. I telnetted to the IPS interface, typed test as the username and password, and the connection was not blocked. I logged in to the device, typed test again, and nothing happened. After that, I tried to telnet to another interface passing by the IOS IPS interface.
Do you know why, or do you have another idea?
Thanks.
12-16-2005 01:28 AM
IOS IPS works on traffic that is flowing THROUGH the router and not on traffic that is flowing TO or FROM the router.
You should try to telnet to a device on the other side of the router instead of the router interface. Also, an interface passing by the IOS IPS interface is not enough, since IOS IPS does not work like an IDS sniffing traffic on the LAN segment. The traffic has to flow through the router.
12-16-2005 03:09 PM
Hi.
I used the String.tcp engine. I tested passing through the IOS IPS device, and it was successful.
Thanks.
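Added example, not part of the thread and not Cisco code: a small Python model of the difference between a regex applied to each TCP packet on its own (as in the ATOMIC.TCP signature posted above) and a regex applied to the reassembled stream (as in the String.tcp engine used in the last post). It assumes the telnet client sends one keystroke per TCP segment, which the thread does not state; the function and class names are hypothetical and the sample segments are constructed.

```python
import re

PATTERN = re.compile(rb"test")  # regex from the signature posted in the thread
TELNET_PORT = 23                # destination port from the same signature

# Constructed sample: (dst_port, payload) per client-to-server TCP segment.
# Assumption: character-mode telnet, one keystroke per segment.
KEYSTROKES = [(TELNET_PORT, bytes([b])) for b in b"test\r\n"]
# The same bytes carried in a single segment (for example pasted input).
ONE_SEGMENT = [(TELNET_PORT, b"test\r\n")]


def per_packet_match(segments, pattern=PATTERN, port=TELNET_PORT):
    """Atomic-style check: the regex sees each segment in isolation."""
    return any(p == port and pattern.search(data) is not None
               for p, data in segments)


class StreamMatcher:
    """String-style check: the regex sees bytes accumulated across segments."""

    def __init__(self, pattern=PATTERN, port=TELNET_PORT, window=256):
        self.pattern = pattern
        self.port = port
        self.window = window  # bound the buffer so memory use stays fixed
        self.buf = b""

    def feed(self, dst_port, data):
        if dst_port != self.port:
            return False
        # Keep only the most recent bytes; enough for short literal patterns.
        self.buf = (self.buf + data)[-self.window:]
        return self.pattern.search(self.buf) is not None


def stream_match(segments):
    """Feed one flow's segments in order and report whether the regex fired."""
    matcher = StreamMatcher()
    return any(matcher.feed(p, d) for p, d in segments)


if __name__ == "__main__":
    print("keystrokes, per packet:", per_packet_match(KEYSTROKES))
    print("keystrokes, stream:    ", stream_match(KEYSTROKES))
    print("one segment, per packet:", per_packet_match(ONE_SEGMENT))
```

When testing a signature with typed input, a capture of the session shows whether the string ever arrives in a single segment, which tells you which kind of engine can see it.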