Custom signature example in IOS IPS devices.

974312magr
Level 1

Hi.

Does anyone know a simple example for configuring and testing the custom signature feature of IDS MC on IOS IPS devices?

I searched for it and found an example for a Sensor device that configures an alarm when telnet is detected, but I couldn't do it on an IOS IPS device because the parameters are not the same.

Thanks.


jwalker
Level 3

What traffic are you trying to make a custom signature for?

Hi.

I would like to test with telnet traffic, just to generate an alarm if someone is trying to access the device via telnet.

Or any custom signature that I can test easily.

Thanks.

Just create a custom signature (TCP Packet Signature) for the Telnet port and set the regex string to something you want (you can make it as simple as '974312magr') and enable it.

Then telnet to that machine, on the user logon prompt type the above value.

Hope this helps.

Cheers,

Rajesh

Hi.

I tried your advice, but it doesn't work. The signature that I created is:

Signature Type
----------------------------------------
Signature Type: ATOMIC.TCP

Signature Identification
----------------------------------------
Signature Name: Telnet test
Alert Notes:
User Notes:

Engine-Specific Parameters
----------------------------------------
TCP Packet Regular Expression: test
Source Port:
Range of Source Ports:
Destination Port: 23
Range of Destination Ports:
TCP URG Flag: x
TCP ACK Flag: x
TCP PSH Flag: x
TCP RST Flag: x
TCP SYN Flag: x
TCP FIN Flag: x

Alert Response
----------------------------------------
Enable: true
Severity of the Alert: High
Selected: true
Action to Take in Response: Alarm,Drop

Alert Behavior
----------------------------------------
Alert Behavior: Default

I deployed the configuration to the device. The signature appears on my IOS IPS device. I telnetted to the IPS interface and typed "test" as the username and password, and the connection was not blocked. I logged in to the device, typed "test" again, and nothing happened. After that, I tried telnetting to another interface, passing through the IOS IPS interface.

Do you know why, or do you have another idea?

Thanks.

IOS IPS works on traffic that is flowing THROUGH the router and not on traffic that is flowing TO or FROM the router.

You should try to telnet to a device across on the other side of the router instead of the router interface. Also an interface passing by the IOS IPS interface is not enough since IOS IPS does not work like an IDS sniffing traffic on the LAN segment. The traffic has to flow through the router.

Hi.

I used the String.tcp engine. I tested with traffic passing through the IOS IPS device, and it was successful.

Thanks.
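The accepted answer's point, as an added example (not Cisco's code or anything from this thread): a small model of the "Telnet test" signature above, evaluated only against transit packets, so a connection addressed to a router interface is never inspected regardless of its contents. Router addresses, packets and the reading of flag value "x" as "don't care" are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed router interface addresses (assumption, not from the thread).
ROUTER_INTERFACES = {"192.0.2.1", "198.51.100.1"}

@dataclass
class TcpPacket:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: set = field(default_factory=set)   # e.g. {"ACK", "PSH"}
    payload: bytes = b""

@dataclass
class AtomicTcpSig:
    """Per-packet TCP signature as listed in the IDS MC form above."""
    name: str
    regex: str
    dport: Optional[int] = None
    sport: Optional[int] = None
    # "x" from the form is treated as "don't care" (assumption);
    # True/False would require the flag to be set/clear.
    flags: dict = field(default_factory=dict)

def is_transit(pkt, router_ips=ROUTER_INTERFACES):
    """IOS IPS inspects only traffic forwarded THROUGH the router,
    not packets sourced by or addressed to one of its interfaces."""
    return pkt.src_ip not in router_ips and pkt.dst_ip not in router_ips

def matches(sig, pkt):
    """ATOMIC.TCP looks at one segment at a time: ports, flags, regex."""
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    if sig.sport is not None and pkt.sport != sig.sport:
        return False
    for flag, want in sig.flags.items():
        if want != "x" and (flag in pkt.flags) != bool(want):
            return False
    return re.search(sig.regex.encode(), pkt.payload) is not None

def evaluate(sig, pkt, router_ips=ROUTER_INTERFACES):
    """Return 'not-inspected', 'alarm' or 'no-match' for one packet."""
    if not is_transit(pkt, router_ips):
        return "not-inspected"
    return "alarm" if matches(sig, pkt) else "no-match"

# The signature from the thread: dest port 23, regex "test", all flags "x".
TELNET_TEST = AtomicTcpSig("Telnet test", regex="test", dport=23,
    flags={f: "x" for f in ("URG", "ACK", "PSH", "RST", "SYN", "FIN")})
```

A telnet to 192.0.2.1 carrying "test" returns "not-inspected", which is exactly the first test in the thread; the same payload to a host behind the router returns "alarm".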
