02-18-2013 07:01 AM - edited 03-10-2019 05:54 AM
Hi, is there any signature to check the maximum number of connections that an attacker host can open to a victim port? Or do I need to make a custom signature for that?
Solved! Go to Solution.
02-18-2013 01:46 PM
Hi,
You can definitely do that on the IPS. You would do this by making an atomic-ip signature looking for a TCP packet with only the SYN flag set to destination port 443. You would then add an event-count for the number of connections you need. Depending on the placement, however, this will flood the alarm channel with alerts, because outbound traffic etc. will trigger this. Also, obviously, this can be problematic with NAT.
I'm sure one of the ASA guys on these forums could give a much better answer than me as far as configuring the ASA.
From what I understand, IIS has Dynamic IP filtering or something that can be used for this, although I've never set that up myself.
Thanks
Neil
02-18-2013 12:01 PM
Hi,
You are looking to stop concurrent connections, right?
There are definitely better solutions for this than an IPS signature; I would bet on the ASA or even something server side for this.
That said, perhaps you could use event-count with AxBx with an atomic-ip signature looking for SYN packets. This would only work if the connections happened to be within the designated time frame. The IPS is unable to hold state about every connection passing through it for a long period of time.
Hope this is helpful.
Regards,
Neil Archibald
IPS Signature Team
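To make the mechanism in both of Neil's replies concrete (an atomic-ip match on "only SYN set, destination port 443", an event-count per attacker/victim pair, and the caveats that the count only works inside the alert interval, that outbound SYNs also match, and that NAT collapses many clients onto one address), here is an added toy model of that logic. It is example code written for this thread, not Cisco IPS code or configuration; the packet records and the RFC 5737 addresses are constructed for the demonstration.

```python
"""Toy model of an IPS 'N SYNs per attacker/victim pair' custom signature.

Constructed example, not Cisco code: counts TCP segments that have only
the SYN flag set and are destined for one port, keyed by (attacker,
victim) the way an AxBx summary key is, and fires once event_count SYNs
fall inside a sliding alert_interval window.
"""
from collections import defaultdict, deque

SYN = 0x02
ACK = 0x10


class SynCountSignature:
    def __init__(self, event_count=10, alert_interval=60.0, dst_port=443):
        self.event_count = event_count          # SYNs needed to fire
        self.alert_interval = alert_interval    # seconds of state kept per pair
        self.dst_port = dst_port
        # AxBx-style key: one window of SYN timestamps per (src, dst) pair
        self.windows = defaultdict(deque)

    def matches(self, pkt):
        """atomic-ip style match: TCP, only SYN set, destination port 443."""
        return (pkt["proto"] == "tcp"
                and pkt["flags"] == SYN
                and pkt["dport"] == self.dst_port)

    def observe(self, pkt):
        """Return True when this packet completes an event-count burst."""
        if not self.matches(pkt):
            return False
        win = self.windows[(pkt["src"], pkt["dst"])]
        win.append(pkt["ts"])
        # Forget SYNs older than the alert interval: the sensor does not
        # hold state about every connection indefinitely.
        while win and pkt["ts"] - win[0] > self.alert_interval:
            win.popleft()
        if len(win) >= self.event_count:
            win.clear()          # fire once, then start counting again
            return True
        return False


def run(packets, **kwargs):
    """Feed packets (sorted by ts) through one signature; return alerts."""
    sig = SynCountSignature(**kwargs)
    return [(p["ts"], p["src"]) for p in packets if sig.observe(p)]


def burst(src, dst, start, n, gap, flags=SYN, dport=443):
    """Build n constructed TCP packet records, one every `gap` seconds."""
    return [dict(ts=start + i * gap, src=src, dst=dst, proto="tcp",
                 flags=flags, dport=dport) for i in range(n)]


# Constructed traffic (RFC 5737 addresses, not real hosts).
VICTIM = "198.51.100.10"
PACKETS = sorted(
    burst("203.0.113.5", VICTIM, 0.0, 12, 0.1)      # 12 SYNs in 1.2 s -> fires
    + burst("203.0.113.6", VICTIM, 0.0, 12, 30.0)   # 12 SYNs over 6 min -> never
    + burst("203.0.113.7", VICTIM, 0.0, 10, 0.5)    # 10 NAT'd clients, one IP -> fires
    + burst(VICTIM, "203.0.113.5", 0.05, 12, 0.1,   # server's SYN/ACKs -> ignored
            flags=SYN | ACK, dport=51000)
    + burst(VICTIM, "192.0.2.20", 100.0, 12, 0.1),  # outbound SYNs to 443 -> fires
    key=lambda p: p["ts"])

if __name__ == "__main__":
    for ts, src in run(PACKETS):
        print(f"t={ts:6.2f}s  SYN burst from {src}")
```

The second source (one SYN every 30 s) never accumulates more than three SYNs inside the 60 s window, which is the limitation Neil describes: connections that are not within the designated time frame are simply not counted together. The third source fires even though it is ten separate clients sharing a NAT address, and the last burst fires on the server's own outbound SYNs, which is why the placement and direction of the sensor matter.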
02-18-2013 12:28 PM
Hi, thanks for the fast answer. The idea is to block the IP address of an attacker if it wants to open multiple connections to an IIS on port 443 in a short period of time. I believed that the best way to do that is using a signature (or custom signature) on the IPS. Can you explain to me how to do that using the ASA? (if it's possible)
Thanks
02-21-2013 07:56 AM
Hi, I did a test with a custom signature that checks the TCP SYN flag and it works like a charm...
Thanks for your help!!!