Event filter question Nachi Worm ICMP Echo Request (2156)

5creedus
Level 1

The intent is to only see this alert when the source is my IP space. Is it possible to create 2 separate event filters for this sig? I'd like one to filter events when my IP space is the destination, and the other to allow alerts when my IP space is the source. Would they need to be in some order like access lists, i.e. allow specific icmp then deny other icmp?


marcabal
Cisco Employee

Yes this is possible.

In version 4.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination, and set Exception to True for that filter.

Then create a second filter to match SIGID 2156 and leave the address fields defaulted so that all addresses will be matched, and leave Exception as the default False.

The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.

The second will prevent the signature 2156 from firing on any other address combinations like:

Source IN and Destination IN

Source OUT and Destination IN

Source OUT and Destination OUT

(Note: You asked that no alarms be generated for Destination IN, but also assume you don't want alarms for source OUT and destination OUT either)

NOTE: In version 4.x the order of the 2 filters is unimportant. The Exclusion TRUE filter will always override all Exclusion FALSE filters so the Exclusion TRUE filter will always cause the signature to fire.

In version 5.x the ordering of the filters is important.

In version 5.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination, leave the Actions to Subtract field blank (so no actions are removed) and set Stop On Match to True for that filter.

Then create a second filter to match SIGID 2156 and leave the address fields defaulted so that all addresses will be matched, and select ALL Actions in the Actions To Subtract field.

The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.

This is because that first filter will be matched and no actions will be removed (like produceAlert). The Stop On Match being True will prevent the checking of the next filter.

The second will prevent the signature 2156 from firing on any other address combinations like:

Source IN and Destination IN

Source OUT and Destination IN

Source OUT and Destination OUT

(Note: You asked that no alarms be generated for Destination IN, but also assume you don't want alarms for source OUT and destination OUT either)

NOTE: In version 5.x the order of the 2 filters is important. The sensor will start at the top of the filter list. If that filter matches it will remove the actions in the Actions To Subtract field and then check the Stop On Match field.

If Stop On Match is true then it stops processing the rest of the filter lines.

But if Stop On Match is false then it will continue processing the rest of the filter lines.

If the second filter had come first then it would have been matched even on the Source IN Destination OUT alerts and would have removed all actions and prevented the sig from firing. So the ordering is important.

Also be aware that if Stop On Match was accidentally set to false on the first filter, then the sensor would have continued and also matched the second filter and would have removed all actions because of the second filter.
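To make the ordering and Stop On Match behaviour described in this reply concrete, here is a small Python model of both evaluation schemes. It is an added illustration, not code from the thread or from Cisco; the sensor has no scripting API like this. It assumes a hypothetical $IN of 10.0.0.0/8, an illustrative action set, and constructed sample source/destination pairs. The 5.x model walks an ordered list, subtracting actions on each match and honouring Stop On Match; the 4.x model treats Exception=True as overriding every Exception=False match regardless of order. It also runs the two misconfigurations the reply warns about (filters reversed, Stop On Match left False) so you can see exactly why the IN-to-OUT alert disappears.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical "$IN" variable: the address space the poster owns (constructed).
# Any address outside these networks counts as "$OUT".
IN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Illustrative set of actions a signature carries before filters run.
ALL_ACTIONS = frozenset({"produceAlert", "produceVerboseAlert", "log"})

NACHI_SIG = 2156  # Nachi Worm ICMP Echo Request, the signature from the thread


def is_in(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IN_NETWORKS)


def addr_matches(spec: Optional[str], ip: str) -> bool:
    """None means the field was left defaulted (any address)."""
    if spec is None:
        return True
    if spec == "$IN":
        return is_in(ip)
    if spec == "$OUT":
        return not is_in(ip)
    raise ValueError(f"unknown address spec {spec!r}")


def filter_matches(f, sig_id: int, src_ip: str, dst_ip: str) -> bool:
    return (sig_id == f.sig_id
            and addr_matches(f.src, src_ip)
            and addr_matches(f.dst, dst_ip))


@dataclass(frozen=True)
class Filter5:
    """One line of a 5.x event action filter list (model, not the sensor's API)."""
    sig_id: int
    src: Optional[str] = None
    dst: Optional[str] = None
    actions_to_subtract: frozenset = frozenset()
    stop_on_match: bool = False


def evaluate_5x(filters, sig_id, src_ip, dst_ip) -> frozenset:
    """5.x: walk the list top to bottom, subtract actions, stop when told to."""
    remaining = set(ALL_ACTIONS)
    for f in filters:
        if filter_matches(f, sig_id, src_ip, dst_ip):
            remaining -= f.actions_to_subtract
            if f.stop_on_match:
                break  # later lines are never consulted
    return frozenset(remaining)


def fires_5x(filters, sig_id, src_ip, dst_ip) -> bool:
    return "produceAlert" in evaluate_5x(filters, sig_id, src_ip, dst_ip)


@dataclass(frozen=True)
class Filter4:
    """A 4.x filter: Exception=True overrides Exception=False, order irrelevant."""
    sig_id: int
    src: Optional[str] = None
    dst: Optional[str] = None
    exception: bool = False


def fires_4x(filters, sig_id, src_ip, dst_ip) -> bool:
    hits = [f for f in filters if filter_matches(f, sig_id, src_ip, dst_ip)]
    if any(f.exception for f in hits):
        return True   # an Exception TRUE match always lets the signature fire
    return not hits   # any Exception FALSE match (and no exception) suppresses it


# The 5.x two-line configuration from the reply, in the order it must be entered.
CORRECT_5X = [
    Filter5(NACHI_SIG, "$IN", "$OUT", frozenset(), stop_on_match=True),
    Filter5(NACHI_SIG, None, None, ALL_ACTIONS),
]
# The two mistakes the reply warns about.
WRONG_ORDER_5X = list(reversed(CORRECT_5X))
MISSING_STOP_5X = [
    Filter5(NACHI_SIG, "$IN", "$OUT", frozenset(), stop_on_match=False),
    CORRECT_5X[1],
]
# The 4.x configuration, deliberately entered "backwards" to show order is moot.
CONFIG_4X = [
    Filter4(NACHI_SIG, None, None, exception=False),
    Filter4(NACHI_SIG, "$IN", "$OUT", exception=True),
]

# Constructed traffic samples: (label, source, destination).
SAMPLES = [
    ("IN -> OUT", "10.1.2.3", "192.0.2.10"),
    ("IN -> IN", "10.1.2.3", "10.9.9.9"),
    ("OUT -> IN", "192.0.2.10", "10.1.2.3"),
    ("OUT -> OUT", "192.0.2.10", "198.51.100.7"),
]

if __name__ == "__main__":
    for label, s, d in SAMPLES:
        print(f"{label:10} 5.x={fires_5x(CORRECT_5X, NACHI_SIG, s, d)!s:5} "
              f"reversed={fires_5x(WRONG_ORDER_5X, NACHI_SIG, s, d)!s:5} "
              f"noStop={fires_5x(MISSING_STOP_5X, NACHI_SIG, s, d)!s:5} "
              f"4.x={fires_4x(CONFIG_4X, NACHI_SIG, s, d)}")
```

Running it prints one row per sample: only "IN -> OUT" fires under the correct 5.x list and under 4.x, while both the reversed list and the missing Stop On Match leave every row suppressed, because the all-addresses line is reached and strips produceAlert. Signatures other than 2156 pass through untouched, which is the check worth keeping in mind when adding blanket filters.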

Thanks, especially the part about order for ver 4 vs ver 5. Yes your assumption is correct about no alarms.
