cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1303
Views
0
Helpful
6
Replies

Failed Telnet cannot monitor in IPS

ericohermoso
Level 1
Level 1

Hello,

I just created a new and simple  signature. signature 60002 for failed telnet. My setup is Promiscous mode .

signature 60002

engine string-tcp

service-ports 23

direction from-service

regex-string % Bad passwords

alert-frequency fire-all

Did I miss something here? There is no events generated in my IPS

thank you.

6 Replies 6

mkodali
Cisco Employee
Cisco Employee

Did you check the built in sig 6251 subsig 0 on the sensor for this particular purpose. I know this signature works.

=======================

qsensor-204# conf t

qsensor-204(config)# ser sig sig0

qsensor-204(config-sig)# si 6251 0

qsensor-204(config-sig-sig)# sh set

  

   sig-id: 6251

   subsig-id: 0

     engine

      -----------------------------------------------

         string-tcp

            -----------------------------------------------

            regex-string: [Ll]ogin[ ]incorrect

            service-ports: 23-23

            direction: from-service

==============

Have not tried the regex you have suggested in the question though.

thx

Madhu

Hello,

This signature is enabled by default so in my opinion, once there is a failed telnet then automatically IPS will generate an events. I checked it again but there is no events generated.

thank you.

Yes it is enabled by default and fires on 3rd attempt of failed logins. If you can provide a pcap of the traffic that you are passing to generate this traffic we can analyze the reason for false negative. Also if you can let us know the sensor model and the software version that would help.

thx

Madhu

Hello,

Sensor model is  IPS4270

version : 7.0(2)E3

Promiscous mode.

Switch type : 3750

thank you

  I had a 4270 running 7.0(2)E3 version sniffing traffic in both promiscuous and inline modes and I could see the below sig fire :

-------

evIdsAlert: eventId=1292419721230871357 severity=informational vendor=Cisco
  originator:
    hostId: qsensor-8094
    appName: sensorApp
    appInstanceId: 460
  time: 2010/12/15 15:19:09 2010/12/15 15:19:09 UTC
  signature: description=Telnet Authorization Failure id=6251 created=20010202 type=anomaly version=S2
    subsigId: 0
    sigDetails: Failed Telnet Attempts
    marsCategory: Penetrate/GuessPassword/System/Non-root
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.20.2.2
      port: 32770
    target:
      addr: locality=OUT 10.20.2.3
      port: 23
      os: idSource=learned relevance=relevant type=linux
  context:
    fromTarget:
000000  FF FD 18 FF FD 20 FF FD  23 FF FD 27 FF FB 03 FF  ..... ..#..'....
000010  FD 1F FF FD 21 FF FE 22  FF FB 05 FF FA 20 01 FF  ....!.."..... ..
000020  F0 FF FA 27 01 FF F0 FF  FA 18 01 FF F0 FF FD 01  ...'............
000030  FF FB 01 52 65 64 20 48  61 74 20 4C 69 6E 75 78  ...Red Hat Linux
000040  20 72 65 6C 65 61 73 65  20 39 20 28 53 68 72 69   release 9 (Shri
000050  6B 65 29 0D 0A 4B 65 72  6E 65 6C 20 32 2E 34 2E  ke)..Kernel 2.4.
000060  32 30 2D 38 20 6F 6E 20  61 6E 20 69 36 38 36 0D  20-8 on an i686.
000070  0A 6C 6F 67 69 6E 3A 20  75 73 65 72 31 0D 0A 50  .login: user1..P
000080  61 73 73 77 6F 72 64 3A  20 0D 0A 4C 6F 67 69 6E  assword: ..Login
000090  20 69 6E 63 6F 72 72 65  63 74 0D 0A 0D 0A 6C 6F   incorrect....lo
0000A0  67 69 6E 3A 20 75 73 65  72 31 0D 0A 50 61 73 73  gin: user1..Pass
0000B0  77 6F 72 64 3A 20 0D 0A  4C 6F 67 69 6E 20 69 6E  word: ..Login in
0000C0  63 6F 72 72 65 63 74 0D  0A 0D 0A 6C 6F 67 69 6E  correct....login
0000D0  3A 20 75 73 65 72 31 0D  0A 50 61 73 73 77 6F 72  : user1..Passwor
0000E0  64 3A 20 0D 0A 4C 6F 67  69 6E 20 69 6E 63 6F 72  d: ..Login incor
0000F0  72 65 63 74                                       rect
    fromAttacker:
000000  FF FD 03 FF FB 18 FF FB  1F FF FB 20 FF FB 21 FF  ........... ..!.
000010  FB 22 FF FB 27 FF FD 05  FF FC 23 FF FA 1F 00 50  ."..'.....#....P
000020  00 18 FF F0 FF FA 20 00  39 36 30 30 2C 39 36 30  ...... .9600,960
000030  30 FF F0 FF FA 27 00 FF  F0 FF FA 18 00 56 54 31  0....'.......VT1
000040  30 30 FF F0 FF FC 01 FF  FD 01 75 73 65 72 31 0D  00........user1.
000050  00 61 64 66 61 64 66 0D  00 75 73 65 72 31 0D 00  .adfadf..user1..
000060  61 64 66 61 64 66 0D 00  75 73 65 72 31 0D 00 61  adfadf..user1..a
000070  64 66 66 0D 00                                    dff..
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
  threatRatingValue: 35
  interface: ge3_1
  protocol: tcp

---------

The trigger traffic is shown below :

--------

[root@qaips-attacker root]# telnet 10.20.2.3
Trying 10.20.2.3...
Connected to 10.20.2.3.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-8 on an i686
login: user1
Password:
Login incorrect

login: user1
Password:
Login incorrect

login: user1
Password:
Login incorrect

--------------

I think we have to look at the traffic capture that sensor is inspecting, to debug this further.

thx

Madhu

Hello,

Thanks for the reply,

Just check in using inline mode and make a new signature for string tcp. I can get events. But when i change to promiscous mode i cannot get any events. Anyway I will check again the signature 6251.

thank you.

Review Cisco Networking for a $25 gift card