Generated some DoS attacks: no corresponding IDS event is generated

marina0211
Level 1

I installed and configured a Cisco IDS 4250 sensor.

Actually the sniffing interface has been placed on a LAN segment residing on the internal network, so, by monitoring IEV logs, I could see lots of events, but all belonging to a few categories of signatures, and almost all informational. That's why, in order to generate some more significant network activity to verify correct sensor behaviour, I placed my workstation running a vulnerability assessment tool (ISS Internet Scanner) on the outside VLAN (where the sniffing interface resides), and issued several common DoS attacks against one workstation residing on one of the inside VLANs.

Some examples of the attacks generated are: SYN flood, Ping of death, UDP bomb, Land, Teardrop. I also generated a lot of TCP scan activity. Using Internet Scanner logs I verified that those attacks reached the destination machine.

The fact is that neither the IEV default view nor the "sh ev" sensor command showed any event related to my activity. The only events generated by my workstation during my tests matched the signature "NET FLOOD UDP" (maybe signame 6910) and the signature with sig number 1107 (I don't remember the name). In both cases the destination IP is a multicast or broadcast address.

I verified that the signatures I expected to match my attack packets were enabled (I verified this with the "sh conf" command), so I don't see any reason why the sensor did not register any event related to the attacks I perpetrated.

Am I missing something? Does anyone have any idea that would help me understand why the results are not the ones expected?

Thanks in advance and Regards

Marina

2 Replies

marcabal
Cisco Employee

When a user complains that they are only seeing alarms with multicast or broadcast addresses, then this usually points to a sensor connected to a switch where Span has not been configured.

When the sensor is connected to a switch, the switch will normally only send broadcast and multicast (with an occasional unicast) packet to the sensor.

So the sensor is not being sent the packets created by your ISS scanner.

The switch must be configured to copy these packets to your sensor. This switch configuration is normally done through the Span or Monitor command. Check your switch configuration to see how to configure these commands on your switch.

If you are not connecting the sensor to the switch or believe that the Span configuration is correct, then the next step is to run tcpdump on the sensor and verify whether or not the packets are actually being sent to the sensor.

1) In older versions of the sensor you need to configure the sensor to stop monitoring the interface (I think this was changed in version 4.1(4) so the interface can still be monitored while tcpdump is used)

2) Create a service account

3) Login to the service account

4) Switch to user root (using same password as service account).

5) Type "ifconfig -a" and determine which interface is your sniffing interface.

6) Run "tcpdump -i " to start seeing packets coming in that interface.

7) Execute the ISS scan.

8) Look through the output of tcpdump to see if those packets are making it to the sensor.

9) If the tcpdump does not see the ISS packets, then either span is misconfigured or the switch is not plugged in where you think it is.

10) If the tcpdump is seeing the packets, then reconfigure the sensor to watch the interface again.

If you have verified that the sensor IS receiving the packets then the next step is to try and generate traffic that triggers specific signatures.

A side note:

Often, scanners can tell you about a vulnerability without actually executing the attack. The scanner checks the OS version and patches to see if it is vulnerable, but does not send packets to actually attack the machine. This is especially the case where sending the attack itself would have caused the target machine to crash.

This type of reconnaissance is often considered benign and will not trigger the alarm. An actual attack has to be executed against the vulnerability to fire the alarm.

So for your ISS scanner you should see some alarms, but will not likely see alarms for every vulnerability that the ISS notifies you about.
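Marcabal's broadcast/multicast rule of thumb and the tcpdump check in steps 5 to 9, as an added example that is not from this thread or from Cisco: a small Python script that classifies the destinations in `tcpdump -n` output from the sniffing interface and says whether any unicast traffic is being mirrored to the sensor at all. The sample lines, the addresses and the subnet broadcast address 10.10.1.255 are constructed, and the script assumes IPv4 `tcpdump -n` formatting.

```python
"""Triage `tcpdump -n` output from an IDS sniffing interface (added example).
If every destination is broadcast or multicast, the switch is not mirroring
traffic to the sensor port (no SPAN/monitor session). Samples are constructed."""
import ipaddress
import re
from collections import Counter
_IP_LINE = re.compile(r"\bIP\s+\S+\s+>\s+(?P<dst>\S+?):")  # "IP src > dst:", IPv4 only
_ARP_LINE = re.compile(r"\bARP,")  # ARP requests use the Ethernet broadcast address

def classify_destination(line, subnet_broadcast=None):
    """Return 'broadcast', 'multicast' or 'unicast'; None if not an IPv4/ARP line."""
    if _ARP_LINE.search(line):
        return "broadcast"
    m = _IP_LINE.search(line)
    if not m:
        return None
    parts = m.group("dst").split(".")  # tcpdump prints a.b.c.d.port; drop the port
    try:
        dst = ipaddress.ip_address(".".join(parts[:4]))
    except ValueError:
        return None
    if dst.is_multicast:
        return "multicast"
    if str(dst) in ("255.255.255.255", subnet_broadcast):  # pass your subnet's broadcast
        return "broadcast"
    return "unicast"

def triage(lines, subnet_broadcast=None):
    """Count destination kinds and apply the rule of thumb from the reply above."""
    counts = Counter(k for k in (classify_destination(l, subnet_broadcast) for l in lines) if k)
    if not counts:
        verdict = "no IPv4/ARP packets parsed: wrong interface, or tcpdump not run as root"
    elif counts["unicast"] == 0:
        verdict = "only broadcast/multicast seen: SPAN/monitor session is not feeding this port"
    else:
        verdict = "unicast packets reach the sensor: SPAN is fine, next check signature tuning"
    return dict(counts), verdict

# Constructed sample: what a switch port without SPAN typically shows the sensor...
SAMPLE_NO_SPAN = [
    "10:01:02.000001 ARP, Request who-has 10.10.1.20 tell 10.10.1.1, length 46",
    "10:01:02.100002 IP 10.10.1.1.138 > 10.10.1.255.138: UDP, length 201",
    "10:01:02.200003 IP 10.10.1.7.5353 > 224.0.0.251.5353: UDP, length 80",
]
# ...and the scanner's unicast packets that appear once SPAN mirrors the VLAN.
SAMPLE_WITH_SPAN = SAMPLE_NO_SPAN + [
    "10:01:03.000005 IP 10.10.1.50.40000 > 10.20.2.15.80: Flags [S], seq 1, win 512, length 0",
    "10:01:03.000006 IP 10.10.1.50 > 10.20.2.15: ICMP echo request, id 7, seq 1, length 64",
]
```

Feed it the lines of `tcpdump -n -i <sniffing interface>` as `triage(lines, subnet_broadcast="<your broadcast>")`; without the subnet broadcast address, directed broadcasts such as 10.10.1.255 are counted as unicast.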

Thank you very much Marcabal, I'll check asap for the info you provided me, and I'll let you know.

Bye
