04-29-2007 10:25 PM - edited 03-10-2019 03:35 AM
Hello all,
I've created a new custom signature to send a TCP reset on the TCP string "testattack".
For testing, I've configured a telnet password of testattack on the router's line vty.
I've tried to connect to the router with the testattack password.
I can see the popup message on the IEV, but the telnet session doesn't get disconnected.
I guess the telnet session should be disconnected due to the signature.
How can I configure it to accomplish this test?
IPS : Cisco Intrusion Prevention System, Version 5.1(4)S257.0
Decoded alarm context on IEV:
Decoded alarm context(signature name='My sig' Evend ID=~~~~
-snip
From attacker : P ANSI testattc
Log from IPS Device Manager:
evIdsAlert: eventId=1177883105267717064 vendor=Cisco severity=high
originator:
hostId: SEIPS
appName: sensorApp
appInstanceId: 347
time: 2007년 4월 29일 (일) 오후 10시 06분 55초 offset=0 timeZone=UTC
signature: description=My Sig id=60000 version=custom
subsigId: 0
sigDetails: My Sig Info
interfaceGroup:
vlan: 0
participants:
attacker:
addr: 192.168.1.100 locality=OUT
port: 2269
target:
addr: 192.168.2.100 locality=OUT
port: 23
actions:
tcpResetSent: true
context:
fromTarget:
000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
000030 77 6F 72 64 3A 20 FF FA 18 01 FF F0 word: ......
fromAttacker:
000000 FF FD 01 FF FD 03 FF FB 18 FF FB 1F FF FB 1F FF ................
000010 FA 1F 00 50 00 1E FF F0 FF FA 18 00 41 4E 53 49 ...P........ANSI
000020 FF F0 74 65 73 74 61 74 74 61 63 ..testattac
riskRatingValue: 75
interface: ge0_0
protocol: tcp
Regards,
John.
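The two hex dumps in the alert above are the raw telnet stream around the match, which is why the IEV's one-line rendering ("P ANSI testattc") looks odd: telnet option negotiation (IAC sequences) is mixed in with the typed password. The following script is an added example, not part of the post or of Cisco's IEV/IDM; it copies the two dumps from the alert as constructed input, parses the dump format, and separates the telnet negotiation from the application bytes so you can see exactly which bytes the string signature matched.

```python
import re

# Telnet protocol constants (RFC 854, RFC 855, RFC 1073 NAWS, RFC 1091 TERMINAL-TYPE).
IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}

# Constructed input: the two hex dumps copied from the evIdsAlert in the post above.
FROM_TARGET_DUMP = """\
000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
000030 77 6F 72 64 3A 20 FF FA 18 01 FF F0 word: ......
"""
FROM_ATTACKER_DUMP = """\
000000 FF FD 01 FF FD 03 FF FB 18 FF FB 1F FF FB 1F FF ................
000010 FA 1F 00 50 00 1E FF F0 FF FA 18 00 41 4E 53 49 ...P........ANSI
000020 FF F0 74 65 73 74 61 74 74 61 63 ..testattac
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse 'OFFSET HH HH ... ASCII' lines into raw bytes.

    Up to 16 hex tokens follow the offset; the first token that is not a
    two-digit hex byte begins the ASCII column and ends that line's data.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        for tok in fields[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def strip_telnet_negotiation(data: bytes):
    """Split a telnet byte stream into (application bytes, negotiation log)."""
    text = bytearray()
    negotiations = []
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            negotiations.append("truncated IAC at end of context")
            break
        cmd = data[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif cmd in CMD_NAMES:              # three-byte option request/response
            if i + 2 >= len(data):
                negotiations.append("truncated option negotiation")
                break
            opt = data[i + 2]
            negotiations.append(f"{CMD_NAMES[cmd]} {OPTION_NAMES.get(opt, opt)}")
            i += 3
        elif cmd == SB:                     # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                negotiations.append("truncated subnegotiation")
                break
            opt = data[i + 2]
            payload = data[i + 3:end]
            negotiations.append(f"SB {OPTION_NAMES.get(opt, opt)} {payload.hex()}")
            i = end + 2
        else:                               # other two-byte IAC commands (NOP, GA, ...)
            negotiations.append(f"IAC 0x{cmd:02X}")
            i += 2
    return bytes(text), negotiations


def decode_context(dump: str):
    """Hex dump from the alert -> (application bytes, negotiation log)."""
    return strip_telnet_negotiation(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for label, dump in (("fromTarget", FROM_TARGET_DUMP), ("fromAttacker", FROM_ATTACKER_DUMP)):
        text, negs = decode_context(dump)
        print(f"{label}: application text = {text!r}")
        for n in negs:
            print(f"  telnet: {n}")
```

Run against the attacker-side dump, the application bytes reduce to `testattac`; the "P" and "ANSI" that IEV prints are the NAWS window-width byte (0x50) and the TERMINAL-TYPE value from the subnegotiations, not keystrokes. The context is truncated at the point the signature fired, which is why only `testattac` (nine bytes) rather than the full password is present, and why the reset shows `tcpResetSent: true` even though the session stayed up: the sensor did send the reset, so the question is whether it reached the hosts, which is a SPAN/ingress question rather than a signature one.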
04-30-2007 06:02 AM
Are you inline or promiscuous? If promiscuous, how are you configured (tap, hub, SPAN, etc.) and what hardware?
05-05-2007 03:52 AM
Hello,
The IPS is configured in promiscuous mode.
I also set up SPAN on the switch.
Only one interface, which is gigabit 0, is used as the sniffing interface.
I didn't configure an alternate TCP reset interface on the IPS.
Regards,
John.
05-07-2007 05:45 AM
My understanding is that not all switches support ingress forwarding. Those that do appear to require specific span configuration settings. Here's how you do it with the 2940 for example:
01-05-2008 02:12 AM
Hi,
I am having the same problem with TCP reset. Can you please explain in which scenario we need this ingress VLAN and encapsulation information?
It would be appreciated if you can give me an idea.
Thanks and regards,
adnan
01-05-2008 10:16 AM
I had this issue when I was preparing for my CCIE Security back in 2006 with IDS version 4.1, so it may or may not apply to your situation. I was using Cisco IDS 4.1 with Catalyst 3550s:
RouterA is connected to F0/1 and vlan 4
IDS sensing interface is connected to F0/2
IDS C&C is connected to F0/3 vlan 2
IDS sensing interface is connected to F0/5
RouterX is connected to F0/4 vlan 3
Objective: From RouterX, telnet to RouterA. When prompted for a username, type the username. When prompted for a password, enter "abcd". At that time, the IDS will send a TCP reset to RouterX, thus resetting the connection.
On the Catalyst 3550:
monitor session 1 source vlan 4
monitor session 1 destination interface f0/5 ingress vlan 4
That will do the trick.
What I also found out from my preparation for the lab is that the IDS will send the reset about 80% of the time. It did not work the other 20% of the time, even though I clearly saw it send a TCP reset in the IDS event viewer. I also confirmed this by running tcpdump on the IDS itself (yes, with a trick you can do this). I could not figure out why it behaved this way. I passed the lab shortly after that, so I never followed up with it. However, if you see a reset in the IEV but the connection itself is not reset, it's probably a bug.