IPS - alarm on specific tcp port scan

subaa
Level 1

Hi there,

My problem is:

I want to create a rule on IPS 5.x in which a TCP high port range sweep triggers a low alarm, but if the sweep includes TCP port 2400, then I receive a high level alarm. At the same time I don't want any alarms if there is a full 3-way handshake to TCP port 2400. Is it possible at all?

Thanks,

Aa

2 Replies

wsulym
Cisco Employee

The short answer is no, it's not possible.

We do not have a way to raise or lower alarm severity or change the event action (in your case, to not produce an alert) based on conditions in the signature.

Signatures are basically a set of criteria to match, and once the match is made, an action (produce alert for instance) occurs. The severity is set, it's changeable by the end user, but can't be changed based on criteria in a signature.

Hope that helps.

Walter.

The short answer is no, it does not help, thanks... Shortly because it was not an answer to my question ;-)

After further investigation I found the so-called META engine, in which there is a "component list", in which you can define more signatures. The alarm is fired if all the selected events match.

Unfortunately the component list doesn't allow you to add a custom signature to the list, so I had to clone the "normal" TCP port sweep engine (to keep the original), then modify the original 3001 engine to fire on TCP port 2400 matches. Then I added this signature and the TCP high port sweep signature to the component list.

In this way it works. If anyone can suggest an easier way - Welcome! But now I think that can be a useful info for others also.

Bests,

Aa
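The correlation the thread arrives at (a sweep component plus a port-2400 component, combined by a META rule into a high alarm, with a completed 3-way handshake to 2400 not counting as a probe) is easy to lose track of when it is spread across several signatures. The following Python simulation is an added example written for this page; it is not Cisco IPS configuration or code from the poster. It models the three pieces as plain functions over a constructed packet list. The threshold of 5 distinct high ports, the treatment of a SYN that never receives the client's final ACK as a "probe", and the sample traffic are all assumptions made for the illustration.

```python
"""Simulation of a META-style correlation for TCP port sweeps.

Added example for illustration; not Cisco IPS code. Models:
  - component 1: high-port sweep (like sig 3001) -> low alert on its own
  - component 2: half-open SYN to a watched port (the cloned/modified 3001)
  - META rule: both components fired for the same source -> high alert
A full 3-way handshake to the watched port is NOT treated as a probe.
"""
from collections import defaultdict
from dataclasses import dataclass

HIGH_PORT_MIN = 1024      # "high port" range starts here (assumption)
WATCHED_PORT = 2400       # the port the thread cares about
SWEEP_THRESHOLD = 5       # distinct high ports per source (assumed value)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class Alert:
    sig: str
    severity: str
    src: str
    detail: str


def analyze(packets, sweep_threshold=SWEEP_THRESHOLD):
    """Return the alerts the simulated rules would raise for `packets`."""
    # Handshake phases per connection, keyed (client, server, cport, sport).
    phases = defaultdict(set)
    # Every (server, dport, cport) a client sent a SYN to.
    syn_targets = defaultdict(set)

    for p in packets:
        if p.flags == "S":
            phases[(p.src, p.dst, p.sport, p.dport)].add("SYN")
            syn_targets[p.src].add((p.dst, p.dport, p.sport))
        elif p.flags == "SA":
            key = (p.dst, p.src, p.dport, p.sport)   # reversed: server replies
            if "SYN" in phases[key]:
                phases[key].add("SYNACK")
        elif p.flags == "A":
            key = (p.src, p.dst, p.sport, p.dport)
            if "SYNACK" in phases[key]:
                phases[key].add("ACK")           # handshake completed

    alerts = []
    for client, targets in syn_targets.items():
        high_ports = {dport for _, dport, _ in targets if dport >= HIGH_PORT_MIN}
        sweep = len(high_ports) >= sweep_threshold
        if sweep:   # component 1 alerts by itself at low severity
            alerts.append(Alert("3001 TCP high port sweep", "low", client,
                                f"{len(high_ports)} distinct high ports"))
        # component 2: SYN to the watched port whose handshake never completed
        half_open = any(dport == WATCHED_PORT
                        and "ACK" not in phases[(client, server, cport, dport)]
                        for server, dport, cport in targets)
        if sweep and half_open:   # META: both components matched
            alerts.append(Alert("META sweep including tcp/2400", "high", client,
                                "sweep plus half-open probe of watched port"))
    return alerts


def severities_by_source(alerts):
    """Group alert severities by source address, in the order raised."""
    out = defaultdict(list)
    for a in alerts:
        out[a.src].append(a.severity)
    return dict(out)


def sample_traffic():
    """Constructed packets (not a real capture) covering the four cases."""
    srv, pkts = "192.0.2.10", []
    # A: sweep of high ports, 2400 not included -> low only
    for i, port in enumerate([8000, 8080, 8443, 9000, 9090, 10000]):
        pkts.append(Packet("10.0.0.5", srv, 40000 + i, port, "S"))
    # B: sweep that includes a half-open SYN to 2400 -> low + high
    for i, port in enumerate([2400, 8000, 8080, 8443, 9000, 9090]):
        pkts.append(Packet("10.0.0.6", srv, 41000 + i, port, "S"))
    pkts.append(Packet(srv, "10.0.0.6", 2400, 41000, "SA"))   # client never ACKs
    # C: legitimate full handshake to 2400 only -> no alerts
    pkts += [Packet("10.0.0.7", srv, 42000, 2400, "S"),
             Packet(srv, "10.0.0.7", 2400, 42000, "SA"),
             Packet("10.0.0.7", srv, 42000, 2400, "A")]
    # D: sweep plus a completed connection to 2400 -> low only
    for i, port in enumerate([8000, 8080, 8443, 9000, 9090]):
        pkts.append(Packet("10.0.0.8", srv, 43000 + i, port, "S"))
    pkts += [Packet("10.0.0.8", srv, 43100, 2400, "S"),
             Packet(srv, "10.0.0.8", 2400, 43100, "SA"),
             Packet("10.0.0.8", srv, 43100, 2400, "A")]
    return pkts


if __name__ == "__main__":
    for alert in analyze(sample_traffic()):
        print(alert)
```

The point the simulation makes explicit is that the handshake state has to be tracked per connection tuple, not per source: case D sweeps the high ports and also talks to 2400, but because that one connection completed, only the low-severity sweep alarm is raised. Whether a real sensor can distinguish a half-open SYN from a completed connection inside a sweep signature is a separate question from the META correlation itself.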
