12-21-2006 09:46 AM - edited 03-10-2019 03:23 AM
Hi,
Consider this scenario:
Host A--->Router B--->Router C
All are in the same subnet
Router C also has an active interface on another subnet.
When I telnet from A to C (the interface with an IP address in another subnet),
I force traffic from A to C to pass through B by setting static routes AND ** DISABLING IP REDIRECTS **.
Traffic flows from A to B IN through Fa0/0, and OUT again through Fa0/0 from B to C.
I have ACLs (permit/log) that show this flow!
I also have IPS enabled in/out on Fa0/0 on router B.
However, traffic flowing through Router B, which enters/exits the same interface, does not get picked up by IPS (I trigger signatures).
Is this normal? Or am I missing something?
01-03-2007 06:16 AM
This module describes how to configure the Cisco IOS Intrusion Prevention System (IPS), which helps to protect a customer's network from internal and external attacks and threats. Cisco IOS IPS restructures and replaces the existing Cisco IOS Intrusion Detection System (IDS).
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804453cf.html
01-03-2007 09:52 AM
I don't use the router IPS, but I'll give it a shot;-) I don't understand the network config. I'll try to redraw the network to see if I understand what you're saying:
Host A
(NET1/IP1)
|
-------- (NET1/IP3) Router C (NET2/IP4)---
|
(NET1/IP2)
Router B
Host A uses Router B as its gateway to NET2 and since redirects are disabled on router B, all traffic from Host A to IP4 flows through router B. If the diagram above is correct though, return traffic from router C will not be routed through Router B because the destination is on the same network as router C. How are you getting return traffic to flow through router B?
Based on the following doc:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6634/c1244/cdccont_0900aecd80327257.pdf
If you're attempting to fire atomic signatures (single packet) then signatures should still fire anyway when inspected inbound. If you're attempting to trigger a stateful signature then this would be a plausible explanation.
01-04-2007 03:37 AM
Hi,
Yes, your understanding of my network setup is correct.
Yes, return traffic does not go through B, but that is not the issue here, as I am trying to pick up STRING.TCP packets, which I believe, as you mention, are ATOMIC.
i.e. a telnet connection from A to C, and if I type the word "ATTACK" in the session:
Router B should detect the string match and drop the connection.
The telnet packets with the word "ATTACK" would, I believe, in this case go from A->B inbound and B->C outbound on the same FastEthernet port.
I have IPS detection enabled both inbound and outbound on the Fa0/x port.
Thanks
01-04-2007 06:36 AM
Have you gotten a trace to ensure that the characters you typed in actually resulted in the string ATTACK being sent in a single packet? I think you'll find that this is not the case with telnet. My recollection is that each letter you type will be sent in a separate packet.
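The point made above, as an added example that is not part of the original thread or of Cisco IOS: a telnet client in character-at-a-time mode puts each keystroke in its own TCP segment, so a per-packet (atomic) string match never sees "ATTACK" in one payload, while a matcher that reassembles the TCP stream across segments does. The `Segment` model, the `b"ATTACK"` signature, the sequence numbers and the `StreamMatcher` class are all constructed for this illustration; they are not a model of the Cisco IOS IPS engine internals.

```python
"""Constructed model: why an atomic string signature misses a string typed
into telnet one character at a time. Not Cisco IOS code."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what a string matcher needs (headers elided)."""
    seq: int
    payload: bytes


def telnet_keystrokes(text: str, first_seq: int = 1000) -> list[Segment]:
    """Model telnet character-at-a-time mode: every keystroke is its own segment."""
    return [Segment(first_seq + i, bytes([b])) for i, b in enumerate(text.encode())]


def line_mode(text: str, first_seq: int = 1000) -> list[Segment]:
    """Model a client that sends a whole line (or a scripted blast) in one segment."""
    return [Segment(first_seq, text.encode())]


SIGNATURES = [b"ATTACK"]  # constructed signature standing in for a STRING.TCP entry


def atomic_match(segments: list[Segment], signatures: list[bytes]) -> list[tuple[int, bytes]]:
    """Per-packet (atomic) inspection: each payload is searched in isolation and no
    state is carried between packets. Returns (seq, signature) for every hit."""
    return [(seg.seq, sig) for seg in segments for sig in signatures if sig in seg.payload]


class StreamMatcher:
    """Stateful inspection: reassembles in-order TCP payload and searches the
    reassembled bytes, so a string split across segments is still found.
    Only the last len(longest signature) - 1 bytes are retained between calls,
    enough to catch a match straddling a segment boundary without buffering
    the whole connection."""

    def __init__(self, signatures: list[bytes]):
        self.signatures = signatures
        self.keep = max(len(s) for s in signatures) - 1
        self.buf = b""
        self.next_seq: int | None = None
        self.hits: list[tuple[int, bytes]] = []  # (seq of the byte completing the match, signature)

    def feed(self, seg: Segment) -> None:
        if self.next_seq is None:
            self.next_seq = seg.seq
        if seg.seq != self.next_seq:
            # Out-of-order or missing data: a real engine would queue or reorder;
            # this model simply refuses to continue on a gap.
            raise ValueError(f"gap in stream: expected seq {self.next_seq}, got {seg.seq}")
        old_len = len(self.buf)
        self.buf += seg.payload
        for sig in self.signatures:
            # Only count matches that end inside the new bytes; starting the search
            # len(sig)-1 bytes back lets a match begin in previously seen data.
            idx = self.buf.find(sig, max(0, old_len - (len(sig) - 1)))
            while idx != -1:
                self.hits.append((seg.seq + idx + len(sig) - 1 - old_len, sig))
                idx = self.buf.find(sig, idx + 1)
        self.next_seq += len(seg.payload)
        if len(self.buf) > self.keep:
            self.buf = self.buf[len(self.buf) - self.keep:]


def inspect_segments(segments: list[Segment], signatures: list[bytes] = SIGNATURES) -> dict:
    """Run both inspection models over the same segments (one direction only)."""
    stream = StreamMatcher(signatures)
    for seg in segments:
        stream.feed(seg)
    return {"atomic": atomic_match(segments, signatures), "stream": stream.hits}


if __name__ == "__main__":
    for label, segs in [("character-at-a-time", telnet_keystrokes("ATTACK\r\n")),
                        ("line mode", line_mode("ATTACK\r\n"))]:
        print(label, inspect_segments(segs))
```

Each direction of the connection is a separate stream: the server's echo of every character travels C->A, and in the topology drawn earlier that return path never crosses Router B. A stateful signature that expects to see both halves of the conversation therefore has only the A->C half to work with on B, which is the other reason given above for it not firing.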
01-04-2007 09:01 AM
Hi again,
No, I don't have a trace :-(
Perhaps you may be right about the "stateful" versus "stateless" inspection problem going on in my case.
I am going to experiment, by setting a route map on the target router (C) and force traffic back through (B).
I will also try other real "ATOMIC" tests.
Thanks.