09-19-2005 10:53 AM - edited 03-10-2019 01:38 AM
Let me begin by stating that I am running Cisco IDS Version 4.1(5)S190 on an IDS-4235 sensor...
I have a requirement to identify any UDP port 53 traffic emanating from my network where the overall UDP packet size exceeds 1024 bytes.
I've tried to use the MinUDPLength variable field in the Atomic.UDP engine to define the minimum length, but I found out the hard way that this would give me any packets that were less than 1024 bytes in length. Needless to say, I swamped myself with useless alerts...
Anyway, is there any way to accomplish the task using the signature engines available to a Cisco IDS/IPS end-user, or am I looking at asking Cisco for a new signature?
Here's the parameters the signature must cover:
Protocol - UDP
Severity - HIGH
AlarmThrottle - FireAll
Criteria - UDP packet with length greater than 1024 bytes (current variables in Atomic.UDP don't let me look for this)
SrcIpAddr - X.Y.0.0
SrcIpMask - 255.255.0.0
SrcPort - 53
Any suggestions?
TIA,
Alex Arndt
09-20-2005 06:42 AM
Alex,
Our suggestion for Cisco IDS Version 4.1 applications would be to investigate using the string.udp engine. For 5.x applications, an engine such as atomic-ip may be a better choice.
Try using string.udp with the following parameters:
Direction - From Service
EndMatchOffset - 1025
* You may have to tune this parameter to get the exact desired result. But initially setting this value to 1025 should select the 1025th byte for inspection, meaning anything over 1024 would match the RegEx below.
RegexString - [\x00-\xFF]
* What we are doing here is saying "match anything" at the first byte after 1024 bytes into the packet in combination with the EndMatchOffset parameter value above.
ServicePorts - 53
You could also use MinMatchLength as an alternative, but this would require the use of a RegEx with a wildcard match such as ".*" or similar that could be resource intensive.
Please feel free to let us know if this works as expected for your application, and if you have any other questions.
Al Roethlisberger
IPS Signature Development Team
09-20-2005 08:10 AM
Awesome! Thank you very much.
I'll try it out and provide some feedback as soon as possible/practical.
Alex Arndt
09-21-2005 05:48 AM
I tried what you suggested. Unfortunately, I am not getting the expected results. Upon deployment, I was inundated with alarms, all apparently containing normal DNS activity that was much smaller than the >1024 bytes I want.
Before making the post, I modified the EndMatchOffset value in the signature from the suggested 1025 bytes to 1032 bytes, just to see if it had an impact. The short answer is yes. It reduced the number of alarms I've received, but the ones I'm getting still appear to be much smaller than anticipated.
I've attached some sample alarms for you to look at, just so you can see the DNS activity collected. I built the alarm with the PacketCapture variable set to "true" to help with troubleshooting, so you'll see those packets that triggered the alarm and quickly see that they are too small.
Please let me know if you have any suggestions...
TIA,
Alex Arndt
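As an added example (not part of this thread or of any Cisco signature engine), the check below applies the criteria from the original post directly to raw IPv4/UDP packets, so captured alarm packets can be verified out of band: UDP, source in the X.Y.0.0/16 network (10.1.0.0/16 is a constructed stand-in for the placeholder), source port 53, and a UDP datagram longer than 1024 bytes counted on the wire. The packet builder and sample packets are constructed here for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed stand-in for the thread's X.Y.0.0 / 255.255.0.0 source network.
SRC_NET = ip_network("10.1.0.0/16")
SRC_PORT = 53
UDP_LEN_THRESHOLD = 1024  # criterion: UDP datagram (header + payload) greater than this


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal IPv4+UDP packet (checksums left zero; not needed for length checks)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return ip + udp


def matches(packet):
    """True if the packet meets every criterion from the original post."""
    if len(packet) < 28:                      # shorter than IPv4 + UDP headers
        return False
    ver_ihl, proto = packet[0], packet[9]
    if ver_ihl >> 4 != 4 or proto != 17:      # IPv4 carrying UDP only
        return False
    ihl = (ver_ihl & 0x0F) * 4
    src = ip_address(packet[12:16])
    sport, _dport, _hdr_len, _cksum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    # Measure the datagram as seen on the wire rather than trusting the UDP length field.
    udp_on_wire = len(packet) - ihl
    return src in SRC_NET and sport == SRC_PORT and udp_on_wire > UDP_LEN_THRESHOLD


# Constructed samples: only the first satisfies all criteria; the last sits exactly at 1024 bytes.
SAMPLES = {
    "large_from_inside":  build_ipv4_udp("10.1.2.3", "192.0.2.10", 53, 40123, b"\xAA" * 1400),
    "small_from_inside":  build_ipv4_udp("10.1.2.3", "192.0.2.10", 53, 40123, b"\xAA" * 300),
    "large_from_outside": build_ipv4_udp("198.51.100.7", "10.1.2.3", 53, 40123, b"\xAA" * 1400),
    "large_query_inside": build_ipv4_udp("10.1.2.3", "192.0.2.10", 40123, 53, b"\xAA" * 1400),
    "exactly_1024":       build_ipv4_udp("10.1.2.3", "192.0.2.10", 53, 40123, b"\xAA" * 1016),
}


def flagged(samples=SAMPLES):
    """Names of the sample packets that would have produced a legitimate alarm."""
    return [name for name, pkt in samples.items() if matches(pkt)]


if __name__ == "__main__":
    print(flagged())
```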