08-19-2011 12:09 PM - edited 03-10-2019 05:27 AM
The documentation for Signature 1306 states "This signature will NOT function in promiscuous mode." So if this signature is reported by a device which is running in promiscuous mode, what does that mean? Something is causing it to trigger - so there is some function happening.
08-19-2011 01:35 PM
I have forwarded your question to our development team and will let you know of their reply.
08-21-2011 12:36 PM
This is an advanced and very good techie Q.
Cisco has a solution, I think; I'm also expecting the solution.
08-22-2011 07:15 AM
I'm afraid our developers need more information to go on. Do you have any context buffers related to the firings? How often is the signature going off?
08-22-2011 11:39 AM
It's been firing about once every 15 minutes, mostly between 2 specific hosts. I turned on Verbose reporting and the Context tab is still greyed-out but here is the trigger packet:
Event ID 1310150219844925712
Severity low
Host ID ids
Application Name sensorApp
Event Time 08/22/2011 08:02:37
Sensor Local Time 08/22/2011 08:02:37
Signature ID 1306
Signature Sub-ID 0
Signature Name TCP Option Other
Signature Version S272
Signature Details TCP Option Other Detected
Interface Group vs0
VLAN ID 0
Interface ge0_0
Attacker IP x.x.x.44
Protocol tcp
Attacker Port 15627
Attacker Locality OUT
Target IP y.y.y.19
Target Port 389
Target Locality OUT
Target OS unknown unknown (relevant)
Actions
Risk Rating TVR=medium ARR=relevant
Risk Rating Value 60
Threat Rating 60
Reputation
Context Data
Packet Data Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2011-08-22 08:02:37.469 ----
Ether:
Ether: dst = 0:xx:xx:xx:xx:1a
Ether: src = 0:xx:xx:xx:xx:c
Ether: proto = 0x800 "(IP) Internet protocol (v4 or v6)"
Ether:
IPv4: ---- IPv4 RFC=791 OSI=3 ----
IPv4:
IPv4: ver = 4 "Internet Protocol version 4"
IPv4: hlen = 5 (20 bytes) "No IP options present"
IPv4: tos = 00000000 0x0
IPv4: 000..... 0x0 = [precedence] "Routine"
IPv4: ...0.... 0x0 = [delay] "Normal delay"
IPv4: ....0... 0x0 = [throughput] "Normal throughput"
IPv4: .....0.. 0x0 = [reliability] "Normal reliability"
IPv4: ......00 0x0 = [reserved]
IPv4: len = 76 (56 bytes of data)
IPv4: id = 0xeee7
IPv4: flags = 010 0x2 (bit fields)
IPv4: 0.. 0x0 = [reserved]
IPv4: .1. 0x1 = [df] "Do not fragment"
IPv4: ..0 0x0 = [mf] "no more fragments"
IPv4: offset = 0 (0 bytes)
IPv4: ttl = 59 (hops)
IPv4: protocol = 6 "(TCP) Transmition Control Protocol (RFC793)"
IPv4: checksum = 0x9b6a
IPv4: saddr = x.x.x.44
IPv4: daddr = y.y.y.19
IPv4:
TCP: ---- TCP RFC=793 OSI=4 ----
TCP:
TCP: sport = 15627
TCP: dport = 389
TCP: seq = 960416709
TCP: ack = 0
TCP: hlen = 14 (56 bytes)
TCP: res = 0
TCP: code = 000010 0x2
TCP: 0..... 0x0 = [urg]
TCP: .0.... 0x0 = [ack]
TCP: ..0... 0x0 = [psh]
TCP: ...0.. 0x0 = [rst]
TCP: ....1. 0x1 = [syn] "Syncronize Sequence Numbers"
TCP: .....0 0x0 = [fin]
TCP: win = 5840 (bytes)
TCP: crc = 0x371c (CRC-16)
TCP: urg = 0 (byte offset)
TCP:
TCP: Options: (36 bytes)
TCP: Opt #1: Maximum Segment Size(2) = 1418
TCP: Opt #2: SACK Premitted(4)
TCP: Opt #3: Time Stamp(8): tsval = 202581282, tsecr = 0
TCP: Opt #4: NOP(1) skipped 1 byte
TCP: Opt #5: Window Scale(3) = 2
TCP: Opt #6: {'' size=-1)(76)
TCP: len = 10 (bytes)
TCP: value = 1.1.x.x.x.203.0.5
TCP: Opt #7: {'' size=-1)(76)
TCP: len = 4 (bytes)
TCP: value = 12.5
TCP: Opt #8: NOP(1) skipped 1 byte
TCP: Opt #9: No more options(0)
TCP:
Event Summary 0
Initial Alert
Summary Type
Final Alert
Event Status New
Event Notes
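An added example (not from this thread or from Cisco's sensor code) that walks the TCP option list of the SYN decoded above. It rebuilds the 36 option bytes as a constructed sample (the three masked bytes of the kind-76 value are placeholders) and flags any option kind outside a set of well-known kinds, which is the condition a "TCP Option Other" detection keys on; KNOWN_KINDS is an assumption, not the sensor's actual list.

```python
import struct

# Option kinds assumed "well known" for this illustration (not Cisco's actual list).
KNOWN_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-Permitted",
               5: "SACK", 8: "Timestamp"}

# Constructed sample: the 36 option bytes implied by the decode in the post above
# (MSS 1418, SACK permitted, timestamp, NOP, wscale 2, two kind-76 options, NOP, EOL).
SAMPLE_OPTIONS = (
    b"\x02\x04\x05\x8a"                                  # MSS = 1418
    + b"\x04\x02"                                        # SACK permitted
    + b"\x08\x0a" + struct.pack("!II", 202581282, 0)     # Timestamp tsval / tsecr
    + b"\x01"                                            # NOP
    + b"\x03\x03\x02"                                    # Window scale = 2
    + b"\x4c\x0a" + bytes([1, 1, 10, 0, 0, 203, 0, 5])   # kind 76, len 10 (masked bytes are placeholders)
    + b"\x4c\x04" + bytes([12, 5])                       # kind 76, len 4
    + b"\x01"                                            # NOP
    + b"\x00"                                            # End of option list
)

def parse_tcp_options(opts: bytes):
    """Return a list of (kind, data) tuples; EOL terminates, bad lengths raise."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: stop, anything after is padding
            parsed.append((0, b""))
            break
        if kind == 1:                      # NOP: single byte, no length field
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed

def other_options(opts: bytes):
    """Options whose kind is not in KNOWN_KINDS: what a 'TCP Option Other' check flags."""
    return [(k, d) for k, d in parse_tcp_options(opts) if k not in KNOWN_KINDS]

def mss(opts: bytes):
    """Advertised MSS, or None if the option is absent."""
    for k, d in parse_tcp_options(opts):
        if k == 2:
            return struct.unpack("!H", d)[0]
    return None
```

Run against the sample, other_options() returns the two kind-76 entries, which matches the two "{'' size=-1)(76)" lines the sensor printed.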
08-24-2011 01:34 PM
Thank you for the information. Could you also provide a show tech? If it does not fit here, you can send it to nicksmi@cisco.com or ahazlewo@cisco.com.
02-19-2014 01:33 AM
Hi,
Has there been any progress with regards to this issue, as I have an IPS in promiscuous mode, and this signature fires continuously between a myriad of source and destination devices. I am spanning 2 VLANs to the IPS for detection.
Thanking you.
Julian
02-19-2014 08:33 AM
I will forward your question to the team that maintains normalizer signatures.
02-19-2014 01:10 PM
This is a little bit confusing, but the normalizer in promiscuous mode will still fire alerts for normalizer sigs that have produce-alert set. Sig 1306 has produce-alert set:
event-action: produce-alert default: produce-alert|modify-packet-inline
02-20-2014 01:44 AM
Hi Andy,
My concern is with regards to the amount of alerts I receive, and the various sources they come from, so I can't really filter anything.
Is there nothing that can be done regarding the alerts?
02-20-2014 08:46 AM
You can remove the produce-alert action from the signature from IDM/IME/CSM or via the CLI:
sust-4260-19# conf t
sust-4260-19(config)# service signature-definition sig0
sust-4260-19(config-sig)# signatures 1306 0
sust-4260-19(config-sig-sig)# engine normalizer
sust-4260-19(config-sig-sig-nor)# show settings
normalizer
-----------------------------------------------
event-action: produce-alert|modify-packet-inline
...
sust-4260-19(config-sig-sig-nor)# event-action modify-packet-inline
sust-4260-19(config-sig-sig-nor)# exit
sust-4260-19(config-sig-sig)# exit
sust-4260-19(config-sig)# exit
Apply Changes?[yes]:
Processing config: -
02-21-2014 02:47 AM
Thanks Andy.