Signature 1306 - promiscuous mode

mark.barrett
Beginner

The documentation for Signature 1306 states "This signature will NOT function in promiscuous mode." So if this signature is reported by a device which is running in promiscuous mode, what does that mean? Something is causing it to trigger - so there is some function happening.

11 Replies

nicksmi
Cisco Employee

I have forwarded your question to our development team and will let you know of their reply.

This is an advanced and very good techy Q.

Cisco has a solution, I think; I am also expecting the solution.

I'm afraid our developers need more information to go on. Do you have any context buffers related to the firings? How often is the signature going off?

It's been firing about once every 15 minutes, mostly between 2 specific hosts. I turned on Verbose reporting and the Context tab is still greyed-out but here is the trigger packet:

Event ID 1310150219844925712
Severity low
Host ID ids
Application Name sensorApp
Event Time 08/22/2011 08:02:37
Sensor Local Time 08/22/2011 08:02:37
Signature ID 1306
Signature Sub-ID 0
Signature Name TCP Option Other
Signature Version S272
Signature Details TCP Option Other Detected
Interface Group vs0
VLAN ID 0
Interface ge0_0
Attacker IP x.x.x.44
Protocol tcp
Attacker Port 15627
Attacker Locality OUT
Target IP y.y.y.19
Target Port 389
Target Locality OUT
Target OS unknown unknown (relevant)
Actions
Risk Rating TVR=medium ARR=relevant
Risk Rating Value 60
Threat Rating 60
Reputation
Context Data
Packet Data
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2011-08-22 08:02:37.469 ----
Ether:
Ether: dst = 0:xx:xx:xx:xx:1a
Ether: src = 0:xx:xx:xx:xx:c
Ether: proto = 0x800 "(IP) Internet protocol (v4 or v6)"
Ether:
IPv4: ---- IPv4 RFC=791 OSI=3 ----
IPv4:
IPv4: ver = 4 "Internet Protocol version 4"
IPv4: hlen = 5 (20 bytes) "No IP options present"
IPv4: tos = 00000000 0x0
IPv4: 000..... 0x0 = [precedence] "Routine"
IPv4: ...0.... 0x0 = [delay] "Normal delay"
IPv4: ....0... 0x0 = [throughput] "Normal throughput"
IPv4: .....0.. 0x0 = [reliability] "Normal reliability"
IPv4: ......00 0x0 = [reserved]
IPv4: len = 76 (56 bytes of data)
IPv4: id = 0xeee7
IPv4: flags = 010 0x2 (bit fields)
IPv4: 0.. 0x0 = [reserved]
IPv4: .1. 0x1 = [df] "Do not fragment"
IPv4: ..0 0x0 = [mf] "no more fragments"
IPv4: offset = 0 (0 bytes)
IPv4: ttl = 59 (hops)
IPv4: protocol = 6 "(TCP) Transmission Control Protocol (RFC793)"
IPv4: checksum = 0x9b6a
IPv4: saddr = x.x.x.44
IPv4: daddr = y.y.y.19
IPv4:
TCP: ---- TCP RFC=793 OSI=4 ----
TCP:
TCP: sport = 15627
TCP: dport = 389
TCP: seq = 960416709
TCP: ack = 0
TCP: hlen = 14 (56 bytes)
TCP: res = 0
TCP: code = 000010 0x2
TCP: 0..... 0x0 = [urg]
TCP: .0.... 0x0 = [ack]
TCP: ..0... 0x0 = [psh]
TCP: ...0.. 0x0 = [rst]
TCP: ....1. 0x1 = [syn] "Synchronize Sequence Numbers"
TCP: .....0 0x0 = [fin]
TCP: win = 5840 (bytes)
TCP: crc = 0x371c (CRC-16)
TCP: urg = 0 (byte offset)
TCP:
TCP: Options: (36 bytes)
TCP: Opt #1: Maximum Segment Size(2) = 1418
TCP: Opt #2: SACK Permitted(4)
TCP: Opt #3: Time Stamp(8): tsval = 202581282, tsecr = 0
TCP: Opt #4: NOP(1) skipped 1 byte
TCP: Opt #5: Window Scale(3) = 2
TCP: Opt #6: {'' size=-1)(76)
TCP: len = 10 (bytes)
TCP: value = 1.1.x.x.x.203.0.5
TCP: Opt #7: {'' size=-1)(76)
TCP: len = 4 (bytes)
TCP: value = 12.5
TCP: Opt #8: NOP(1) skipped 1 byte
TCP: Opt #9: No more options(0)
TCP:
Event Summary 0
Initial Alert
Summary Type
Final Alert
Event Status New
Event Notes

Thank you for the information. Could you also provide a show tech? If it does not fit here, you can send it to nicksmi@cisco.com or ahazlewo@cisco.com.

Hi,

Has there been any progress with regards to this issue, as I have an IPS in promiscuous mode, and this signature fires continuously between a myriad of source and destination devices. I am spanning 2 VLANs to the IPS for detection.

Thanking you.

Julian

I will forward your question to the team that maintains normalizer signatures.

Andy Hazlewood
Beginner

This is a little bit confusing, but the normalizer in promiscuous mode will still fire alerts for normalizer sigs that have produce-alert set.  Sig 1306 has produce-alert set:

            event-action: produce-alert default: produce-alert|modify-packet-inline

However, the signature will not completely function in promiscuous mode because it is unable to modify the packets and remove the tcp-option.  So modify-packet-inline does not occur in promiscuous mode.
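To make the two halves of that answer concrete, here is an added example (my own code, not Cisco's normalizer and not from the thread) that rebuilds the 36-byte TCP options field from the trigger packet above, walks it the way a normalizer would, reports the "other" option kinds that make signature 1306 fire, and then shows the modify-packet-inline step that a promiscuous sensor cannot perform. Kind 76 is not a registered TCP option kind, which is why the sensor's decoder prints it without a name. Two assumptions are mine: the three bytes the thread redacts as x.x.x are filled with placeholder values, and the inline action is modelled as overwriting the unknown option with NOPs so the header length stays valid (the thread only says the option is removed, not how).

```python
import struct

# IANA-assigned TCP option kinds this toy normalizer treats as known; anything
# else is "TCP Option Other", which is what signature 1306 looks for.
KNOWN_OPTION_KINDS = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "Window Scale",
    4: "SACK Permitted", 5: "SACK", 8: "Timestamp",
}

# Option bytes reconstructed from the trigger packet in the thread (36 bytes,
# TCP hlen = 14 words). The kind-76 payload is partly redacted there (x.x.x),
# so the 0x0a 0x00 0x00 bytes below are constructed placeholders.
TRIGGER_OPTIONS = (
    struct.pack("!BBH", 2, 4, 1418)                       # MSS = 1418
    + bytes([4, 2])                                       # SACK Permitted
    + struct.pack("!BBII", 8, 10, 202581282, 0)           # Timestamp tsval/tsecr
    + bytes([1])                                          # NOP
    + bytes([3, 3, 2])                                    # Window Scale = 2
    + bytes([76, 10, 1, 1, 0x0a, 0x00, 0x00, 203, 0, 5])  # unknown kind 76, len 10
    + bytes([76, 4, 12, 5])                               # unknown kind 76, len 4
    + bytes([1])                                          # NOP
    + bytes([0])                                          # EOL
)


def parse_tcp_options(raw):
    """Walk a TCP options field; return (kind, offset, length, data) tuples.

    Malformed lengths raise ValueError instead of being skipped: an inline
    normalizer could drop such a segment, a promiscuous sensor can only alert.
    """
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: the rest of the field is padding
            opts.append((0, i, 1, b""))
            break
        if kind == 1:                      # NOP: one byte, no length field
            opts.append((1, i, 1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d at offset %d has no length byte" % (kind, i))
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        opts.append((kind, i, length, raw[i + 2:i + length]))
        i += length
    return opts


def other_options(opts):
    """The options signature 1306 reports: any kind outside the known set."""
    return [o for o in opts if o[0] not in KNOWN_OPTION_KINDS]


def normalize_options(raw):
    """The modify-packet-inline step (assumed mechanism): overwrite each unknown
    option with NOPs. Header length is unchanged so the data offset stays valid;
    a real inline device must also recompute the TCP checksum, which needs the
    IP pseudo-header and is not done here."""
    out = bytearray(raw)
    for _kind, off, length, _data in other_options(parse_tcp_options(raw)):
        out[off:off + length] = b"\x01" * length
    return bytes(out)


def evaluate_signature_1306(raw, inline):
    """Mirror the behaviour described in the thread: produce-alert fires in
    either mode, modify-packet-inline only when the sensor is inline."""
    triggered = bool(other_options(parse_tcp_options(raw)))
    return {
        "produce-alert": triggered,
        "modify-packet-inline": triggered and inline,
        "options": normalize_options(raw) if (triggered and inline) else raw,
    }


def mss(opts):
    """Decode the MSS option value, or None if the segment carries none."""
    for kind, _off, _length, data in opts:
        if kind == 2:
            return struct.unpack("!H", data)[0]
    return None


if __name__ == "__main__":
    for kind, off, length, data in parse_tcp_options(TRIGGER_OPTIONS):
        name = KNOWN_OPTION_KINDS.get(kind, "OTHER")
        print("kind=%2d %-14s offset=%2d len=%2d data=%s" % (kind, name, off, length, data.hex()))
    for mode in (False, True):
        result = evaluate_signature_1306(TRIGGER_OPTIONS, inline=mode)
        print("inline=%-5s produce-alert=%s modify-packet-inline=%s"
              % (mode, result["produce-alert"], result["modify-packet-inline"]))
```

Run with `python3 sig1306.py` (file name is my choice). The point for a promiscuous deployment is the second line of output: the alert action fires on the same packet that an inline sensor would have rewritten, so the only difference the sensor can make in promiscuous mode is to alert or stay silent.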

Hi Andy,

My concern is with regards to the amount of alerts I receive, and the various sources they come from, so I can't really filter anything.

Is there nothing that can be done regarding the alerts?

You can remove the produce-alert action from the signature from IDM/IME/CSM or via the CLI:

sust-4260-19# conf t
sust-4260-19(config)# service signature-definition sig0
sust-4260-19(config-sig)# signatures 1306 0
sust-4260-19(config-sig-sig)# engine normalizer
sust-4260-19(config-sig-sig-nor)# show settings
   normalizer
   -----------------------------------------------
      event-action: produce-alert|modify-packet-inline
...
sust-4260-19(config-sig-sig-nor)# event-action modify-packet-inline
sust-4260-19(config-sig-sig-nor)# exit
sust-4260-19(config-sig-sig)# exit
sust-4260-19(config-sig)# exit
Apply Changes?[yes]:
Processing config: -

Thanks Andy.
