
Custom Signature

bfl1 (Level 1)

Can someone help me with this?

I am trying to create a custom signature with the following characteristics...

Option 1:

Source Sequence number is 0

Flags are Syn/Ack

Destination Port 80

MinHits 5

Option 2:

Source Port 80

Flag RST

Sequence number = 1

TCP ZeroWindow

MinHits 5

I've tried using the signature wizard but can't find the right combination.

4 Replies

bfl1 (Level 1)

Here is what I tried, in order to achieve option 2 - it didn't work:

Sweep.port.tcp signature

Mask: SYN/FIN/RST

TcpFlags: RST

MinHit: 5

Protocol: TCP

Unique: 5

PortRange: 1

InvertedSweep: True

This isn't firing...

bfl1 (Level 1)

I finally have it working, but not quite the way I want it.

ATOMIC.TCP

FlipAddr: True

Mask: FIN/SYN/RST

MinHits: 20

Protocol: TCP

SrcIPAddr: 10.10.10.5

SrcIpMask: 255.255.255.255

SrcPort: 80

TcpFlags: RST

If I don't specify the source, it fires often, due to the fact that it's going to see more than 20 RST packets to various hosts. I would like to use a state-based signature, so I don't have to specify the source.

I'm trying to get it to fire when the IDS system sees an IP address sending multiple RST packets to another machine with the source coming from TCP 80.

mcerha (Level 3), accepted solution

We don't currently support looking for specific sequence numbers or window sizes. We are in the process of planning additional engine parameters to deal with this. To create custom signatures that match your specifications closely, you could do this with ATOMIC.TCP.

Option 1

TcpFlags SYN|ACK

Mask FIN|SYN|RST|PSH|ACK|URG

DstPort 80

MinHits 5

Option 2

TcpFlags RST

Mask FIN|SYN|RST|PSH|ACK|URG

SrcPort 80

MinHits 20

If needed, you can add the SrcIpAddr / DstIpAddr parameters to limit these to certain addresses.

bfl1 (Level 1)

Thank you for your guidance... FYI: This signature helps identify when a port scan is taking place using the nmap idle feature. If this signature fires at the same time as the TCP SYN Port Sweep, then the source (since FlipAddr is true) is the one probing the zombie's IPID. I've tested it several times and it works well... I have to keep the MinHits high, around 20-30, and define the source as the web servers and it works great. Thanks for your help!
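Added illustration, not part of the thread and not Cisco IPS code: a small Python model of the ATOMIC.TCP matching the replies rely on (TcpFlags, Mask, SrcPort/DstPort, SrcIpAddr, MinHits), run over constructed sample packets. It shows why the Mask choice matters (a Mask of FIN|SYN|RST also accepts RST|ACK teardowns, the all-flags Mask does not), why Option 2 fires on a web server sending single RSTs to many different hosts when no SrcIpAddr is set, and what the "state-based" behaviour asked for earlier in the thread would look like if hits were counted per (source, destination) pair. The per_pair option is my assumption of that behaviour and is not an engine parameter; the addresses, ports and packets are constructed; the Mask semantics (only masked bits are compared) are taken from how the replies use it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# TCP header flag bits (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # Mask FIN|SYN|RST|PSH|ACK|URG


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class AtomicTcpSig:
    name: str
    tcp_flags: int                  # TcpFlags: required value of the masked bits
    mask: int                       # Mask: the flag bits that are compared at all
    min_hits: int                   # MinHits: alarm once a key reaches this count
    src_port: Optional[int] = None  # SrcPort
    dst_port: Optional[int] = None  # DstPort
    src_ip: Optional[str] = None    # SrcIpAddr with a /32 mask (assumed semantics)
    per_pair: bool = False          # hypothetical: count hits per (src, dst), not per src

    def matches(self, p: Packet) -> bool:
        # Only bits inside Mask are compared; bits outside it are "don't care",
        # so Mask=FIN|SYN|RST with TcpFlags=RST also accepts RST|ACK.
        if (p.flags & self.mask) != (self.tcp_flags & self.mask):
            return False
        if self.src_port is not None and p.sport != self.src_port:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        if self.src_ip is not None and p.src != self.src_ip:
            return False
        return True

    def key(self, p: Packet):
        return (p.src, p.dst) if self.per_pair else p.src


def evaluate(sig: AtomicTcpSig, packets) -> dict:
    """Hit count per key for every key that reached MinHits (the keys the
    signature would alarm on); keys below the threshold are omitted."""
    counts = Counter(sig.key(p) for p in packets if sig.matches(p))
    return {k: n for k, n in counts.items() if n >= sig.min_hits}


# Constructed sample traffic (not from the thread). WEB is the site's web
# server; ATTACKER probes it the way an idle-scan zombie is probed.
WEB, ATTACKER = "10.10.10.5", "203.0.113.9"
SAMPLE = (
    # Normal teardowns: RST|ACK from port 80 to five different clients.
    [Packet(WEB, f"192.0.2.{i}", 80, 40000 + i, RST | ACK) for i in range(1, 6)]
    # One bare RST from port 80 to each of five unrelated hosts.
    + [Packet(WEB, f"198.51.100.{i}", 80, 50000 + i, RST) for i in range(1, 6)]
    # Five SYN|ACK probes to WEB:80 (the Option 1 pattern) ...
    + [Packet(ATTACKER, WEB, 60000 + i, 80, SYN | ACK) for i in range(5)]
    # ... each answered by a bare RST from WEB:80 to the same host. A RST that
    # answers a segment carrying ACK is sent without the ACK bit (RFC 793), so
    # the all-flags Mask with TcpFlags=RST keeps these and drops the teardowns.
    + [Packet(WEB, ATTACKER, 80, 60000 + i, RST) for i in range(5)]
)

SIGS = {
    "option1": AtomicTcpSig("option1", SYN | ACK, ALL_FLAGS, 5, dst_port=80),
    "option2": AtomicTcpSig("option2", RST, ALL_FLAGS, 5, src_port=80),
    # The earlier sweep attempt's Mask (FIN/SYN/RST): ACK is not compared.
    "loose_mask": AtomicTcpSig("loose_mask", RST, FIN | SYN | RST, 5, src_port=80),
    # Hypothetical per-pair counting: fires only when one host sends MinHits
    # RSTs from port 80 to the same peer.
    "option2_pair": AtomicTcpSig("option2_pair", RST, ALL_FLAGS, 5,
                                 src_port=80, per_pair=True),
}


def run_demo() -> dict:
    return {name: evaluate(sig, SAMPLE) for name, sig in SIGS.items()}


if __name__ == "__main__":
    for name, fired in run_demo().items():
        print(f"{name:13s} -> {fired}")
```

With the sample above, option1 alarms on the probing host, option2 alarms on the web server after ten bare RSTs regardless of where they went (the behaviour the poster worked around with SrcIpAddr and a high MinHits), loose_mask counts fifteen because the RST|ACK teardowns slip through its Mask, and option2_pair alarms only on the (web server, prober) pair. FlipAddr is not modelled; it only changes which side the alarm reports as the attacker, not what is counted.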