EventAction Changes On Its Own

tscislaw_2
Level 1

IDS4210 currently on S119.

I set signature 4701 (MSSQL Control Overflow) to ShunHost.

Check back a day or so later when attacks come in and see that no shun is requested.

Check the signature configuration and see that EventAction has changed to ZERO.

Whassup with that?

I'm the only security admin here that would change anything, so it's doing it on its own.

Suggestions?

3 Replies

marcabal
Cisco Employee

We have never seen the sensor change the event action of a signature completely on its own.

There is usually something else causing the configuration to be reset.

Some possibilities:

1) If the change is made directly on the sensor, but a config is later pushed from IDS MC, then IDS MC will overwrite the change and set it back to the default. (If you are using IDS MC for configuration, then check in IDS MC and see what the signature is configured for.)

2) If the change was made in the CLI, was the change properly applied? There may have been an error when the change was made in the CLI. Always verify with "show conf" that the configuration change actually made it into the sensor configuration.

3) There is a small possibility of a bug in the signature update program. I have heard of a bug in IDS MC where the signature update process was unintentionally causing all signatures to revert to their defaults. This would be a bug in IDS MC and would need to be fixed. There was also a bug in one of the sensor signature updates that caused all signatures to revert to defaults. This signature update was pulled from CCO. Later signature updates do not have this problem.

(GO back and check to see if a signature update was applied that may have changed the configuration.)

Some things to try:

1) Make the change on the sensor, and use "show conf" to verify that the change is in the sensors configuration.

2) Daily, check to see if the configuration has been modified.

3) If the configuration has been modified then use the "show event status past 23:59:00" command to look at all of the status events in the past 24 hours (or the "show event status " to look at events since the designated date/time). Look for any status events showing a configuration change to the sensor, or a signature update on the sensor.

4) If it was a configuration change, then find out who made the change and whether the event action was accidentally removed. If it was a signature update, then use the downgrade command to remove the signature update and see if the configuration reverts to having the event action set.

Looks like it is changing when signature files are updated. Why only that one signature?

This sounds like it may be a bug.

I would recommend contacting the TAC

They can walk through some steps with you to verify whether or not it is a bug, and if so then check in which portion of the system that the bug is in.

Be prepared with the following when you contact the TAC:

The output of "show conf" on the sensor CLI just prior to the sensor signature update.

A screen shot of IDM or IDS MC (depending on which one you are using for configuration) just prior to the signature update.

An IDM/IDS MC screen shot, or a copy of the CLI session where the upgrade is performed and status returned, so it can be checked for any errors or warnings.

Don't make any other changes before gathering the following:

Another copy of "show conf" from the CLI to verify the signature settings.

Another copy of the screen shots from IDM or IDS MC where the signature was configured.

NOTE: Both the CLI "show conf" output and the IDM/IDS MC screen are needed. This is to determine whether the bug is being introduced on the sensor itself (by looking at the "show conf" output) or in IDM or IDS MC (by looking at their screen shots).
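The daily check suggested earlier in the thread (capture "show conf", compare it with the previous day's copy, and only then go looking at status events) and the before/after "show conf" copies requested for the TAC case can be automated. The script below is an added example written for this page, not code from the thread or from Cisco. It assumes a daily job already saves the CLI output of "show conf" to a text file; the one-line "SigID ... EventAction ..." layout it parses is a constructed illustration, since the real 4.x output is not reproduced on the page, so the SIG_LINE pattern must be adjusted to what your sensor actually prints.

```python
"""Drift check for a sensor's "show conf" output (added example, not from the thread).

Assumes a daily job already captures "show conf" from the sensor CLI into a
text file. The snapshot layout below is constructed for illustration; it is not
the real 4.x output, so adapt SIG_LINE to the lines your sensor prints.
"""
import difflib
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed line shape: "SigID <n> ... EventAction <value>" on a single line.
SIG_LINE = re.compile(r"\bSigID\s+(\d+)\b.*?\bEventAction\s+(\S+)", re.IGNORECASE)


def parse_event_actions(show_conf: str) -> Dict[int, str]:
    """Map signature ID -> EventAction for every signature line in a snapshot."""
    actions: Dict[int, str] = {}
    for line in show_conf.splitlines():
        m = SIG_LINE.search(line)
        if m:
            actions[int(m.group(1))] = m.group(2)
    return actions


def find_drift(baseline: str, current: str,
               watch: Optional[Set[int]] = None) -> List[Tuple[int, str, str]]:
    """Return (sig_id, old_action, new_action) for each signature whose
    EventAction differs between the two snapshots. A signature present in only
    one snapshot is reported with "<absent>" on the other side. `watch`
    restricts the report to the given signature IDs (e.g. {4701})."""
    before = parse_event_actions(baseline)
    after = parse_event_actions(current)
    drift: List[Tuple[int, str, str]] = []
    for sig in sorted(set(before) | set(after)):
        if watch is not None and sig not in watch:
            continue
        old = before.get(sig, "<absent>")
        new = after.get(sig, "<absent>")
        if old != new:
            drift.append((sig, old, new))
    return drift


def unified_diff(baseline: str, current: str) -> str:
    """Full line-level diff of the two snapshots, suitable for attaching to a case."""
    return "".join(difflib.unified_diff(
        baseline.splitlines(keepends=True), current.splitlines(keepends=True),
        fromfile="show_conf.before", tofile="show_conf.after"))


# Constructed snapshots: the day ShunHost was set, and the day after an update.
BEFORE = """\
SigID 4701 SubSig 0 Enabled True EventAction ShunHost
SigID 4702 SubSig 0 Enabled True EventAction log
"""
AFTER = """\
SigID 4701 SubSig 0 Enabled True EventAction ZERO
SigID 4702 SubSig 0 Enabled True EventAction log
"""

if __name__ == "__main__":
    for sig, old, new in find_drift(BEFORE, AFTER):
        print(f"EventAction drift on signature {sig}: {old} -> {new}")
    print(unified_diff(BEFORE, AFTER))
```

Run it from cron right after the daily capture; a non-empty drift list is the trigger to pull "show event status past 23:59:00" and check for a signature update or a pushed configuration, and the unified diff plus the two raw snapshots are exactly the before/after "show conf" evidence the TAC asks for.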