Filtering custom signature

giovanni
Level 1

Hi guys!

I've created a custom TCP and UDP connection signature for port 113 (ident/auth service).

I want to exclude some of my internal IP addresses from firing this because it's routinely and legitimately used (e.g. SMTP server).

Unfortunately this seems to be impossible because the filtering tab doesn't provide a subsignature for my custom signature. The best I can do is exclude all TCP and UDP connections.

Any suggestions? Or do you think this is worth including in a future release?

Ciao,

Giovanni

5 Replies

giovanni
Level 1

Following up on this.

The exclusion of the TCP connection events doesn't seem to work at all. I've added this to packetd.conf (via CSPM):

RecordOfExcludedNetAddress 3000 * aaa.bbb.ccc.ddd 255.255.255.255 2

and I still get all the TCP conn alarms to the host, both the default ones and the one I created for port 113.

Is this a known bug, or am I missing something?

Giovanni

RecordOfExcludedNetAddress should not be using a * to wildcard the subsignature.

Was this created manually or through CSPM? If through CSPM then you need to let the TAC know so that a DDTS can be created.

The correct entry for what you want would be:

RecordOfExcludedNetAddress 3000 113 aaa.bbb.ccc.ddd 255.255.255.255 2

You could also use the RecordOfExcludedPattern (This token is the advanced filtering and does use * for wildcarding)

RecordOfExcludedPattern 3000 113 * aaa.bbb.ccc.ddd

The entry was created by CSPM by selecting the signature "3000 TCP Connections" and the "All Subsignatures" option. If this syntax is not legal the all subsig option should not be there, surely?

There remains also the problem of excluding from CSPM port 113 or other custom ports created by the user, which are not put in the list.

Ciao,

Giovanni

I will look into this in our lab later this afternoon, or tomorrow morning and get back to you tomorrow.

Marco

I have tested this in the lab and you are correct that CSPM is not able to Exclude the 113 subsignature for signature 3000, and the exclusion for all subsigs does not work for Simple Filtering.

At this point you will have to either wait for a fix in CSPM or manually add the following configuration line to the bottom of packetd.conf yourself (Note: this has to be manually added every time CSPM pushes a new configuration to the sensor)

RecordOfExcludedPattern 3000 113 * aaa.bbb.ccc.ddd

I have created the following 2 DDTS Issues:

CSCdu45962: CSPM 2.3i can not filter user added TCP and UDP connection sigs

-------------------------------------------------------------

Symptom:

User attempts to filter certain addresses for a TCP or UDP port connection signature which the user added. The port, however, does not appear in the list of subsignatures which can be excluded.

Condition:

The CSPM configuration GUI will generate a list of TCP ports when the user selects to filter the 3000 TCP Connection signature. (Problem also exists for the 4000 UDP connection signature.)

The list generated, however, is not based on the signature template applied to the sensor. The user has the ability to add new TCP ports and UDP ports to the list of connection signatures. These new ports (sub signatures) should be in the list of SubSignatures when the 3000 (or 4000) signature is selected in the Filtering or Advanced Filtering tabs.

To replicate:

1) Open the Default Signature template (or another template)
2) Click on the Connection Signatures tab
3) Add a new connection signature for TCP port 113 and name it Connection request- ident/auth
4) Click OK to save the changes
5) Click on the sensor
6) Click on the Filtering Tab
7) Click to Add a new filter
8) Select the 3000 signature
9) The Connection request- ident/auth should show up as a SubSignature if the GUI was working correctly; instead ONLY the default sub signatures are listed.

CSCdu46008: CSPM 2.3i - simple filtering - all subsignatures should be 0 subsig

Symptom:

User attempts to use the Simple Filtering (on the Filtering Tab) to exclude "All SubSignatures" for a signature that has multiple subsignatures (the 3000 signature for example). The sensor continues to fire the signature even after the configuration is applied.

Condition:

The user selects the Filtering Tab and clicks Add to create a new Simple Filter. The user selects the signature and then selects "All SubSignatures". The resulting line in packetd.conf on the sensor has:

RecordOfExcludedNetAddress [signature] * [address] [netmask] [1|2|3]

The "*" in the second field should be a zero "0" instead of "*", and the selection should have said "0 SubSignature" instead of "All SubSignatures". The RecordOfExcludedNetAddress with a "*" wildcarding the subsignature is not understood by the sensor.

WorkAround:

Instead of using the Simple Filtering the user should upgrade to the latest signature update available, and then use Advanced Filtering to exclude the signature.

The Advanced Filtering tab uses the RecordOfExcludedPattern configuration token instead of the RecordOfExcludedNetAddress token. The later sensor versions do understand the RecordOfExcludedPattern token with the "*" used to wildcard for All SubSignatures.

Steps:

Highlight the Simple Filter and Delete it.
Click on the Advanced Filter tab.
Click Add to add a new Advanced Filter.
Select the desired signature.
Select the "All SubSignatures" option.
Select the source and destination address parameters.

The resulting line in packetd.conf will look like:

RecordofExcludedPattern [signature] * [sourceaddresses] [destinationaddresses]
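The two exclusion tokens discussed in this thread (the RecordOfExcludedNetAddress form from the first replies and the RecordOfExcludedPattern form from the DDTS workaround), as an added example that is not part of the thread and not Cisco code: a small Python checker that parses both kinds of line from a packetd.conf, flags the CSPM-generated simple-filter line whose "*" subsignature the sensor does not understand, and answers whether a given connection alarm would be suppressed by the lines that remain. The sample configuration and the 192.0.2.x / 198.51.100.x addresses are constructed stand-ins for the thread's aaa.bbb.ccc.ddd mail server. Two points are assumptions rather than facts from the thread: subsignature 0 is read as "all subsignatures" following the wording of CSCdu46008, and because the thread never defines the trailing 1|2|3 field of RecordOfExcludedNetAddress, the checker treats a match on either end of the connection as excluded.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Line forms as quoted in the thread (added checker, not Cisco code):
#   RecordOfExcludedNetAddress <sig> <subsig> <address> <netmask> <1|2|3>
#   RecordOfExcludedPattern    <sig> <subsig|*> <source|*> <destination|*>
# Token names are compared case-insensitively; the thread spells the second
# one both "RecordOfExcludedPattern" and "RecordofExcludedPattern".
NETADDR_TOKEN = "recordofexcludednetaddress"
PATTERN_TOKEN = "recordofexcludedpattern"


@dataclass
class Exclusion:
    token: str
    sig: int
    subsig: Optional[int]                  # None = all subsignatures
    src: Optional[ipaddress.IPv4Network]   # None = any source
    dst: Optional[ipaddress.IPv4Network]   # None = any destination
    either_end: bool                       # match if src OR dst is in the net
    text: str


def _host_or_any(field: str) -> Optional[ipaddress.IPv4Network]:
    """'*' means any address; otherwise a single dotted host address."""
    return None if field == "*" else ipaddress.IPv4Network(field + "/32")


def parse_line(line: str) -> tuple:
    """(exclusion, None) for a usable line, (None, problem) for a line the
    sensor will not honour, (None, None) for comments and other tokens."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None, None
    token = fields[0].lower()
    try:
        if token == NETADDR_TOKEN:
            if len(fields) != 6:
                return None, "needs 5 fields: sig subsig address netmask 1|2|3"
            sig, subsig, addr, mask, role = fields[1:]
            if subsig == "*":
                # The CSPM "All SubSignatures" simple filter (CSCdu46008):
                # the sensor does not understand "*" here, so the line
                # silently excludes nothing.
                return None, ('subsignature "*" is not understood by the '
                              'sensor; use 0 or a RecordOfExcludedPattern line')
            if role not in ("1", "2", "3"):
                return None, "last field must be 1, 2 or 3"
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            # Assumptions: subsig 0 = all subsignatures (per CSCdu46008); the
            # 1|2|3 field is undefined in the thread, so match either end.
            sub = None if subsig == "0" else int(subsig)
            return Exclusion("RecordOfExcludedNetAddress", int(sig), sub,
                             net, net, True, line), None
        if token == PATTERN_TOKEN:
            if len(fields) != 5:
                return None, "needs 4 fields: sig subsig|* source|* dest|*"
            sig, subsig, src, dst = fields[1:]
            sub = None if subsig == "*" else int(subsig)
            return Exclusion("RecordOfExcludedPattern", int(sig), sub,
                             _host_or_any(src), _host_or_any(dst), False,
                             line), None
    except ValueError as err:            # bad integer, address or netmask
        return None, f"unparseable field: {err}"
    return None, None                    # some other packetd.conf token


def parse_conf(text: str) -> tuple:
    """Split a packetd.conf fragment into usable exclusions and problems."""
    exclusions, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        exc, problem = parse_line(line)
        if exc:
            exclusions.append(exc)
        if problem:
            problems.append((lineno, problem))
    return exclusions, problems


def is_excluded(exclusions, sig: int, subsig: int, src: str, dst: str) -> bool:
    """Would an alarm for (sig, subsig, src -> dst) be suppressed?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in exclusions:
        if e.sig != sig or (e.subsig is not None and e.subsig != subsig):
            continue
        src_ok = e.src is None or s in e.src
        dst_ok = e.dst is None or d in e.dst
        matched = (src_ok or dst_ok) if e.either_end else (src_ok and dst_ok)
        if matched:
            return True
    return False


# Constructed sample fragment; 192.0.2.25 stands in for the mail server.
SAMPLE_CONF = """\
# what CSPM simple filtering wrote for "3000 / All SubSignatures"
RecordOfExcludedNetAddress 3000 * 192.0.2.25 255.255.255.255 2
# corrected simple-filter line, subsignature 113 only
RecordOfExcludedNetAddress 3000 113 192.0.2.25 255.255.255.255 2
# the advanced-filter line from the thread: any source, dest 192.0.2.25
RecordOfExcludedPattern 3000 113 * 192.0.2.25
# advanced filter with a wildcard subsignature (later sensors accept it)
RecordOfExcludedPattern 4000 * * 192.0.2.25
"""

if __name__ == "__main__":
    excl, probs = parse_conf(SAMPLE_CONF)
    for lineno, msg in probs:
        print(f"line {lineno}: {msg}")
    print("3000/113 to mail server suppressed:",
          is_excluded(excl, 3000, 113, "198.51.100.7", "192.0.2.25"))
    print("3000/25 to mail server suppressed:",
          is_excluded(excl, 3000, 25, "198.51.100.7", "192.0.2.25"))
```

Run against the sample, the checker reports line 2 (the simple-filter line with the "*" subsignature) as a line the sensor will ignore, confirms that the corrected line and the advanced-filter line both suppress the 3000/113 alarm toward the mail server, and shows that 3000/25 toward the same host is still reported, which is exactly the behaviour Giovanni observed: the "All SubSignatures" simple filter excluded nothing. The same check is a useful thing to run over packetd.conf after every CSPM push, since the thread notes the manual RecordOfExcludedPattern line has to be re-added each time.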