08-11-2004 10:24 PM - edited 03-09-2019 08:24 AM
I would like to set up my IDS (4215) to detect who uses ICQ/MSN/YM in the office. I think they use these applications over port 80.
I enabled SIGID 11200, 11201 & 11202 with port 80,
then waited a whole day, but I can't find any record from my IDS.
==============
signatures SIGID 11200 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
Enabled True
EventAction log
ServicePorts 5050,80
SigComment
Yahoo Messenger Activity
exit
signatures SIGID 11201 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
Enabled True
EventAction log
ServicePorts 1863,80
SigComment
MSN Messenger Activity
exit
signatures SIGID 11202 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
Enabled True
EventAction log
ServicePorts 5190,80
SigComment
AIM / ICQ Messenger Activity
exit
....
EventFilter
Filters DestAddrs $IN Exception True SIGID * SourceAddrs * SubSig *
=================
Is there any problem with my config?
Thanks for your help.
08-17-2004 12:36 PM
This is very subjective, and it is not necessarily the case that it uses port 80. It can be any random port.
08-17-2004 06:06 PM
Thanks for the reply.
In order to test this setting, I installed ICQ on my PC (with port 80),
but... I use ICQ to communicate with others... but in my IDS log there is no record.
Is there any setting I forgot to change?
Thanks.
08-18-2004 10:21 AM
What you might want to try is to log in to your sensor with the 'service' account. Run 'tcpdump' on the sniffing interface, and use the 'host' flag and/or 'port' flag, to verify that the interface is seeing the traffic you want to trigger the alarm on. Having this sniffer trace will help you determine how you need to tune this signature, or whether you need to write a custom sig.
thanks,
chris
08-20-2004 05:14 AM
This is my config... is there any problem?
Thanks.
ccids# show config
! ------------------------------
display-serial
! ------------------------------
service Authentication
general
methods method Local
exit
exit
exit
! ------------------------------
service Host
networkParams
ipAddress 188.99.172.1
defaultGateway 188.99.172.2
hostname ids
telnetOption enabled
accessList ipAddress 188.99.172.0 netmask 255.255.255.0
exit
optionalAutoUpgrade
active-selection none
exit
timeParams
summerTimeParams
active-selection none
exit
exit
exit
! ------------------------------
service Logger
masterControl
enable-debug false
exit
zoneControl zoneName Cid
severity debug
exit
zoneControl zoneName AuthenticationApp
severity warning
exit
zoneControl zoneName Cli
severity warning
exit
zoneControl zoneName ctlTransSource
severity warning
exit
zoneControl zoneName IdapiCtlTrans
severity warning
exit
zoneControl zoneName IdsEventStore
severity warning
exit
zoneControl zoneName MpInstaller
severity warning
exit
zoneControl zoneName tls
severity warning
exit
exit
! ------------------------------
service NetworkAccess
general
enable-acl-logging false
allow-sensor-shun false
shun-enable false
shun-max-entries 100
exit
exit
! ------------------------------
service SshKnownHosts
exit
! ------------------------------
service TrustedCertificates
exit
! ------------------------------
service WebServer
exit
! ------------------------------
interface group 0
sensing-interface int0
exit
interface sensing int0
exit
! ------------------------------
service virtual-sensor-configuration virtualSensor
tune-micro-engines
systemVariables
WEBPORTS 80,88,90,8000-9900
exit
FragmentReassembly
IPReassembleMode NT
IPReassembleTimeout 120
exit
StreamReassembly
TCP3WayHandshakeRequired True
TCPReassemblyMode strict
TCPOpenEstablishedTimeout 90
TCPEmbryonicTimeout 15
exit
IPLog
NumberOfIPLogFiles 20
MaxOpenIPLogFiles 20
MaxIPLogFileSize 1000000
IPLogPackets 0
IPLogTime 30
IPLogBytes 0
signatures SIGID 2004 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
Enabled True
EventAction log
MinHits 3
SigComment
Three Echo Requests
exit
signatures SIGID 11202 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
Enabled True
EventAction log
ServicePorts 5190,80
SigComment
AIM / ICQ Messenger Activity
exit
signatures SIGID 20005 SubSig 0
AlarmSeverity high
Enabled True
EventAction log
Protocol TCP
RegexString
[pP][oO][dD]P
ServicePorts 23
SigName
podPStringTCP
StorageKey STREAM
exit
exit
STRING.UDP
service alarm-channel-configuration virtualAlarm
tune-alarm-channel
systemVariables
IN 188.99.172.0/24
exit
EventFilter
Filters DestAddrs 188.99.172.61 Exception True SIGID * SourceAddrs * SubSig *
08-23-2004 09:15 AM
If you've taken the advice to run tcpdump on your sensor while connecting to Yahoo/AIM/ICQ/MSN and you're seeing this traffic go by, but not seeing any alarms, then the issue is not your configuration per se. Based on your initial post, the real issue IMHO is that you haven't necessarily turned on enough signatures.
Take a look at SigID 11206, 11207, 11208 and 11209. These signatures are also designed to look for the applications you listed, but they fire specifically on client software making a DNS query in order to set up communications with the appropriate server for the service being used.
Even better are SigID 11209, 11210 and 11211. These too look for Yahoo/AIM/ICQ/MSN traffic but the important difference is that they are designed to find Yahoo/AIM/ICQ/MSN sent via HTTP proxies, which is what you seemed to be most interested in according to your first post.
My suggestion is to turn on these seven additional signatures and try your tests again. If it's normal Yahoo/AIM/ICQ/MSN traffic (and your sensor is indeed monitoring the correct network segment to see it), SigID 11200, 11201 or 11202 should fire. If it's Yahoo/AIM/ICQ/MSN via HTTP proxy, SigID 11210, 11211 or 11212 will fire. In either case SigID 11206, 11207, 11208 or 11209 will fire, depending on which client is trying to "phone home".
I hope this helps,
Alex Arndt
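As an added example (not from this thread, Cisco, or any of the posters), here is a small Python script that parses the `signatures SIGID ... exit` tuning blocks out of a Cisco IDS 4.x `show config` dump like the one posted above and reports which of the IM signature IDs Alex lists (11200-11202, 11206-11209, 11210-11212) are enabled, disabled, or not present in the tuning, and which of the enabled ones actually include port 80 in ServicePorts. The embedded sample config is a constructed excerpt of the posted dump plus a made-up, disabled 11201 block. It assumes that a `show config` dump lists only signatures that were tuned away from factory defaults, so a signature reported as "absent" is running at its default state, which you would confirm against the sensor's signature database rather than treat as disabled.

```python
import re
from dataclasses import dataclass, field

# Built-in IM signature IDs named in the thread (Cisco IDS 4.x).
IM_BASE_SIGS = {11200: "Yahoo Messenger Activity",
                11201: "MSN Messenger Activity",
                11202: "AIM / ICQ Messenger Activity"}
IM_DNS_SIGS = {11206, 11207, 11208, 11209}   # IM clients resolving their servers
IM_PROXY_SIGS = {11210, 11211, 11212}        # IM tunnelled through an HTTP proxy

# Constructed sample: the 11202 and 20005 blocks from the 'show config' posted
# in the thread, plus a made-up, disabled 11201 block so that the 'disabled'
# path of the audit is exercised. Assumption: the dump lists only tuned sigs.
SAMPLE_CONFIG = """\
service virtual-sensor-configuration virtualSensor
tune-micro-engines
signatures SIGID 11201 SubSig 0
Enabled False
ServicePorts 1863
SigComment
MSN Messenger Activity (constructed, disabled)
exit
signatures SIGID 11202 SubSig 0
AlarmSeverity high
AlarmThrottle FireAll
Enabled True
EventAction log
ServicePorts 5190,80
SigComment
AIM / ICQ Messenger Activity
exit
signatures SIGID 20005 SubSig 0
AlarmSeverity high
Enabled True
EventAction log
Protocol TCP
RegexString
[pP][oO][dD]P
ServicePorts 23
SigName
podPStringTCP
StorageKey STREAM
exit
exit
"""


@dataclass
class SigTuning:
    sigid: int
    subsig: int
    enabled: bool = False
    service_ports: list = field(default_factory=list)  # kept as strings ("80", "8000-9900")
    comment: str = ""


def parse_signature_blocks(config_text):
    """Return {sigid: SigTuning} for every 'signatures SIGID n SubSig m ... exit'
    block in a 'show config' dump. Only the keywords the audit needs are read;
    multi-line values such as RegexString/SigName are skipped without confusion
    because the block is closed by its own 'exit'."""
    sigs = {}
    current = None
    pending_comment = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"signatures SIGID (\d+) SubSig (\d+)$", line)
        if m:
            current = SigTuning(int(m.group(1)), int(m.group(2)))
            sigs[current.sigid] = current
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
        elif pending_comment:            # the line after 'SigComment' is the text
            current.comment = line
            pending_comment = False
        elif line == "SigComment":
            pending_comment = True
        elif line.startswith("Enabled "):
            current.enabled = line.split()[1] == "True"
        elif line.startswith("ServicePorts "):
            current.service_ports = line.split(None, 1)[1].split(",")
    return sigs


def audit_im_coverage(sigs):
    """Classify the thread's IM signature IDs against the parsed tuning."""
    wanted = set(IM_BASE_SIGS) | IM_DNS_SIGS | IM_PROXY_SIGS
    report = {"enabled": [], "disabled": [], "absent": [], "port80": []}
    for sid in sorted(wanted):
        s = sigs.get(sid)
        if s is None:
            report["absent"].append(sid)     # not tuned: running at factory default
        elif s.enabled:
            report["enabled"].append(sid)
            if "80" in s.service_ports:      # the poster's goal: IM over port 80
                report["port80"].append(sid)
        else:
            report["disabled"].append(sid)
    return report


if __name__ == "__main__":
    for key, ids in audit_im_coverage(parse_signature_blocks(SAMPLE_CONFIG)).items():
        print(f"{key:>8}: {ids}")
```

Run it against your own `show config` output (paste it into `SAMPLE_CONFIG` or read it from a file) before re-testing: on the posted config it shows only 11202 enabled and on port 80, with the DNS and proxy signatures not appearing in the tuning at all.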