09-16-2004 05:19 AM - edited 03-09-2019 08:48 AM
Good morning,
I have been asked by management to create a signature that will detect all traffic from a particular IP on our network. This is how I tried to set it up:
String.tcp engine
ServicePorts: 1-65535 (Yes I realize this will cause a significant impact on sensor performance)
StorageKey: =STREAM (took default)
Direction: FromService
Protocol: =TCP
SummaryKey: Axxx (took default)
RegexString: [192][.][168][.][0][.][1]
This has yielded nothing from the desired IP address. I have gotten a few hits from incorrect IPs, but nothing from the one I want. I know the IP address is sending traffic past the sensor as I can see connections to that IP on the firewall. Can someone point out what I am doing wrong please? Is there a better engine to do this with?
Any help would be appreciated!
Thanks,
MJ
09-16-2004 05:56 AM
I believe if you used the atomic IP engine as follows you will get the results you are looking for:
Engine ATOMIC.L3.IP
Protocol =IP
ResetAfterIdle 15
SrcIpAddr 192.168.0.1
SrcIpMask 255.255.255.255
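The two signatures in this thread inspect different parts of the packet: a String.TCP regex is applied to the reassembled TCP payload and never sees the IP header, while ATOMIC.L3.IP compares the source address field of the IP header against SrcIpAddr under SrcIpMask. The script below is an added illustration written for this page, not code from the original posters or from the Cisco sensor; it builds a constructed IPv4/TCP packet (arbitrary identification, zero checksum, no real capture) and implements both checks in plain Python. The function names and the corrected regex `192\.168\.0\.1` are assumptions for the demonstration; the "original" regex is the one quoted in the question.

```python
import ipaddress
import re
import struct

# --- Constructed packet builders (sample data, not a real capture) ---

def build_tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, PSH+ACK) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload

def build_ipv4_packet(src: str, dst: str, tcp_segment: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, protocol 6/TCP) followed by the segment."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                                   # version 4, IHL 5
        0,                                      # DSCP/ECN
        20 + len(tcp_segment),                  # total length
        0x1234,                                 # identification (arbitrary)
        0x4000,                                 # DF flag, fragment offset 0
        64,                                     # TTL
        6,                                      # protocol: TCP
        0,                                      # header checksum (left zero here)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + tcp_segment

# --- The two matching styles from the thread ---

def atomic_l3_ip_match(packet: bytes, src_ip: str, src_mask: str) -> bool:
    """Emulates ATOMIC.L3.IP SrcIpAddr/SrcIpMask: masked compare of the IP
    header's source address. Mask 255.255.255.255 means an exact host match."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return False
    src = int.from_bytes(packet[12:16], "big")          # source address field
    want = int(ipaddress.IPv4Address(src_ip))
    mask = int(ipaddress.IPv4Address(src_mask))
    return (src & mask) == (want & mask)

def tcp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_offset:]

def string_tcp_match(packet: bytes, regex: str) -> bool:
    """Emulates a String.TCP signature: the regex only ever sees TCP payload
    bytes, so an IP address in the header cannot be matched this way."""
    return re.search(regex.encode(), tcp_payload(packet)) is not None

ORIGINAL_REGEX = r"[192][.][168][.][0][.][1]"   # as posted in the question
CORRECTED_REGEX = r"192\.168\.0\.1"              # assumed literal form

def regex_matches_text(regex: str, text: str) -> bool:
    """Plain regex test, used to show what the bracketed pattern really matches:
    each [..] is a character class, so [192] matches one of '1', '9' or '2'."""
    return re.search(regex, text) is not None

if __name__ == "__main__":
    seg = build_tcp_segment(40000, 80, b"GET / HTTP/1.0\r\n")
    pkt = build_ipv4_packet("192.168.0.1", "10.0.0.5", seg)
    print("atomic /32 match:", atomic_l3_ip_match(pkt, "192.168.0.1", "255.255.255.255"))
    print("string.tcp (corrected regex):", string_tcp_match(pkt, CORRECTED_REGEX))
    print("original regex on '192.168.0.1':", regex_matches_text(ORIGINAL_REGEX, "192.168.0.1"))
    print("original regex on '1.1.0.1':", regex_matches_text(ORIGINAL_REGEX, "1.1.0.1"))
```

Run as-is, it shows the two reasons the first attempt could not work: the bracketed pattern never matches the dotted quad (it matches seven-character strings such as `1.1.0.1`, which explains the hits on "incorrect IPs"), and even a literal regex finds nothing because the source address lives in the IP header, outside the payload a String.TCP signature inspects. The masked compare is what the atomic engine does, and widening the mask (for example 255.255.255.0) turns the host match into a subnet match.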
09-16-2004 09:59 AM
Thank you very much. I have pushed that out to the needed sensor. Now I just have to wait for the user to return to work to test it.
Thanks again,
MJ
09-22-2004 08:48 AM
That worked great. Thank you so much.
MJ