Filtering of IP addresses on an IDS/IPS signature

Forgive me, I'm pretty green when it comes to manipulating IDS/IPS signatures.

Is there a way to filter an IP address or a subnet for a specific IDS/IPS signature?

Scenario:

We have 2 ASAs with IPS modules and 2 IDS 4260s; we use IPS Manager Express 6.1 to manage them. I get a mail server that is triggering signature 5748-x because it is sending a HELO instead of a NOOP verb. This is perfectly fine for this particular mail server. So I would like to remove its IP address from the signature, or filter that IP address so that in this case the signature does not fire. However, I don't want to disable the signature in case it fires somewhere else.

Any help is greatly appreciated.

e-

You will need to use an event action filter. See (for version 6):

http://www.Cisco.com/en/us/docs/security/IPS/6.0/Configuration/Guide/IDM/dmEvtRul.html

Tags: Cisco Security

Similar Questions

  • IDS/IPS signatures for monitor audio/video streaming applications

    Hi people,
    Can someone advise on the names of signatures that could be used successfully to control the use of streaming applications on the network? The plan is to feed MARS and then create reports on streaming application use, to be used later for creating a security policy preventing the theft of bandwidth.

    Perhaps suggestions on how to create a custom signature to monitor audio and video streams would be appreciated.

    Eugene

    Hello Eugene,

    It is possible to match the video strings specified in your capture by examining the Content-Type. Following that up with a TCP reset or an inline packet deny will keep the video from playing, which will save the bandwidth that the video would otherwise have used. However, it is important that we establish the role of the IPS appliance. The IPS is designed to detect and limit attacks by matching known traffic patterns. For TCP, this may also include dropping a packet to disrupt a flow. The IPS is not fundamentally designed to monitor flows and provide byte counts for a particular protocol so that protocol usage analysis can be performed.

    The signature below will drop packets with the flv-application Content-Type, which will keep the video that you tested on break.com from playing. Each video streaming site works differently. A capture from each video streaming site will have to be examined and another custom signature written if you want to block them all. Also, keep in mind that many sites offer different options for streaming videos. You may need to take multiple captures at each site, one for each streaming method.

    service signature-definition sig0
    signatures 60001 0
    alert-severity medium
    sig-description
    sig-name application-flv TCP string
    exit
    engine string-tcp
    event-action produce-alert|reset-tcp-connection
    regex-string flv-application
    service-ports 80
    direction to-service
    exit
    alert-frequency
    summary-mode fire-all
    exit
    exit
    status
    enabled true
    exit
    exit

    Thank you

    Blayne Dreier

    IDS Cisco TAC team

    * Please check our Podcast *.

    TAC security show: http://www.cisco.com/go/tacsecuritypodcast

  • Changes in prices for the contracts of Support for Cisco IDS/IPS

    Good day

    My boss asked me if there is any added value in Cisco's recent move to charge separately for hardware and software support for the IDS/IPS product line.

    Other than what is obvious (need software support for signature updates, need hardware support in case something breaks), I'm having a hard time providing a response.

    Can anyone suggest what the added value is, other than higher annual recurring costs, that we get as a result of this licensing change?

    Also, was there any press release or other notice to customers about this change?

    I am at a loss...

    Alex Arndt

    Alex,

    Cut through the spin and the hype... the software support allows us to fund a dedicated signature development team, which has improved our signature rejection rates and response times. In addition, it is allowing us to expand our coverage and keep IDS 4.1 receiving signature support. This is contrary to our previous policy, which would have seen 4.1 signature updates cut shortly after 5.0 was released.

    A side effect of this is that our development team is now free to focus on feature development, and you will see more updates, more often.

    Can't comment on press releases and such; they make my head spin ;)

    Scott

  • Get a Smartnet contract also gives you updated signature IDS/IPS?

    One of my clients is looking into getting an ASA5510 with the AIP-SSM module. I realize that with IDS/IPS systems, it is *essential* to keep signature files up to date. Does buying the Smartnet contract for the bundle give me signature file updates, or is there another package that I need to buy?

    I see references to "Cisco Services for IPS", but this seems to be mainly for the router/IOS firewall/IDS packages.

    There is no Smartnet contract for the ASA/AIP-SSM bundle.

    The only SmartNET contract for SSM bundles is with the CSC-SSM and not the AIP-SSM.

    When buying an ASA/AIP-SSM bundle, you need to buy a bundle maintenance contract. Bundle maintenance contracts are marketed as Cisco Services for IPS and include signature support for the AIP-SSM as well as software and hardware support for the ASA and AIP-SSM (software and hardware support is what is normally part of SmartNET).

    For bundles you will need to purchase a Cisco Services for IPS maintenance contract using one of the following part number formats:

    CON-SUw-ASxAyKz

    The 'w' will be 1, 2, 3 or 4 depending on the level of service.

    The 'x' will be either 1 for the 5510, 2 for the 5520 or 4 for the 5540.

    The 'y' will be 10 for the AIP-SSM-10 or 20 for the AIP-SSM-20.

    The 'z' will be 8 or 9 depending on the level of encryption.

    Thus, for example:

    CON-SU2-AS2A20K9 would be 8 X 5 X 4 support for the ASA 5520 bundled with the AIP-SSM-20 with the higher encryption level.

    NOTE: There are also SP contracts for purchase by service providers, which follow a slightly different format.

    There are a few users who have purchased the ASA and the AIP - SSM separately.

    When purchased separately you would need to purchase a SmartNET contract for the ASA and a separate Cisco Services for IPS maintenance contract for the AIP-SSM.

    The AIP-SSM maintenance contract will be in the following format:

    CON-SUw-ASIPyK9

    The 'w' will be 1, 2, 3 or 4 depending on the level of service.

    The 'y' will be 10 for the AIP-SSM-10 or 20 for the AIP-SSM-20.

    Thus, for example:

    CON-SU2-ASIP20K9 would be 8 X 5 X 4 support for the AIP-SSM-20.

    What you will find is that buying a separate SmartNET for the ASA and Cisco Services for IPS for the AIP-SSM will be more expensive than buying a single Cisco Services for IPS contract for the ASA/AIP-SSM bundle. This is because there is a discount when buying the bundle.

  • Detection of SQL injections with IDS/IPS on Cisco ASA?

    Hello

    Is it possible to detect or prevent SQL injection attacks using Cisco IDS/IPS on the ASA, or with regular expressions?

    Is any signature available in IDS/IPS for this? And how effective is it in terms of generating correct alarms?

    Thanks in advance

    Deepak,

    We have several signatures to detect generic SQL injection attacks in the 5930-x family of signatures.

  • Need for an IDS/IPS system for LAN users

    Hello

    I need to have an IDS/IPS for the users in my network. We have 3x Cisco 6509 for access with 4 VLANs, and I am looking for a system to detect activities such as port scans, IP scans and the like on the local network by desktops.

    Please advise me.

    Thank you

    Mike

    Hello

    VLAN span is good, no problems at all, but I wouldn't recommend 100% going to IPS mode instead of IDS. It is the safer and more restrictive way.

    Regards

  • 2651XM IPS Signature Update?

    Hello

    I have a 2651XM with 256 MB / 32 MB running 12.4(25) and I want to update the IPS signature file.  I see that the last update for 256MB.sdf was made in August 2008.  The most recent IPS update that I found is IPS-sig-S518-req-E4.pkg from

    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y

    I tried the command

    ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg

    &

    ip ips sdf location flash: IPS-sig-S518-req-E4.pkg

    but when I apply IPS to an interface and run "show ip ips all", no signature loads and I get the message "invalid token".

    I tried to see if the latest SDM would help too, but nothing.

    My question is, what am I doing wrong or missing?  Is my router too old to be able to get the latest signature files?

    Advice or tips in the right direction are appreciated.

    Thank you

    You have a version of IOS which includes the old version of the IOS IPS feature (known as v4).  This version only supports signature updates using SDF-formatted files.  These files are no longer updated.

    The updated signature file you found (ending in .pkg) is the signature update package for Cisco IPS appliances and is not compatible with the IOS IPS feature set.

    The current IOS IPS feature (called v5) also uses .pkg files.  You would have to move your 2651's IOS to a T-train version such as 12.4(24)T2 for the newest IOS IPS.

    You can find more information about the features of IOS IPS here:

    http://www.Cisco.com/go/iosips

    To get started with IOS IPS v5:

    http://www.Cisco.com/en/us/products/ps6634/products_tech_note09186a008097db66.shtml

    Scott

  • Question about IPS signature updates.

    I installed an ASA5510 (with AIP10) at our customer site. But I can't find out how to upgrade the IPS signature. Is automatic update possible, i.e. through a CCE id?

    Our client does not have IDS MC. What should we do? Let me know, please.

    Without MC there are no automatic updates directly from CEC. However, you can configure a local server (SSH or FTP) and copy the signature update packages to that server. Then you can run a manual upgrade from IDM (https://1.2.3.4) or the CLI (session into the SSM card from the ASA), or set up an auto-upgrade schedule that will upgrade the sensor from the local server periodically. To configure auto updates, IDM would be the easiest to use. If you want to do a manual upgrade, here is an example for the CLI:

    # session 1
    # conf t
    # ssh host-key 1.2.3.4
    # upgrade scp://user@1.2.3.4//home/user/upgrades/IPS-sig-S192-minreq-5.0-1.pkg

  • IPS Signature Update S480?

    I noticed that the E4 engine update software has been posted for all IPS devices, but no corresponding signature (yet).  Also, I see that the IPS updates for MARS now have an update for S480 available, but no corresponding signature for IPS.

    Is this just confusion with release dates?  Or am I just missing where the S480 signatures are?  In addition, will S480 be the first set of sigs out for the E4 engine?

    Has anyone seen it?

    Yes, you are absolutely right. Engine E4 is the latest IPS version, and it comes with signature S480 as the first signature package.

  • IPS Signature engine

    Hello

    In the IPS signature database verification, I noticed that there is a column named engine.

    A few signatures are atomic-ip, others normalizer; I don't know if there is a third value.

    But what do the values mean?

    Another question: if a signature action is set to "deny attacker inline", doesn't it block the attacker IP address for an hour, right?

    Also, is there a way to know, on the IPS, which group of IP addresses are blocked for an hour, and when?

    First of all, let me clarify the differences between the block and deny actions:

    block - relies on an external device, such as a firewall or a router, to implement the action via a shun or ACL entry

    deny - executes the action directly on the IPS sensor; requires that the sensor is configured for inline operation

    All the output of 'show statistics network-access' refers to block actions. "AllowSensorBlock" is a parameter that allows the IPS sensor to add its own management IP to a requested blocking action; this is not usually recommended.  To set the time-out for blocks to stay active you would use the 'global-block-timeout' command in the CLI:

    sensor# configure terminal
    sensor(config)# service event-action-rules rules0
    sensor(config-rul)# general
    sensor(config-rul-gen)# global-block-timeout 30

    The timeout is specified in minutes.

  • IOS IPS-Signature file

    Hi guys,

    We recently bought a Cisco ISR 2921, and in its documents it is written that this product has a license for the IOS IPS signature file, but there is no IOS IPS sig file on the product's flash memory.  And when I try to download the Cisco sig file, it fails.

    Can someone tell me if there is another way to download the sig file?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.

    But you can control which and how many signatures get activated on your router:

    In the following example, I first retire all the signatures and then enable those for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.

    GW#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    GW(config)#ip ips signature-category
    GW(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from category mode
      no        Negate or set default values of a command

    GW(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (many subcategories)
      all                           All categories
      attack                        Attack (many subcategories)
      configurations                Configurations (many subcategories)
      ddos                          DDoS (many subcategories)
      dos                           DoS (many subcategories)
      email                         Email (many subcategories)
      instant_messaging             Instant Messaging (many subcategories)
      ios_ips                       IOS IPS (many subcategories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (many subcategories)
      network_services              Network Services (many subcategories)
      os                            Operating Systems (many subcategories)
      other_services                Other Services (many subcategories)
      p2p                           P2P (many subcategories)
      reconnaissance                Reconnaissance (many subcategories)
      releases                      Releases (many subcategories)
      specially_licensed_signature  Specially Licensed Signature (many subcategories)
      telepresence                  Telepresence (many subcategories)
      uc_protection                 UC Protection (many subcategories)
      viruses/worms/trojans         Viruses/Worms/Trojans (many subcategories)
      webserver                     Web Server (many subcategories)

    GW(config-ips-category)#category all
    GW(config-ips-category-action)#retired true
    GW(config-ips-category-action)#exit
    GW(config-ips-category)#category webserver
    GW(config-ips-category-action)#?
    Category configuration options:
      alert-severity   Alert Severity Rating
      enabled          Enable signatures in category
      event-action     Event action
      exit             Exit from category action mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire signatures in category

    GW(config-ips-category-action)#retired false
    GW(config-ips-category-action)#exit
    GW(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    GW(config)#
    GW(config)#exit
    GW#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
      Total Active Signatures: 131
      Total Inactive Signatures: 4370
    GW#

    I did not follow the thread and replied to your first message in order to have line breaks in this post.

  • Tune the IPS Signature

    Hello

    I want to tune the IPS signature so that it can make an exception for certain IP addresses.

    The signature is 13004 (this is the UDP scan signature). I have CiscoWorks in my network, which scans the network using UDP. I don't want to disable the signature; I just want to add the CiscoWorks IP address to the exception list (if such a list exists). I have configured the alert to be sent to my email and I got a lot of those emails that said

    high 13004-0 "AD - external UDP Scanner" x.y.z.w/src_port(*) 0.0.0.0/dest_port(*)

    Thank you

    Alakabeer-

    You want to configure an event action rule for this signature with the IP address of your CiscoWorks host in an event action variable:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/CLI/cli_event_action_rules.html#wp1032319

    -Bob
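The event action filter that both answers above point to (for the mail server on 5748-x in the first question and the CiscoWorks host on 13004-0 here) can be modelled in a few lines. The block below is an added example, not code from this thread or from Cisco: a Python model of how a filter subtracts actions for one attacker address or subnet on one signature, so the trusted host stops alerting while the signature still fires for every other source. All addresses, filter names and signature ids used as sample input are constructed for the example, and the filter fields are a simplification of the real ones.

```python
# Added example (not from the thread): a model of how an IPS event action
# filter removes actions from alerts for one trusted source while the
# signature stays enabled for every other source.
# Addresses, filter names and signature ids below are constructed for the
# example. Real Cisco IPS filters also match victim address, ports and risk
# rating and can stop further filter processing on match; not modelled here.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Alert:
    sig_id: str         # e.g. "13004-0"
    attacker: str       # source address the sensor attributes the event to
    victim: str
    actions: frozenset  # actions the signature would take, e.g. produce-alert


@dataclass(frozen=True)
class EventActionFilter:
    name: str
    sig_ids: frozenset            # signature ids this filter applies to
    attacker_nets: tuple          # networks the attacker address must fall in
    actions_to_remove: frozenset  # actions subtracted when the filter matches

    def matches(self, alert: Alert) -> bool:
        # A filter is scoped to both the signature and the attacker address.
        if alert.sig_id not in self.sig_ids:
            return False
        ip = ipaddress.ip_address(alert.attacker)
        return any(ip in net for net in self.attacker_nets)


def apply_filters(alert: Alert, filters: Iterable[EventActionFilter]) -> Set[str]:
    """Return the actions left after every matching filter subtracted its actions."""
    remaining = set(alert.actions)
    for f in filters:
        if f.matches(alert):
            remaining -= f.actions_to_remove
    return remaining


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


# Constructed filters: one per trusted host, each scoped to one signature.
FILTERS: List[EventActionFilter] = [
    EventActionFilter(
        name="mailserver-helo-ok",
        sig_ids=frozenset({"5748-0"}),
        attacker_nets=(net("192.0.2.25/32"),),   # constructed mail server address
        actions_to_remove=frozenset({"produce-alert"}),
    ),
    EventActionFilter(
        name="ciscoworks-udp-scan",
        sig_ids=frozenset({"13004-0"}),
        attacker_nets=(net("10.0.0.0/24"),),     # constructed management subnet
        actions_to_remove=frozenset({"produce-alert", "deny-attacker-inline"}),
    ),
]

ALERT = frozenset({"produce-alert"})


def demo() -> dict:
    """Run constructed events through the filters; results keyed by description."""
    cases = {
        "mailserver_5748": Alert("5748-0", "192.0.2.25", "192.0.2.10", ALERT),
        "other_host_5748": Alert("5748-0", "198.51.100.7", "192.0.2.10", ALERT),
        "ciscoworks_13004": Alert("13004-0", "10.0.0.5", "0.0.0.0", ALERT),
        "ciscoworks_other_sig": Alert("5748-0", "10.0.0.5", "192.0.2.10", ALERT),
        "outside_subnet_13004": Alert("13004-0", "10.0.1.5", "0.0.0.0", ALERT),
    }
    return {name: apply_filters(a, FILTERS) for name, a in cases.items()}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name:22s} -> {sorted(actions) or 'no action (filtered)'}")
```

The scope is the thing to check when writing the real filter: because it is keyed on both the signature and the attacker address, the same trusted host hitting a different signature still alerts, and a host just outside the filtered subnet still alerts, which is exactly what both posters asked for instead of retiring the signature. Keep the subnet as narrow as the trusted host actually needs.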

  • IPS Signature update does not occur, IPS Version: 7.0000 E4

    Hi team,

    Recently we started to notice that the automatic IPS signature update is not happening, so we download the signature and update it manually, even

    Current version of IPS: 7.1 (7) E4

    Last signature we tried: 922.0.

    We are able to ping the IP address of the Cisco server, 72.163.4.161. In the release notes accompanying the last signature, version 7.0000 E4 is not included; are we facing the problem because of this?

    Please give your expert advice on this subject,

    Thank you

    Vishnu

    You must have IPS 7.1(11)E4 or 5,0000 E4 or later in order to update since the beginning of this year, when Cisco switched to SHA2 certificates.

    Reference: http://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html

    If you use an old IPS Manager Express (IME), you will also need to upgrade it for full management.

  • Spyware on IOS IPS signatures

    The following document lists three types of spyware signatures for Cisco IDS Version 4.1. Are these available on IOS IPS for the new 2800 routers?

    http://www.Cisco.com/en/us/partner/NetSol/ns340/ns394/ns171/ns292/networking_solutions_newsletter0900aecd800fc536.html

    Cisco IDS Active Update Bulletin #114 [Intrusion Detection System Solution] - Cisco Systems

    Yes,

    I just looked in the latest S128 signature files for IOS IPS and these are available.

    They are, however, disabled by default. So you will have to edit the file and enable them before applying S128 to the router.

    You can make this change by hand or through SDM V2.0:

    http://www.Cisco.com/en/us/products/sw/secursw/ps5318/products_user_guide_book09186a0080327f8b.html

    (NOTE: I was told that you can change the sigs via SDM V2.0, but there are no specific instructions in the user guide.)

    The IOS IPS signature updates are found here:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/iOS-sigup

    If you download and unzip S128, you can edit the file virtualSensor.xml (another name for the attack-drop.sdf file) and find the 3 signatures you mentioned.

  • List of Cisco IPS Signatures

    Hi guys,

    I need a complete list of Cisco IPS signatures in PDF.

    Can someone help me find a link or a PDF?

    Thank you all,

    JV

    Hello

    I couldn't find any method to export the list of signatures. This could be because there are thousands of them.

    However, you can use the following link to find details of signatures.

    http://Tools.Cisco.com/Security/Center/home.x

    SPSP
