IDS signatures

Hello

Is there a tool to develop signatures for new protocols in Cisco IDS?

Thank you

Leandro.

I don't exactly understand your question, but here's a link to the documentation on writing signatures for Cisco IDS devices. I hope this helps.

http://www.Cisco.com/en/us/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c28.html

Tags: Cisco Security

Similar Questions

  • PIX IDS signatures

    Does anyone know the PIX IDS signatures that block ping scans and port scans?

    Do the IDS signatures override previously defined ACLs? For example, I want to allow people to ping me (I allowed ICMP echo in my ACL), but I want to drop ping sweeps and port scans.

    Thank you.

    PIX IDS signatures are all listed here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/syslog/pixemsgs.htm#1032267

    You will notice that there are no sigs for port scans and ping sweeps, mainly because the PIX does not detect them. This would require the PIX to keep track of all the pings or connection attempts and try to work out whether a scan is going on; that is not what the PIX is designed for.

    If you want to see these then a NIDS is the best way to go. PIX IDS is very limited and only looks for a very small subset of the signatures, and most of these signatures simply consist of a single packet; they do not try to reassemble several packets to different hosts or ports.

  • Can I update (IDS) signatures to a router with IOS/FW/IDS?

    I have a 3725 router with IOS FW/IDS version 12.2.3. Can I update the IDS signatures?

    Sorry, but the answer is no. IOS IDS signatures are hard-coded in the IOS code. They are rarely updated. All you can really do is enable them or not and do some simple tuning of what they catch.

    HTH,

    Travis

  • TCP Hijack on IDS signature

    Does anyone have a lot of experience with the 'TCP Hijack' signature on the IDS sensors? I checked the NSDB and the IDS docs for the engine in question, but neither goes into detail on how to determine whether alerts are false or true positives.

    Any comments would be much appreciated.

    Thank you very much

    Matt

    Under Cisco IDS version 3.x, signature 3250 only looked at a few ports (TCP 21, 23, 513 and 514, if I remember correctly).

    With the introduction of version 4.x, the signature was no longer limited to these ports. Thus, at least here, we saw a large number of "false positives" involving web proxy traffic and NetBIOS traffic. BTW, I have no idea whether the signature has been tied back to those ports under version 5.x (anyone?).

    The logic that we apply to every signature 3250 alarm we see here is based on two factors: intent and feasibility.

    Although it is theoretically possible to hijack most session-oriented TCP connections between a client and a server, there are some that simply make no sense.

    If you take alarms involving TCP port 80, what would be the point of hijacking someone connecting to a web server? Anything sensitive that someone could do using a browser is done via HTTPS (aka SSL/TLS), so cryptography eliminates the threat of hijacking it. So now you're left with unsecured web access. What are you more likely to find if you hijack this? Someone reading the Dilbert comic strip, or something like that, I imagine... I think you will agree that, therefore, there is no intent at all.

    As with any hijacking attack, the feasibility is quite low. Most of these attacks require that the hijacker be in the same domain as the intended victim. That being said, it goes without saying that if you aren't also seeing ARP cache poisoning attacks or TCP SYN flooding (or another DoS attack against the victim), you aren't seeing a valid hijack alarm. Of course, the problem here is that these activities usually occur in an area that is not monitored by a NIDS, so you will need to look for other corroborating data (HIDS/NNIDS, router logs).

    In any case, these alarms are not very useful on their own. Where they become valuable, in my opinion, is when they appear in concert with other alarms (e.g. signature 7105 - ARP request imbalance).

    I hope this helps.

    Alex Arndt

  • Explanations of IPS/IDS signatures?

    Does anyone know where I can find an explanation of the individual signatures that are used in a 4215?

    Thanks in advance!

    Hello

    All IDS/IPS signatures can be found in the MySDN section. You can click on any Signature ID or release and get the detailed information.

    You can visit MySDN (login required) at http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x?currentPage=1&st=sd&so=d

    Hope that helps,

    Please rate if this helps.

    Kind regards

    Samuel Wilson

  • WLC v4.2.112.0 - IDS Signatures - Deauth/Auth and flooding of the Assoc

    Hi all

    My apologies if this has already been asked. There seem to be several posts with people getting critical alarms that are due to Cisco bugs?

    A couple of points.

    I am on the above version and I'm getting a lot of IDS Deauth, Auth and Assoc alarms on the WLCs/WCS.

    How can I find out whether these are some related bug or not?

    Also, does anyone know how these three and the other signature attacks work? I.e., a deauth is a number of deauth messages sent to an access point, but how many are sent before the WLC reports on them? That is, what are the criteria for generating the IDS alarms? And for the other signature attacks?

    There don't seem to be many docs on the web?

    Many thanks and kind regards,

    Ken

    Ken:

    It is an area where the documentation has been a bit murky. There have been a number of requests for better documentation, but we are still waiting to see.

    Surprisingly, one of the best forms of "documentation" is examining the wireless IDS signature file, which has a few comments and explains how the settings work. You may find it a little enlightening.

    In addition, when it comes to false alarms, we have seen a number of them in various flavors. Here are a few thoughts:

    If you run "containment" on rogue APs, the wireless IDS currently interprets its own containment messages as a false positive/attack. This is a known bug (CSCsj06015) that is listed as fixed, but to my knowledge it continues to be a problem.

    Here is a link to the bug:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj06015

    Also, when some brands of clients go out of range, a string of disassociation messages is sent over RF to ensure that the RF connection is torn down. However, the number of these legitimate frames sometimes exceeds the value allowed in the Cisco wireless IDS signature file, and the WLC erroneously interprets it as a false positive/attack, whereas in fact it is normal behaviour. The detections-per-second value can be adjusted (in fact, TAC proposed some changes here, but this really needs to be better set at the factory to prevent them). One of the links below explains the methodology for changing the wireless IDS settings. The most recent versions of WCS/WLC are supposed to allow changing these parameters via the GUI, versus exporting/editing/uploading the wireless IDS signature file on each WLC.

    For your reading pleasure, here are some links that you might find useful which discuss various wrinkles in wireless IDS:

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddf672c/0#selected_message

    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Expert%20Archive&topic=Wireless%20-%20Mobility&topicID=.ee7f999&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbf522e/16#selected_message

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbf520e/1#selected_message

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbeccbc/0#selected_message

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddfaecb/1#selected_message

    Thank you

    John

    (Don't forget to rate helpful messages)

  • Signature appearances available to multiple IDs?

    My wife and I need to digitally sign a bank document.  The document requires both of us to place full, original signatures in several places.  Given that I received the document in electronic format, I am signing the documents electronically.

    I use Acrobat 9 Pro on Windows XP 32-bit (my work computer), and I've never used digital signatures before, so I started by creating an ID for myself.  I used the following steps:

    1. I created my ID with my contact information (name, e-mail address, etc.).
    2. I set a strong password for the signature.
    3. I created an appearance that contained the current date and a JPEG of my signature.
    4. I created a different appearance which contained just my initials.
    5. I created a last appearance which contained just my name.
    6. I saved the key to a PFX file.

    I then started the same steps to create an ID for my wife (on the same Windows account and without closing Acrobat).  I thought that when I created a new ID, Acrobat would create an ID without appearances.  Instead, all the appearances I created for my ID were available for my wife's ID, too.  So I was able to place a signature using my wife's ID, but the image was my signature.

    Did I miss something?  Are appearances stored with the ID, and if so, how does Acrobat separate them among the IDs?  I looked through the Acrobat help, but the only place I found that spoke of creating appearances did not deal with more than one.

    Any help is appreciated.  Thanks in advance.

    Matthew

    Hi Matthew,

    Acrobat (and when I say Acrobat I really mean both Acrobat and Reader) saves the appearances and the digital ID files in the user's space as assigned by the operating system. If you do not log on when you start the computer (that is, it just starts and you find yourself on the desktop) then there is probably only one user, which was created when you set up the computer. If you have a logon screen where you select a user name and type a password then there are probably accounts for you and your wife. Whoever is logged in determines where the files will be stored. Specifically, I am referring to C:\Documents and Settings\\Application Data\Adobe\Acrobat\9.0\Security, where the user folder depends on the logon name.

    I hope this helped,

    Steve

  • MARS signatures

    Our CS-MARS 50 is on 4.2.6. Is it possible to update the signatures on it?

    Yes, once you reach at least a certain version of MARS. And even then, only Cisco IDS signature updates are performed without a version upgrade.

  • VMS IDS MC - error sensor software update

    Hi, we are evaluating/testing VMS IDS MC and Security Monitor.

    We have encountered a problem when trying to update the sensor software.

    In IDS MC > Admin > System Configuration > Update Network IDS Signatures:

    After choosing to apply one of the following update files (I tried all of them)

    IDSSk9-sp-3.0-5-S17.bin

    IDSSk9-sp-3.1-2-S23.bin

    IDSSk9-sp-3.1-3-S31.bin

    IDS-sig-3.1-3-S40.bin

    I got the following error message (before I had a chance to choose the sensor):

    "Failed to update the object. An unexpected exception occurred during validation of the content of the signature update package. Detail = error opening the zip file."

    Same message in the Java System Services subsystem report.

    Our software versions are:

    Common services 1.0

    IDS MC 1.0

    Security Monitor 1.0

    JRE 1.2.2 (V2.1)

    Any idea or suggestion on how to solve this problem? Thank you.

    Hi TSUI

    You must have the .zip files in the updates directory of IDS MC / Security Monitor. But you copied *.bin files, which are not supported by IDS MC / Security Monitor. *.bin files are for the Unix Director.

    You can get the files from the following location

    http://www.Cisco.com/cgi-bin/tablebuild.pl/Mgmt-CTR-IDs

    which are used to update the sensor from IDS MC / Security Monitor.

    Regards

    V

  • Network scans

    Hi all

    I'm trying to figure out how to get network scans and attacks to appear in the syslog for my Cisco ASA 5520.

    With just the device-based IPS support, can't I get something to appear on my syslog server?

    Network scans do not seem to be part of the standard IDS signatures since it's just a network port scan?

    Any direction on this would be appreciated.

    Regards

    I don't know how to directly detect scans on the ASA. I've seen some indirect scan detection performed on firewall logs in a custom SIM (Intelitactics) by correlation.

    You would be better served asking that question in the firewall forum.

    -Bob

  • Questions of the IPS?

    Are IDS signatures and IPS signatures different, then?

    If yes, where can I get the latest IPS signatures?

    Also, how should I update the IPS signatures on my 7206VXR router with these latest signatures?

    Thank you

    Yes and no

    IDS stands for Intrusion detection system

    IPS stands for intrusion prevention

    The main difference is that IDS systems monitor attacks but cannot drop the packets in the attack, while IPS systems can monitor and also drop the packets during the attack in order to prevent it.

    In the past, all Cisco products were IDS sensors. This includes appliances and modules.

    Even the IOS software running on Cisco routers that did signature analysis was called IDS (although technically it could mitigate the attacks and could be considered IPS).

    Recently (last summer) the IOS code was enhanced to do additional signatures and even provided the ability to add new signatures without loading a new IOS (new signatures are in an XML configuration file).

    When this feature was added, the IOS team decided to start calling these IPS signatures because they wanted to emphasize the fact that the IOS router can drop packets and prevent the attack.

    The base IOS image comes with a default set of IPS signatures.

    New IPS signatures can also be loaded onto the router.

    These new XML configuration files are available on CCO.

    New files:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/iOS-sigup

    Old files (archives):

    http://www.Cisco.com/cgi-bin/tablebuild.pl/iOS-sigup-arch (currently empty since only one or two have been published so far)

    So the answer might be a sort of yes, from the IOS point of view. The old IDS signatures are the initial signatures hard-coded in the old IOS images. The IPS signatures are new signatures in the new IOS images that can be added via an XML configuration file.

    Technically the difference is mainly in the age of the naming convention. The old stuff is called IDS and the new is now called IPS.

    To load these new files, you must run recent IOS firewall images, and then follow the instructions in the readme files.

    At the same time, the IDS modules and appliances are going through code changes for IPS functionality.

    This new feature is not yet available. But after its release, new signature updates will be called IPS signatures.

    However, these IPS signature updates for the appliances and modules will also still be IDS signatures when configured to monitor only.

    So from the module and appliance point of view, the answer is no: there is really no difference between IDS and IPS signatures. The difference between IDS and IPS is not the signatures but what happens when the signature is detected (monitor only with an alert, or monitor and alert but also drop the packet in order to prevent the attack).

  • Problem updating service pack on IDS MC

    I just upgraded to version 4.0 and installed the latest IDS MC software, ver 1.1.1. I can't upgrade the MC or the sensors to the latest service packs.

    In Configuration -> Updates -> Update Network IDS Signatures, I chose IDS-K9-sp-4.0-2-S42.zip, then click Apply.

    I have the following message:

    Apply the IDS-K9-sp-4.0-2-S42.zip update to the Management Center.

    Then I click Finish.

    Immediately after that it brings me back to the Apply button without making any change. I've checked the audit log and nothing shows in there either.

    I've also tried to update a test sensor that I have, and it seems to skip step 2 (password request) and ends the same way.

    Advice/ideas would be appreciated...

    Thank you.

    Shawn

    Well then, I would remove the sensor and add it back just to check and reset the connectivity, and try the same update.

    Thank you

    Christophe

  • PIX does not allow large packets

    I can ping with -l 992, but it fails with -l 993.

    Ping 172.16.17.1 with 992 bytes of data:

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Ping statistics for 172.16.17.1:

    Packets: Sent = 4, received = 4, lost = 0 (0% loss),

    Time approximate round trip in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, average = 1ms

    Ping 172.16.17.1 with 993 bytes of data:

    Request timed out.

    Request timed out.

    Request timed out.

    Request timed out.

    Ping statistics for 172.16.17.1:

    Packets: Sent = 4, received = 0, lost = 4 (100% loss),

    I also see that connections to the devices in the DMZ are taking excessively long.

    The MTU size on all interfaces is still the default value of 1500.

    Hi Jimmysturn:

    What likely happened here is that you have an IDS attack policy bound to your outside interface with the action 'drop' or 'reset' for all packets that match a signature in the attack category.

    Signature 2151 (Large ICMP) will drop packets that hit the PIX outside interface, or pass through it, when you ping with a large packet size (993+ bytes).

    From your post, you must have had the following IDS policy on your PIX:

    ip audit name attackpolicy attack action drop

    (or

    ip audit name attackpolicy attack action alarm drop

    or

    ip audit name attackpolicy attack action alarm reset

    or both)

    If you want to ping with big packets, there are several things you can do:

    (1) Remove the "attackpolicy" policy completely from your outside interface. This will turn off all of the IDS signatures in the attack category.

    Look at this carefully and see if it's what you want to do.

    To achieve the above, issue the following command:

    no ip audit interface outside attackpolicy

    (2) Turn off signature 2151 by running the command:

    ip audit signature 2151 disable

    That would disable only the Large ICMP attack signature while leaving the other signatures in the attack category on.

    (3) Set the signature action to log (to a syslog server or the internal buffer) large ICMP packets instead of dropping them. Again, this should be considered as carefully as option 1.

    To achieve the above, issue the following command:

    ip audit name attackpolicy attack action alarm

    Hope this helps.

    Please rate the post accordingly if you find it useful.

    Sincerely,

    Binh

  • IDS MC signature update

    Hello

    I am trying to upgrade my 4250 IDS using IDS MC version 2.01. I downloaded the signature file and placed it in the following directory on the IDS MC server:

    "c:\program files\cscopx\mdc\etc\ids\update"

    I got the following error in the Progress Viewer when I try to apply this update using IDS MC.

    Local MC: upgrade

    This package seems to be corrupted, or permission to read the file was refused. Please check the update package and try the operation again.

    So I thought maybe the signature file was corrupted. I re-downloaded the same signature file (S146) and got the same error. I downloaded the same file using different PCs, but got the same error.

    I checked the file permissions and everything seems OK. I don't know what else to check.

    Altaf

    Hello Altaf,

    Try to update with the zip file and not the pkg file. Through IDS MC you must do so only with the zip file... the pkg file can be used directly when you FTP the signature update to the IDS.

    I hope this helps... all the best...

    REDA

  • Does a SmartNet contract also give you IDS/IPS signature updates?

    One of my clients is looking into getting an ASA 5510 with the AIP-SSM module. I realize that with IDS/IPS systems it is *essential* to keep signature files up to date. Does buying the SmartNet contract for the bundle give signature file updates, or is there another package that I need to buy?

    I see references to "Cisco Services for IPS", but this seems to be mainly for router/IOS firewall/IDS packages.

    There is no SmartNet contract for the ASA/AIP-SSM bundle.

    The only SmartNet SSM bundles are with the CSC-SSM and not the AIP-SSM.

    When buying an ASA/AIP-SSM bundle, you'll need to buy a bundle maintenance contract. Bundle maintenance contracts are Cisco Services for IPS contracts and include signature support for the AIP-SSM as well as software and hardware support for the ASA and AIP-SSM (software and hardware support is what is normally part of SmartNet).

    For bundles you will need to purchase a Cisco Services for IPS maintenance contract using one of the following part number formats:

    CON-SUw-ASxAyKz

    The 'w' will be 1, 2, 3 or 4 depending on the level of service.

    The 'x' will be either 1 for the 5510, 2 for the 5520 or 4 for the 5540.

    The 'y' will be 10 for the AIP-SSM-10 or 20 for the AIP-SSM-20.

    The 'z' will be 8 or 9 depending on the level of encryption.

    Thus, for example:

    CON-SU2-AS2A20K9 would be 8x5x4 support for the ASA 5520 bundled with the AIP-SSM-20 with the higher encryption.

    NOTE: There are also SP contracts for purchase by service providers, which follow a slightly different format.

    There are a few users who have purchased the ASA and the AIP-SSM separately.

    When purchased separately you would need to purchase a SmartNet contract for the ASA and a separate Cisco Services for IPS maintenance contract for the AIP-SSM.

    The AIP-SSM maintenance contract will be in the following format:

    CON-SUw-ASIPyK9

    The 'w' will be 1, 2, 3 or 4 depending on the level of service.

    The 'y' will be 10 for the AIP-SSM-10 or 20 for the AIP-SSM-20.

    Thus, for example:

    CON-SU2-ASIP20K9 would be 8x5x4 support for the AIP-SSM-20.

    What you will find is that buying a separate SmartNet for the ASA and Cisco Services for IPS for the AIP-SSM will be more expensive than buying a single Cisco Services for IPS contract for the ASA/AIP-SSM bundle. This is because there is a discount when buying as a bundle.
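Two of the threads above (PIX IDS signatures, and network scans on the ASA) make the same point: the firewall's built-in IDS matches single packets and does not track connection attempts across packets, so port scans and ping sweeps are found by correlating firewall deny logs. The following Python correlator is an added example, not code from the forum or from Cisco; it runs over constructed syslog lines modelled on the ASA/PIX 106023 "Deny" message, and the host name, addresses, 60-second window and threshold of 10 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the ASA/PIX 106023 "Deny" message. Only the fields needed for the
# correlation are captured; the access-group tail of the line is ignored.
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*%(?:ASA|PIX)-4-106023: "
    r"Deny (?P<proto>tcp|udp|icmp) src \w+:(?P<src>[\d.]+)(?:/\d+)? "
    r"dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

def parse_deny(line, year=2024):
    """Return a dict for a 106023 Deny line, or None for any other line.
    Syslog timestamps carry no year, so one is assumed (constructed data)."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None}

def correlate(events, window=timedelta(seconds=60), threshold=10):
    """Port scan: one source denied to >= threshold distinct TCP/UDP ports on
    one host within the window. Ping sweep: one source's ICMP denied to
    >= threshold distinct hosts within the window. Only denied traffic is
    visible here, so pings permitted by the ACL never contribute."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent, reported = deque(), set()
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:  # slide the window
                recent.popleft()
            ports, hosts = defaultdict(set), set()
            for r in recent:
                if r["proto"] == "icmp":
                    hosts.add(r["dst"])
                else:
                    ports[r["dst"]].add(r["dport"])
            for dst, p in ports.items():
                if len(p) >= threshold and ("port-scan", dst) not in reported:
                    reported.add(("port-scan", dst))      # report each once
                    findings.append(("port-scan", src, dst, len(p)))
            if len(hosts) >= threshold and "ping-sweep" not in reported:
                reported.add("ping-sweep")
                findings.append(("ping-sweep", src, None, len(hosts)))
    return findings

def analyse(lines):
    """Parse raw syslog lines and return the correlated findings."""
    return correlate([e for e in map(parse_deny, lines) if e])

# Constructed sample log: a 12-port scan from 203.0.113.5, an 11-host ICMP
# sweep from 198.51.100.7, and benign retries from 192.0.2.9 (not flagged).
def _line(sec, proto, src, dst, dport=None):
    ts = (datetime(2024, 3, 12, 10, 15) + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")
    if proto == "icmp":
        body = f"Deny icmp src outside:{src} dst inside:{dst} (type 8, code 0)"
    else:
        body = f"Deny {proto} src outside:{src}/{40000 + sec} dst inside:{dst}/{dport}"
    return f'{ts} fw01 %ASA-4-106023: {body} by access-group "outside_in" [0x0, 0x0]'

SAMPLE_LOG = (
    [_line(i, "tcp", "203.0.113.5", "10.1.1.10", 20 + i) for i in range(12)]
    + [_line(30 + i, "icmp", "198.51.100.7", f"10.1.1.{i + 1}") for i in range(11)]
    + [_line(50 + i, "tcp", "192.0.2.9", "10.1.1.10", 443) for i in range(3)]
)
```

Calling `analyse(SAMPLE_LOG)` returns one port-scan finding for 203.0.113.5 and one ping-sweep finding for 198.51.100.7, each reported when the tenth distinct port or host is seen; the benign source produces nothing.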
