TCP Hijack on IDS signature

Does anyone have a lot of experience with the 'TCP Hijack' signature on the IDS sensors? I checked the NSDB and the IDS docs for the engine in question, but neither goes into detail on how to determine whether alerts are false or true positives.

Any comments would be much appreciated.

Thank you very much

Matt

Under Cisco IDS version 3.x, Sig 3250 only looked at a few ports (TCP 21, 23, 513 and 514, if I remember correctly).

With the introduction of version 4.x, the signature was no longer limited to these ports. Thus, at least here, we were seeing a large number of "false positives" involving web proxy traffic and NetBIOS traffic. BTW, I have no idea whether the signature has been coupled to ports again under version 5.x (anyone?).

The logic that we apply to every Sig 3250 alarm we see here is based on two factors: intent and feasibility.

Although it is theoretically possible to hijack most session-oriented TCP connections between a client and a server, there are some that simply make no sense.

If you take alarms involving TCP port 80, what would be the point of hijacking someone connecting to a web server? Anything sensitive that someone could do using a browser is done via HTTPS (aka SSL/TLS), so cryptography will eliminate the threat of hijacking it. So now you're left with unsecured web access. What are you more likely to find if you hijack this? Someone looking at the Dilbert comic strip, or something like that, I imagine... I think you will agree that, therefore, there is no intent at all.

As with any hijacking attack, the feasibility is quite low. Most of these attacks require that the hijacker be in the same domain as the intended victim. That being said, it goes without saying that if you aren't also seeing ARP cache poisoning attacks or TCP SYN flooding (or another DoS attack against the victim), you aren't seeing a valid hijack alarm. Of course, the problem here is that these activities usually occur in an area that is not monitored by a NIDS, so you will need other corroborating data to look at (HIDS/NNIDS, router logs).

In any case, these alarms are not very useful on their own. When they become valuable, in my opinion, is when they appear in concert with other alarms (e.g. Sig 7105 - ARP request imbalance).

I hope this helps.

Alex Arndt
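The intent-and-feasibility logic described in the answer above, turned into a small triage routine. This is an added example and not code from the thread or from Cisco: the alert tuple layout, the sample alerts, the port sets and the ten-minute correlation window are all constructed assumptions. Port-80 and NetBIOS alarms are marked as likely false positives (no intent), alarms whose source also triggered a Sig 7105 ARP imbalance within the window are escalated (corroborated feasibility), and alarms on the cleartext services the 3.x signature originally watched are queued for review.

```python
"""Triage of Cisco IDS 'TCP Hijack' (Sig 3250) alarms by intent and feasibility.
Added example, not Cisco code; alert format, sample alerts and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, sig_id, src_ip, dst_ip, dst_port).
SAMPLE_ALERTS = [
    ("2005-03-01 10:00:01", 3250, "10.1.1.5", "10.1.2.10", 80),   # web proxy traffic
    ("2005-03-01 10:00:03", 3250, "10.1.1.5", "10.1.2.11", 139),  # NetBIOS traffic
    ("2005-03-01 10:05:00", 7105, "10.1.1.9", "10.1.2.0", 0),     # ARP request imbalance
    ("2005-03-01 10:05:40", 3250, "10.1.1.9", "10.1.2.20", 23),   # telnet, same source as 7105
    ("2005-03-01 12:30:00", 3250, "10.1.1.7", "10.1.2.20", 23),   # telnet, nothing else seen
]

# Intent test: hijacking cleartext web/proxy or NetBIOS sessions gains nothing,
# and these were the false-positive sources named in the answer (assumed port list).
LOW_INTENT_PORTS = {80, 8080, 3128, 137, 138, 139}
# Cleartext interactive/control services the 3.x signature originally watched.
HIGH_INTENT_PORTS = {21, 23, 513, 514}
# Feasibility test: alarms that indicate the attacker is on the victim's segment.
CORROBORATING_SIGS = {7105}
WINDOW = timedelta(minutes=10)  # assumed correlation window

FALSE_POSITIVE = "likely false positive: no intent (cleartext web/NetBIOS)"
INVESTIGATE = "investigate: ARP imbalance from same source within window"
REVIEW = "review: cleartext service, no corroborating alarm"
LOW = "low priority: no intent signal, no corroboration"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(alerts, window=WINDOW):
    """Return {(ts, src, dst, port): verdict} for every Sig 3250 alarm."""
    corroboration = defaultdict(list)  # src_ip -> timestamps of corroborating alarms
    for ts, sig, src, _dst, _port in alerts:
        if sig in CORROBORATING_SIGS:
            corroboration[src].append(parse_ts(ts))

    verdicts = {}
    for ts, sig, src, dst, port in alerts:
        if sig != 3250:
            continue
        t = parse_ts(ts)
        if port in LOW_INTENT_PORTS:
            verdict = FALSE_POSITIVE
        elif any(abs(t - c) <= window for c in corroboration[src]):
            verdict = INVESTIGATE
        elif port in HIGH_INTENT_PORTS:
            verdict = REVIEW
        else:
            verdict = LOW
        verdicts[(ts, src, dst, port)] = verdict
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_ALERTS).items():
        print(key, "->", verdict)
```

The ARP alarm itself is never a verdict; it only raises the priority of a hijack alarm from the same source, which matches the point that Sig 3250 is worth something mainly in concert with other alarms.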

Tags: Cisco Security

Similar Questions

  • PIX IDS signatures

Does anyone know the PIX IDS signatures to block ping sweeps and port scans?

Do IDS signatures override previously defined ACLs? For example, I want to allow people to ping me (I allowed icmp echo in my ACL), but I want to drop ping sweeps and port scans.

Thanks.

    PIX IDS signatures are all listed here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/syslog/pixemsgs.htm#1032267

You will notice that there aren't sigs for port scans and ping sweeps, mainly because the PIX does not detect them. This would require the PIX to keep track of all the pings or connection attempts and try to figure out whether a scan is going on, which is not what the PIX is designed for.

If you want to see these then a NIDS system is the best way to go. PIX IDS is very limited and only looks for a very small subset of the signatures, and most of these signatures simply consist of a single packet; it does not try to reassemble multiple packets to different hosts or ports.

  • Can I update (IDS) signatures to a router with IOS/FW/IDS?

I have a 3725 router with IOS FW/IDS version 12.2.3. Can I update the IDS signatures?

Sorry, but the answer is no. IOS IDS signatures are hard coded in the IOS code. They are rarely updated. All you can really do is enable them or not and do some simple tuning of what they catch.

    HTH,

    Travis

  • Explanations of IPS/IDS signatures?

Does anyone know where I can find an explanation of the individual signatures that are used on a 4215?

    Thanks in advance!

    Hello

All IDS/IPS signatures can be found in the MySDN section. You can click on any signature ID or release and get into the details of the information.

You can visit MySDN (CCO login required) at http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x?currentPage=1&st=sd&so=d

    Hope that helps,

Please rate if this helps.

    Kind regards

    Samuel Wilson

  • WLC v4.2.112.0 - IDS Signatures - Deauth/Auth and flooding of the Assoc

    Hi all

My apologies if this has already been asked. There seem to be several posts with people getting critical alarms, and they are due to Cisco bugs?

    Couple of points.

I am on the above version and I'm getting a lot of IDS Deauth, Auth and Assoc alarms on the WLCs/WCS.

How can I find out whether these are some related bug or not?

Also, does anyone know how these three and the other signature attacks work? I.e., a deauth is a number of deauth messages sent to an access point, but how many are sent before the WLC reports on them? That is to say, what are the criteria to generate the IDS alarms? Also for the other signature attacks?

There doesn't seem to be much documentation on the web?

Many thanks and kind regards,

    Ken

    Ken:

This is an area where the documentation has been a bit murky. There have been a number of requests for better documentation, but we are still waiting to see.

Surprisingly, one of the best forms of "documentation" is examining the wireless IDS signature file, which has a few comments and explains how the settings work. You may find it a little enlightening.

    In addition, when it comes to false alarms, we have seen a number of them in various flavors. Here are a few thoughts:

If you run "containment" of rogue APs, the wireless IDS currently interprets its own containment messages as a false positive/attack. This is a known bug (CSCsj06015) that says it is fixed, but to my knowledge it continues to be a problem.

    Here is a link to the bug:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj06015

Also, when some brands of clients go out of range, a string of disassociation messages is sent over RF to ensure that the RF connection is broken. However, the number of these legitimate messages sometimes exceeds the value allowed in the Cisco wireless IDS signature file, and the WLC erroneously interprets this as a false positive/attack, whereas in fact it is normal behaviour. The detections-per-second value can be adjusted (in fact, TAC proposed making some changes here, but this really needs to be set better at the factory). One of the links below explains the methodology for changing wireless IDS signatures. The most recent versions of WCS/WLC are supposed to allow changing these parameters from the GUI, versus exporting/editing/downloading the wireless IDS signature file on each WLC.

For your reading pleasure, here are some links you might find useful that discuss various wrinkles in wireless IDS:

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddf672c/0#selected_message

    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Expert%20Archive&topic=Wireless%20-%20Mobility&topicID=.ee7f999&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbf522e/16#selected_message

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbf520e/1#selected_message

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbeccbc/0#selected_message

    http://forums.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddfaecb/1#selected_message

    Thank you

    John

    (Don't forget to rate helpful messages)

  • IDS signatures

    Hello

Is there a tool to develop signatures for new protocols in Cisco IDS?

    Thank you

    Leandro.

I do not exactly understand your question, but here's a link to the documentation about writing signatures for the Cisco IDS devices. I hope this helps.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a00801a0c28.html

  • Available to multiple IDS signature appearances?

My wife and I need to digitally sign a bank document. The document requires both our full signatures and initials in several places. Since I received the document in electronic format, I want to sign the documents electronically.

I use Acrobat 9 Pro on Windows XP 32-bit (my work computer), and I've never used digital signatures before, so I started by creating an ID for myself. I used the following steps:

    1. I created my ID with my contact information (name, e-mail address, etc.).
2. I set a strong password for the signature.
    3. I created an appearance that contained the current date and a JPEG of my signature.
    4. I created a different appearance which contained just my initials.
    5. I created a last appearance which contained just my name.
    6. I saved the key to a PFX file.

I then started the same steps to create an ID for my wife (on the same Windows account and without closing Acrobat). I thought that when I created a new ID, Acrobat would create an ID without appearances. Instead, all the appearances I created for my ID were available for my wife's ID, too. So, I was able to place a signature using my wife's ID, but the image was my signature.

Did I miss something? Are appearances stored with the ID, and if so, how does Acrobat separate them among IDs? I looked through the Acrobat help, but the only place I found only spoke of creating appearances, and did not deal with more than one.

    Any help is appreciated.  Thanks in advance.

    Matthew

    Hi Matthew,

Acrobat (and when I say Acrobat I really mean both Acrobat and Reader) saves the appearances and the digital ID files in the user's space as assigned by the operating system. If you do not log on when you start the computer (that is, it starts and you find yourself on the desktop) then there is probably only one user, which was created when you set up the computer. If you have a logon screen where you select a user name and type a password, then there are probably accounts for you and your wife. Whoever is logged in is where the files will be stored. Specifically, I am referring to C:\Documents and Settings\\Application Data\Adobe\Acrobat\9.0\Security, where the part between the backslashes depends on the logon name.

    I hope this helped,

    Steve

IPS/IDS events generated with IP <n/a> instead of #.###.###.###

    Hello

I see events in SecMon with the IP of the victim or the attacker as <n/a>.

    How can I filter these events?

I can't implement an event action filter in IDM as <n/a> is not accepted as a victim or attacker IP.

It's weird that a signature for TCP traffic generates the src or dst as <n/a>, as in the IP header there is a src & dst field...

Sig Name: TCP Hijack
Sig ID: 3250
Severity: high
Risk rating: 85
Sig version: 212
Attack type: General attack
OS family: General OS
OS:
Protocol: tcp
Protocol details: TCP
Service:
Attacker address: <>
Attacker port: <>
Attacker Loc: OUT
Unreliable attacker: false
Victim address: 198.133.219.25
Victim port: <>

    Thank you

    JP

These weren't Analysis events, were they? Those might summarize on the source or target with the other side being labeled as "0.0.0.0". Can you look at the raw event on the sensor and see if that information is present?

MARS signatures

Our CS-MARS 50 is on 4.2.6. Is it possible to update the signatures on it?

Yes, once you reach at least some version of MARS. And even then, only Cisco IDS signature updates are performed without a version upgrade.

  • VMS IDS MC - error sensor software update

Hi, we are evaluating/testing VMS IDS MC and Security Monitor.

We encountered a problem when trying to update the sensor software.

In IDS MC Admin > System Configuration > Update Network IDS Signatures:

After choosing to apply one of the following update files (I tried all of them)

IDSSk9-sp-3.0-5-S17.bin

IDSSk9-sp-3.1-2-S23.bin

IDSSk9-sp-3.1-3-S31.bin

ID-sig-3.1-3-S40.bin

I got the following error message (before I had a chance to choose the sensor):

"Failed to update the object. An unexpected exception occurred during validation of the content of the signature update package. Detail = error opening the zip file."

Same message in the Java System Services subsystem report.

    Our version of the software is:

    Common services 1.0

    IDS MC 1.0

    Security Monitor 1.0

    JRE 1.2.2 (V2.1)

Any idea or suggestion how to solve this problem? Thank you.

    Hi TSUI

You must have the .zip files under the */updates directory of the IDS MC/Sec Mon. But you copied *.bin files, which are not supported with IDS MC/Sec Mon. *.bin files are for the Unix Director.

You can get the files from the following location

    http://www.Cisco.com/cgi-bin/tablebuild.pl/Mgmt-CTR-IDs

which are used to update the sensor from the IDS MC/Sec Mon.

Regards

    V

  • Drop ID vs Reset

I understand that dropping a packet prevents the connection from getting into your network, and a TCP Reset resets the connection in both directions.

Isn't that functionally pretty much the same thing? Either way, you end the connection, right?

Since TCP Reset only works on TCP traffic, why even use it? Isn't dropping the connection good enough to take care of this?

One issue to consider is that of system resources.

If the sensor drops the connection (or packets), the connection is not able to continue.

BUT the client and the server think that the connection is still ongoing and will resend packets and keep system resources open until an eventual time-out occurs.

With TCP Reset, on the other hand, the client and the server know the connection has been reset and can release the system resources and stop resending.

However, the TCP Reset by itself does not guarantee that the connection will go away.

TCP Reset is a best guess at the sequence numbers for the connection to be reset. You are in effect hijacking the connection, and the hijack does not always work (especially on fast connections).

If all you are worried about is preventing an attack, then dropping packets works very well.

But if you are worried about dropping the attacks but also about freeing up system resources (particularly a web server that may be constantly attacked in the case of worms), I would recommend that you use both the drop and the reset actions.

    SIDE NOTE:

Version 4.1 of the IDS software supports TCP resets, but does not support drop actions.

IPS version 5.0 (forthcoming) will support a new inline feature that supports drop actions (the so-called deny actions in IPS v5.0). So in 5.0, you can do both a deny action and a TCP reset action on signatures which fire often. This way your servers won't waste resources on connections that have already been dropped by the IPS.
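Why a sensor-generated reset is only a best guess, as described in the answer above: a TCP endpoint honours a RST only if its sequence number falls inside the receive window (RFC 793), and a host following RFC 5961 honours it only on an exact match. The model below is an added example, not Cisco code or anything from the thread; the endpoint class, the window sizes and the sequence numbers are constructed. It shows that the sensor's guess (last observed sequence number plus segment length) works when the reset arrives before more data, and fails once a fast connection has moved the server's window past the guess.

```python
"""Model of RST acceptance at a TCP receiver, to illustrate why an IDS/IPS
TCP reset can fail.  Added example; numbers and classes are constructed."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    rcv_nxt: int           # next sequence number the receiver expects
    rcv_wnd: int           # advertised receive window
    strict: bool = False   # RFC 5961 behaviour: only an exact match resets

    def accept_rst(self, seq):
        """RFC 793: any in-window RST resets; RFC 5961: only seq == rcv_nxt does
        (an in-window but inexact RST just triggers a challenge ACK)."""
        if seq == self.rcv_nxt:
            return True
        in_window = self.rcv_nxt < seq < self.rcv_nxt + self.rcv_wnd
        return in_window and not self.strict

    def deliver(self, seq, length):
        """Peer data arriving in order advances the receive window."""
        if seq == self.rcv_nxt:
            self.rcv_nxt += length


def sensor_reset_succeeds(server, observed_seq, observed_len, bytes_after):
    """The sensor sniffs a client segment (observed_seq, observed_len) and sends
    the server a RST with seq = observed_seq + observed_len.  bytes_after is the
    client data the server receives between the sniff and the RST's arrival."""
    guess = observed_seq + observed_len
    server.deliver(observed_seq, observed_len)
    if bytes_after:
        server.deliver(server.rcv_nxt, bytes_after)
    return server.accept_rst(guess)


if __name__ == "__main__":
    # Slow connection: nothing else arrives, the guess is exact.
    print(sensor_reset_succeeds(Endpoint(1000, 65535), 1000, 100, 0))    # True
    # Fast connection: 500 more bytes land first, the guess is now behind the window.
    print(sensor_reset_succeeds(Endpoint(1000, 65535), 1000, 100, 500))  # False
```

This is also the reason the answer recommends pairing the reset with a drop action where available: the drop does not depend on guessing sequence numbers, and the reset, when it lands, lets both endpoints release their resources.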

  • Network scans

    Hi all

I'm trying to figure out how to get network scans and attacks to appear in my syslog for my Cisco ASA 5520.

Just with the device-based IPS support, can't I get something to appear on my syslog server?

Network scans do not seem to be part of the standard IDS signatures, since it's just a network port scan?

    Any direction on this would be appreciated.

Regards

I don't know how to directly detect scans on the ASA. I've seen some indirect scan detection performed on firewall logs in a custom SIM (Intellitactics) by correlation.

You may be better served asking that question in the firewall forum.

    -Bob
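The indirect approach mentioned above (and the reason the PIX answer earlier in this list says the firewall itself cannot see sweeps or scans): correlate the firewall's deny records over a time window rather than look at single packets. The script below is an added example, not part of the thread, the ASA/PIX, or any SIM product; its log line format, the sample log, the thresholds and the sixty-second window are all constructed. It flags a port scan when one source is denied on many distinct ports of one host within the window, and a ping sweep when one source is denied ICMP to many distinct hosts, while a single denied connection or a slow trickle spread over hours stays below threshold.

```python
"""Scan and sweep detection by correlating firewall deny logs.
Added example; log format, sample data and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed deny-record format, not the ASA/PIX syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>tcp|udp|icmp) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?$"
)

PORT_SCAN_THRESHOLD = 10   # distinct ports on one host from one source
SWEEP_THRESHOLD = 8        # distinct hosts probed with ICMP from one source
WINDOW = timedelta(seconds=60)


def constructed_log():
    """Sample deny records: one port scan, one ping sweep, and benign noise."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(f"2005-03-01 09:00:{i:02d} DENY tcp src=203.0.113.9 dst=192.0.2.10 dport={port}")
    for i in range(10):
        lines.append(f"2005-03-01 09:10:{i:02d} DENY icmp src=198.51.100.4 dst=192.0.2.{20 + i}")
    lines.append("2005-03-01 09:20:00 DENY tcp src=198.51.100.8 dst=192.0.2.10 dport=23")
    for h in range(12):  # one denied port per hour: too slow to count as a scan here
        lines.append(f"2005-03-01 {h:02d}:30:00 DENY tcp src=198.51.100.9 dst=192.0.2.10 dport={1000 + h}")
    lines.append("2005-03-01 09:21:00 INFO link up")  # unrelated record, ignored by the parser
    return lines


def parse(lines):
    """Yield (ts, src, dst, proto, dport) for each deny record, skipping other lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["src"], m["dst"], m["proto"], m["dport"]


def detect(lines, port_threshold=PORT_SCAN_THRESHOLD,
           sweep_threshold=SWEEP_THRESHOLD, window=WINDOW):
    """Return a set of ('port_scan', src, dst) and ('ping_sweep', src) findings."""
    by_src = defaultdict(list)
    for ev in sorted(parse(lines)):
        by_src[ev[1]].append(ev)

    findings = set()
    for src, events in by_src.items():
        recent = deque()  # events from this source inside the sliding window
        for ev in events:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            ports_per_host = defaultdict(set)
            icmp_hosts = set()
            for _ts, _src, dst, proto, dport in recent:
                if proto == "icmp":
                    icmp_hosts.add(dst)
                else:
                    ports_per_host[dst].add((proto, dport))
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    findings.add(("port_scan", src, dst))
            if len(icmp_hosts) >= sweep_threshold:
                findings.add(("ping_sweep", src))
    return findings


if __name__ == "__main__":
    for finding in sorted(detect(constructed_log())):
        print(finding)
```

The thresholds and window are the tuning knobs; the trickle source in the sample log shows why a window matters, since counting distinct ports over the whole day would flag it too.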

  • Questions of the IPS?

Are IDS signatures and IPS signatures different, then?

If yes, where can I get the latest signatures for the IPS?

Also, how should I update the IPS signatures on my 7206VXR router with these latest signatures?

    Thank you

    Yes and no

IDS stands for Intrusion Detection System

IPS stands for Intrusion Prevention System

The main difference is that IDS systems monitor attacks but cannot drop the packets of the attack, while IPS systems can monitor and also drop the packets during the attack in order to prevent it.

    In the past, all Cisco products were IDS sensors. This includes devices and modules.

Even the IOS software running on Cisco routers that did signature analysis was called IDS (although technically, it could drop the attacks and could be considered IPS).

Recently (last summer) the IOS code was enhanced to do additional signatures and even provided the ability to add new signatures without loading a new IOS (new signatures are in an xml configuration file).

When this feature was added, the IOS team decided to start calling these IPS signatures because they wanted to emphasize the fact that the IOS router may drop packets and prevent the attack.

    The base IOS image comes with a default set of IPS signatures.

    New IPS signatures can also be loaded onto the router.

    These new xml configuration files are available on CCO.

    New files:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/iOS-sigup

    Old files (archives):

    http://www.Cisco.com/cgi-bin/tablebuild.pl/iOS-sigup-arch (currently empty since only one or 2 have been published so far)

So, the answer might be a sort of yes, from the IOS point of view. Old IDS signatures are the initial signatures hardcoded in the old IOS images. The IPS signatures are new signatures in the new IOS images that can be added via an xml configuration file.

Technically the difference is mainly in the age of the naming convention. The old stuff is called IDS and the new stuff is now called IPS.

To load these new files, you must run recent IOS firewall images, and then follow the instructions in the readme files.

At the same time the IDS modules and appliances are going through a code change for IPS functionality.

This new feature is not yet available. But after its release, new signature updates will be called IPS signatures.

However, these IPS signature updates on the appliances and modules will always also be IDS signatures when configured to monitor only.

So from the module and appliance point of view, the answer is NO, there is really no difference between IDS and IPS signatures. The difference between IDS and IPS is not the signatures but what happens when the signature is detected (only monitor with an alert, or monitor with an alert but also drop the packet in order to prevent the attack).

Problem updating service pack on IDS MC

I just upgraded to version 4.0 and installed the latest version of the IDS MC software, ver 1.1.1. I can't upgrade the MC or the sensors to the latest service packs.

In Configuration -> Updates -> Update Network IDS Signatures, I chose IDS-K9-sp-4.0-2-S42.zip, then clicked Apply.

    I have the following message:

    Apply the IDS-K9-sp-4.0-2-S42.zip update to the Management Center.

    Then I click Finish.

Immediately after that it brings me back to the Apply button without making any change. I've checked the Audit log and nothing shows in there either.

I've also tried to update a test sensor that I have, and it seems to skip step 2 (request for passwd) and ends the same way.

    Advice/ideas would be appreciated...

    Thank you.

    Shawn

Well, then, I would remove the sensor and add it back just to check and reset the connectivity, then try the same update.

    Thank you

    Christophe

PIX does not allow large packets

I can ping with -l 992, but it fails with -l 993.

    Ping 172.16.17.1 with 992 bytes of data:

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Reply from 172.16.17.1: bytes = 992 time = 1ms TTL = 254

    Ping statistics for 172.16.17.1:

    Packets: Sent = 4, received = 4, lost = 0 (0% loss),

    Time approximate round trip in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, average = 1ms

    Ping 172.16.17.1 with 993 bytes of data:

    Request timed out.

    Request timed out.

    Request timed out.

    Request timed out.

    Ping statistics for 172.16.17.1:

    Packets: Sent = 4, received = 0, lost = 4 (100% loss),

I also see that connections to the devices in the DMZ take an excessively long time.

    The MTU size on all interfaces is always the default value of 1500.

    Hi Jimmysturn:

What likely happened here is that you have an IDS attack policy bound to your outside interface with the action 'drop' or 'reset' for all packets that match a signature in the attack category.

Signature 2151 (Large ICMP) will drop packets hitting the PIX outside interface, or those passing through the PIX outside interface, when you ping with a large packet size (993+ bytes):

From your post, you must have had the following IDS policy on your PIX:

ip audit name attackpolicy attack action drop

(or

ip audit name attackpolicy attack action alarm drop

or

ip audit name attackpolicy attack action alarm reset

or both)

If you want to ping with big packets, there are several things you can do:

(1) remove the "attackpolicy" policy completely from your outside interface. It will turn off all of the IDS signatures in the attack category.

Look at this carefully and see if it's what you want to do.

    To achieve the above, issue the following command:

"no ip audit interface outside attackpolicy"

(2) turn off signature 2151 by running the command:

"ip audit signature 2151 disable"

That would disable only the Large ICMP attack signature while leaving the other attack signatures in the attack sig category ON.

(3) set the signature action to log large ICMP packets (to a syslog server or the internal buffer) instead of dropping them. Again, this should be considered as carefully as option 1.

    To achieve the above goal, issue the following command:

ip audit name attackpolicy attack action alarm

Hope this helps.

Please rate the post accordingly if you find it useful.

    Sincerely,

    Binh
