I just checked; it does work with ICMP total length, but the problem is that
we can't provide a range for the size.


With regards
Kings

On Wed, Feb 17, 2010 at 4:51 PM, Kingsley Charles <[email protected]> wrote:

> Thanks Stu.
>
> For large ICMP packets, the solution tells us to use IP payload length.
> Instead, can we use the "Specify ICMP total length" option?
>
>
> With regards
> Kings
>
> On Wed, Feb 17, 2010 at 2:12 PM, Stuart Hare <[email protected]> wrote:
>
>> Again, I would not get too hung up on this as long as your outcome
>> provides the required results.
>> If the task specifically states to use a particular engine or sig, then do so;
>> if not, you need to choose which one you feel best suits your requirements.
>> And of course, if you are unsure, then consult the proctor!
>>
>> In my lab I must have driven the proctor mad; I went to him double the
>> amount anyone else did, even to clarify the smallest detail I thought
>> ambiguous. Most of the time his answer was in the form: "...if it does not
>> mention it in the task, don't worry about it!"
>> I found they were more focused on task results for the main items.
>>
>> For Lab3 the Large ICMP question (3.9) asks you to use an existing signature,
>> not create a new one, so it uses sig 2151. This is using the atomic.ip engine
>> with ICMP as the protocol, so it was more about selecting a suitable
>> existing signature.
>> Not sure if you're referring to the same question, as you say Yusuf's used the
>> atomic.ip?
>>
>> Stu
>>
>>
>>
>> On Tue, Feb 16, 2010 at 11:45 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi Stu
>>>
>>> For the ICMP large packet signature, IPexpert has used the atomic.icmp engine,
>>> and for the same question Yusuf's lab uses atomic.ip. I am sure both will
>>> work, but in the real lab, how do we decide the best approach?
>>>
>>> Similarly, for the HTTP URI match, IPexpert has used string.tcp, but we can
>>> also use service.http.
>>>
>>>
>>> How to come out of this dilemma in these situations?
>>>
>>>
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Feb 16, 2010 at 2:34 PM, Stuart Hare <[email protected]> wrote:
>>>
>>>> Jimmy,
>>>>
>>>> Each lab will contain possible solutions for the requested tasks; this
>>>> means in most cases that there may be multiple ways to achieve these tasks,
>>>> and you don't have to be spot on with the solution guide all the time. If
>>>> you know of other ways to fulfil the task requirements ending in the same
>>>> results, then great.
>>>>
>>>> Also note that these practice labs are not just there to teach you about
>>>> technologies, but also to teach you how to get the mind working to cope
>>>> with differing scenarios in the lab environment. I.e. if you are faced with a
>>>> task restriction, what do you need to do to get round it?
>>>>
>>>> The VLAN7 question from task 3.9 is a good example of this: it provides a
>>>> direct restriction for the task but does not give you too much info, as that
>>>> would give the solution away. Reading between the lines, it's asking you to
>>>> create an event action filter for this signature to prevent VLAN7 from
>>>> triggering it. Filters require the definition of IPs for attackers and
>>>> victims, so how can I get round this? Sometimes it's difficult to word
>>>> these tasks without giving the answers away :)
>>>>
>>>> Don't get too hung up on the granularity of the questions you have stated below;
>>>> your main goal should always be to fulfil the requirements of the tasks,
>>>> taking into account any specific or prohibited items where stated. For
>>>> instance, the task you mentioned:
>>>>
>>>> "Configure the sensor to block traffic between R7 and R8 if it detects
>>>> the Code Red Worm traffic hitting a web server on VLAN 8."
>>>> This task does not have any restricted items, so don't worry if something
>>>> else triggers the event. The key is to make sure you're configuring the sig
>>>> in the right virtual sensor.
>>>>
>>>> HTH
>>>>
>>>> Stu
>>>> On Mon, Feb 15, 2010 at 9:07 PM, Jimmy Larsson <[email protected]> wrote:
>>>>
>>>>>>> Task 3.9, Bullet #4. I am requested to create a Code Red
>>>>>>> signature looking for regexps in URLs. I did a "service http" type, but
>>>>>>> the SG states doing a "String TCP" type. Why? Am I wrong?
>>>>>>>
>>>>>>
>>>>>> You can use it.
>>>>>>
>>>>>
>>>>> Thanks. I'm still trying to understand how close to the DSG solution I need to
>>>>> be to be "ok". ;)
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> The same task states "if it hits a web server on VLAN8". But I can't
>>>>>>> see in the SG that this alert triggers only for traffic to that VLAN.
>>>>>>> Without doing any per-IP-range-specific thing, this would trigger for all
>>>>>>> traffic passing through vs1, right? My idea was to ADD an action to that sig
>>>>>>> with something opposite/similar to event action filters, but is there no way
>>>>>>> to do that?
>>>>>>>
>>>>>>
>>>>>> You can filter the VLAN traffic on the switch. Irrespective of whether
>>>>>> you are using promiscuous or inline, you can configure the switch to
>>>>>> control the VLANs that are sent for inspection. If you need to control on the
>>>>>> IPS, then you can opt for VLAN groups.
>>>>>>
>>>>>>
>>>>>
>>>>> Yeah, but that is done by manipulating the total stream of traffic
>>>>> going to/through the IPS. I was more looking for a way to do "I have all this
>>>>> traffic going into my IPS. I have a signature that triggers on specific
>>>>> behavior and takes some actions, like logging. Besides that, I want it
>>>>> to also take another action (like alert or drop inline) IF that behavior
>>>>> is with a specific IP address as destination IP".
>>>>>
>>>>> Can that be done?
>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Next bullet, with the FTP signature, same thing. Logging all FTP
>>>>>>> DELE commands passing through vs0 will not be as granular as requested:
>>>>>>> "...when it detects a file being deleted on the ftp-server 10.4.4.100
>>>>>>> from vlan5".
>>>>>>>
>>>>>>
>>>>>> Same comment as above.
>>>>>>
>>>>>
>>>>> I don't understand. Tyson or someone from IPexpert, can you give me
>>>>> feedback on this?
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> Last bullet. "Do not use IP or IP ranges for defining Vlan 7". I
>>>>>>> interpret that as "do not specify it by IP addresses", which made me
>>>>>>> confused. Then I saw that the proposed solution was to define the range
>>>>>>> (which we weren't supposed to do?) as a variable and enter the variable
>>>>>>> instead of the range itself directly.
>>>>>>>
>>>>>>> I guess I have problems understanding the scope of some tasks.
>>>>>>>
>>>>> This frustrates me a lot. I struggle all the time trying to
>>>>> understand the scope of some tasks within the workbook. I have explained
>>>>> my thoughts in this blog post. I'd very much like lots of input on this.
>>>>>
>>>>>
>>>>> http://blogg.kvistofta.nu/todays-question-whats-within-the-scope-of-the-task/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>> When verifying the large-icmp signature I get the same result as the
>>>>>>> DSG: "!!.!.!.!!..!!!..!!.!.!.!!..!!". But why? I expected to see
>>>>>>> ".............". The action is not "deny *some* packets inline". ;-)
>>>>>>>
>>>>>>
>>>>> This confuses me more than anything else right now. I guess I will not
>>>>> be able to sleep tonight; when I shut my eyes I will see this annoying
>>>>> line of random dots and exclamation marks making fun of me. ;)
>>>>>
>>>>> Br Jimmy
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Stuart Hare
>>>> CCIE #25616 (Security), CCSP, Microsoft MCP
>>>> Sr. Support Engineer – IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>>
>> Stuart Hare
>> CCIE #25616 (Security), CCSP, Microsoft MCP
>> Sr. Support Engineer – IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>
>
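As an added illustration of the two length fields debated in this thread (not code from anyone on the list, and not Cisco IPS configuration), the script below builds a constructed IPv4/ICMP echo packet, derives the IP payload length and the ICMP total length from the headers, and contrasts a range match on the former with the single-value match that the thread says the ICMP total length option allows. Addresses, sizes and the 1000-byte threshold are constructed assumptions.

```python
import struct

# Constructed IPv4/ICMP echo request (not a capture); TEST-NET placeholder addresses.
SRC = bytes([192, 0, 2, 10])
DST = bytes([192, 0, 2, 20])


def build_icmp_echo(data: bytes, ip_options: bytes = b"") -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request with `data` bytes of payload."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a 32-bit boundary")
    ihl = 5 + len(ip_options) // 4                        # header length in 32-bit words
    # ICMP header: type 8 (echo request), code 0, checksum (left 0), identifier, sequence
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data
    total_len = ihl * 4 + len(icmp)
    # IPv4 header: ver/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto 1 (ICMP), cksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0x4000, 64, 1, 0, SRC, DST)
    return ip_hdr + ip_options + icmp


def lengths(pkt: bytes) -> dict:
    """Return the length values a 'large ICMP' signature can key on."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    ip_total = struct.unpack("!H", pkt[2:4])[0]
    ip_payload = ip_total - ihl_bytes        # everything after the IP header (and options)
    icmp_total = len(pkt) - ihl_bytes        # ICMP header + data actually carried
    return {"ip_total": ip_total, "ip_payload": ip_payload, "icmp_total": icmp_total}


def match_ip_payload_range(pkt: bytes, lo: int, hi: int) -> bool:
    """Range match on IP payload length: the form the workbook solution uses."""
    return lo <= lengths(pkt)["ip_payload"] <= hi


def match_icmp_total_exact(pkt: bytes, value: int) -> bool:
    """Single-value match on ICMP total length: fires only on one exact size."""
    return lengths(pkt)["icmp_total"] == value


if __name__ == "__main__":
    for size in (56, 1000, 1400):
        pkt = build_icmp_echo(b"A" * size)
        print(size, lengths(pkt),
              "range:", match_ip_payload_range(pkt, 1000, 65535),
              "exact:", match_icmp_total_exact(pkt, 1008))
```

The 1400-byte echo shows the gap: it clears the range check but misses the exact-value check, which is why a single value cannot stand in for a size range.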