Kings

That is the catch with this question: total length wouldn't satisfy the requirements, as you need to match on a variable payload length, not a matching total length.
Stu

On Wed, Feb 17, 2010 at 11:21 AM, Kingsley Charles <[email protected]> wrote:

> Thanks Stu.
>
> For large ICMP packets, the solution tells us to use IP payload length.
> Instead of it, can we use the "Specify ICMP total length" option?
>
> With regards
> Kings
>
> On Wed, Feb 17, 2010 at 2:12 PM, Stuart Hare <[email protected]> wrote:
>
>> Again, I would not get hung up too much on this as long as your outcome
>> provides the required results.
>> If the task specifically states to use a particular engine or sig then do;
>> if not, you need to choose which one you feel best suits your requirements.
>> And of course, if you are unsure then consult the proctor!
>>
>> In my lab I must have driven the proctor mad; I went to him double the
>> amount anyone else did, even to clarify the smallest detail I thought
>> ambiguous. Most of the time his answer was in the form: "...if it does not
>> mention it in the task, don't worry about it!"
>> I found they were more focused on task results for the main items.
>>
>> For Lab 3 the Large ICMP question (3.9) asks to use an existing signature,
>> not create a new one, so it uses sig 2151. This is using the atomic.ip engine,
>> with ICMP as the protocol. So it was more about selecting a suitable
>> existing signature.
>> Not sure if you're referring to the same question, as you say Yusuf's used the
>> atomic.ip????
>>
>> Stu
>>
>> On Tue, Feb 16, 2010 at 11:45 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi Stu
>>>
>>> For the ICMP large packet signature, IPexpert has used the atomic.icmp engine
>>> and for the same question, Yusuf's lab uses atomic.ip. I am sure both will
>>> work, but in the real lab, how do you decide the best approach?
>>>
>>> Similarly for the HTTP URI match, IPexpert has used string.tcp but we can
>>> also use service.http.
>>>
>>> How do we come out of this dilemma in these situations?
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Feb 16, 2010 at 2:34 PM, Stuart Hare <[email protected]> wrote:
>>>
>>>> Jimmy,
>>>>
>>>> Each lab will contain possible solutions for the requested tasks. This
>>>> means in most cases that there may be multiple ways to achieve these tasks,
>>>> and you don't have to be spot on with the solution guide all the time. If you
>>>> know of other ways to fulfill the task requirements ending in the same
>>>> results, then great.
>>>>
>>>> Also note that these practice labs are not just there to teach you about
>>>> technologies, but also to teach you how to get the mind working to cope with
>>>> differing scenarios in the lab environment, i.e. if you are faced with a
>>>> task restriction, what do you need to do to get round it?
>>>>
>>>> The VLAN7 question from task 3.9 is a good example of this: it provides a
>>>> direct restriction for the task but does not give you too much info, as that
>>>> would give the solution away. Reading between the lines, it's asking you to
>>>> create an event action filter for this signature to prevent VLAN7 from
>>>> triggering it. Filters require the definition of IPs for attackers and
>>>> victims, so how can I get round this??? Sometimes it's difficult to word
>>>> these tasks without giving the answers away : )
>>>>
>>>> Don't get too hung up on the granularity of the questions you have stated below;
>>>> your main goal should always be to fulfill the requirements of the tasks,
>>>> taking into account any specific or prohibited items where stated. For
>>>> instance, the task you mentioned:
>>>>
>>>> "Configure the sensor to block traffic between R7 and R8 if it detects
>>>> the Code Red Worm traffic hitting a web server on VLAN 8."
>>>> This task does not have any restricted items, so don't worry if something
>>>> else triggers the event. The key is to make sure you're configuring the sig in
>>>> the right virtual sensor.
>>>>
>>>> HTH
>>>>
>>>> Stu
>>>>
>>>> On Mon, Feb 15, 2010 at 9:07 PM, Jimmy Larsson <[email protected]> wrote:
>>>>
>>>>>>> Task 3.9, Bullet #4. I am requested to create a Code Red
>>>>>>> signature looking for regexps in URLs. I did a "service http" type but the
>>>>>>> SG states doing a "String TCP" type. Why? Am I wrong?
>>>>>>
>>>>>> You can use it.
>>>>>
>>>>> Thanks. I still try to understand how close to the DSG solution I need to
>>>>> be to be "ok". ;)
>>>>>
>>>>>>> Same task states "if it hits a web server on VLAN8". But I can't
>>>>>>> see in the SG that this alert triggers only for traffic to that VLAN.
>>>>>>> Without doing any per-IP-range-specific thing this would trigger for all
>>>>>>> traffic passing through vs1, right? My idea was to ADD an action to that sig with
>>>>>>> something opposite/similar to event action filters, but is there no way to
>>>>>>> do that?
>>>>>>
>>>>>> You can filter the VLAN traffic on the switch. Irrespective of whether
>>>>>> you are using promiscuous or inline, you can configure the switch to control
>>>>>> the VLANs that are sent for inspection. If you need to control on the IPS,
>>>>>> then you can opt for VLAN groups.
>>>>>
>>>>> Yeah, but that is done by manipulating the total stream of traffic
>>>>> going to/through the IPS. I was more looking for a way to do "I have all this
>>>>> traffic going into my IPS. I have a signature that triggers on specific
>>>>> behavior and takes some actions, like logging. Besides that, I want it
>>>>> to also take another action (like alert or drop inline) IF that behavior is
>>>>> with a specific IP address as destination IP".
>>>>>
>>>>> Can that be done?
>>>>>
>>>>>>> Next bullet with the FTP signature, same thing. Logging all FTP
>>>>>>> DELE commands passing through vs0 will not be as granular as requested,
>>>>>>> "...when it detects a file being deleted on the FTP server 10.4.4.100 from
>>>>>>> VLAN5".
>>>>>>
>>>>>> Same comment as above.
>>>>>
>>>>> I don't understand. Tyson or someone from IPexpert, can you give me
>>>>> feedback on this?
>>>>>
>>>>>>> Last bullet. "Do not use IP or IP ranges for defining Vlan 7". I
>>>>>>> interpret that as "do not specify it by IP addresses", which made me
>>>>>>> confused. Then I saw that the proposed solution was to define the range
>>>>>>> (which we weren't supposed to do?) as a variable and enter the variable
>>>>>>> instead of the range itself directly.
>>>>>>>
>>>>>>> I guess I have problems understanding the scope of some tasks.
>>>>>>>
>>>>>>> This frustrates me a lot. I struggle all the time trying to
>>>>> understand the scope of some tasks within the workbook. I have explained my
>>>>> thoughts in this blog post. I'd very much like lots of input on this.
>>>>>
>>>>> http://blogg.kvistofta.nu/todays-question-whats-within-the-scope-of-the-task/
>>>>>
>>>>>>> When verifying the large ICMP signature I get the same result as the
>>>>>>> DSG: "!!.!.!.!!..!!!..!!.!.!.!!..!!". But why? I expected to see
>>>>>>> ".............". The action is not "deny *some* packets inline". ;-)
>>>>>
>>>>> This confuses me more than anything else right now. I guess I will not
>>>>> be able to sleep tonight; when I shut my eyes I will see this annoying line
>>>>> of random dots and exclamation marks making fun of me. ;)
>>>>>
>>>>> Br Jimmy
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Stuart Hare
>>>> CCIE #25616 (Security), CCSP, Microsoft MCP
>>>> Sr. Support Engineer – IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>
>> --
>> Regards,
>>
>> Stuart Hare
>> CCIE #25616 (Security), CCSP, Microsoft MCP
>> Sr. Support Engineer – IPexpert, Inc.
>> URL: http://www.IPexpert.com

--
Regards,

Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
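The point Stu makes at the top of the thread about the large ICMP signature (a check on a variable payload length rather than one exact total length), shown as an added example that is not part of the thread, IPexpert's solution guide or Cisco's IPS engines. The packet builder, the 10.1.1.1/10.2.2.2 addresses, the 1024-byte threshold and the two matcher functions are all this example's own assumptions, and the constructed packets carry zero checksums because only the length fields are read.

```python
"""Added example: a 'large ICMP' check keyed on IP payload length (a minimum)
versus one keyed on a single exact IP total length.

Everything here is constructed for illustration. The packet builder, the
addresses, the 1024-byte threshold and the matcher names are assumptions of
this example, not Cisco IPS engine parameters or the lab's solution. IPv4
only, no fragmentation, checksums left zero since only lengths are read."""
import struct

ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8


def build_ipv4_icmp(data_len, ip_options=b""):
    """Return an IPv4 packet carrying an ICMP echo request with data_len bytes
    of data. ip_options (a multiple of 4 bytes) lets us vary the header size."""
    assert len(ip_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    # ICMP header: type, code, checksum (0), identifier, sequence
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"A" * data_len
    total_len = ihl_words * 4 + len(icmp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, ICMP_PROTO, 0,
        bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]),   # constructed addresses
    )
    return ip_hdr + ip_options + icmp


def parse_ipv4(pkt):
    """Pull the fields a length-based signature needs from the IP header."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "total_len": total_len,
        "ihl": ihl,
        "ip_payload_len": total_len - ihl,   # ICMP header + data
    }


def match_min_payload_length(pkt, min_payload_len):
    """Fires for ICMP whose IP payload is at least min_payload_len bytes,
    whatever the header size: the 'variable payload length' idea."""
    f = parse_ipv4(pkt)
    return f["proto"] == ICMP_PROTO and f["ip_payload_len"] >= min_payload_len


def match_exact_total_length(pkt, total_len):
    """Fires only when the IP total length equals one value."""
    f = parse_ipv4(pkt)
    return f["proto"] == ICMP_PROTO and f["total_len"] == total_len


def compare(min_payload_len=1024):
    """Run both matchers over constructed packets; returns a list of
    (description, payload_length_match, exact_total_length_match)."""
    cases = [
        ("56-byte ping data (default ping)", build_ipv4_icmp(56)),
        ("1472-byte ping data", build_ipv4_icmp(1472)),
        ("1473-byte ping data", build_ipv4_icmp(1473)),
        ("1472-byte ping data + 4 bytes of IP options (NOPs)",
         build_ipv4_icmp(1472, b"\x01\x01\x01\x01")),
    ]
    # The exact-length rule is tuned to one packet: 20 + 8 + 1472 = 1500.
    return [(name,
             match_min_payload_length(p, min_payload_len),
             match_exact_total_length(p, 1500))
            for name, p in cases]


if __name__ == "__main__":
    for name, by_payload, by_total in compare():
        print(f"{name:52s} payload>=1024: {by_payload!s:5s} total==1500: {by_total}")
```

Only the payload-length rule catches the 1473-byte ping and the ping with IP options; the exact-total-length rule matches just the one size it was tuned to, which is why a minimum or range on the payload is what a "large ICMP" task needs.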
