To trigger when ananthan issues a command I'm thinking something like this.
Regex string: ananthan.*[cC][oO][nN][fF]

This should allow you to capture the user login name, password or other commands, then the command you're looking for.

Brian Hooker, CCIE# 12748

------------------------------

Date: Thu, 19 Apr 2012 11:34:53 +0800
From: Ananthan <[email protected]>
To: Eugene Pefti <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] IPS Signature
Message-ID: <CAObwR76b8LmpOqnmQd7YFTa+B6kpwCwvyXA1R2HQYVL0Kj=o...@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Hi Eugene,

Thanks for the update... One more clarification.. If this ticket is triggered when the command originates from username "ananthan", how can we configure it?

On Tue, Apr 17, 2012 at 9:13 AM, Eugene Pefti <[email protected]> wrote:

> Example: you want to block/drop all packets with the "configure" command
> aimed to configure IOS devices and carried over Telnet. You create a custom
> signature matching the first 4 characters of the "configure" command - conf
>
> Signature Name - Stop_Bad_Command
> Signature engine - String TCP
> Event Action - Deny attacker inline and produce alert
> Specify Min Match Length - Yes
> Min Match Length - 4
> Regex String - [cC][oO][nN][fF]
> Service port - 23
> Direction - To Service
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Ananthan
> Sent: 15 April 2012 21:36
> To: [email protected]
> Subject: [OSL | CCIE_Security] IPS Signature
>
> Hi Experts,
>
> I need to configure one signature that triggers when the specific user gives
> a specific command. How can I configure it? Could you please give any suggestion?
>
> -Ananthan
------------------------------

Message: 5
Date: Thu, 19 Apr 2012 04:28:48 +0000
From: Eugene Pefti <[email protected]>
To: Ananthan <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] IPS Signature
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

There's no difference whether you configure the regex for "ananthan" or "configure" for the TCP string engine. The signature will fire once there's a match.

Sent from iPhone

On Apr 18, 2012, at 8:35 PM, "Ananthan" <[email protected]> wrote:

> Hi Eugene,
>
> Thanks for the update... One more clarification.. If this ticket is triggered when the command originates from username "ananthan", how can we configure it?
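Added illustration, not part of the thread: the snippet below models how Eugene's String TCP signature (regex [cC][oO][nN][fF], Min Match Length 4, port 23, To Service) and Brian's user-qualified regex ananthan.*[cC][oO][nN][fF] behave against constructed client-to-server Telnet traffic, comparing per-segment inspection with inspection of the reassembled stream. It assumes the engine's regex dialect behaves like Python's re with "." spanning newlines; the session contents and the char/line segmentation are constructed samples.

```python
import re

# Signature fields as given in the thread (String TCP engine, port 23, To Service).
STOP_BAD_COMMAND = {"regex": "[cC][oO][nN][fF]", "min_match_length": 4}
# Brian's suggested variant: the login name must precede the command in the same stream.
USER_AND_COMMAND = {"regex": "ananthan.*[cC][oO][nN][fF]", "min_match_length": 4}

def matches(sig, data):
    """True if the regex matches data with a match no shorter than min_match_length.
    Assumption: the engine's regex dialect behaves like Python's re with DOTALL."""
    m = re.search(sig["regex"], data, re.DOTALL)
    return m is not None and len(m.group(0)) >= sig["min_match_length"]

def fires_per_segment(sig, segments):
    """Inspect each client->server segment on its own (no stream reassembly)."""
    return any(matches(sig, seg) for seg in segments)

def fires_on_stream(sig, segments):
    """Inspect the reassembled client->server byte stream (the 'To Service' direction)."""
    return matches(sig, "".join(segments))

def char_mode(text):
    """Constructed interactive Telnet client traffic: one keystroke per segment."""
    return list(text)

def line_mode(text):
    """Constructed line-at-a-time client traffic: one line (with CRLF) per segment."""
    return [line + "\r\n" for line in text.split("\r\n") if line]

# Constructed sessions: only the bytes the client sends towards port 23 (login, password, commands).
ANANTHAN_CONF = "ananthan\r\nSecret123\r\nenable\r\nconf t\r\n"
OTHER_USER_CONF = "bob\r\nPass\r\nenable\r\nconf t\r\n"
ANANTHAN_SHOW_CONF = "ananthan\r\nSecret123\r\nshow conf\r\n"

def summary(session):
    """Report which signature would fire for each inspection model on one session."""
    return {
        "conf_per_segment_char": fires_per_segment(STOP_BAD_COMMAND, char_mode(session)),
        "conf_per_segment_line": fires_per_segment(STOP_BAD_COMMAND, line_mode(session)),
        "conf_stream": fires_on_stream(STOP_BAD_COMMAND, char_mode(session)),
        "user_per_segment_line": fires_per_segment(USER_AND_COMMAND, line_mode(session)),
        "user_stream": fires_on_stream(USER_AND_COMMAND, char_mode(session)),
    }

if __name__ == "__main__":
    sessions = {"ananthan conf t": ANANTHAN_CONF, "bob conf t": OTHER_USER_CONF,
                "ananthan show conf": ANANTHAN_SHOW_CONF}
    for name, session in sessions.items():
        print(name, summary(session))
```

The user-qualified regex only works when the login name and the command are inspected as one stream, and it still fires on any command containing "conf" from that user (for example "show conf"), so a Deny action on it is worth testing before going inline.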
End of CCIE_Security Digest, Vol 70, Issue 40
*********************************************
