White space is \x20; you may try that one.

It should be "to service". The service is your router's Telnet daemon listening on port 23: the attacker is sending TO the service, the router is sending FROM the service.

A.

On 8/19/2012 4:03 PM, Bruno Silva wrote:
\s is the space, I guess... And why should it be "to service"?

Bruno.

2012/8/19 Mike Rojas <[email protected]>

    Hey,

    What is that "\s"? Also, it should be "to service"

    Mike.

    ------------------------------------------------------------------------
    Date: Sun, 19 Aug 2012 03:00:32 -0300

    Subject: Re: [OSL | CCIE_Security] IPS Question
    From: [email protected]
    To: [email protected]
    CC: [email protected]; [email protected]; [email protected]


    OK, if I'm not wrong, this is the way the signature is:

    signature 60007 0
    status
    enabled true
    retired false
    exit
    alert-severity high
    alert-frequency
    summary-mode fire-all
    exit
    exit
    engine string-tcp
    regex [Ss][Hh][Oo][Ww]\s[Rr][Uu][Nn]*
    direction from-service
    service-port 23
    event-action rules  produce-alert|reset-tcp-connection

    thanks,
    Bruno

    2012/8/19 Alexei Monastyrnyi <[email protected]>

        Hi Bruno,
        this Telnet behavior is not specific to Cisco gear.
        I had no problem matching any specific regex with a regular
        TCP string engine. That is why I asked to see your
        configuration. Just do show conf on IPS and copy-paste that
        specific signature.

        Cheers
        A.


        On 8/19/2012 2:30 PM, Bruno Silva wrote:

            Hi Alexei,

            The reason that I am asking this is because I was testing
            and capturing the traffic, but apparently the Telnet session
            between Cisco equipment sends one character at a time. For
            example, if I'm connecting and sending "show run", in the
            capture I'll have one packet for each character, like:

            1 for "s", 1 for "h", 1 for "o", 1 for "w", 1 for "r", 1
            for "u" and 1 for "n". If I build a regular expression
            matching some general stuff like "show run*", I'll always
            match the "show run", but the problem is, IF I type "show
            r", hit "enter" and miss the whole string, I can go back to
            the previous mistyped words and complete it, and it will
            never match, so the signature will never work for ALL types
            of words. What I am asking is: is there any way of
            matching it differently? For example, matching the prompt
            sent from the destination to the source telling that the
            command is successful?

            thanks,
            Bruno.

            2012/8/19 Alexei Monastyrnyi <[email protected]>

                No need for multi-string IMO; string TCP is working
                fine with this type of scenario, it has been tested
                many times.

                A.



                On 8/19/2012 9:34 AM, Fawad Khan wrote:

                    I suggest using a multi-string signature or a meta
                    signature for this. I don't have access to an IPS,
                    else I'd post the config.

                    On Saturday, August 18, 2012, Alexei Monastyrnyi
                    wrote:

                        Yeah, the reason I was asking for a config is
                        that I could not understand what type of
                        engine Bruno was using.

                        Bruno,
                        you should be fine with the TCP string engine
                        catching that line. The TCP string engine would
                        try to match it across several IP packets.
                        This is the major difference between atomic
                        engines and string-like engines. In an atomic one
                        the string you match has to be in a single IP
                        packet.

                        Now, things which I can see going wrong are:
                        - you are not using the TCP string engine
                        - your regex is lame
                        - you are trying to match traffic going in the
                        wrong direction. You should match in the direction
                        from attacker to victim.
                        - accordingly, the TCP port should be 23 TO the service

                        Let us know how you go.

                        HTH
                        A.

                        On 8/19/2012 8:45 AM, Mike Rojas wrote:

                            I think this one depends so much on how
                            the command is typed,

                            mainly because you can do sh run, show
                            running-config, sh runn, etc. Now, I have
                            seen that some types of Telnet clients
                            send character by character, making it
                            difficult for the IPS to catch the string.

                            My advice here: get an IP log, open
                            it with Wireshark, see how the string is
                            being sent and then create the string-tcp
                            signature.

                            Mike.

                            ------------------------------------------------------------------------
                            Date: Sun, 19 Aug 2012 08:16:20 +1000
                            From: [email protected]
                            To: [email protected]
                            CC: [email protected]
                            Subject: Re: [OSL | CCIE_Security] IPS Question

                            could you post your signature config in text?

                            On 8/18/2012 4:12 PM, Bruno Silva wrote:

                                Hi Guys,

                                I was studying some IPS functions and I came
                                across the regex section, which is no news to me,
                                but I was wondering if I had the following scenario:

                                R1 ------ IPS ------ASA1

                                Suppose I want to reset a Telnet connection from R1 to
                                ASA1 when the user types "show running-config". How would
                                I do that? I tried a lot of regular expressions but I
                                wasn't able to do it, mainly because when the user is
                                typing, it's already sending the characters to the
                                destination, so if I do a common regular expression the
                                session is not reset, or I can just sneak a way into it
                                by doing stuff like typing "show r" and hitting "enter",
                                coming back to the previous string and completing it,
                                or even worse, I can type (space) "show runn" and it will
                                still work. Can any of you guys think of a way of doing it?

                                If it was another device I would do this with
                                expect, because I would expect the prompt to change and
                                then reset the connection, but I don't think the Cisco
                                IPS has this function, does it?

                                What do you guys think?

                                Thank you very much,
                                Bruno.
                                _______________________________________________
                                For more information regarding industry leading CCIE
                                Lab training, please visit www.ipexpert.com

                                Are you a CCNP or CCIE and looking for a job? Check
                                out www.PlatinumPlacement.com







-- FNK, CCIE Security#35578





-- Bruno Silva
            Network Consultant
            Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
            Arcsight Professional Certified - ACIA/ACSA











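An added example (not code from the thread or from Cisco): a Python model of Alexei's point about atomic versus string-tcp engines, fed the one-character-per-segment Telnet stream Bruno describes. The segment splitting, the regex written with \x20 as suggested above, and the line-editor model in executed_lines are assumptions of this example; a Cisco IPS string-tcp signature matches the raw reassembled stream and has no such editor model, which is exactly why the re-editing tricks in the thread slip past it.

```python
import re

# Regex in the form the thread converges on: Cisco IPS string-tcp regex
# syntax has no \s, so the space is written as \x20. The "*" that trailed
# [Nn] in the posted signature is dropped so "show run" must appear whole.
SHOW_RUN = re.compile(rb"[Ss][Hh][Oo][Ww]\x20[Rr][Uu][Nn]")

def keystrokes_to_segments(keys: bytes) -> list:
    """Constructed input: a character-at-a-time Telnet client sends one
    TCP segment per keystroke in the attacker-to-router (to-service,
    port 23) direction, so each byte becomes its own segment."""
    return [keys[i:i + 1] for i in range(len(keys))]

def atomic_match(segments, pattern=SHOW_RUN) -> bool:
    """Atomic-engine model: every packet is inspected in isolation."""
    return any(pattern.search(seg) for seg in segments)

def string_tcp_match(segments, pattern=SHOW_RUN) -> bool:
    """String-tcp model: the byte stream is reassembled before matching."""
    return pattern.search(b"".join(segments)) is not None

def executed_lines(stream: bytes) -> list:
    """Hypothetical model of the router's line editor (an assumption for
    this example, not IOS code): Backspace/DEL erase one character,
    ESC [ A recalls the last submitted line, Enter submits the line."""
    history, line, i = [], b"", 0
    while i < len(stream):
        c = stream[i:i + 1]
        if c in (b"\x08", b"\x7f"):
            line = line[:-1]
        elif stream.startswith(b"\x1b[A", i):
            line = history[-1] if history else line
            i += 2                      # skip the "[A" that follows ESC
        elif c == b"\r":
            history.append(line.strip())
            line = b""
            if stream.startswith(b"\n", i + 1):
                i += 1                  # swallow the LF of a CRLF
        else:
            line += c
        i += 1
    return history

def command_seen(stream: bytes, pattern=SHOW_RUN) -> bool:
    """Match against the lines as the router would execute them, which
    is what survives the re-editing tricks described in the thread."""
    return any(pattern.search(l) for l in executed_lines(stream))
```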
