Cuz the packets are going to port 23 (which is the service you are matching) directly to the router.

Some examples explain some exercises where you need to match when the attacker is trying to play a brute force attack over the telnet connection. You know that there were 3 failed attempts cuz the router at the third attempt will send "%Bad passwords". That is matched from Services cuz it comes sourced from port 23 (which is the service that you are safeguarding).

Mike

Date: Sun, 19 Aug 2012 03:03:42 -0300
Subject: Re: [OSL | CCIE_Security] IPS Question
From: [email protected]
To: [email protected]
CC: [email protected]; [email protected]; [email protected]

\s is the space I guess... And why should it be "to service"?

Bruno.

2012/8/19 Mike Rojas <[email protected]>

Hey,

What is that "\s"? Also, it should be "to service".

Mike.

Date: Sun, 19 Aug 2012 03:00:32 -0300
Subject: Re: [OSL | CCIE_Security] IPS Question
From: [email protected]
To: [email protected]
CC: [email protected]; [email protected]; [email protected]

ok, if I'm not wrong, this is the way the signature is:

    signature 60007 0
    status
    enabled true
    retired false
    exit
    alert-severity high
    alert-frequency
    summary-mode fire-all
    exit
    exit
    engine string-tcp
    regex [Ss][Hh][Oo][Ww]\s[Rr][Uu][Nn]*
    direction from-service
    service-port 23
    event-action rules produce-alert|reset-tcp-connection

thanks,
Bruno

2012/8/19 Alexei Monastyrnyi <[email protected]>

Hi Bruno, this Telnet behavior is not specific to Cisco gear. I had no problem matching any specific regex with a regular TCP string engine. That is why I asked to see your configuration. Just do show conf on IPS and copy-paste that specific signature.

Cheers
A.

On 8/19/2012 2:30 PM, Bruno Silva wrote:

Hi Alexei,

The reason that I am asking this is because I was testing and capturing the traffic, but apparently the telnet between Cisco equipments sends each char one at a time. For example, if I'm connecting and sending the show run, on the capture I'll have one packet for each char, like: 1 for "s", 1 for "h", 1 for "o", 1 for "w", 1 for "r", 1 for "u" and 1 for "n". If I build a regular expression matching some general stuff like: show run*, I'll always match the "show run", but the problem is, IF I type "show r", hit "enter" and miss the whole string, I can go back to the previous mis-typed words and complete it and it will never match, so the signature will never work for ALL types of words. What I am asking is: is there any way of matching it differently? For example, matching the prompt sent from the destination to the source telling the command is successful?

thanks,
Bruno.

2012/8/19 Alexei Monastyrnyi <[email protected]>

no need for multi-string IMO, string TCP is working fine with this type of scenario, have been tested many times

A.

On 8/19/2012 9:34 AM, Fawad Khan wrote:

I suggest to use multi string signature for this request or meta signature. I don't have access to ips else I'll post the config.

--
FNK, CCIE Security#35578

On Saturday, August 18, 2012, Alexei Monastyrnyi wrote:

Yeah, the reason I was asking for a config is that I could not understand what type of engine Bruno was using.

Bruno, you should be fine with TCP string engine catching that line. TCP string engine would try to match it across several IP packets. This is the major difference between atomic engines and string-like engines. In atomic one the string you match has to be in a single IP packet.

Now, things which I can see go wrong are:
- you are not using TCP string engine
- your regex is lame
- you are trying to match traffic going in the wrong direction. You should match in direction from attacker to victim.
- accordingly TCP port should be 23 TO the service

Let us know how you go.

HTH
A.

On 8/19/2012 8:45 AM, Mike Rojas wrote:

I think this one depends so much on how the command is placed, mainly because you can do sh run, show running-config, sh runn, etc. Now, I have seen that some types of telnet clients send character per character, making it difficult for the IPS to catch the string. My advice here: get an IP logging, open it with wireshark, see how the string is being sent and then create the string tcp signature.

Mike.

Date: Sun, 19 Aug 2012 08:16:20 +1000
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] IPS Question

could you post your signature config in text?

On 8/18/2012 4:12 PM, Bruno Silva wrote:

Hi Guys,

I was studying some IPS functions and I came across the regex session, which is no news to me, but I was wondering if I had the following scenario:

R1 ------ IPS ------ ASA1

Suppose I want to reset a telnet connection from R1 to ASA1 when the user types show running-config. How would I do that? I tried a lot of regular expressions but I wasn't able to do it... Mainly because when the user is typing, it's already sending the characters to the destination, so if I do a common regular expression the session is not reset, or I can just sneak a way into it doing stuff like typing show r and hitting "enter", coming back to the previous string and completing it, or even worse, I can type (space) show runn and it will still work. Can any of you guys think of a way of doing it? If it was another device I would do this with expect, because I would expect the prompt to change and then reset the connection, but I don't think the Cisco IPS has this function, does it? What do you guys think?

Thank you very much,
Bruno.

--
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
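An added illustration of the two points the thread turns on: an atomic (per-packet) engine can never see "show run" when Telnet sends one character per TCP segment, while a string engine that reassembles the stream can, and the posted regex still misses double-spaced or backspace-edited input. This is a constructed simulation of my own, not Cisco IPS code or anything posted on the list; the Cisco string-tcp engine does reassemble across packets as Alexei says, but the backspace normalization and the TIGHTER_REGEX below are my assumptions, not IPS features.

```python
import re

# Regex exactly as posted in the thread's signature. Note the trailing '*'
# binds only to [Nn], and \s allows exactly one blank between the words.
POSTED_REGEX = re.compile(rb"[Ss][Hh][Oo][Ww]\s[Rr][Uu][Nn]*")

# Assumed tighter pattern (my own, not from the thread): 'sh' or 'show', one
# or more blanks, then 'run', 'runn' or 'running-config' as a whole word.
TIGHTER_REGEX = re.compile(rb"\bsh(?:ow)?[ \t]+run(?:n|ning-config)?\b", re.IGNORECASE)


def telnet_segments(typed: bytes) -> list:
    """Constructed model of the capture Bruno described: one TCP segment per keystroke."""
    return [typed[i:i + 1] for i in range(len(typed))]


def atomic_match(regex, segments) -> bool:
    """Atomic-style engine: the whole pattern must sit inside a single packet."""
    return any(regex.search(seg) for seg in segments)


def normalize_line_editing(stream: bytes) -> bytes:
    """Replay backspaces (0x08 / 0x7f) so the matcher sees the command the
    router will actually execute, not the raw keystroke history (assumed step)."""
    out = bytearray()
    for b in stream:
        if b in (0x08, 0x7F):
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def stream_match(regex, segments, normalize=False) -> bool:
    """String-style engine: reassemble the TCP stream first, then search it."""
    data = b"".join(segments)
    if normalize:
        data = normalize_line_editing(data)
    return regex.search(data) is not None


if __name__ == "__main__":
    # Constructed keystroke samples: a clean command, one with two blanks, and
    # one corrected with a backspace (0x08) while typing.
    for typed in (b"show run\r", b"show  run\r", b"sho\x08ow run\r"):
        segs = telnet_segments(typed)
        print(typed, "atomic:", atomic_match(POSTED_REGEX, segs),
              "stream/posted:", stream_match(POSTED_REGEX, segs),
              "stream/tighter+normalized:", stream_match(TIGHTER_REGEX, segs, normalize=True))
```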
