Yep, give it a try.
Or you can try to match multiple white spaces like this:

[\x20]+

On 8/19/2012 4:16 PM, Bruno Silva wrote:
Ok, just changed the signature from "from service" to "to service" and changed the regex to the following:

signature 60007 0
status
enabled true
retired false
exit
alert-severity high
alert-frequency
summary-mode fire-all
exit
exit
engine string-tcp
regex [Ss][Hh][Oo][Ww]\x20[Rr][Uu][Nn]*
direction to-service
service-port 23
event-action rules produce-alert|reset-tcp-connection

Is that correct?

2012/8/19 Alexei Monastyrnyi <[email protected]>

    White space is \x20; you may try that one.

    It should be "to service": the service is your router's Telnet daemon
    listening on port 23; the attacker is sending TO the service, the router is
    sending FROM the service.

    A.


    On 8/19/2012 4:03 PM, Bruno Silva wrote:
    \s is the space I guess... And why should it be "to service"?

    Bruno.

    2012/8/19 Mike Rojas <[email protected]>

        Hey,

        What is that "\s"? Also, it should be "to service"

        Mike.

        ------------------------------------------------------------------------
        Date: Sun, 19 Aug 2012 03:00:32 -0300
        Subject: Re: [OSL | CCIE_Security] IPS Question
        From: [email protected]
        To: [email protected]
        CC: [email protected]; [email protected]; [email protected]


        Ok, if I'm not wrong, this is the way the signature is:

        signature 60007 0
        status
        enabled true
        retired false
        exit
        alert-severity high
        alert-frequency
        summary-mode fire-all
        exit
        exit
        engine string-tcp
        regex [Ss][Hh][Oo][Ww]\s[Rr][Uu][Nn]*
        direction from-service
        service-port 23
        event-action rules produce-alert|reset-tcp-connection

        thanks,
        Bruno

        2012/8/19 Alexei Monastyrnyi <[email protected]>

            Hi Bruno,
            this Telnet behavior is not specific to Cisco gear.
            I had no problem matching any specific regex with a
            regular TCP string engine. That is why I asked to see
            your configuration. Just do show conf on the IPS and
            copy-paste that specific signature.

            Cheers
            A.


            On 8/19/2012 2:30 PM, Bruno Silva wrote:

                Hi Alexei,

                The reason that I am asking this is because I was
                testing and capturing the traffic, but apparently the
                Telnet between Cisco equipment sends each char at a
                time. For example, if I'm connecting and sending
                the show run, on the capture I'll have one packet for
                each char, like:

                1 for "s", 1 for "h", 1 for "o", 1 for "w", 1 for
                "r", 1 for "u" and 1 for "n"... If I build a regular
                expression matching some general stuff like: show
                run*... I'll always match the "show run", but the
                problem is, IF I type "show r", hit "enter" and miss
                the whole string, I can go back to the previous mistyped
                words and complete it, and it will never match, so the
                signature will never work for ALL types of
                words... What I am asking is... Is there any way of
                matching it differently? For example, matching the
                prompt sent from the destination to the source
                telling the command is successful?

                thanks,
                Bruno.

                2012/8/19 Alexei Monastyrnyi <[email protected]>

                    No need for multi-string IMO, string TCP is
                    working fine with this type of scenario; it has
                    been tested many times.

                    A.



                    On 8/19/2012 9:34 AM, Fawad Khan wrote:

                        I suggest using a multi-string signature for
                        this request, or a meta signature. I don't have
                        access to an IPS, else I'd post the config.

                        On Saturday, August 18, 2012, Alexei
                        Monastyrnyi wrote:

                            Yeah, the reason I was asking for a
                            config is that I could not understand
                            what type of engine Bruno was using.

                            Bruno,
                            you should be fine with the TCP string engine
                            catching that line. The TCP string engine
                            would try to match it across several IP
                            packets. This is the major difference
                            between atomic engines and string-like
                            engines. In an atomic one the string you
                            match has to be in a single IP packet.

                            Now, things which I can see going wrong are:
                            - you are not using the TCP string engine
                            - your regex is lame
                            - you are trying to match traffic going in
                            the wrong direction. You should match in
                            the direction from attacker to victim.
                            - accordingly, the TCP port should be 23 TO
                            the service

                            Let us know how you go.

                            HTH
                            A.

                            On 8/19/2012 8:45 AM, Mike Rojas wrote:

                                I think this one depends so much on
                                how the command is placed,

                                Mainly because you can do sh run,
                                show running-config, sh runn, etc.
                                Now, I have seen that some types of
                                telnet clients send character per
                                character, making it difficult for the IPS
                                to catch the string.

                                My advice here: get an IP logging,
                                open it with Wireshark, see how the
                                string is being sent and then create
                                the string tcp signature.

                                Mike.

                                
                                ------------------------------------------------------------------------
                                Date: Sun, 19 Aug 2012 08:16:20 +1000
                                From: [email protected]
                                To: [email protected]
                                CC: [email protected]
                                Subject: Re: [OSL | CCIE_Security] IPS Question

                                could you post your signature config
                                in text?

                                On 8/18/2012 4:12 PM, Bruno Silva wrote:

                                    Hi Guys,

                                    I was studying some IPS functions and I
                                    came across the regex section, which is no news to me,
                                    but I was wondering if I had the following scenario:

                                    R1 ------ IPS ------ ASA1

                                    Suppose I want to reset a telnet connection from R1
                                    to ASA1 when the user types show running-config. How
                                    would I do that? I tried a lot of regular expressions
                                    but I wasn't able to do it... Mainly because when the
                                    user is typing, it's already sending the characters to
                                    the destination, so if I do a common regular expression
                                    the session is not reset, or I can just sneak a way into
                                    it doing stuff like typing show r and hitting "enter",
                                    coming back to the previous string and completing it,
                                    or even worse, I can type (space) show runn and it will
                                    still work. Can any of you guys think of a way of doing it?

                                    If it was another device I would do this with expect,
                                    because I would expect the prompt to change and then
                                    reset the connection, but I don't think the Cisco IPS
                                    has this function, does it?

                                    What do you guys think?

                                    Thank you very much,
                                    Bruno.
                                    
                                    _______________________________________________
                                    For more information regarding industry leading
                                    CCIE Lab training, please visit www.ipexpert.com

                                    Are you a CCNP or CCIE and looking for a job?
                                    Check out www.PlatinumPlacement.com







-- FNK, CCIE Security#35578





--
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA







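A small model of the matching problem discussed in this thread, added here as an illustration; it is not code posted by any of the participants. It assumes Python's re module as a stand-in for the Cisco IPS string-tcp regex engine (an assumption: the IPS engine has its own syntax, which is why the thread uses \x20 rather than \s), and it uses constructed one-byte-per-segment Telnet traffic rather than a real capture. It shows the three points raised above: matching each segment on its own (atomic-style) never sees the command when Telnet sends one character per packet, reassembling the to-service stream does, and replaying backspace/DEL before matching covers the "go back and complete it" case while [\x20]+ covers the extra-space case.

```python
import re

# Constructed Telnet client -> server segments (to-service, dst port 23), one byte
# per TCP segment as described in the thread. Test data, not a real capture.
SEGMENTS_SHOW_RUN = [b"s", b"h", b"o", b"w", b" ", b" ", b"r", b"u", b"n", b"\r", b"\n"]
# Operator types "show rx", presses DEL, then finishes the command.
SEGMENTS_EDITED = [b"s", b"h", b"o", b"w", b" ", b"r", b"x", b"\x7f", b"u", b"n", b"\r", b"\n"]

# The thread's regex with the suggested [\x20]+ (one or more literal spaces).
# Python's re stands in for the IPS string-tcp engine here (assumption).
SIG_REGEX = re.compile(rb"[Ss][Hh][Oo][Ww][\x20]+[Rr][Uu][Nn]")


def atomic_match(segments):
    """Inspect each segment in isolation, as an atomic engine would.
    With one character per segment the pattern can never be seen."""
    return any(SIG_REGEX.search(seg) is not None for seg in segments)


def to_service_payloads(packets, service_port=23):
    """Keep only packets heading TO the service (dst port 23), i.e. what the
    client typed; server echo and the prompt travel FROM the service."""
    return [payload for (_src, dst, payload) in packets if dst == service_port]


def replay_line_editing(stream):
    """Apply BS (0x08) and DEL (0x7f) so the buffer reflects the command the
    device actually executes rather than the raw keystroke sequence."""
    buf = bytearray()
    for byte in stream:
        if byte in (0x08, 0x7F):
            if buf:
                buf.pop()
        else:
            buf.append(byte)
    return bytes(buf)


def stream_match(segments, normalize=True):
    """Reassemble the segments into one stream (string-tcp behaviour) and match."""
    data = b"".join(segments)
    if normalize:
        data = replay_line_editing(data)
    return SIG_REGEX.search(data) is not None


def detect_flow(packets, service_port=23):
    """Direction filter + reassembly + editing replay: True when the
    to-service stream contains the command."""
    return stream_match(to_service_payloads(packets, service_port))


# Constructed bidirectional flow: client (port 50000) types, server (port 23)
# echoes each byte back (simplified: the echo is the same byte).
FLOW = []
for ch in SEGMENTS_EDITED:
    FLOW.append((50000, 23, ch))   # keystroke, to-service
    FLOW.append((23, 50000, ch))   # echo, from-service

if __name__ == "__main__":
    print("atomic, one char per packet:", atomic_match(SEGMENTS_SHOW_RUN))
    print("reassembled stream:", stream_match(SEGMENTS_SHOW_RUN))
    print("edited, raw bytes:", stream_match(SEGMENTS_EDITED, normalize=False))
    print("edited, editing replayed:", stream_match(SEGMENTS_EDITED))
    print("to-service flow:", detect_flow(FLOW))
```

The direction filter is what the "to service" advice in the thread amounts to: only the client's keystrokes are inspected, so the echo and prompt coming back from the device on port 23 are not what the regex runs over.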
