agree, it should work with just " " matching a regular white space :-)
On 20 August 2012 09:15, Mike Rojas <[email protected]> wrote:
>
> Hey,
>
> I tried without the X20 and just put a regular space and it works fine. (At
> least I didn't use that [x20] and it worked fine)
>
> Look at the following:
>
> Password:
> R1#sh Running-config
> Building configuration...
>
>
> fromAttacker:
> 000000 FF FD 03 FF FB 20 FF FB 1F FF FB 21 FF FD 01 FF ..... .....!....
> 000010 FC 18 FF FA 1F 00 50 00 18 FF F0 FF FC 20 63 69 ......P...... ci
> 000020 73 63 6F 0D 0A 65 6E 61 0D 0A 63 63 69 65 73 65 sco..ena..cciese
> 000030 63 32 30 32 31 0D 0A 73 68 20 52 75 6E 6E 69 6E c2021..*sh Runnin*
> 000040 67 2D 63 6F 6E 66 69 67 *g-config*
>
> This is my regex:
>
> [Ss][Hh] [Rr][Uu][Nn][Nn][Ii][Nn][Gg]-[Cc][Oo][Nn][Ff][Ii][Gg]
>
> Also, attached is what the signature looks like.
>
> Cheers,
>
> Mike.
>
> ------------------------------
> Date: Sun, 19 Aug 2012 16:52:30 +1000
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]; [email protected]
>
> Subject: Re: [OSL | CCIE_Security] IPS Question
>
> yep, give it a try.
> or
> you can try to match multiple white spaces like this
>
> [\x20]+
>
> On 8/19/2012 4:16 PM, Bruno Silva wrote:
>
> Ok, just changed the signature from "from service" to "to service" and
> changed the regex as the following:
>
> signature 60007 0
> status
> enabled true
> retired false
> exit
> alert-severity high
> alert-frequency
> summary-mode fire-all
> exit
> exit
> engine string-tcp
> regex [Ss][Hh][Oo][Ww]\x20[Rr][Uu][Nn]*
> direction to-service
> service-port 23
> event-action rules produce-alert|reset-tcp-connection
>
> Is that correct?
>
> 2012/8/19 Alexei Monastyrnyi <[email protected]>
>
> white space is \x20, you may try that one
>
> it should be "to service": the service is your router Telnet daemon
> listening on port 23, attacker is sending TO service, router is sending
> FROM service.
>
> A.
>
> On 8/19/2012 4:03 PM, Bruno Silva wrote:
>
> \s is the space I guess... And why should it be "to service"?
>
> Bruno.
>
> 2012/8/19 Mike Rojas <[email protected]>
>
> Hey,
>
> What is that "\s"? Also, it should be "to service"
>
> Mike.
>
> ------------------------------
> Date: Sun, 19 Aug 2012 03:00:32 -0300
>
> Subject: Re: [OSL | CCIE_Security] IPS Question
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]; [email protected]
>
>
> ok, if I'm not wrong, this is the way the signature is:
>
> signature 60007 0
> status
> enabled true
> retired false
> exit
> alert-severity high
> alert-frequency
> summary-mode fire-all
> exit
> exit
> engine string-tcp
> regex [Ss][Hh][Oo][Ww]\s[Rr][Uu][Nn]*
> direction from-service
> service-port 23
> event-action rules produce-alert|reset-tcp-connection
>
> thanks,
> Bruno
>
> 2012/8/19 Alexei Monastyrnyi <[email protected]>
>
> Hi Bruno,
> this Telnet behavior is not specific to Cisco gear.
> I had no problem matching any specific regex with a regular TCP string
> engine. That is why I asked to see your configuration. Just do show conf on
> IPS and copy-paste that specific signature.
>
> Cheers
> A.
>
> On 8/19/2012 2:30 PM, Bruno Silva wrote:
>
> Hi Alexei,
>
> The reason that I am asking this is because I was testing and capturing
> the traffic but apparently the telnet between cisco equipments sends each
> char at a time, for example... If I'm connecting and sending the show run,
> on the capture I'll have one packet for each char, like:
>
> 1 for "s", 1 for "h", 1 for "o", 1 for "w", 1 for "r", 1 for "u" and 1 for
> "n"... If I build a regular expression matching some general stuff like:
> show run*... I'll always match the "show run", but the problem is, IF I type
> "show r", hit "enter" and miss the whole string I can go back to the previous
> mis-typed words and complete it and it will never match so the signature
> will never work for ALL types of words... What I am asking is... Is there any
> way of matching it differently? For example, matching the prompt sent from
> the destination to the source telling the command is successful?
>
> thanks,
> Bruno.
>
> 2012/8/19 Alexei Monastyrnyi <[email protected]>
>
> no need for multi-string IMO, string TCP is working fine with this type
> of scenario, has been tested many times
>
> A.
>
>
>
> On 8/19/2012 9:34 AM, Fawad Khan wrote:
>
> I suggest to use multi string signature for this request or meta
> signature. I don't have access to ips else I'll post the config.
>
> On Saturday, August 18, 2012, Alexei Monastyrnyi wrote:
>
> Yeah, the reason I was asking for a config is that I could not understand
> what type of engine Bruno was using.
>
> Bruno,
> you should be fine with TCP string engine catching that line. TCP string
> engine would try to match it across several IP packets. This is the major
> difference between atomic engines and string-like engines. In atomic one
> the string you match has to be in a single IP packet.
>
> Now, things which I can see go wrong are:
> - you are not using TCP string engine
> - your regex is lame
> - you are trying to match traffic going in the wrong direction. You should
> match in direction from attacker to victim.
> - accordingly TCP port should be 23 TO the service
>
> Let us know how you go.
>
> HTH
> A.
>
> On 8/19/2012 8:45 AM, Mike Rojas wrote:
>
> I think this one depends so much on how the command is placed,
>
> Mainly because you can do sh run, show running-config, sh runn, etc. Now,
> I have seen that some types of telnet clients send character per character,
> making it difficult for the IPS to catch the string.
>
> My advice here, get an IP logging, open it with wireshark, see how the
> string is being sent and then create the string tcp signature.
>
> Mike.
>
> ------------------------------
> Date: Sun, 19 Aug 2012 08:16:20 +1000
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] IPS Question
>
> could you post your signature config in text?
>
> On 8/18/2012 4:12 PM, Bruno Silva wrote:
>
> Hi Guys,
>
> I was studying some IPS functions and I came across the regex session, which
> is no news to me but, I was wondering if I had the following scenario:
>
> R1 ------ IPS ------ ASA1
>
> Suppose I want to reset a telnet connection from R1 to ASA1 when the user
> types show running-config; how would I do that? I tried a lot of regular
> expressions but I wasn't able to do it... Mainly because when the user is
> typing, it's already sending the characters to the destination so if I do a
> common regular expression the session is not reset or I can just sneak a
> way into it doing stuff like typing show r and hitting "enter", coming back
> to the previous string and completing it, or even worse, I can type (space)
> show runn and it will still work. Can any of you guys think of a way of doing
> it?
>
> If it was another device I would do this with expect, because I would expect
> the prompt to change and then reset the connection, but I don't think the
> Cisco IPS has this function, does it?
>
> What do you guys think?
>
> Thank you very much,
> Bruno.
>
> --
> FNK, CCIE Security#35578
>
> --
> Bruno Silva
> Network Consultant
> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
> Arcsight Professional Certified - ACIA/ACSA
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
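As an added example that is not part of the thread, the Python below models the three points the replies make: Bruno's capture of one Telnet character per TCP segment, Alexei's distinction between an atomic engine (pattern must fit in one packet) and a string-TCP engine (pattern matched across the reassembled stream, in direction to-service), and the `[\x20]+` idea for runs of spaces compared with Mike's literal single-space regex. The negotiation bytes are taken from the hex dump above; the login, the enable-secret placeholder, the client port 50000 and the router's reply are constructed.

```python
import re

# Telnet option negotiation bytes as they appear in the thread's hex dump, followed by a
# constructed login and typed command; the enable secret from the capture is replaced with
# a placeholder. Everything below is constructed test input, not a real capture.
IAC_NEGOTIATION = bytes.fromhex("FFFD03FFFB20FFFB1FFFFB21FFFD01FFFC18FFFA1F00500018FFF0FFFC20")
TYPED = IAC_NEGOTIATION + b"cisco\r\nena\r\nENABLE-SECRET-PLACEHOLDER\r\nsh  Running-config\r\n"
ROUTER_REPLY = b"Building configuration...\r\n"  # constructed from-service banner
TELNET_PORT = 23

# Abbreviation-tolerant request pattern (sh / sho / show, any case); [\x20]+ absorbs a run
# of spaces, as suggested in the thread. Mike's literal single-space regex is kept to compare.
SHOW_RUN = re.compile(rb"[Ss][Hh](?:[Oo][Ww]?)?[\x20]+[Rr][Uu][Nn]")
SINGLE_SPACE = re.compile(rb"[Ss][Hh] [Rr][Uu][Nn][Nn][Ii][Nn][Gg]-[Cc][Oo][Nn][Ff][Ii][Gg]")

def char_at_a_time(payload, src_port, dst_port):
    """Model a Telnet client that puts one byte in each TCP segment: (src, dst, bytes) tuples."""
    return [(src_port, dst_port, payload[i:i + 1]) for i in range(len(payload))]

def to_service(segments, port=TELNET_PORT):
    """Direction to-service: keep only segments whose destination port is the Telnet daemon."""
    return [s for s in segments if s[1] == port]

def atomic_match(segments, pattern):
    """Atomic-style engine: the whole pattern must sit inside a single segment."""
    return any(pattern.search(seg) is not None for _, _, seg in segments)

def stream_match(segments, pattern):
    """String-TCP-style engine: reassemble the stream, then match across segment boundaries."""
    return pattern.search(b"".join(seg for _, _, seg in segments)) is not None

def build_session():
    """Constructed session: client port 50000 types to port 23, router answers with the banner."""
    return char_at_a_time(TYPED, 50000, TELNET_PORT) + [(TELNET_PORT, 50000, ROUTER_REPLY)]

def run_demo():
    """Return which engine/regex combinations fire on the to-service half of the session."""
    request = to_service(build_session())
    return {
        "atomic_to_service": atomic_match(request, SHOW_RUN),        # False: 1 byte per segment
        "stream_to_service": stream_match(request, SHOW_RUN),        # True: matched across segments
        "stream_single_space": stream_match(request, SINGLE_SPACE),  # False: two spaces were typed
    }

if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name:22s} {'ALERT' if hit else 'no match'}")
```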
