IPS 4240 : TCP Reset didn't work properly

Unanswered Question
Apr 29th, 2007

hello all,

I've created a new custom signature that sends a TCP reset on the TCP string "testattack".

For testing, I've configured the telnet password on the router's line vty as testattack.

I've tried to connect to the router with the testattack password.

I can see the popup message on the IEV, but the telnet session doesn't disconnect.

I guess the telnet session should be disconnected due to the signature.

How can I configure it to accomplish this test?

IPS : Cisco Intrusion Prevention System, Version 5.1(4)S257.0

Decoded alarm context on IEV:

Decoded alarm context(signature name='My sig' Evend ID=~~~~

-snip

From attacker : P ANSI testattc

Log from IPS Device Manager:

evIdsAlert: eventId=1177883105267717064 vendor=Cisco severity=high
  originator:
    hostId: SEIPS
    appName: sensorApp
    appInstanceId: 347
  time: 2007년 4월 29일 (일) 오후 10시 06분 55초 offset=0 timeZone=UTC
  signature: description=My Sig id=60000 version=custom
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: 192.168.1.100 locality=OUT
      port: 2269
    target:
      addr: 192.168.2.100 locality=OUT
      port: 23
  actions:
    tcpResetSent: true
  context:
    fromTarget:
      000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
      000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
      000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
      000030 77 6F 72 64 3A 20 FF FA 18 01 FF F0 word: ......
    fromAttacker:
      000000 FF FD 01 FF FD 03 FF FB 18 FF FB 1F FF FB 1F FF ................
      000010 FA 1F 00 50 00 1E FF F0 FF FA 18 00 41 4E 53 49 ...P........ANSI
      000020 FF F0 74 65 73 74 61 74 74 61 63 ..testattac
  riskRatingValue: 75
  interface: ge0_0
  protocol: tcp

Regards,

John.
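The alert above records two things worth separating: the context dumps (what the sensor saw on the wire, telnet option negotiation included) and `tcpResetSent: true` (only that the sensor transmitted a reset, not that either endpoint acted on it). The following Python is an added example, not code from the thread or from Cisco: it copies the two hex dumps from the alert, strips the telnet IAC negotiation (RFC 854), and reports the application bytes and whether the full trigger string is visible. The function names and the `trigger` parameter are my own choices.

```python
import re

# Copies of the two context dumps quoted in the alert above (IEV/IDM format:
# offset column, up to 16 hex bytes, then the ASCII column).
FROM_TARGET = """\
000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
000030 77 6F 72 64 3A 20 FF FA 18 01 FF F0 word: ......
"""
FROM_ATTACKER = """\
000000 FF FD 01 FF FD 03 FF FB 18 FF FB 1F FF FB 1F FF ................
000010 FA 1F 00 50 00 1E FF F0 FF FA 18 00 41 4E 53 49 ...P........ANSI
000020 FF F0 74 65 73 74 61 74 74 61 63 ..testattac
"""

# Telnet protocol bytes (RFC 854).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATION = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hexdump(dump: str) -> bytes:
    """Recover the raw bytes from an IEV-style dump, skipping the offset and ASCII columns.

    At most 16 hex tokens are taken per line, so a two-letter word in the ASCII column of
    a full line is never mistaken for a byte (caveat: on a short final line it could be).
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:        # drop the offset, cap at 16 bytes
            if not HEX_BYTE.match(tok):
                break                         # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def strip_telnet(data: bytes):
    """Split a telnet byte stream into (application bytes, list of negotiation commands)."""
    payload, commands = bytearray(), []
    i = 0
    while i < len(data):
        if data[i] != IAC:
            payload.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:      # escaped literal 0xFF
            payload.append(IAC)
            i += 2
        elif i + 2 < len(data) and data[i + 1] in NEGOTIATION:
            commands.append(f"{NEGOTIATION[data[i + 1]]} {data[i + 2]}")
            i += 3
        elif i + 2 < len(data) and data[i + 1] == SB:       # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                                        # truncated: stop rather than guess
            commands.append(f"SB {data[i + 2]} {data[i + 3:end].hex()}")
            i = end + 2
        else:
            break                                            # truncated or unknown command
    return bytes(payload), commands


def summarize_context(dump: str, trigger: str) -> dict:
    """Decode one context dump and report what the sensor actually captured."""
    payload, commands = strip_telnet(parse_hexdump(dump))
    text = payload.decode("ascii", errors="replace")
    return {
        "text": text,
        "negotiations": commands,
        "trigger_complete": trigger in text,   # False when the context was cut off mid-string
    }


if __name__ == "__main__":
    for name, dump in (("fromTarget", FROM_TARGET), ("fromAttacker", FROM_ATTACKER)):
        s = summarize_context(dump, "testattack")
        print(name, repr(s["text"]), s["negotiations"], "complete:", s["trigger_complete"])
```

Run against the dumps above, the attacker side decodes to five option negotiations, two subnegotiations (window size and terminal type "ANSI") and the bare text `testattac`: the context buffer stops one byte short of the full password, so the context alone cannot tell you whether the signature's string matched, only that the signature engine reported it did.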

mhellman Mon, 04/30/2007 - 06:02

Are you inline or promiscuous? If promiscuous, how are you configured (tap,hub,span,etc) and what hardware?

johnyoon75 Sat, 05/05/2007 - 03:52

Hello,

The IPS is configured in promiscuous mode.

I also set up SPAN on the switch.

Only one interface, gigabit 0, is used as the sniffing interface.

I didn't configure an alternate TCP reset interface on the IPS.

Regards,

john.

AdnanShahid Sat, 01/05/2008 - 02:12

Hi,

I am having the same problem with TCP Reset. Can you please explain in which scenario we would need this ingress VLAN and encapsulation information.

Will be appreciated if u can give me an idea.

Thanks and Regards

adnan

cisco24x7 Sat, 01/05/2008 - 10:16

I had this issue when I was preparing for my CCIE Security back in 2006 with IDS version 4.1, so it may or may not apply to your situation. I was using Cisco IDS 4.1 with Catalyst 3550s:

RouterA is connected to F0/1 and vlan 4
IDS sensing interface is connected to F0/2
IDS C&C is connected to F0/3 vlan 2
IDS sensing interface is connected to F0/5
RouterX is connected to F0/4 vlan 3

Objective: from RouterX, telnet to RouterA. When prompted for a username, type the username. When prompted for a password, enter "abcd". At that time, the IDS will send a TCP reset to RouterX, thus resetting the connection.

On the Catalyst 3550:

monitor session 1 source vlan 4
monitor session 1 destination interface f0/5 ingress vlan 4

That will do the trick.

What I also found out from my preparation for the lab is that the IDS will send the reset about 80% of the time. It did not work the other 20% of the time, even though I clearly saw it send a TCP reset in the IDS event viewer. I also confirmed this by running tcpdump on the IDS itself (yes, with a trick you can do this). I could not figure out why it behaved this way. I passed the lab shortly after that, so I never followed up with it. However, if you see a reset in the IEV but the connection itself is not reset, it's probably a bug.
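Whether a reset that the sensor reports as sent actually tears down the session depends on the receiving TCP stack, not on the sensor. A promiscuous sensor builds its RST from the sequence numbers it last observed, and a receiver silently drops a RST whose sequence number is outside its receive window (RFC 793) or, on stacks implementing RFC 5961, not exactly at RCV.NXT. The Python below is an added example, not the poster's code or anything from Cisco: it replays a capture in order, tracks each host's expected sequence number, and reports which RSTs the receiver would have acted on. The two captures are constructed with relative sequence numbers; only the two addresses come from the alert in the thread, and the window size and the `strict` flag are my assumptions.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF            # TCP sequence numbers are modulo 2^32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    length: int = 0          # payload bytes carried
    rst: bool = False


def rst_accepted(seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """Would a receiver expecting RCV.NXT with window RCV.WND act on a RST carrying SEQ?

    RFC 793: any SEQ with RCV.NXT <= SEQ < RCV.NXT + RCV.WND is acceptable.
    RFC 5961 (strict): only SEQ == RCV.NXT resets; other in-window SEQs draw a challenge ACK.
    """
    if strict:
        return seq == rcv_nxt
    return ((seq - rcv_nxt) & MASK) < rcv_wnd


def evaluate_resets(capture, rcv_wnd: int = 4096, strict: bool = False) -> dict:
    """Replay a capture in order, tracking each host's RCV.NXT from the in-order data it
    receives, and judge every RST against the receiver's state when the RST arrives.
    Returns {(src, dst, seq): accepted}."""
    rcv_nxt = {}
    verdicts = {}
    for s in capture:
        expected = rcv_nxt.get(s.dst)
        if s.rst:
            verdicts[(s.src, s.dst, s.seq)] = (
                expected is not None and rst_accepted(s.seq, expected, rcv_wnd, strict)
            )
        elif s.length:
            # Accept the first data segment seen in each direction, then only in-order data.
            if expected is None or s.seq == expected:
                rcv_nxt[s.dst] = (s.seq + s.length) & MASK
    return verdicts


CLIENT, TARGET = "192.168.1.100", "192.168.2.100"   # addresses from the alert in the thread

# Constructed captures with relative sequence numbers; the handshake is already complete.
RESET_LANDS = [
    Segment(CLIENT, TARGET, seq=1000, length=3),    # telnet option negotiation
    Segment(TARGET, CLIENT, seq=5000, length=40),   # banner and "Password: " prompt
    Segment(CLIENT, TARGET, seq=1003, length=10),   # "testattack": the signature fires here
    Segment(CLIENT, TARGET, seq=1013, rst=True),    # sensor RST spoofed as the client
    Segment(TARGET, CLIENT, seq=5040, rst=True),    # sensor RST spoofed as the server
]
RESET_STALE = RESET_LANDS[:3] + [
    Segment(CLIENT, TARGET, seq=1013, length=2),    # client's "\r\n" arrives before the RST does
    Segment(CLIENT, TARGET, seq=1013, rst=True),    # RST built from the older state: behind RCV.NXT
    Segment(TARGET, CLIENT, seq=5040, rst=True),
]

if __name__ == "__main__":
    for name, cap in (("reset lands", RESET_LANDS), ("reset stale", RESET_STALE)):
        print(name, evaluate_resets(cap))
```

In the second capture the client's next keystrokes reach the server before the sensor's RST, so the RST aimed at the server is already behind RCV.NXT and is dropped, while the RST aimed at the client still lands and only that side closes. Checking real captures this way (one taken at the SPAN destination, one at the target) separates "the sensor never got its frame into the switch" from "the frame arrived but the stack ignored it", which is the distinction a bug report on this behaviour needs.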
