IDS custom signature and connection reset

Unanswered Question
Mar 13th, 2008

Test bed configuration consists of Catalyst 6500 and 4255 IDS vith SW version 6.0. The traffic is captured using VLAN capture feature and send to the sensing interface Gi0/0 on IDS. The reset interface is Gi0/3, connected back to the Cat6K.

Vlan 140 with IP interface is defined on the switch. There is a host connected to that Vlan. A custom signature defines that telnet to that host is not legal and the reset action is defined IDS.

When the telnet is started to that host from anywhere in the network, the connection is reset. BUT the event counter gone mad constantly increasing.

What we suspect to happen is that the reset packet from IDS that is destined for te secured host, triggers the event again what causes new resets. It is some kind of a loop situation.

Is there any feature or technique to overcome such situation ?

IDS should recognize its own reset packets !

Thanks for any hint.

Best regards

Metod Platise

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rhermes Thu, 03/13/2008 - 14:53

You need to write your custom signature so it triggers on more than an IP address and port number. Try triggering on SYN or ACK (if telnet is really enabled on the host).

mplatise Fri, 03/14/2008 - 06:45

Thank you for ideas.

In fact, any traffic to that host except specific application is not permited.

Just IP and port would not suffice, because the reset would contain both parameters.

We mada a workaround applying port ACL on the switch where IDS reset interface is connected ( IOS version ...XH)and filter reset packets to that host.

Regards

Metod

mhellman Fri, 03/14/2008 - 05:55

You didn't provide the details on the custom sig. You might try an atomic IP signature. layer 4 protocol = tcp. tcp flags = SYN. tcp mask = Ack|Fin|Psh|Rst|Syn|Urg. destination port = 23. specify ip address = .

This should only fire on the initial SYN packet and the RST packets won't match.

Actions

This Discussion