IDS custom signature and connection reset

Mar 13th, 2008

Test bed configuration consists of Catalyst 6500 and 4255 IDS with SW version 6.0. The traffic is captured using the VLAN capture feature and sent to the sensing interface Gi0/0 on the IDS. The reset interface is Gi0/3, connected back to the Cat6K.

Vlan 140 with an IP interface is defined on the switch. There is a host connected to that Vlan. A custom signature defines that telnet to that host is not legal, and the reset action is defined on the IDS.

When the telnet is started to that host from anywhere in the network, the connection is reset. BUT the event counter has gone mad, constantly increasing.

What we suspect is happening is that the reset packet from the IDS that is destined for the secured host triggers the event again, which causes new resets. It is some kind of a loop situation.

Is there any feature or technique to overcome such a situation?

IDS should recognize its own reset packets !

Thanks for any hint.

Best regards

Metod Platise

rhermes Thu, 03/13/2008 - 14:53

You need to write your custom signature so it triggers on more than an IP address and port number. Try triggering on SYN or ACK (if telnet is really enabled on the host).

mplatise Fri, 03/14/2008 - 06:45
Thank you for ideas.

In fact, any traffic to that host except a specific application is not permitted.

Just IP and port would not suffice, because the reset would contain both parameters.

We made a workaround by applying a port ACL on the switch where the IDS reset interface is connected (IOS version ...XH) and filtering reset packets to that host.

mhellman Fri, 03/14/2008 - 05:55

You didn't provide the details on the custom sig. You might try an atomic IP signature:

  • layer 4 protocol = tcp
  • tcp flags = SYN
  • tcp mask = Ack|Fin|Psh|Rst|Syn|Urg
  • destination port = 23
  • specify ip address = .

This should only fire on the initial SYN packet and the RST packets won't match.

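An added example, not code from this thread or from Cisco's sensor software, that models the flags/mask comparison mhellman's atomic IP signature relies on (assuming the usual semantics: only the bits in the mask are examined, and they must equal the configured flags). The host address, ports and the packet list, including the sensor's spoofed RST toward the protected host, are constructed to show why an IP-plus-port-only signature re-fires on its own reset while the SYN-only signature does not.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # the Ack|Fin|Psh|Rst|Syn|Urg mask

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    flags: int

@dataclass(frozen=True)
class AtomicIpSig:
    dst_ip: str
    dst_port: int
    tcp_flags: int = 0   # bits that must be set among the masked bits
    tcp_mask: int = 0    # bits that are examined at all; 0 means "ignore flags"

    def fires(self, pkt: Packet) -> bool:
        """Match destination IP/port, then compare only the masked flag bits."""
        if pkt.dst_ip != self.dst_ip or pkt.dst_port != self.dst_port:
            return False
        return (pkt.flags & self.tcp_mask) == self.tcp_flags

def count_events(sig: AtomicIpSig, packets) -> int:
    """Number of events the signature raises over a captured packet list."""
    return sum(1 for p in packets if sig.fires(p))

# Constructed test-bed values (hypothetical protected host and client).
HOST, CLIENT = "10.140.0.10", "10.20.0.5"

# Constructed capture: client SYN, host SYN/ACK back to the client, the
# sensor's spoofed RST toward the host, and a later data segment to port 23.
TRAFFIC = [
    Packet(HOST, 23, SYN),              # the telnet attempt that should fire
    Packet(CLIENT, 51234, SYN | ACK),   # reply toward the client, other IP/port
    Packet(HOST, 23, RST | ACK),        # sensor's own reset, toward the host
    Packet(HOST, 23, PSH | ACK),        # follow-up data to the protected port
]

# Original signature: IP and port only, flags ignored (mask 0).
LOOSE_SIG = AtomicIpSig(HOST, 23)
# mhellman's refinement: SYN set with every other flag bit required clear.
TIGHT_SIG = AtomicIpSig(HOST, 23, tcp_flags=SYN, tcp_mask=ALL_FLAGS)

if __name__ == "__main__":
    print("loose:", count_events(LOOSE_SIG, TRAFFIC))  # 3, includes the RST
    print("tight:", count_events(TIGHT_SIG, TRAFFIC))  # 1, the initial SYN only
```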