customizing signatures question on AIP-SSM

Mar 25th, 2009

Hi all


Actually, our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.

Can I deny any unwanted connection for these users without affecting their legitimate connections, like internet browsing?


I tried setting the signature action to "deny connection inline", but when the signature fires, the user who appeared as an attacker is totally blocked and cannot access the internet.


Has anyone faced this issue?

Please advise.


regards


andrew100 Wed, 03/25/2009 - 07:38

Hi Mohammed,


This requires a bit more information.


Are these users based on the inside network, and are they browsing the internet?


Can I ask which signatures the IPS is firing?


Thanks


Andy

mohamed_makled Wed, 03/25/2009 - 08:30

Dear Andy


Thanks for your reply.

The users are in the inside network and they are browsing the internet.

The signatures that are fired by the IPS are:


3002 TCP SYN Port sweep

3010 TCP High Port sweep


regards

Mohamed

andrew100 Wed, 03/25/2009 - 09:03

Hi Mohammed,


OK, so what is the source address of the attacker? Is it the internal hosts? One host or many, and where are they trying to scan?


Thanks

mohamed_makled Wed, 03/25/2009 - 09:20

Dear Andy


The source addresses of the attackers are the internal users (10.3.40.x) and (10.3.50.x), and the victims are real IP addresses which are unknown.

This signature is fired for some internal users, not all.


regards

andrew100 Wed, 03/25/2009 - 09:23

Hi Mohammed,


Have you checked your PCs for viruses?


They should not be scanning random IP addresses like that.


Thanks


Andy

mohamed_makled Wed, 03/25/2009 - 09:30

Dear Andy


I already told my customer to do that, but the customer's request is that the IPS appliance should deny the connections to these unknown real IPs. Instead, the IPS appliance denies the users totally, so they cannot browse the internet.

As I said before, the signature action is "deny connection inline".


regards

andrew100 Wed, 03/25/2009 - 09:35

Hi Mohammed,


Ideally your customer needs to check his machines. The signature can be disabled purely for these hosts, but I wouldn't recommend that, as it defeats the point of having the IPS in place.


He ideally needs to check his hosts for viruses :-)


Thanks


Andy

mohamed_makled Wed, 03/25/2009 - 09:48

Andy


Surely, the customer will do that.

My question is: if the signature action is "deny connection inline", will that deny the attacker totally or not?


regards

andrew100 Wed, 03/25/2009 - 09:51

Hi Mohammed,


No, it will deny only the single connection from the host. But the host will then create a new connection, and that will then be blocked (if it fires a signature rule). If the connection to the internet is legitimate, this will not be blocked, as it is a new connection.


To block the host completely, this would be 'deny attacker inline'.


Thanks


Andy

mohamed_makled Wed, 03/25/2009 - 10:08

Andy


I agree with you regarding that.

But although the signature action is "deny connection inline", the internal user (attacker address) is totally denied.

Do you have any recommendations for finding the reason for that?


regards

rjaaouan Thu, 03/26/2009 - 01:48
(Cisco Employee)

Hi Mohammed.


Right now I'm preparing for the IPS exam, and I have read somewhere that:


"deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline" events, the IPS will say that there is a problem with this PC, and "I'll not lose resources and time blocking each connection", and then the IPS sensor will block the host.


You can tune the Signature to solve this issue, but this will not solve the main problem.


But as Andy said, there is a sweep attack from these PCs. Try to scan them with anti-virus and anti-worm tools, because they are the source of these issues.


Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:

http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257


I hope this is helpful.


Best regards

Reda

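To make concrete the distinction Andy draws above between "deny connection inline" and "deny attacker inline", and the repeated sweep firing Reda describes, here is an added example that is not part of this thread and not Cisco code: it replays constructed TCP SYN traffic through a toy inline sensor. The sweep threshold, the counting window, the deny-attacker duration and all addresses are assumptions chosen for the example, not the sensor's real sweep-engine tuning.

```python
"""
Replay of the two inline actions discussed in this thread through a toy
inline sensor.  Added illustration, not Cisco code: the sweep threshold,
window and deny-attacker duration are assumptions for the example, and the
traffic below is constructed by hand.
"""
from collections import defaultdict

# Assumed tuning for the model (not the sensor's real sweep-engine parameters).
SWEEP_UNIQUE_PORTS = 5           # distinct dst ports from one src to one dst
SWEEP_WINDOW = 5.0               # seconds over which ports are counted
DENY_ATTACKER_DURATION = 3600.0  # seconds a denied attacker stays blocked (assumed)

DENY_CONNECTION = "deny-connection-inline"
DENY_ATTACKER = "deny-attacker-inline"

# Constructed sample: TCP SYNs as (time, src, sport, dst, dport).
# 10.3.40.17 probes 203.0.113.10 on six ports, then opens a legitimate
# HTTPS connection to 198.51.100.5; 10.3.50.9 only browses.
SAMPLE_SYNS = [
    (0.0, "10.3.40.17", 40001, "203.0.113.10", 21),
    (0.1, "10.3.40.17", 40002, "203.0.113.10", 22),
    (0.2, "10.3.40.17", 40003, "203.0.113.10", 23),
    (0.3, "10.3.40.17", 40004, "203.0.113.10", 25),
    (0.4, "10.3.40.17", 40005, "203.0.113.10", 80),   # 5th port: sweep fires
    (0.5, "10.3.40.17", 40006, "203.0.113.10", 110),  # another probe, fires again
    (0.9, "10.3.40.17", 40007, "198.51.100.5", 443),  # legitimate browsing
    (1.0, "10.3.50.9",  40008, "198.51.100.5", 80),   # clean host
]


def sweep_fires(history, pkt):
    """Return True when this SYN brings the (src, dst) pair to the port
    threshold inside the window. history maps (src, dst) -> [(t, dport)]."""
    t, src, _sport, dst, dport = pkt
    key = (src, dst)
    recent = [(ts, p) for ts, p in history[key] if t - ts <= SWEEP_WINDOW]
    recent.append((t, dport))
    history[key] = recent
    return len({p for _, p in recent}) >= SWEEP_UNIQUE_PORTS


def run_sensor(packets, action):
    """Pass every packet through the inline sensor with `action` configured
    on the sweep signature. Returns a list of (packet, verdict, fired)."""
    history = defaultdict(list)
    denied_flows = set()      # flow tuples dropped by deny-connection-inline
    denied_attackers = {}     # src -> expiry time set by deny-attacker-inline
    results = []
    for pkt in packets:
        t, src, sport, dst, dport = pkt
        flow = (src, sport, dst, dport)
        # deny-attacker: everything from the host is dropped until expiry,
        # whatever the destination, so legitimate browsing dies too.
        if src in denied_attackers and t < denied_attackers[src]:
            results.append((pkt, "drop", False))
            continue
        # deny-connection: only the flow that fired is dropped.
        if flow in denied_flows:
            results.append((pkt, "drop", False))
            continue
        fired = sweep_fires(history, pkt)
        if not fired:
            results.append((pkt, "pass", False))
            continue
        if action == DENY_CONNECTION:
            denied_flows.add(flow)
        elif action == DENY_ATTACKER:
            denied_attackers[src] = t + DENY_ATTACKER_DURATION
        results.append((pkt, "drop", True))
    return results


def verdicts(action, packets=SAMPLE_SYNS):
    """Verdict per packet, in order, for the given action."""
    return [verdict for _, verdict, _ in run_sensor(packets, action)]


if __name__ == "__main__":
    for action in (DENY_CONNECTION, DENY_ATTACKER):
        print(action)
        for pkt, verdict, fired in run_sensor(SAMPLE_SYNS, action):
            t, src, sport, dst, dport = pkt
            flag = "  <- sweep signature fired" if fired else ""
            print(f"  {t:4.1f}s {src}:{sport} -> {dst}:{dport}  {verdict}{flag}")
```

With deny-connection-inline, only the probe flows that fired are dropped; each new probe fires the signature again and is dropped in turn, while the same host's HTTPS connection to a different server still passes. With deny-attacker-inline, everything the host sends is dropped for the duration, which is the "totally blocked" behaviour described in the question.
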