04-03-2009 07:57 AM - edited 03-10-2019 04:34 AM
Are there any additional sources of information for creating custom signatures for IPS? I am working with a SSM-10 module in an ASA. The product docs are great for install and basic tuning but I need a bit more for signatures/actions.
We are trying to stop dictionary attacks being thrown at one of our servers and would like to shut down access to a source address after a few failed tries.
04-09-2009 08:21 AM
This link may help you out...
http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/idm/dmSigWiz.html#wp1033529
04-15-2009 11:17 PM
What kind of application is this? If it's using Active Directory logon then there is a built-in signature that you can clone and modify as necessary. Other protocols also have authentication signatures AFAIK. If it's not already there, you need to use the link provided by htarra to create a signature yourself. If the protocol is clear-text you can just do a regular string signature to look for the auth. failure string/OP code.
Regards
Farrukh
04-16-2009 06:50 AM
Hi Farrukh,
It is RADIUS authentication using IAS. The client has numerous services/devices that are exposed and use this type of authentication. Someone is throwing dictionary attacks against them all the time. I had hoped to be able to shut this down based on source IP after about three failed attempts.
Do you know if there are any existing signatures that could be modified to accomplish this?
Regards,
Jeff
04-17-2009 05:41 AM
I could not locate any on the following link:
http://tools.cisco.com/security/center/search.x
RADIUS is a semi-clear text protocol (except some fields), so you can capture the traffic via a packet sniffer and make the appropriate signature.
Regards
Farrukh
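The following is an added example, not part of the thread and not a Cisco IPS signature: Python that parses captured RADIUS payloads, pairs each Access-Reject (code 3) with its Access-Request by identifier, and counts rejects per origin. The three-in-60-seconds policy, the function names and the use of Calling-Station-Id as the origin are assumptions; on the wire the packet source is the RADIUS client device, not the remote user.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_REJECT = 1, 3      # RADIUS codes (RFC 2865)
CALLING_STATION_ID = 31                   # attribute type (RFC 2865)
THRESHOLD, WINDOW = 3, 60                 # assumed policy: 3 rejects in 60 s

def parse_radius(payload):
    """Return (code, identifier, {attr_type: value}) or None if malformed."""
    if len(payload) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    attrs, pos = {}, 20                   # skip the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None                   # truncated or bogus attribute
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def detect(packets):
    """packets: (ts, src_ip, src_port, dst_ip, dst_port, payload) tuples."""
    pending, rejects, flagged = {}, defaultdict(list), []
    for ts, src, sport, dst, dport, payload in packets:
        parsed = parse_radius(payload)
        if parsed is None:
            continue
        code, ident, attrs = parsed
        if code == ACCESS_REQUEST:
            # The sender is the RADIUS client (NAS); fall back to it if no attribute.
            origin = attrs.get(CALLING_STATION_ID, src.encode()).decode("latin-1")
            pending[(src, sport, ident)] = origin
        elif code == ACCESS_REJECT:
            origin = pending.pop((dst, dport, ident), None)
            if origin is None:
                continue                  # reject with no matching request
            recent = [t for t in rejects[origin] if ts - t <= WINDOW] + [ts]
            rejects[origin] = recent
            if len(recent) >= THRESHOLD and origin not in flagged:
                flagged.append(origin)
    return flagged

def build(code, ident, attrs=()):
    """Build a constructed sample RADIUS packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
```

`detect` returns the origins that reached the threshold; feeding it real traffic means extracting the UDP port 1812 payloads from a capture first.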
05-01-2009 11:05 AM
If you can provide us with the pcaps of the failed login attempts, I will be able to look into it and see if a signature is possible.
Thanks,
Roopesh
IPS Signature Engineering
Cisco Systems Inc