TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

Aug 5th, 2009

I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.

We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (the recommended setup is a dedicated TCP reset interface).

However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.

I am a beginner in IPS; any inputs will be valuable for me.

rhermes Wed, 08/05/2009 - 10:46

Assuming you enabled the TeamViewer sigs (new sigs are often not enabled), you've found that some signatures are less accurate than others (new signatures usually more so). Since the regex of the sigs is hidden, you can't see why it is firing or not firing. You have two choices: wait till Cisco releases better versions of the signatures you need, or write a custom signature to catch what you're looking for.

wsulym Wed, 08/05/2009 - 11:10

We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.

For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.

-0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.

-1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.

-2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.

TCP resets are a best-effort response; they aren't going to be a 100% effective stop.

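As an added illustration (not code from the thread or from Cisco), the following classifies constructed flow records the way the three 15002 sub-signatures described above would, and records whether a TCP reset response could apply at all. Port 5938 comes from the thread; the DNS-query and HTTP-host fields, the proxy ports and the hostnames are assumptions, not the vendor's hidden matching logic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEAMVIEWER_DIRECT_PORT = 5938   # from the thread (sig 15002-1)
ASSUMED_PROXY_PORTS = (80, 8080, 3128)  # assumption for sig 15002-2

@dataclass
class Flow:
    proto: str              # "tcp" or "udp"
    dst_port: int
    dns_query: str = ""     # assumption: filled in by a DNS-aware collector
    http_host: str = ""     # assumption: Host/CONNECT target seen via proxy

def match_subsig(flow: Flow) -> Optional[str]:
    """Approximate the published sub-signature descriptions."""
    if flow.proto == "udp" and flow.dst_port == 53 \
            and "teamviewer" in flow.dns_query.lower():
        return "15002-0"                    # startup DNS lookup
    if flow.proto == "tcp" and flow.dst_port == TEAMVIEWER_DIRECT_PORT:
        return "15002-1"                    # direct connection
    if flow.proto == "tcp" and flow.dst_port in ASSUMED_PROXY_PORTS \
            and "teamviewer" in flow.http_host.lower():
        return "15002-2"                    # use over HTTP via proxy
    return None

def reset_applicable(flow: Flow) -> bool:
    """A TCP reset only makes sense for a TCP flow; DNS or TeamViewer
    traffic carried over UDP (as the poster observed) cannot be reset."""
    return flow.proto == "tcp"

def triage(flows: List[Flow]) -> List[Tuple[str, bool]]:
    """(sub-signature, reset_possible) for every flow that matches."""
    return [(sig, reset_applicable(f)) for f in flows
            if (sig := match_subsig(f)) is not None]

def unmatched(flows: List[Flow]) -> List[Flow]:
    """Flows none of the three sub-signatures would fire on."""
    return [f for f in flows if match_subsig(f) is None]

# Constructed sample flows (hostnames are made up for the example)
SAMPLE = [
    Flow("udp", 53, dns_query="example-master.teamviewer.com"),
    Flow("tcp", TEAMVIEWER_DIRECT_PORT),
    Flow("tcp", 8080, http_host="example-ping.teamviewer.com"),
    Flow("udp", TEAMVIEWER_DIRECT_PORT),   # UDP fallback: no match, no reset
    Flow("tcp", 443),                      # unrelated TLS traffic
]

if __name__ == "__main__":
    for sig, can_reset in triage(SAMPLE):
        print(sig, "reset possible" if can_reset else "reset not applicable")
```

Even where a reset is possible, it remains best effort, as the answer above notes; the UDP fallback row shows the gap the thread ran into.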
manuadoor Thu, 08/06/2009 - 02:20

I checked it. The signature was configured as retired; now it's enabled and I can see that 15002 is getting fired. I found that all the connections use UDP protocols and hence it's not blocking.

My main doubt is, can we send TCP resets through promiscuous interfaces (I just configured only promiscuous interfaces, no dedicated TCP reset interfaces)?

manuadoor Sat, 08/08/2009 - 09:39

Thanks a lot. But when I activated the signature 15002 (TeamViewer activity), TeamViewer version 3 is getting blocked but TeamViewer 4.0 is still not getting blocked...

manuadoor Mon, 08/10/2009 - 01:36

Suppose I want to monitor 3 VLANs as source to a single destination port which is connected to the promiscuous interface of the Cisco IPS 4240. In this case, what will be the VLAN ID to be specified after the ingress vlan command?

Is that the native VLAN, which is normally VLAN 1?
