TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

Aug 5th, 2009

I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signature release.

We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (the recommended approach is a dedicated TCP reset interface).

However, in my case I found that the signatures for TeamViewer are not firing even after successful TeamViewer connections.

I am a beginner in IPS; any inputs will be valuable for me.


rhermes Wed, 08/05/2009 - 10:46

Assuming you enabled the TeamViewer sigs (new sigs are often not enabled), you've found that some signatures are less accurate than others (new signatures usually more so). Since the regex of the sigs is hidden you can't see why it is firing or not firing. You have two choices: wait till Cisco releases better versions of the signatures you need, or write a custom signature to catch what you're looking for.

wsulym (Cisco Employee) Wed, 08/05/2009 - 11:10

We're talking about sigs 15002-0, -1, -2 here. They are shipped disabled and retired by default, so you'll want to enable and activate them.

For these, the signature settings are not hidden, and what they look for is pretty clearly documented in the sig description.

-0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.

-1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.

-2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.

TCP resets are a best-effort response; they aren't going to be a 100% effective stop.

manuadoor Thu, 08/06/2009 - 02:20

I checked it. The signature was configured as retired; now it's enabled and I can see that 15002 is firing. I found that all the connections use UDP and hence it's not blocking.

My main doubt is, can we send TCP resets through promiscuous interfaces (I just configured promiscuous interfaces only, no dedicated TCP reset interfaces)?



rhermes Fri, 08/07/2009 - 09:57

An IPS sensor CAN send TCP resets via its promiscuous interface, but that interface on the switch must be configured to be able to accept the incoming TCP resets from the sensor.

The keyword you are looking for is "ingress" in the monitor session command.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/command/reference/cli1.html#wp9700521

manuadoor Sat, 08/08/2009 - 09:39

Thanks a lot. But when I activated signature 15002 (TeamViewer activity), TeamViewer version 3 is getting blocked but TeamViewer 4.0 is still not getting blocked...

manuadoor Mon, 08/10/2009 - 01:36

Suppose I want to monitor 3 VLANs as sources to a single destination port which is connected to the promiscuous interface of the Cisco IPS 4240. In this case, what will be the VLAN ID to be specified after the ingress vlan command?

Is that the native VLAN, which is normally VLAN 1?
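The following is an added example, not configuration posted in the thread or taken from the linked Cisco page: a Catalyst IOS SPAN session of the kind rhermes refers to, copying three VLANs to the sensor's promiscuous port and accepting the sensor's TCP resets back through that same port via the "ingress" keyword. The VLAN IDs (10, 20, 30) and the interface name (GigabitEthernet0/24) are constructed values; keyword support varies by platform and IOS release, so confirm each option with "?" on the switch in question.

```cisco
! Added example (not from the thread). Catalyst IOS local SPAN session that
! mirrors three VLANs to the IPS 4240 promiscuous port and lets the sensor's
! TCP resets back in. VLAN IDs and interface name are constructed values.
configure terminal
 no monitor session 1
 ! Source: the three monitored VLANs, both directions (spaces around the
 ! commas are required by the IOS parser).
 monitor session 1 source vlan 10 , 20 , 30 both
 ! Destination: the port cabled to the sensor's promiscuous interface.
 ! "encapsulation replicate" keeps the 802.1Q tags on the mirrored frames,
 ! so the sensor can see which VLAN each flow belongs to.
 ! "ingress dot1q vlan 10" accepts frames the sensor sends back on this port:
 !   - frames tagged by the sensor are forwarded in the VLAN of their tag
 !   - untagged frames are placed in the default VLAN given here (VLAN 10)
 monitor session 1 destination interface GigabitEthernet0/24 encapsulation replicate ingress dot1q vlan 10
 end
! Verify: the destination entry should show Ingress enabled with default VLAN 10
show monitor session 1
```

The VLAN ID after "ingress" is therefore not tied to the native VLAN; it is the VLAN into which the switch places untagged frames arriving from the sensor. With the simpler "ingress vlan <id>" form, every reset the sensor sends untagged lands in that single VLAN, so a session mirroring three VLANs can only deliver untagged resets to hosts in one of them. Whether a given sensor version tags its resets with the VLAN of the offending packet (which the "dot1q" form above relies on) should be checked against the IPS documentation for that release before relying on it across all three VLANs.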
