TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

manuadoor
Level 1

I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signature update.

We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (a dedicated TCP reset interface is recommended).

However, in my case I found that the signatures for TeamViewer are not firing even after successful TeamViewer connections.

I am a beginner in IPS; any input will be valuable for me.

6 Replies

rhermes
Level 7

Assuming you enabled the TeamViewer sigs (new sigs are often not enabled), you've found that some signatures are less accurate than others (new signatures are usually worse). Since the regex of the sigs is hidden, you can't see why it is firing or not firing. You have two choices: wait till Cisco releases better versions of the signatures you need, or write a custom signature to catch what you're looking for.

wsulym
Cisco Employee

We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.

For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.

-0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.

-1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.

-2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.

TCP resets are a best-effort response; they aren't going to be a 100% effective stop.

I checked it. The signature was configured as retired; now it's enabled and I can see that 15002 is getting fired. I found that all the connections are using the UDP protocol and hence it's not blocking.

My main doubt is: can we send TCP resets through promiscuous interfaces? (I just configured promiscuous interfaces only, no dedicated TCP reset interfaces.)

An IPS sensor CAN send TCP resets via its promiscuous interface, but that interface on the switch must be configured to be able to accept the incoming TCP resets from the sensor.

The keyword you are looking for is "ingress" in the monitor session command.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/command/reference/cli1.html#wp9700521
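As an added example (not from this thread or from Cisco's documentation), here is a Catalyst 2960-style SPAN configuration for the setup the reply describes: the same session first without and then with the ingress keyword on the destination port. The interface name Gi0/24 and VLANs 10, 20 and 30 are placeholders; which VLAN to name after ingress is an assumption, not something the thread settles.

```text
! Added example: SPAN session feeding the IPS promiscuous port.
! Gi0/24 and VLANs 10, 20, 30 are placeholders, not values from the thread.

! Weak: the destination port only copies traffic out to the sensor.
! Frames the sensor sends back in (its TCP resets) are dropped by the switch.
monitor session 1 source vlan 10 , 20 , 30 both
monitor session 1 destination interface gigabitethernet0/24

! Corrected: the ingress keyword lets the destination port accept frames
! arriving from the sensor; untagged frames are forwarded in the VLAN
! given here (VLAN 10 is only an assumption for this example).
no monitor session 1
monitor session 1 source vlan 10 , 20 , 30 both
monitor session 1 destination interface gigabitethernet0/24 ingress vlan 10

! Check that the session shows the destination with ingress forwarding enabled.
show monitor session 1
```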

Thanks a lot. But when I activated signature 15002 (TeamViewer activity), TeamViewer version 3 is getting blocked but TeamViewer 4.0 is still not getting blocked.

Suppose I want to monitor 3 VLANs as source to a single destination port which is connected to the promiscuous interface of the Cisco IPS 4240. In this case, what will be the VLAN ID to be specified after the ingress vlan command?

Is that the native VLAN, which is normally VLAN 1?
