08-05-2009 01:14 AM - edited 03-10-2019 04:43 AM
I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (a dedicated TCP reset interface is recommended).
However, in my case, I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
I am a beginner in IPS; any inputs will be valuable for me.
08-05-2009 10:46 AM
Assuming you enabled the TeamViewer sigs (new sigs are often not enabled), you've found that some signatures are less accurate than others (new signatures are usually more so). Since the regex of the sigs is hidden, you can't see why it is firing or not firing. You have two choices: wait till Cisco releases better versions of the signatures you need, or write a custom signature to catch what you're looking for.
08-05-2009 11:10 AM
We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
-0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
-1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.
-2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.
TCP resets are a best-effort response; they aren't going to be a 100% effective stop.
08-06-2009 02:20 AM
I checked it. The signature was configured as retired; now it's enabled and I can see that 15002 is getting fired. I found that all the connections are using UDP and hence it's not blocking.
My main doubt is: can we send TCP resets through promiscuous interfaces? (I just configured only promiscuous interfaces, no dedicated TCP reset interfaces.)
08-07-2009 09:57 AM
An IPS sensor CAN send TCP resets via its promiscuous interface, but that interface on the switch must be configured to be able to accept the incoming TCP resets from the sensor.
The keyword you are looking for is "ingress" in the monitor session command.
08-08-2009 09:39 AM
Thanks a lot. But when I activated signature 15002 (TeamViewer activity), TeamViewer version 3 is getting blocked but TeamViewer 4.0 is still not getting blocked...
08-10-2009 01:36 AM
Suppose I want to monitor 3 VLANs as source to a single destination port which is connected to the promiscuous interface of the Cisco IPS 4240. In this case, what will be the VLAN ID to be specified after the ingress vlan command?
Is that the native VLAN, which is normally VLAN 1?