how can i add a filter task to my IDS receive a warnning message when users make authentification windows or Active directory to servers

Unanswered Question
Jun 3rd, 2010

i have an IDS 4215 ,and i want that it give me a warnning when users make authentification windows or actice directory to some servers.should i add a signature or what?and i want to specify the servers which the warnning will be available.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Scott Fringer Thu, 06/03/2010 - 04:05

Yes, this would be the ideal candidate for a custom signature.  You can find out more about writing signatures for Cisco IPS sensors here:

You can also make use of the Signature Wizard for assisted creation.  More details can be found here:

This will allow the IPS sensor to fire a signature when your criteria are matched.  Should you want an email alert to be generated for that signature event, you will need to implement a solution such as Cisco's free IPS Manager Express (IME).  You can find out more, and download IME here:


anas.belahcen Thu, 06/03/2010 - 08:36

thank you ,but can you give me one exemple of custome signature with configuration to make it in the sensor.

because i didn't found where to put for exemple the @ip of servers which i want to make warnning for them.

Scott Fringer Thu, 06/03/2010 - 09:10

Depending on whether the servers in question are the source (attacker) of the traffic or destination (victim) will determine where you would place the server IP addresses in the signature.

This is a simple signature definition using a signature variable for multiple IP address storage. This signature is in no way designed to detect the exact behavior you are interested in capturing:

signatures 60001 0
sig-name Atomic IP Detection
sig-string-info An IP address of interest was detected.
engine atomic-ip
specify-ip-addr-options yes
ip-addr-options ip-addr
specify-src-ip-addr yes
src-ip-addr $SERVERS

You will, of course, need to choose the approriate signature engine to provide inspection to meet your requirements.


anas.belahcen Fri, 06/04/2010 - 07:43

so with this configuration !! i will receive a warnning when one of users will make a log windows.???

tank you for collaboration 

Scott Fringer Fri, 06/04/2010 - 07:49

No, the above was just a  sample signature on how to add a variable as the source IP address in a signature.

You will need to determine the traffic profile for the behavior for which you are attempting to create a signature.  You may be able to do this by performing packet captures using Wireshark, or a similar tool.

Once you determine what the traffic looks like, you can determine the correct signature engine to use, and what specific details need to be caught by the signature.  Not having access to your network, I cannot create a solution to meet your needs.  This is an activity that you will need to perform on your own.

If you are wanting to monitor logins to Windows servers, it may be better to implement audit logging on the servers in question, and monitor those access for these activities.


anas.belahcen Fri, 06/04/2010 - 07:51

how you can help me ,if i wanna just have a warnning for a log windows in some servers .or try just for one.

the exemple is : when for exemple i'll make a log windiw in server x the IDS will give me a warnning for the log to tell me some one makes a log windows in server x

Scott Fringer Fri, 06/04/2010 - 08:02

I cannot write a specific signature for you since I do not have access to your network to see exactly what packets traverse the network during the activity you are wanting to alert on.  This is effort you will need to perform yourself.

There are several signatures already present on the IPS sensor that detect failed logons and such (5606/0, 5726/0-1, 5739/0-1), you may be able to use one of these signatures as a basis for creating a custom signature to detect a successful logon.

If this logon activity takes place using an encrypted channel, the IPS will not be able to detect this activity and alert you since the IPS cannot decrypt this communication.  The most effective manner for monitoring Windows server logins is through the monitoring of the local Windows event logs via a remote monitoring tool.



This Discussion