Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Help with custom signature RegexString value!!!

Unanswered Question
Jun 28th, 2003
User Badges:


All the routers in my network are configured in a manner so that when I attempt a telnet connection, I have to enter in a username and password. If I type in my username incorrectly, the router returns the following message...

% Login invalid

All these routers have logging enabled and are sending messages to the IDS 4250.

I'm trying to create a custom signature so that when the router returns % Login invalid, my IDS will display a message within IEV.

With that said, what would the RegexString value look like for this??

Thank you!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ewieczorek Sat, 06/28/2003 - 09:32
User Badges:


Thanks for the link and the response.

I tried your two suggestions and they didn't work...

I also tried the following...

[/%][/ .*][Ll]ogin[/ .*]invalid

That didn't work either unfortunately.

Any other ideas!?!?

Thanks for your help!

a.arndt Sun, 06/29/2003 - 14:09
User Badges:
  • Bronze, 100 points or more

Try this one:

[\%][ .*][Ll]ogin[ .*]invalid

Hope it helps!

marcabal Wed, 07/02/2003 - 10:23
User Badges:
  • Cisco Employee,

Just a side comment for you.

You say that the routers have logging enabled and sending messages to the IDS 4250.

What this generally means is that the syslog messages are being sent to the sensor. The sensor will then look for a few specific syslog messages that will be created when an ACL denies a packet. If you have the sensor configured to alarm when those sylog messages are seen for the specific ACL then the sensor will generate an alert.

There has been some confusion from users thinking that the sensor is able to analyze other syslog messages from the router (like invalid login messages).

In your scenario it is irrelevant that router is sending syslog messages to the sensor, because the sensor won't look for syslog messages about failed logins.

What you have to do is ensure that the sensor is monitoring the network between the telnet client and the router. The sensor will need to sniff the packets from the telnet client to the router, and from the router back to the telnet client.

Then you configure the sensor to fire on a regular expression like "[Ll]ogin [Ii]nvalid" (or one of the other suggested regular expressions) when it is seen coming FROM the telnet server.

NOTE: BY default the sensor will look for the regular expression on connections To the server, you will need to make sure you change the direction on the alarm to be From Service.

Additionally you will need to pay particular attention on where the sniffing interface of the sensor is deployed. If the sensor is monitoring the network off of the external interface of the router, then it will only monitor connections from the external network trying to connect to the router. It will not monitor users connecting from the internal network to the router.

And of course if the sensor is monitoring the internal network then it will monitor internal users connecting to the router, but won't monitor external users connecting to the router.

And if you have multiple interfaces, then the sensor will only monitor connections originating from the one side where it is monitoring.

If the failed logins are the only concern for you, then you may want to consider not using the sensor, but instead simply using a syslog server. Point the router to send it's syslogs to the syslog server and search for failed login messages in the resulting syslogs.

ewieczorek Wed, 07/02/2003 - 11:03
User Badges:

Thank you for this reply.

That explains my problem...

"ensure that the sensor is monitoring the network between the telnet client and the router"


This Discussion