Help with custom signature RegexString value!!!

ewieczorek
Level 1

Hello.

All the routers in my network are configured in a manner so that when I attempt a telnet connection, I have to enter in a username and password. If I type in my username incorrectly, the router returns the following message...

% Login invalid

All these routers have logging enabled and are sending messages to the IDS 4250.

I'm trying to create a custom signature so that when the router returns % Login invalid, my IDS will display a message within IEV.

With that said, what would the RegexString value look like for this??

Thank you!

5 Replies

pcomeaux
Cisco Employee

Maybe you could try:

%.Login.invalid

or

Login.invalid

where the . matches any character, hopefully including space.

Here's a regular expression reference from the IDS 4.0 docs:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swappa.htm#787101

peter

Peter:

Thanks for the link and the response.

I tried your two suggestions and they didn't work...

I also tried the following...

[/%][/ .*][Ll]ogin[/ .*]invalid

That didn't work either unfortunately.

Any other ideas!?!?

Thanks for your help!

Try this one:

[\%][ .*][Ll]ogin[ .*]invalid

Hope it helps!

marcabal
Cisco Employee

Just a side comment for you.

You say that the routers have logging enabled and sending messages to the IDS 4250.

What this generally means is that the syslog messages are being sent to the sensor. The sensor will then look for a few specific syslog messages that are created when an ACL denies a packet. If you have the sensor configured to alarm when those syslog messages are seen for the specific ACL, then the sensor will generate an alert.

There has been some confusion from users thinking that the sensor is able to analyze other syslog messages from the router (like invalid login messages).

In your scenario it is irrelevant that the router is sending syslog messages to the sensor, because the sensor won't look for syslog messages about failed logins.

What you have to do is ensure that the sensor is monitoring the network between the telnet client and the router. The sensor will need to sniff the packets from the telnet client to the router, and from the router back to the telnet client.

Then you configure the sensor to fire on a regular expression like "[Ll]ogin [Ii]nvalid" (or one of the other suggested regular expressions) when it is seen coming FROM the telnet server.

NOTE: By default the sensor will look for the regular expression on connections To the server; you will need to make sure you change the direction on the alarm to be From Service.

Additionally you will need to pay particular attention on where the sniffing interface of the sensor is deployed. If the sensor is monitoring the network off of the external interface of the router, then it will only monitor connections from the external network trying to connect to the router. It will not monitor users connecting from the internal network to the router.

And of course if the sensor is monitoring the internal network then it will monitor internal users connecting to the router, but won't monitor external users connecting to the router.

And if you have multiple interfaces, then the sensor will only monitor connections originating from the one side where it is monitoring.

If the failed logins are the only concern for you, then you may want to consider not using the sensor, but instead simply using a syslog server. Point the router to send its syslogs to the syslog server and search for failed login messages in the resulting syslogs.
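Added example, not part of the thread: a quick Python check of the regular expressions proposed in the replies above (pcomeaux's two suggestions, the poster's attempt, the fourth reply and marcabal's) against the router's "% Login invalid" banner, plus a toy model of the direction setting marcabal describes. It assumes Python's `re` handles these constructs the same way the sensor's RegexString engine does, and the telnet exchange below is constructed for the example, not captured traffic.

```python
import re

# Constructed sample: the text the router returns after a bad username, as quoted in the thread.
ROUTER_REPLY = "% Login invalid"

# Regular expressions proposed in the thread. Python's `re` stands in for the sensor's
# RegexString engine here (assumption: the two treat these constructs the same way).
CANDIDATES = {
    "pcomeaux-1": r"%.Login.invalid",
    "pcomeaux-2": r"Login.invalid",
    "ewieczorek": r"[/%][/ .*][Ll]ogin[/ .*]invalid",
    "reply-4":    r"[\%][ .*][Ll]ogin[ .*]invalid",
    "marcabal":   r"[Ll]ogin [Ii]nvalid",
}


def check_candidates(text=ROUTER_REPLY):
    """Return {label: bool} telling whether each proposed regex matches `text`."""
    return {label: re.search(pattern, text) is not None
            for label, pattern in CANDIDATES.items()}


# Constructed telnet exchange as a sniffing sensor would see it, one record per direction
# change. "to_service" is client -> router, "from_service" is router -> client.
TELNET_SESSION = [
    ("from_service", "Username: "),
    ("to_service",   "someuser\r\n"),
    ("from_service", "Password: "),
    ("to_service",   "notmypassword\r\n"),
    ("from_service", "% Login invalid\r\n\r\nUsername: "),
]


def fire_alerts(session, pattern, direction="to_service"):
    """Payloads that would trigger a string signature with the given RegexString.

    `direction` models the signature's direction setting. The thread notes the default
    inspects traffic To the service, so a banner sent by the router is never examined
    unless the signature is switched to From Service.
    """
    rx = re.compile(pattern)
    return [payload for d, payload in session if d == direction and rx.search(payload)]


if __name__ == "__main__":
    # Every proposed pattern matches the banner: the regex was never the problem.
    print(check_candidates())
    # Default direction sees only the client's keystrokes, so nothing fires.
    print("To Service:  ", fire_alerts(TELNET_SESSION, CANDIDATES["marcabal"]))
    # Switching the direction exposes the router's reply to the pattern.
    print("From Service:", fire_alerts(TELNET_SESSION, CANDIDATES["marcabal"], "from_service"))
```

The point the script makes is the one marcabal makes in prose: all of the proposed expressions match the string, so if the alarm is silent, look at where the sensor is sniffing and which direction the signature inspects, not at the regex.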

Thank you for this reply.

That explains my problem...

"ensure that the sensor is monitoring the network between the telnet client and the router"
