Cisco IPS - Condition for TCP null packet

Shadowknight14
Level 1

What are the conditions for this event to trigger? Does it trigger even if there is one packet without any of the flags SYN, ACK, FIN, RST, or if there are 10 in 50 packets without the flags set?


Shadowknight14
Level 1

Benign trigger states:

This alarm may fire if large amounts of random network traffic are transmitted across the network, such as during a denial of service attack. To reduce the number of unverifiable alarms being generated, this signature will begin throttling the creation of new alarms if more than one event of this type is detected per second. The first alarm will be sent, but all subsequent alarms will be summarized and periodically reported. The summarization alarm will report NULL IP addresses / port numbers and will contain this message in the data field: "Global Summary: XX alarms this interval", where XX is the number of alarms received and summarized.

shepp
Level 1

Hello Shadowknight14,

I presume you are talking about Cisco IPS signature 3040-0?
Essentially, that signature is defined as

atomic-ip/fragment-status : no-fragments
atomic-ip/l4-protocol/tcp/dst-port : 1-1024
atomic-ip/l4-protocol/tcp/tcp-flags:
atomic-ip/l4-protocol/tcp/tcp-mask : urg|ack|psh|rst|syn|fin
alert-frequency/summary-mode/fire-once/global-summary-threshold : 200
alert-frequency/summary-mode/fire-once/summary-interval : 30

If you look at the Atomic-IP section of http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html#6 you'll see the description of the tcp-flags and tcp-mask parameters.

The flags in the packet are compared for equality to the tcp-flags & tcp-mask,
so the above is
    tcp-flags 000000
and tcp-mask  111111
    ----------------
              000000

so if your packet does not have 000000 for its flags, it won't trigger the packet.

In English, sig 3040-0 is going to fire on any TCP packets destined to the privileged ports 1-1024 but lacking all 6 TCP flags.

The summary settings mean that it will fire up to 1 time per 30 seconds per attacker (until it hits the global summary threshold of 200 events, at which time you switch to global-summary mode which summarizes all attackers once per interval).
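To make the masked flag comparison and the per-attacker throttling described above concrete, here is an added Python model; it is not Cisco code and not from this thread. Packet, flags_match, sig_3040_matches and FireOnceSummary are hypothetical names, and the throttling is a simplified reading of the fire-once summary settings, not the sensor's exact algorithm.

```python
from dataclasses import dataclass, field
from typing import Optional

# TCP flag bits in header order; tcp-mask urg|ack|psh|rst|syn|fin selects all six.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
TCP_MASK = URG | ACK | PSH | RST | SYN | FIN   # 0b111111
TCP_FLAGS = 0                                  # empty tcp-flags value: every masked bit clear

@dataclass
class Packet:          # constructed minimal packet model (hypothetical), not a real decoder
    src: str
    dst_port: int
    flags: int         # full 8-bit TCP flags byte (CWR/ECE bits included)
    fragmented: bool = False

def flags_match(pkt_flags: int, tcp_flags: int, tcp_mask: int) -> bool:
    """atomic-ip semantics: only bits set in tcp-mask are compared, for equality."""
    return (pkt_flags & tcp_mask) == (tcp_flags & tcp_mask)

def sig_3040_matches(pkt: Packet) -> bool:
    """All three atomic-ip conditions of 3040-0 must hold for a single packet."""
    return (not pkt.fragmented
            and 1 <= pkt.dst_port <= 1024
            and flags_match(pkt.flags, TCP_FLAGS, TCP_MASK))

@dataclass
class FireOnceSummary:
    """Simplified fire-once summary mode (assumption): one alert per attacker per
    interval; past global-summary-threshold events in an interval, only a global summary."""
    interval: int = 30
    threshold: int = 200
    window_start: float = 0.0
    seen: set = field(default_factory=set)
    count: int = 0

    def observe(self, pkt: Packet, now: float) -> Optional[str]:
        """Return the alert text for this packet, or None if it is suppressed."""
        if not sig_3040_matches(pkt):
            return None
        if now - self.window_start >= self.interval:   # new interval: reset state
            self.window_start, self.seen, self.count = now, set(), 0
        self.count += 1
        if self.count > self.threshold:
            return None                 # global-summary mode: reported once per interval
        if pkt.src in self.seen:
            return None                 # already fired for this attacker this interval
        self.seen.add(pkt.src)
        return f"3040-0 TCP NULL from {pkt.src} -> dst port {pkt.dst_port}"

    def interval_summary(self) -> str:
        return f"Global Summary: {self.count} alarms this interval"
```

Note that a packet with only the CWR/ECE bits set still matches, because those bits lie outside the six-bit mask.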
