I am trying to build a custom signature for detecting non-SSL traffic on a specific SSL port (let's say tcp/443). This has to do with CONNECT tunnels through an HTTP proxy. Conceptually, it's not a complicated idea. Whether or not it can technically be done effectively with the Cisco IPS I don't know.
It seems that very early in every SSL connection, there is an SSL "client hello" message (SYN, SYN/ACK, ACK, CLIENT HELLO). There are two relevant record formats, SSLv2 and SSLv2/TLS. I would like to create a signature that fires when it DOES NOT see the client hello message very early in a given TCP session. I would want the signature to only need to check the very first n packets of any given TCP session (n = max size of connection establishment + max size of client hello packet). Has anyone created such a beast or willing to help? Here are a couple packets.
SSLv3 Client Hello
0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
0010 00 8e 33 b8 40 00 3e 06 94 16 ce c3 c3 6c 40 22 ..3.@.>......l@"
I hadn't really thought of that, but I expect my IPS to do that anyway;-) I'm no TCP or SSL expert, but I don't see how during the "SSL handshake" process packets could get out of order. Every step seems to have a dependency on the previous. After the handshake is done, all bets are off.
>>2) To determine that happen at the very beginning of the connection
I don't know what to call it. It just seems like something a modern IPS ought to be able to do. Maybe none of them can though? I'm looking into how this might be done with Snort at the moment.
>>3) fire when the traffic doesn't match with the signature.
That's not exactly what I'm trying to do. I'm trying to create a signature that looks for traffic that does not match a specific regular expression pattern. For example, to "alert" on all lines in /etc/password that don't start with r:
I'm trying to say I think it's impossible to make a signature in the Cisco IPS to fire the way you want because of the difficulties I mention.
I think your idea is perfect.
Every IDS would have to detect this kind of behavior.
I mean if the sensor (or firewall) has the capability to permit only 3-way-handshake TCP connections (a well-known traffic pattern) you prevent a lot of attacks like FIN sweeps or Xmas attacks (at least in the very beginning of the connection) and save a lot of signatures for detecting abnormal traffic.
I think it would not be complicated. You only need to make a Meta signature with atomic signatures like syn, syn-ack, ack, and hello packet and permit it to fire if the traffic doesn't match.
Perhaps Cisco will add this feature in a next version :)
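The check the thread is circling around (look only at the start of a TCP session on a TLS port, and flag it when the first client data is not an SSLv2 or SSLv3/TLS ClientHello) is small enough to write out. The following is an added example, not code from the thread, from Cisco IPS or from Snort; it assumes packets are fed in as ordered (from_client, payload) pairs, and every sample payload in it is constructed, not captured traffic.

```python
"""Added example (not from the thread): classify the first client-to-server
bytes of a TCP session as an SSLv2 ClientHello, an SSLv3/TLS ClientHello, or
"not a client hello" (the condition the thread wants an alert on).
Sample payloads below are constructed, not captured."""
import struct

# Enough bytes to cover either record header plus the ClientHello header;
# a real signature would likewise only inspect the start of the stream.
HELLO_PROBE_BYTES = 64


def is_sslv3_tls_client_hello(payload):
    """SSLv3/TLS record: type 0x16 (handshake), version 3.x, 16-bit length;
    then a handshake header: type 0x01 (client_hello), 24-bit length."""
    if len(payload) < 9:
        return False
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16 or vmaj != 0x03 or vmin > 0x03:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # Handshake header (4 bytes) plus body must fit inside the record.
    return hs_type == 0x01 and hs_len + 4 <= rec_len


def is_sslv2_client_hello(payload):
    """SSLv2 record: 2-byte header with the high bit set and a 15-bit length;
    the body starts with message type 0x01 (CLIENT-HELLO) and a version."""
    if len(payload) < 11:
        return False
    if not payload[0] & 0x80:
        return False
    rec_len = ((payload[0] & 0x7F) << 8) | payload[1]
    # Fixed CLIENT-HELLO part: type(1) + version(2) + three 16-bit lengths(6).
    return payload[2] == 0x01 and rec_len >= 9


def classify_payload(payload):
    if is_sslv3_tls_client_hello(payload):
        return "sslv3_tls_client_hello"
    if is_sslv2_client_hello(payload):
        return "sslv2_client_hello"
    return "not_client_hello"


def first_client_bytes(packets, limit=HELLO_PROBE_BYTES):
    """packets: ordered (from_client, payload) pairs for one session, with
    empty payloads for SYN/SYN-ACK/ACK. Returns at most `limit` bytes of the
    client's first data, so the decision is bounded to the session start."""
    buf = b""
    for from_client, payload in packets:
        if from_client and payload:
            buf += payload
            if len(buf) >= limit:
                break
    return buf[:limit]


def session_alert(packets):
    """True when the first client data on the session is not a ClientHello,
    None when no client data has been seen yet (cannot decide either way)."""
    data = first_client_bytes(packets)
    if not data:
        return None
    return classify_payload(data) == "not_client_hello"


# ---- constructed sample payloads ----
def build_tls_client_hello():
    # version 3.3, 32 zero bytes of random, empty session id, one cipher suite,
    # null compression; lengths are computed so the headers are consistent.
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02" + b"\x00\x2f"
            + b"\x01" + b"\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_sslv2_client_hello():
    # CLIENT-HELLO offering version 3.1, one 3-byte cipher spec, 16-byte challenge.
    body = (b"\x01\x03\x01" + b"\x00\x03" + b"\x00\x00" + b"\x00\x10"
            + b"\x00\x00\x2f" + b"\x00" * 16)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def sample_session(client_payload):
    # SYN, SYN/ACK, ACK carry no payload; then the client's first data segment.
    return [(True, b""), (False, b""), (True, b""), (True, client_payload)]


if __name__ == "__main__":
    for name, p in [("tls", build_tls_client_hello()),
                    ("sslv2", build_sslv2_client_hello()),
                    ("http", PLAIN_HTTP)]:
        print(name, classify_payload(p), "alert:", session_alert(sample_session(p)))
```

The two header checks are the atomic pieces a meta-signature would combine; session_alert is the "fire when it does not match" step, and it deliberately returns None rather than alerting while no client data has arrived, since a session that has only completed the three-way handshake has not yet failed the check. A record split across two small segments is handled by concatenating client data up to the probe limit.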