Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

IDS custom signature and connection reset

Test bed configuration consists of Catalyst 6500 and 4255 IDS vith SW version 6.0. The traffic is captured using VLAN capture feature and send to the sensing interface Gi0/0 on IDS. The reset interface is Gi0/3, connected back to the Cat6K.

Vlan 140 with IP interface is defined on the switch. There is a host connected to that Vlan. A custom signature defines that telnet to that host is not legal and the reset action is defined IDS.

When the telnet is started to that host from anywhere in the network, the connection is reset. BUT the event counter gone mad constantly increasing.

What we suspect to happen is that the reset packet from IDS that is destined for te secured host, triggers the event again what causes new resets. It is some kind of a loop situation.

Is there any feature or technique to overcome such situation ?

IDS should recognize its own reset packets !

Thanks for any hint.

Best regards

Metod Platise


Re: IDS custom signature and connection reset

You need to write your custom signature so it triggers on more than an IP address and port number. Try triggering on SYN or ACK (if telnet is really enabled on the host).

New Member

Re: IDS custom signature and connection reset

Agreed with rhermes solutions try to create custom signature wih IP and port number.

New Member

Re: IDS custom signature and connection reset

Thank you for ideas.

In fact, any traffic to that host except specific application is not permited.

Just IP and port would not suffice, because the reset would contain both parameters.

We mada a workaround applying port ACL on the switch where IDS reset interface is connected ( IOS version ...XH)and filter reset packets to that host.




Re: IDS custom signature and connection reset

You didn't provide the details on the custom sig. You might try an atomic IP signature. layer 4 protocol = tcp. tcp flags = SYN. tcp mask = Ack|Fin|Psh|Rst|Syn|Urg. destination port = 23. specify ip address = .

This should only fire on the initial SYN packet and the RST packets won't match.

CreatePlease to create content