Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
5
Replies

IDSM2 "Scanning"special packets

1cschmidt
Level 1
Level 1

‎10-21-2005 01:11 AM - edited ‎03-10-2019 01:42 AM

I have the following question:

I need to configure an IDSM2-Sensor in a slightly different way. A special (allowed) traffic eg tcp xyz is passing the switch through access list. All othe traffic is denied by default. This special traffic has to be “scanned” by the IDSM.

Is it possible for the Sensor to “learn” the content type of this traffic for a later alarming in case of an anomaly in these packets?

I know it sounds strange, but our customer has very special requirements regarding security to this traffic…

Thanks in advance

chris

Labels:
0 Helpful
5 Replies 5

smalkeric
Level 6
Level 6

‎10-26-2005 11:57 AM

I am not sure, i think it is not possible to scan a special packets and filter. If you have FWSM with IDSM@ module in your hardware, you can filter using this modules.

0 Helpful

jlimbo
Level 1
Level 1

‎10-26-2005 03:43 PM

The IDSM cannot learn the payload dynamically at this time. The best thing is to create a set of custom signatures to ensure the integrity of the payload.

So for example if you expect an application header of "blah: request", then you can create a signature for this in STRING.TCP: [Bb][Ll][Aa][Hh][:]

The more details you know about the application and its format structure the better you can use the sensor to ensure normality within the application stream through signatures.

I hope that helps.

0 Helpful

1cschmidt
Level 1
Level 1
In response to jlimbo

‎10-26-2005 10:08 PM

Thats exactly the way I thought to go...

But: Let's say the "correct" application content is blah and I created a signature for this. (I've done this so far and it works!).

Is it possible to "invert" the signature to send an alarm/info if the content is not blah?

0 Helpful

jlimbo
Level 1
Level 1
In response to 1cschmidt

‎10-27-2005 04:24 PM

Yes, that statement is actually quite often used. So how you can do it is to negate a character class. For example: [^blah]

Be careful of this statement as it can false positive, there are a lot of packets which are not "blah". Key thing is to identify what protocol it is, then to look at the integrity of the application stream.

So for example you may match the application header with one part of the signature, for eg: [Bb][Ll][Aa][Hh]

Then the second part of the signature to match for something which is not a valid operating function. Let us say the operations are "start" and "stop"

so the sig may look like:

[Bb][Ll][Aa][Hh]:[ ][ ]([^Ss][^Tt][^Aa][^Rr][^Tt]|[^Ss][^Tt][^Oo][^Pp])

Hope that helps.

0 Helpful

1cschmidt
Level 1
Level 1
In response to jlimbo

‎10-27-2005 10:34 PM

Thanks for your reply!

I will figure this out...

So far I just did the initial setup and now I have to learn the Application and its protocols.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card