Cisco Support Community

New Member

IDSM2 "Scanning" special packets

I have the following question:

I need to configure an IDSM2-Sensor in a slightly different way. A special (allowed) traffic, e.g. tcp xyz, is passing the switch through an access list. All other traffic is denied by default. This special traffic has to be "scanned" by the IDSM.

Is it possible for the Sensor to “learn” the content type of this traffic for a later alarming in case of an anomaly in these packets?

I know it sounds strange, but our customer has very special requirements regarding security to this traffic…

Thanks in advance

chris

5 REPLIES
Silver

Re: IDSM2 "Scanning" special packets

I am not sure, I think it is not possible to scan special packets and filter. If you have FWSM with IDSM2 module in your hardware, you can filter using these modules.

New Member

Re: IDSM2 "Scanning" special packets

The IDSM cannot learn the payload dynamically at this time. The best thing is to create a set of custom signatures to ensure the integrity of the payload.

So for example if you expect an application header of "blah: request", then you can create a signature for this in STRING.TCP: [Bb][Ll][Aa][Hh][:]

The more details you know about the application and its format structure the better you can use the sensor to ensure normality within the application stream through signatures.

I hope that helps.

New Member

Re: IDSM2 "Scanning" special packets

That's exactly the way I thought to go...

But: Let's say the "correct" application content is blah and I created a signature for this. (I've done this so far and it works!).

Is it possible to "invert" the signature to send an alarm/info if the content is not blah?

New Member

Re: IDSM2 "Scanning" special packets

Yes, that statement is actually quite often used. So how you can do it is to negate a character class. For example: [^blah]

Be careful of this statement as it can false-positive; there are a lot of packets which are not "blah". The key thing is to identify what protocol it is, then to look at the integrity of the application stream.

So for example you may match the application header with one part of the signature, e.g.: [Bb][Ll][Aa][Hh]

Then the second part of the signature to match for something which is not a valid operating function. Let us say the operations are "start" and "stop"

So the sig may look like:

[Bb][Ll][Aa][Hh]:[ ][ ]([^Ss][^Tt][^Aa][^Rr][^Tt]|[^Ss][^Tt][^Oo][^Pp])

Hope that helps.
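As an added illustration (not from the thread or from Cisco), the following Python models the two ways of expressing "header present, but operation is not start/stop": the negated-character-class signature posted above, and an allowlist check that extracts the operation token and alerts on anything not exactly known-good. Python's `re` stands in for the sensor's signature engine, which is not modelled here; the payloads are constructed samples.

```python
import re

# The signature from the thread. Negated classes match one character each, so
# this branch pair only fires when NO positional character coincides with
# "start"/"stop"; any bad operation beginning with 's' slips through.
POSTED_SIG = re.compile(
    r"[Bb][Ll][Aa][Hh]:[ ][ ]([^Ss][^Tt][^Aa][^Rr][^Tt]|[^Ss][^Tt][^Oo][^Pp])"
)

# Allowlist approach: anchor on the application header, pull out the operation
# token, and treat anything that is not an exact allowed operation as anomalous.
HEADER = re.compile(r"^blah:  (\S*)\s*$", re.IGNORECASE)
ALLOWED_OPS = {"start", "stop"}


def posted_sig_alerts(payload: str) -> bool:
    """True if the negated-character-class signature from the thread fires."""
    return POSTED_SIG.search(payload) is not None


def allowlist_alerts(payload: str) -> bool:
    """True unless the payload is exactly '<header> <allowed operation>'."""
    m = HEADER.match(payload)
    if m is None:
        return True  # header missing or malformed: anomalous by definition
    return m.group(1).lower() not in ALLOWED_OPS


def compare(payloads):
    """Map each payload to (posted signature alerts?, allowlist alerts?)."""
    return {p: (posted_sig_alerts(p), allowlist_alerts(p)) for p in payloads}


# Constructed sample payloads, not captured traffic.
SAMPLES = [
    "blah:  start",    # valid operation: neither approach alerts
    "blah:  stop",     # valid operation: neither approach alerts
    "blah:  reboot",   # unknown operation: both approaches alert
    "blah:  sxart",    # bad op starting with 's': posted regex misses it
    "blah:  stopall",  # bad op extending an allowed word: posted regex misses it
    "blah:  st",       # truncated op, too short for either branch: posted regex misses it
]

if __name__ == "__main__":
    for payload, (posted, allow) in compare(SAMPLES).items():
        print(f"{payload!r:20} posted_sig={posted!s:5} allowlist={allow}")
```

The false negatives in the last three samples are why a signature that enumerates the valid operations (and alerts on everything else) is the safer way to carry the "not blah" idea into production.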

New Member

Re: IDSM2 "Scanning" special packets

Thanks for your reply!

I will figure this out...

So far I just did the initial setup and now I have to learn the Application and its protocols.
