Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Bronze

Possible to construct an alarm to look for oversized DNS?

Let me begin by stating that I am running Cisco IDS Version 4.1(5)S190 on an IDS-4235 sensor...

I have a requirement to identify any UDP port 53 traffic emanating from my network where the overall UDP packet size exceeds 1024 bytes.

I’ve tried to use the “MinUDPLength” variable field in the Atomic.UDP engine to define the minimum length, but I found out the hard way that this would give me any packets that were less than 1024 bytes in length. Needless to say, I swamped myself with useless alerts...

Anyway, is there anyway to accomplish the task using the signature engines available to a Cisco IDS/IPS end-user, or am I looking at asking Cisco for a new signature?

Here’s the parameters the signature must cover:

Protocol - UDP

Severity – HIGH

AlarmThrottle – FireAll

Criteria – UDP packet with length is greater than 1024 bytes (current variables in Atomic.UDP don’t let me look for this)

SrcIpAddr - X.Y.0.0

SrcIpMask - 255.255.0.0

SrcPort – 53

Any suggestions?

TIA,

Alex Arndt

3 REPLIES
New Member

Re: Possible to construct an alarm to look for oversized DNS?

Alex,

Our suggestion for Cisco IDS Version 4.1 applications would be to investigate using the string.udp engine. For 5.x applications, an engine such as atomic-ip may be a better choice.

Try using string.udp with the following parameters:

Direction - From Service

EndMatchOffset - 1025

* You may have to tune this parameter to get the exact desired result. But initially setting this value to 1025 should select the 1025th byte for inspection, meaning anything over 1024 would match the RegEx below.

RegexString - [\x00-\xFF]

* What we are doing here is saying "match anything" at the first byte after 1024 bytes into the packet in combination with the EndMatchOffset parameter value above.

ServicePorts - 53

You could also use MinMatchLength as an alternative, but this would require the use of a RegEx with a wildcard match such as ".*" or similar that could be resource intensive.

Please feel free to let us know if this works as expected for your application, and if you have any other questions.

Al Roethlisberger

IPS Signature Development Team

Bronze

Re: Possible to construct an alarm to look for oversized DNS?

Awesome! Thank you very much.

I'll try it out and provide some feedback as soon as possible/practical.

Alex Arndt

Bronze

Re: Possible to construct an alarm to look for oversized DNS?

I tried what you suggested. Unfortunately, I am not getting the expected results. Upon deployment, I was inundated with alarms, all apparently containing normal DNS activity that was much smaller than the >1024 bytes I want.

Before making the post, I modified the EndMatchOffset value in the signature from the suggested 1025 bytes to 1032 bytes, just to see if it had an impact. The short answer is yes. It reduced the number of alarms I've received, but the ones I'm getting still appear to be much smaller than anticipated.

I've attached some sample alarms for you to look at, just so you can see that the DNS activity collected. I built the alarm with the PacketCapture variable set to "true" to help with troubleshooting, so you'll se that those packets that triggered the alarm and quickly see that they are too small.

Please let me know if you have any suggestions...

TIA,

Alex Arndt

117
Views
0
Helpful
3
Replies