CTR Detection Issues

ishah
Level 1

Hi,

CTR detects Unpatched windows 2k systems as XP RC1 and doesn't detect Red Hat Version 7.3 using the NMAP ID technique.

The workaround is to statically map the systems in Protected Systems, but has anyone else noticed this?

4 Replies

cskipper
Level 1

Hi,

I am not seeing this at all. Can you give me some more information on exactly what the Forensic Log is giving you?

When conducting an Operating System Detection against an unpatched Windows 2000 I get the following:

Alarm ID (1557761): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Windows Millennium Edition (Me), Win 2000, or WinXP which happens to be affected by this event type.

As far as the Red Hat Version 7.3 I get the following:

Alarm ID (1557892): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Linux Kernel 2.4.0 - 2.4.18 (X86) which happens to be affected by this event type.

Thanks

Chad R. Skipper
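To compare what CTR logs against what a host really runs, it helps to pull the alarm ID, status and identified OS out of the Forensic Log lines quoted above. The parser below is an added example, not CTR code: the two sample lines are the ones from this reply, the third is a constructed, hypothetical "unable to determine OS" line (the real wording of that message is not shown in this thread).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pattern for the "Operating System Detection" lines quoted in this thread.
ALARM_RE = re.compile(
    r"Alarm ID \((?P<alarm_id>\d+)\): Operating System Detection changed severity to "
    r"(?P<severity>[^:]+): Attack Targets Platform and status to (?P<status>.+?) "
    r"because OS was identified as (?P<os>.+?) which happens to be affected by this event type\."
)
# Assumed shape of the "unable to determine OS" message; the exact text is not on the page.
UNKNOWN_RE = re.compile(
    r"Alarm ID \((?P<alarm_id>\d+)\): Operating System Detection unable to determine OS"
)

@dataclass
class OsDetection:
    alarm_id: int
    severity: Optional[str]
    status: Optional[str]
    os: Optional[str]  # None when the nmap fingerprint failed

def parse_alarm(line: str) -> Optional[OsDetection]:
    """Parse one Forensic Log line; return None if it is not an OS detection line."""
    m = ALARM_RE.search(line)
    if m:
        return OsDetection(int(m["alarm_id"]), m["severity"].strip(),
                           m["status"].strip(), m["os"].strip())
    m = UNKNOWN_RE.search(line)
    if m:
        return OsDetection(int(m["alarm_id"]), None, None, None)
    return None

def fingerprint_report(lines):
    """Return (alarm_id -> identified OS, [alarm_ids that need a static OS mapping])."""
    matched, unresolved = {}, []
    for line in lines:
        d = parse_alarm(line)
        if d is None:
            continue
        if d.os is None:
            unresolved.append(d.alarm_id)
        else:
            matched[d.alarm_id] = d.os
    return matched, unresolved

# Constructed sample: the two lines quoted in this reply plus one hypothetical failure.
SAMPLE_LOG = [
    "Alarm ID (1557761): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Windows Millennium Edition (Me), Win 2000, or WinXP which happens to be affected by this event type.",
    "Alarm ID (1557892): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Linux Kernel 2.4.0 - 2.4.18 (X86) which happens to be affected by this event type.",
    "Alarm ID (1557900): Operating System Detection unable to determine OS",
]
```

Alarm IDs that land in the unresolved list are the hosts to define under the Protected Systems tab with an explicit OS.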

Hi,

Do you get the same results with the systems not defined as protected systems and with an intervening firewall?

How exactly does the ID technique work? I get "unable to determine OS" messages or the OS IDs as stated above.

Hi,

Good question.

The results that I get are with the systems defined and NOT defined as protected systems, however there is NOT an intervening firewall. Most likely your firewall is blocking the nmap scans. Most if not all firewalls will block this kind of nmap scanning. This would cause the problems you are seeing.

Since there is a FW between CTR and your protected systems you will not get accurate OS mappings. For the best placement of CTR and to obtain accurate OS mappings, CTR should be placed on the same segment as your protected systems. If this is not feasible then you will need to define each system in the Protected Systems tab and associate the appropriate OS.

If Threat Response is separated from your IDS sensors or RealSecure event collectors by a firewall, you must open the ports, as listed in Firewall Settings.

Firewall Settings For...   Ports...
Cisco Secure IDS           UDP 45000
ISS RealSecure             TCP 1433
Threat Response            TCP 443 and TCP 3306 (if the browser and Threat Response system are separated by a firewall)

I hope this helps.

Chad R. Skipper

Hi,

Thanks for your response. We are developing a service provider solution on a per customer basis.

I suspected as much. Firewalls do block certain types of packets that NMAP uses to ID systems even with full access from the CTR box allowed and this is what I suspected is causing the problem.

In an environment with multiple DMZs it seems the best option is to use static mappings.

Since we are using RDEP only, we don't need UDP 45000.
