
New Member

CTR Detection Issues

Hi,

CTR detects unpatched Windows 2k systems as XP RC1 and doesn't detect Red Hat Version 7.3 using the NMAP ID technique.

The workaround is to statically map the systems in protected systems, but has anyone else noticed this?

4 REPLIES
New Member

Re: CTR Detection Issues

Hi,

I am not seeing this at all. Can you give me some more information on exactly what the Forensic Log is giving you?

When conducting an Operating System Detection against an unpatched Windows 2000 I get the following:

Alarm ID (1557761): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Windows Millennium Edition (Me), Win 2000, or WinXP which happens to be affected by this event type.

As far as the Red Hat Version 7.3 I get the following:

Alarm ID (1557892): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Linux Kernel 2.4.0 - 2.4.18 (X86) which happens to be affected by this event type.

Thanks

Chad R. Skipper

New Member

Re: CTR Detection Issues

Hi,

Do you get the same results with the systems not defined as protected systems and with an intervening firewall?

How exactly does the ID technique work, as I get "unable to determine OS" messages or the OS IDs as stated above?

New Member

Re: CTR Detection Issues

Hi,

Good question.

The results that I get are with the systems defined and NOT defined as protected systems, however there is NOT an intervening firewall. Most likely your firewall is blocking the nmap scans. Most if not all firewalls will block this kind of nmap scanning. This would cause the problems you are seeing.

Since there is a FW between CTR and your protected systems you will not get accurate OS mappings. For the best placement of CTR and to obtain accurate OS mappings, CTR should be placed on the same segment as your protected systems. If this is not feasible then you will need to define each system in the Protected Systems tab and associate the appropriate OS.

If Threat Response is separated from your IDS sensors or RealSecure event collectors by a firewall, you must open the ports, as listed in Firewall Settings.

Firewall Settings For...   Ports...
Cisco Secure IDS           UDP 45000
ISS RealSecure             TCP 1433
Threat Response            TCP 443 and TCP 3306 (if the browser and Threat Response system are separated by a firewall)

I hope this helps.

Chad R. Skipper
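As an added example (not code from the thread or from Cisco), the Forensic Log alarms quoted above can be parsed to separate confirmed OS identifications from hosts whose OS could not be determined, which are the ones that need a static Protected Systems mapping. The "unable to determine OS" line format is an assumption, since the thread mentions the message but does not quote it.

```python
import re

# Pattern for the "Confirmed match" alarms quoted in the thread.
CONFIRMED_RE = re.compile(
    r"Alarm ID \((?P<id>\d+)\): Operating System Detection changed severity to "
    r"(?P<severity>\w+): (?P<category>.+?) and status to (?P<status>.+?) "
    r"because OS was identified as (?P<os>.+?) which happens to be affected"
)
# Assumed shape of the "unable to determine OS" message; the thread mentions
# the message but does not quote it, so this format is constructed.
UNDETERMINED_RE = re.compile(
    r"Alarm ID \((?P<id>\d+)\): Operating System Detection: unable to determine OS"
)

def parse_alarm(line):
    """Return a dict for one Forensic Log line, or None if it is not an OS detection alarm."""
    m = CONFIRMED_RE.search(line)
    if m:
        alarm = m.groupdict()
        alarm["determined"] = True
        return alarm
    m = UNDETERMINED_RE.search(line)
    if m:
        return {"id": m.group("id"), "os": None, "determined": False}
    return None

def summarize(lines):
    """Count determined vs. undetermined OS identifications and collect the alarm IDs
    that will need a static Protected Systems mapping (the thread's workaround)."""
    summary = {"determined": 0, "undetermined": 0, "needs_static_mapping": [], "os_seen": []}
    for line in lines:
        alarm = parse_alarm(line)
        if alarm is None:
            continue  # not an OS detection alarm
        if alarm["determined"]:
            summary["determined"] += 1
            summary["os_seen"].append(alarm["os"])
        else:
            summary["undetermined"] += 1
            summary["needs_static_mapping"].append(alarm["id"])
    return summary

# Constructed sample log: the two alarms quoted in the thread, one assumed
# "unable to determine OS" line, and one unrelated line that should be ignored.
SAMPLE_LOG = [
    "Alarm ID (1557761): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Windows Millennium Edition (Me), Win 2000, or WinXP which happens to be affected by this event type.",
    "Alarm ID (1557892): Operating System Detection changed severity to Warning: Attack Targets Platform and status to Attack targets platform (Confirmed match) because OS was identified as Linux Kernel 2.4.0 - 2.4.18 (X86) which happens to be affected by this event type.",
    "Alarm ID (1557900): Operating System Detection: unable to determine OS",
    "Alarm ID (1557901): Some unrelated signature alarm (constructed)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```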

New Member

Re: CTR Detection Issues

Hi,

Thanks for your response. We are developing a service provider solution on a per customer basis.

I suspected as much. Firewalls do block certain types of packets that NMAP uses to ID systems, even with full access from the CTR box allowed, and this is what I suspected is causing the problem.

In an environment with multiple DMZs it seems the best option is to use static mappings.

Since we are using RDEP only, we don't need UDP 45000.
