New Member

Custom Sig Atomic.tcp Not Consistent

Below is the custom signature I created to catch rogue SMTP engines on my network. Many of the alarms do not have DST/SRC ports or IPs. About 10% of the alarms have correct information. Am I missing something in my custom sig? After applying this sig, my 4230 CPU utilization jumped to 15% from ~10% (not significant).

Sample (no dst port or ip): 5/4/2003 | 8:58:18 | OUT | OUT | 5|20005 | 64.65.243.202 | 0.0.0.0 | 3611 | 0 - Interval Summary: 1 of total 809 alarms

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine ATOMIC.TCP SIGID 20005

SigName: Proxy-Guzu (25)

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold = 100

4 - DstPort = 25

5 - FlipAddr =

6 - LimitSummary =

7 * Mask = =SYN

8 - MaxInspectLength =

9 - MinHits =

10 - PortRange =

11 - ResetAfterIdle = 15

12 - SigComment =

13 - SigName = Proxy-Guzu (25)

14 - SigStringInfo =

15 - SinglePacketRegex =

16 - SourcePorts =

17 - SrcPort =

18 * StorageKey = SRC

19 * TcpFlags = =SYN

20 - ThrottleInterval = 30

21 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

3 REPLIES
Bronze

Re: Custom Sig Atomic.tcp Not Consistent

Ok, this has a couple of problems. First, if you really only want to catch "rogue" SMTP servers, it would be better to look for SYN/ACK packets coming from port 25 instead of looking for a SYN to 25. This will tell you that a service is actually listening. Second, I'd use the SinglePacketRegex to look for a "220" pattern. This will better indicate an SMTP server. Lastly, don't forget to filter out your legitimate SMTP servers as sources. Try this signature:

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine ATOMIC.TCP SIGID 20000

SigName: Rogue SMTP Server

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold = 100

4 - DstPort =

5 - FlipAddr =

6 - LimitSummary =

7 * Mask = FIN | SYN | RST | PSH | ACK | URG

8 - MaxInspectLength =

9 - MinHits =

10 - PortRange =

11 - ResetAfterIdle = 15

12 - SigComment =

13 - SigName = Rogue SMTP Server

14 - SigStringInfo =

15 - SinglePacketRegex = 220

16 - SourcePorts =

17 - SrcPort = 25

18 * StorageKey = DUAL

19 * TcpFlags = SYN | ACK

20 - ThrottleInterval = 30

21 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

New Member

Re: Custom Sig Atomic.tcp Not Consistent

Thanks for your prompt reply, and let me get a little more specific about my objective. I'm actually looking for Trojans that have their own SMTP engine. Spammers are using PCs that have been compromised with these Trojans (i.e. Proxy-Guzu) to send out spam emails to whatever mail domain they choose. These engines are not necessarily listening for incoming mail.

New Member

Re: Custom Sig Atomic.tcp Not Consistent

Okay, it looks like your original problem is that you are receiving too many alarms and the alarms are then summarized. Summarized alarms do not contain specific information for each alarm because they represent many alarms. You will have to filter out all of your SMTP servers in order to get the alarm levels down so that the sensor does not summarize. From there you will find the specific information that you are looking for.
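The alarm line quoted in the original post and the summarization explained in the last reply, as an added example that is not part of the thread: a small Python triage script that parses alarms in that layout, drops the sanctioned relays the replies say to filter out, and separates detail alarms from summaries (whose destination and port the sensor has zeroed out). The field layout, the 10.0.0.x/192.0.2.x/198.51.100.x addresses and the three extra alarm lines are constructed assumptions, not sensor output.

```python
from dataclasses import dataclass
from typing import Optional

# Alarm layout assumed from the sample in the original post:
# date | time | intf | intf | sev | sigid | src | dst | sport | dport[ - Interval Summary: N of total M alarms]
SAMPLE_ALARMS = [
    # Quoted from the post: a summarized alarm, so dst and dport are zeroed out.
    "5/4/2003 | 8:58:18 | OUT | OUT | 5|20005 | 64.65.243.202 | 0.0.0.0 | 3611 | 0 - Interval Summary: 1 of total 809 alarms",
    # Constructed lines in the same layout (not from the page): two detail alarms
    # and one summary alarm from the site's sanctioned relay.
    "5/4/2003 | 8:58:20 | OUT | OUT | 5|20005 | 10.0.0.5 | 192.0.2.25 | 3622 | 25",
    "5/4/2003 | 8:58:21 | OUT | OUT | 5|20005 | 10.0.0.77 | 198.51.100.9 | 1041 | 25",
    "5/4/2003 | 8:58:48 | OUT | OUT | 5|20005 | 10.0.0.5 | 0.0.0.0 | 3650 | 0 - Interval Summary: 1 of total 120 alarms",
]
LEGIT_MTAS = {"10.0.0.5"}  # constructed placeholder for the sanctioned SMTP relay(s)

@dataclass
class Alarm:
    sig_id: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    summary_total: Optional[int]  # None for a detail alarm, total M for a summary alarm

def parse_alarm(line: str) -> Alarm:
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 10:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    sig_id, src, dst, sport, last = fields[5:]
    dport_text, _, trailer = last.partition("-")
    total = None
    if "Interval Summary" in trailer:
        total = int(trailer.split("of total", 1)[1].split()[0])  # "... of total 809 alarms" -> 809
    return Alarm(int(sig_id), src, dst, int(sport), int(dport_text), total)

def triage(lines, legit_mtas):
    # Drop sanctioned relays first (the replies' advice), then separate alarms that still
    # carry per-connection detail from summaries whose detail the sensor has already dropped.
    report = {"detail": 0, "summarized": 0, "alarms_represented": 0,
              "detail_sources": set(), "summarized_sources": set()}
    for line in lines:
        a = parse_alarm(line)
        if a.src in legit_mtas:
            continue
        kind = "detail" if a.summary_total is None else "summarized"
        report[kind] += 1
        report[kind + "_sources"].add(a.src)
        report["alarms_represented"] += a.summary_total or 1
    return report
```

Sources that only ever show up under "summarized_sources" are the ones whose connection detail is lost until the alarm rate drops below the summarization point.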
