
New Member

Custom Sig to Alarm on a Specific IP

Hello All,

I have a Windows 2K server that was compromised recently and I know the bad guy's IP address. Is there a way to configure my 4230 to alert using a custom signature when the bad guy's IP address enters my network? Any help will greatly be appreciated. Thanks

5 REPLIES
Bronze

Re: Custom Sig to Alarm on a Specific IP

Here's a possible solution. Be forewarned though. Using this technique will likely cause a significant performance impact to your sensor. First, create a custom signature that looks like this:

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine ATOMIC.L3.IP SIGID 20000

SigName: Bad Guy IP

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireAll

3 - ChokeThreshold =

4 - FlipAddr =

5 - isIcmp =

6 - isOverrun =

7 - LimitSummary = True

8 - MaxDataLen =

9 - MaxInspectLength =

10 - MaxProto =

11 - MaxReassembledLen =

12 - MinDataLen =

13 - MinHits =

14 - MinProto =

15 - MinReassembledLen =

16 - ProtoNum =

17 - ResetAfterIdle = 15

18 - SigComment =

19 - SigName = Bad Guy IP

20 - SigStringInfo =

21 * StorageKey = GLOBAL

22 - ThrottleInterval = 30

23 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

Second, create a RecordOfExcludedPattern like this:

RecordOfExcludedPattern 20000 * /32 *

Bronze

Re: Custom Sig to Alarm on a Specific IP

One of our crack Q/A engineers noticed an error in my previous reply. The correct filter should be:

RecordOfExcludedPattern 20000 * * *

RecordOfIncludedPattern 20000 * *

RecordOfIncludedPattern 20000 * *
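The filtering the two replies above describe, as a runnable model added here for illustration (this is not Cisco code and not the sensor's own filter parser). It assumes the filter lines are laid out as signature ID, sub-signature, source address, destination address, that an IncludedPattern entry re-enables an alarm that an ExcludedPattern entry suppressed, and it fills in the placeholder address 192.0.2.10 where the posted lines show only wildcards (the attacker's address appears to have been stripped from the post):

```python
from ipaddress import ip_address, ip_network

# Placeholder for the compromised host's attacker address (TEST-NET-1 range).
BAD_GUY_IP = "192.0.2.10"

# Hypothetical filter set in the shape the corrected reply uses: suppress
# signature 20000 everywhere, then carve the attacker's address back in as
# either source or destination. Token layout is an assumption.
FILTER_TEXT = f"""
RecordOfExcludedPattern 20000 * * *
RecordOfIncludedPattern 20000 * {BAD_GUY_IP}/32 *
RecordOfIncludedPattern 20000 * * {BAD_GUY_IP}/32
"""

# Constructed sample traffic as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.10", "10.0.0.5"),    # attacker inbound -> alarm
    ("10.0.0.5", "192.0.2.10"),    # reply back to attacker -> alarm
    ("10.0.0.5", "10.0.0.6"),      # ordinary internal traffic -> silent
    ("198.51.100.7", "10.0.0.5"),  # some other outside host -> silent
]


def _addr_matches(pattern: str, ip: str) -> bool:
    """'*' matches anything; otherwise treat the token as an address or CIDR."""
    if pattern == "*":
        return True
    return ip_address(ip) in ip_network(pattern, strict=False)


def parse_filters(text: str):
    """Split filter lines into (excluded, included) lists of 4-tuples."""
    excluded, included = [], []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"unexpected filter line: {line!r}")
        kind, sigid, subsig, src, dst = parts
        entry = (sigid, subsig, src, dst)
        if kind == "RecordOfExcludedPattern":
            excluded.append(entry)
        elif kind == "RecordOfIncludedPattern":
            included.append(entry)
        else:
            raise ValueError(f"unknown filter record: {kind}")
    return excluded, included


def _entry_matches(entry, sigid: str, src_ip: str, dst_ip: str) -> bool:
    e_sig, _subsig, e_src, e_dst = entry
    return (e_sig == sigid
            and _addr_matches(e_src, src_ip)
            and _addr_matches(e_dst, dst_ip))


def should_alarm(sigid: str, src_ip: str, dst_ip: str, excluded, included) -> bool:
    """An include entry wins over an exclude entry; with no match, the alarm fires."""
    if any(_entry_matches(e, sigid, src_ip, dst_ip) for e in included):
        return True
    if any(_entry_matches(e, sigid, src_ip, dst_ip) for e in excluded):
        return False
    return True


def evaluate(packets, filter_text: str = FILTER_TEXT):
    """Run every packet through the filters for signature 20000.

    The ATOMIC.L3.IP signature fires on every IP packet, which is why the
    first reply warns about sensor load: each packet costs a filter pass.
    Returns a list of (src, dst, alarmed) tuples.
    """
    excluded, included = parse_filters(filter_text)
    return [(src, dst, should_alarm("20000", src, dst, excluded, included))
            for src, dst in packets]


if __name__ == "__main__":
    for src, dst, alarmed in evaluate(SAMPLE_PACKETS):
        print(f"{src:>14} -> {dst:<14} {'ALARM' if alarmed else 'quiet'}")
```

Swapping BAD_GUY_IP for the real address and removing the placeholder traffic is all that changes the outcome; the two include lines are what keep the global exclude from silencing the one address you care about.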

New Member

Re: Custom Sig to Alarm on a Specific IP

Thanks a lot! I will give it a go.

New Member

Re: Custom Sig to Alarm on a Specific IP

Couldn't you just use the RecordOfLogAddress W.X.Y.Z 255.255.255.255 ?

Cisco Employee

Re: Custom Sig to Alarm on a Specific IP

RecordOfLogAddress would create an IPLOG for all packets to and from the address, but it won't generate an alarm.
