Cisco Support Community

New Member

Custom Signature

Can someone help me with this?

I am trying to create a custom signature with the following characteristics...

Option 1:

Source Sequence number is 0

Flags are Syn/Ack

Destination Port 80

MinHits 5

Option 2

Source Port 80

Flag RST

Sequence number = 1

TCP ZeroWindow

MinHits 5

I've tried using the signature wizard but can't find the right combination.

Accepted Solution
Bronze

Re: Custom Signature

We don't currently support looking for specific sequence numbers or window sizes. We are in the process of planning additional engine parameters to deal with this. To create custom signatures that match close to your specifications, you could do this with ATOMIC.TCP.

Option 1

TcpFlags SYN|ACK

Mask FIN|SYN|RST|PSH|ACK|URG

DstPort 80

MinHits 5

Option 2

TcpFlags RST

Mask FIN|SYN|RST|PSH|ACK|URG

SrcPort 80

MinHits 20

If needed, you can add the SrcIpAddr / DstIpAddr parameters to limit these to certain addresses.
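As an added illustration (not code from this thread or from Cisco), the following Python models the ATOMIC.TCP behaviour the accepted answer relies on: TcpFlags is compared only through the bits selected by Mask, SrcPort/DstPort/SrcIpAddr are optional filters, MinHits is a counter threshold, and FlipAddr swaps the attacker and victim addresses reported in the alert. How the engine keys its hit counter is not stated in the thread; the count_by field, the addresses and the packet samples are constructed assumptions of the example. It shows why the full six-bit mask matters (a looser mask that omits ACK also matches ordinary RST|ACK refusals) and why a single shared counter trips on RSTs spread over many destination hosts.

```python
"""Toy model of ATOMIC.TCP flag/mask matching plus a MinHits threshold,
run over constructed packets. Added illustration, not Cisco IPS code."""
from collections import Counter
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
ALL_FLAGS = sum(FLAG_BITS.values())


def parse_flags(spec: str) -> int:
    """'SYN|ACK' or 'SYN/ACK' (both spellings appear in the thread) -> bitmask."""
    return sum(FLAG_BITS[n.strip()] for n in spec.replace("/", "|").split("|") if n.strip())


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class AtomicTcpSig:
    tcp_flags: int                # TcpFlags: the bit values required
    mask: int                     # Mask: which flag bits are compared at all
    min_hits: int = 1             # MinHits: matching packets needed before alerting
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_ip: Optional[str] = None  # SrcIpAddr with a /32 SrcIpMask
    flip_addr: bool = False       # FlipAddr: swap attacker/victim in the alert
    count_by: str = "pair"        # assumption: "pair" = per (src, dst), "global" = one counter

    def matches(self, p: Packet) -> bool:
        # Only bits selected by Mask are compared; the others are "don't care".
        if (p.flags & self.mask) != (self.tcp_flags & self.mask):
            return False
        if self.src_port is not None and p.sport != self.src_port:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        if self.src_ip is not None and p.src != self.src_ip:
            return False
        return True


def alerts_for(sig: AtomicTcpSig, packets) -> List[Tuple[str, str]]:
    """Return (attacker, victim) alerts; one alert when a counter reaches MinHits."""
    hits = Counter()
    out = []
    for p in packets:
        if not sig.matches(p):
            continue
        key = (p.src, p.dst) if sig.count_by == "pair" else "all"
        hits[key] += 1
        if hits[key] == sig.min_hits:
            out.append((p.dst, p.src) if sig.flip_addr else (p.src, p.dst))
    return out


# The accepted answer's Option 2: bare RST from source port 80, all six bits compared.
OPTION2 = AtomicTcpSig(parse_flags("RST"), parse_flags("FIN|SYN|RST|PSH|ACK|URG"),
                       min_hits=20, src_port=80, flip_addr=True)
# The first attempt's looser mask: ACK is not compared, so RST|ACK also matches.
OPTION2_LOOSE = replace(OPTION2, mask=parse_flags("SYN/FIN/RST"))
# Same signature, but every hit lands in one shared bucket.
OPTION2_GLOBAL = replace(OPTION2, count_by="global")

ZOMBIE, PROBER = "10.10.10.5", "192.0.2.10"   # constructed addresses


def idle_probe_replies():
    # Constructed: 25 bare RSTs the zombie's port 80 returns to unsolicited SYN/ACK probes.
    return [Packet(ZOMBIE, 80, PROBER, 40000 + i, RST) for i in range(25)]


def rst_ack_replies():
    # Constructed: 25 RST|ACK replies, the shape a closed port gives a plain SYN.
    return [Packet(ZOMBIE, 80, "198.51.100.7", 50000 + i, RST | ACK) for i in range(25)]


def scattered_rsts():
    # Constructed: 5 bare RSTs to each of 5 hosts, 25 in total but no pair reaches 20.
    return [Packet(ZOMBIE, 80, f"203.0.113.{h}", 51000 + i, RST)
            for h in range(1, 6) for i in range(5)]
```

With FlipAddr set, the alert for the idle-probe sample names the host receiving the RSTs (the prober) as the attacker and the web server as the victim, which is the reading the last reply in the thread gives. Swapping in the looser mask makes the same signature fire on RST|ACK traffic that has nothing to do with an idle scan, and the global counter fires on the scattered sample even though no single destination ever sees 20 resets.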

4 REPLIES
New Member

Re: Custom Signature

Here is what I tried, in order to achieve option 2 - it didn't work:

Sweep.port.tcp signature

Mask: SYN/FIN/RST

TcpFlags: RST

MinHit: 5

Protocol: TCP

Unique: 5

PortRange: 1

InvertedSweep: True

This isn't firing...

New Member

Re: Custom Signature

I finally have it working, but not quite the way I want it.

ATOMIC.TCP

FlipAddr: True

Mask: FIN/SYN/RST

MinHits: 20

Protocol: TCP

SrcIPAddr: 10.10.10.5

SrcIpMask: 255.255.255.255

SrcPort: 80

TcpFlags: RST

If I don't specify the source, it fires often - due to the fact it's going to see more than 20 RST packets to various hosts. I would like to use a state based signature, so I don't have to specify the source.

I'm trying to get it to fire when the IDS system sees an IP address sending multiple RST packets to another machine with the source coming from TCP 80.

New Member

Re: Custom Signature

Thank you for your guidance... FYI: This signature helps identify when a port scan is taking place using the nmap idle feature. If this signature fires at the same time the TCP SYN PORT Sweep, then the source (since flipaddress is true) is the one probing the zombie's IPID. I've tested it several times and it works well... I have to keep the minhits high, around 20-30, and define the source as the web servers and it works great. Thanks for your help!
