Different event levels for the same signature ?

pheuch
Level 1

Is it possible to set up different event levels for the same signature, based on the IP range of the source / destination address?

This would be very handy for some problems. Take CodeRed for example. Incoming CodeRed packets are, at the moment, only interesting for statistical purposes. But outgoing traffic with this signature is a real problem. I would like to configure event level 2 or 3 for the incoming and 5 for the outgoing. But I could not find any hint on how to do this.

Any ideas?

2 Replies

klwiley
Cisco Employee

Hmm, this is actually not something anyone has ever asked for before. There is no way to do this with a single signature, however we can accomplish this with a little trickery.

I'm assuming you are running 3.0(1)S5. If you are running 3.0(1)S4 you will have to make two signatures as I outline below.

Using SigWizMenu create a signature with the following parameter line:

Engine STRING.HTTP SIGID 20000 AlarmThrottle FireOnce DeObfuscate True Direction ToService MinHits 1 MultipleHits True RegexString [.][Ii][Dd][Aa][?].*[\r\n] MinMatchLength 200 ResetAfterIdle 15 ServicePorts 80,3128,8010,8080,8888 SigName WWW IIS .ida Indexing Service Overflow SigStringInfo .ida?<200+ chars>

Let's assume you want this to be applied to the "external" traffic so set it as a level 2 severity. You are going to keep the built in signature (5126) as it is at a level 5.

In the SigSettings.conf file add the following lines at the bottom of the file.

RecordOfExcludedPattern 20000 * IN * (This will only work if you've defined your protected network with the RecordOfInternalAddress token, excludes this signature from firing on internally generated events)

RecordOfExcludedPattern 5126 * OUT * (This will only work if you've defined your protected network with the RecordOfInternalAddress token, excludes this signature from firing on externally generated events)

This example assumes you have no signature 20000, please use auto generate in SigWizMenu to ensure you do not have overlap. In the RecordOfExcludedPattern for the external signature you must be sure to use the autogenerated SigId as well.
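The direction trick above is easy to get backwards, so here is a small model of it that you can run against sample events before touching the sensor. This is an added example, not code from the post or from Cisco: it parses the two RecordOfExcludedPattern lines exactly as written in the reply plus a RecordOfInternalAddress line, applies the same .ida regex with its MinMatchLength, and reports which of the two signatures (built-in 5126 at level 5, custom 20000 at level 2) would fire for a given source and destination. The token layout assumed here (RecordOfExcludedPattern SigID SubSig SrcAddr DstAddr, RecordOfInternalAddress address netmask), the reading of MinMatchLength as the minimum length of the regex match, and the 10.1.0.0/16 protected network and sample requests are all constructed assumptions for the example, not facts from the page.

```python
import ipaddress
import re

# Constructed sample config modelled on the lines in the reply. The token
# layouts (SigID SubSig SrcAddr DstAddr; address netmask) are assumptions.
SAMPLE_CONF = """\
RecordOfInternalAddress 10.1.0.0 255.255.0.0
RecordOfExcludedPattern 20000 * IN *
RecordOfExcludedPattern 5126 * OUT *
"""

# Severities from the reply: built-in 5126 stays at 5, custom 20000 is set to 2.
SEVERITY = {5126: 5, 20000: 2}

# RegexString and MinMatchLength from the SigWizMenu parameter line.
IDA_REGEX = re.compile(rb"[.][Ii][Dd][Aa][?].*[\r\n]")
MIN_MATCH_LENGTH = 200


def parse_conf(text):
    """Return (internal_networks, excluded_patterns) from SigSettings-style lines."""
    internal, excluded = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RecordOfInternalAddress":
            internal.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "RecordOfExcludedPattern":
            excluded.append((parts[1], parts[2], parts[3], parts[4]))
    return internal, excluded


def is_internal(addr, internal):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internal)


def addr_matches(pattern, addr, internal):
    """'*' matches anything; IN/OUT are resolved against RecordOfInternalAddress."""
    if pattern == "*":
        return True
    if pattern == "IN":
        return is_internal(addr, internal)
    if pattern == "OUT":
        return not is_internal(addr, internal)
    return ipaddress.ip_address(addr) == ipaddress.ip_address(pattern)


def is_excluded(sigid, src, dst, internal, excluded):
    for esig, _esub, esrc, edst in excluded:
        if esig != "*" and int(esig) != sigid:
            continue
        if addr_matches(esrc, src, internal) and addr_matches(edst, dst, internal):
            return True
    return False


def ida_payload_matches(payload):
    """Apply the .ida regex; assumed MinMatchLength means the match itself is >= 200 bytes."""
    m = IDA_REGEX.search(payload)
    return m is not None and len(m.group(0)) >= MIN_MATCH_LENGTH


def evaluate(src, dst, payload, conf=SAMPLE_CONF):
    """Return [(sigid, severity), ...] that would fire for one HTTP request."""
    internal, excluded = parse_conf(conf)
    if not ida_payload_matches(payload):
        return []
    return [(sig, SEVERITY[sig]) for sig in sorted(SEVERITY)
            if not is_excluded(sig, src, dst, internal, excluded)]


# Constructed sample requests: one CodeRed-style .ida request with a long
# query string, one harmless short .ida request.
LONG_IDA = b"GET /default.ida?" + b"X" * 240 + b"%u9090%u6858 HTTP/1.0\r\n"
SHORT_IDA = b"GET /default.ida?foo HTTP/1.0\r\n"

if __name__ == "__main__":
    print("inbound :", evaluate("192.0.2.10", "10.1.1.5", LONG_IDA))
    print("outbound:", evaluate("10.1.1.5", "192.0.2.10", LONG_IDA))
    print("internal:", evaluate("10.1.1.5", "10.1.2.7", LONG_IDA))
    print("short   :", evaluate("192.0.2.10", "10.1.1.5", SHORT_IDA))
```

Running it shows the split the reply is after: an external source hitting an internal host raises only 20000 at level 2, while an internal source raises only 5126 at level 5. One check worth doing on your own sensor is the third case: traffic between two internal hosts also has an internal source, so it is excluded from 20000 and lands on 5126 at level 5, which is usually what you want for an infected machine scanning the inside, but it is not the same thing as "outgoing".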

crossmanj
Level 1

Actually this would be handy for a lot of things....

The ingress/egress issue with Code Red is a good example, though we solved it a slightly different way with the creation of a new alarm level, and alerting only on IN-to-OUT traffic for that alarm level.

But being able to choose responses by IP for the same signature would be valuable in several ways. Here are my off-the-cuff thoughts:

1 - Ability to monitor/alert/respond differently for servers with higher SLA requirements (eg, have higher mission critical nature)

2 - Ability to alert OS-specific, or App-specific, detects. Cold Fusion detects shouldn't get people out of bed when seen against an IIS server, but on a Cold-Fusion server, well....

3 - In the last 7 days, we've gotten 227 DNS Version Requests, but few of those were directed to DNS servers, which (maybe) should be responded to a bit more aggressively.

Anyway, all of my other examples are related to these basic themes, attacks on ports that are open versus ones that aren't (UDP), customizing responses based on appropriateness of data for a server configuration, etc. I'm sure y'all get the feel.... :-)
