Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Help with custom signature RegexString value!!!

Hello.

All the routers in my network are configured in a manner so that when I attempt a telnet connection, I have to enter in a username and password. If I type in my username incorrectly, the router returns the following message...

% Login invalid

All these routers have logging enabled and are sending messages to the IDS 4250.

I'm trying to create a custom signature so that when the router returns % Login invalid, my IDS will display a message within IEV.

With that said, what would the RegexString value look like for this??

Thank you!

5 REPLIES
Cisco Employee

Re: Help with custom signature RegexString value!!!

Maybe you could try:

%.Login.invalid

or

Login.invalid

where the . matches any character, hopefully including space.

Here's a regular expression reference from the IDS 4.0 docs:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swappa.htm#787101

peter

Community Member

Re: Help with custom signature RegexString value!!!

Peter:

Thanks for the link and the response.

I tried your two suggestions and they didn't work...

I also tried the following...

[/%][/ .*][Ll]ogin[/ .*]invalid

That didn't work either unfortunately.

Any other ideas!?!?

Thanks for your help!

Bronze

Re: Help with custom signature RegexString value!!!

Try this one:

[\%][ .*][Ll]ogin[ .*]invalid

Hope it helps!

Cisco Employee

Re: Help with custom signature RegexString value!!!

Just a side comment for you.

You say that the routers have logging enabled and sending messages to the IDS 4250.

What this generally means is that the syslog messages are being sent to the sensor. The sensor will then look for a few specific syslog messages that will be created when an ACL denies a packet. If you have the sensor configured to alarm when those sylog messages are seen for the specific ACL then the sensor will generate an alert.

There has been some confusion from users thinking that the sensor is able to analyze other syslog messages from the router (like invalid login messages).

In your scenario it is irrelevant that router is sending syslog messages to the sensor, because the sensor won't look for syslog messages about failed logins.

What you have to do is ensure that the sensor is monitoring the network between the telnet client and the router. The sensor will need to sniff the packets from the telnet client to the router, and from the router back to the telnet client.

Then you configure the sensor to fire on a regular expression like "[Ll]ogin [Ii]nvalid" (or one of the other suggested regular expressions) when it is seen coming FROM the telnet server.

NOTE: BY default the sensor will look for the regular expression on connections To the server, you will need to make sure you change the direction on the alarm to be From Service.

Additionally you will need to pay particular attention on where the sniffing interface of the sensor is deployed. If the sensor is monitoring the network off of the external interface of the router, then it will only monitor connections from the external network trying to connect to the router. It will not monitor users connecting from the internal network to the router.

And of course if the sensor is monitoring the internal network then it will monitor internal users connecting to the router, but won't monitor external users connecting to the router.

And if you have multiple interfaces, then the sensor will only monitor connections originating from the one side where it is monitoring.

If the failed logins are the only concern for you, then you may want to consider not using the sensor, but instead simply using a syslog server. Point the router to send it's syslogs to the syslog server and search for failed login messages in the resulting syslogs.

Community Member

Re: Help with custom signature RegexString value!!!

Thank you for this reply.

That explains my problem...

"ensure that the sensor is monitoring the network between the telnet client and the router"

90
Views
0
Helpful
5
Replies
CreatePlease to create content