All the routers in my network are configured in a manner so that when I attempt a telnet connection, I have to enter in a username and password. If I type in my username incorrectly, the router returns the following message...
% Login invalid
All these routers have logging enabled and are sending messages to the IDS 4250.
I'm trying to create a custom signature so that when the router returns % Login invalid, my IDS will display a message within IEV.
With that said, what would the RegexString value look like for this?
Re: Help with custom signature RegexString value!!!
Just a side comment for you.
You say that the routers have logging enabled and sending messages to the IDS 4250.
What this generally means is that the syslog messages are being sent to the sensor. The sensor will then look for a few specific syslog messages that will be created when an ACL denies a packet. If you have the sensor configured to alarm when those syslog messages are seen for the specific ACL, then the sensor will generate an alert.
There has been some confusion from users thinking that the sensor is able to analyze other syslog messages from the router (like invalid login messages).
In your scenario it is irrelevant that router is sending syslog messages to the sensor, because the sensor won't look for syslog messages about failed logins.
What you have to do is ensure that the sensor is monitoring the network between the telnet client and the router. The sensor will need to sniff the packets from the telnet client to the router, and from the router back to the telnet client.
Then you configure the sensor to fire on a regular expression like "[Ll]ogin [Ii]nvalid" (or one of the other suggested regular expressions) when it is seen coming FROM the telnet server.
NOTE: By default the sensor will look for the regular expression on connections to the server; you will need to make sure you change the direction on the alarm to be From Service.
Additionally you will need to pay particular attention on where the sniffing interface of the sensor is deployed. If the sensor is monitoring the network off of the external interface of the router, then it will only monitor connections from the external network trying to connect to the router. It will not monitor users connecting from the internal network to the router.
And of course if the sensor is monitoring the internal network then it will monitor internal users connecting to the router, but won't monitor external users connecting to the router.
And if you have multiple interfaces, then the sensor will only monitor connections originating from the one side where it is monitoring.
If the failed logins are the only concern for you, then you may want to consider not using the sensor, but instead simply using a syslog server. Point the router to send its syslogs to the syslog server and search for failed login messages in the resulting syslogs.
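The direction point in the reply above is easy to get wrong, so here is a small added example (my own illustration, not code from the thread or from the Cisco sensor) that models what the custom signature does: it runs the suggested regex "[Ll]ogin [Ii]nvalid" over constructed telnet segments and only fires on traffic flowing from the telnet server back to the client. The segments, addresses and the "server port is 23" rule used to decide direction are assumptions made for the example; on the sensor the direction is set by the alarm's From Service / To Service setting, not by a port check.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Regular expression suggested in the reply; the sensor's RegexString
# field accepts a similar (but not identical) regex syntax.
LOGIN_INVALID = re.compile(r"[Ll]ogin [Ii]nvalid")


@dataclass
class TelnetSegment:
    """One sniffed TCP segment of a telnet session (constructed for the example)."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    payload: bytes


def from_service(seg: TelnetSegment) -> bool:
    """Assumption for this example: the router's telnet service listens on port 23,
    so a segment whose source port is 23 flows FROM the service to the client."""
    return seg.src_port == 23


def match_login_invalid(segments: List[TelnetSegment],
                        direction: str = "from-service") -> List[Tuple[str, str, str]]:
    """Return (src, dst, matched text) for every segment that both flows in the
    requested direction and contains the regex.  'to-service' mirrors the sensor's
    default direction; 'from-service' is what the reply says you must switch to."""
    if direction not in ("from-service", "to-service"):
        raise ValueError("direction must be 'from-service' or 'to-service'")
    hits = []
    for seg in segments:
        if direction == "from-service" and not from_service(seg):
            continue
        if direction == "to-service" and from_service(seg):
            continue
        text = seg.payload.decode("ascii", errors="replace")
        if LOGIN_INVALID.search(text):
            hits.append((seg.src, seg.dst, text.strip()))
    return hits


# Constructed failed-login exchange: client 10.0.0.5, router 10.0.0.1.
SAMPLE_SEGMENTS = [
    TelnetSegment("10.0.0.1", "10.0.0.5", 23, 40001, b"Username: "),
    TelnetSegment("10.0.0.5", "10.0.0.1", 40001, 23, b"admim\r\n"),      # typo'd username
    TelnetSegment("10.0.0.1", "10.0.0.5", 23, 40001, b"Password: "),
    TelnetSegment("10.0.0.5", "10.0.0.1", 40001, 23, b"********\r\n"),
    TelnetSegment("10.0.0.1", "10.0.0.5", 23, 40001, b"% Login invalid\r\n"),
    TelnetSegment("10.0.0.1", "10.0.0.5", 23, 40001, b"Username: "),
]


if __name__ == "__main__":
    # With the direction left at the default (To Service) nothing fires,
    # because the router's reply never travels toward the service.
    print("to-service   :", match_login_invalid(SAMPLE_SEGMENTS, "to-service"))
    # After switching the alarm to From Service the failed login is caught.
    print("from-service :", match_login_invalid(SAMPLE_SEGMENTS, "from-service"))
```

Running the block with the sample exchange shows the empty list for the default direction and one hit for From Service, which is exactly the symptom you would see on the sensor if the direction were left unchanged: the regex is correct, the traffic is visible, and still no alert. The sniffing-interface caveat from the reply applies on top of this: if the segments never reach the sensor's monitoring interface, there is nothing for the regex to match.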