
New Member

How does "Protected Network" work?

I have always thought that if I put a network in the "Protected Network" list that this meant the sensor would only care about these addresses. If this is the case then why does my sensor still report events from/to IPs not in this list. If it does not work this way then how does the concept of a "Protected Network" work?

5 REPLIES
Cisco Employee

Re: How does "Protected Network" work?

The Protected Network is used to tag the addresses in an alarm with a keyword.

Addresses in the Protected Network are tagged with the word IN, while any other address is tagged with the word OUT.

This helps when looking at alarms to determine whether you are being attacked, or if your internal network is being used to attack someone else's network.

The sensor, however, will monitor all traffic, so it is easy to get running without even having to configure your Protected Networks. (Everything would be reported as OUT source and OUT destination).

To get what you are looking for the IN and OUT keywords can also be used to filter out alarms.

If you are not interested in alarms between IPs that are not in your Protected Network then you can exclude all alarms between two OUT addresses:

RecordOfExcludedPattern * * OUT OUT

(This can be created in nrConfigure for the Unix Director, or added in the Epilogue field in CSPM)

You could also do the following:

RecordOfExcludedPattern * * IN IN (To not look at alarms between your own machines)

RecordOfExcludedPattern * * IN OUT (To not look at alarms originating within your network)

NOTE: RecordOfExcludedPattern is also used by the Advanced Filter Tab in CSPM, but the Advanced Filter tab does not have the ability to exclude all signatures with a single entry. So that is why the RecordOfExcludedPattern line with a "*" for the signature field is best entered in the Prologue field.

For more information on RecordOfExcludedPattern refer to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids4/11657_02.htm#xtocid2830510
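The IN/OUT tagging and RecordOfExcludedPattern matching described in this reply, as an added Python model; it is not part of the original thread or of the sensor software. It assumes the second pattern field is the subsignature, that an address field may be "*", the IN/OUT keyword or a literal address, and that a signature field may be "*", one id or a range such as "0-9999"; the protected networks and alarm addresses are constructed samples.

```python
import ipaddress

# Constructed sample RecordOfInternalAddress entries in both forms seen in the
# thread: address + netmask, or address/prefix as written by nrConfigure.
PROTECTED = [
    ("10.1.1.0", "255.255.255.0"),
    ("10.2.2.3", "255.255.255.255"),
    ("192.168.0.0/16", None),
]

def parse_protected(entries):
    """Turn RecordOfInternalAddress-style entries into IPv4 networks."""
    nets = []
    for addr, mask in entries:
        spec = addr if mask is None else f"{addr}/{mask}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def tag(ip, nets):
    """IN if the address falls inside any protected network, otherwise OUT."""
    a = ipaddress.ip_address(ip)
    return "IN" if any(a in n for n in nets) else "OUT"

def sig_matches(field, sig):
    """Signature field: '*', a single id, or a range like '0-9999' (assumed)."""
    if field == "*":
        return True
    if "-" in field:
        lo, hi = field.split("-", 1)
        return int(lo) <= sig <= int(hi)
    return int(field) == sig

def addr_matches(field, ip, t):
    """Address field: '*', the IN/OUT keyword, or a literal address (assumed)."""
    return field in ("*", t, ip)

def excluded(alarm, patterns, nets):
    """True when any RecordOfExcludedPattern line suppresses the alarm.

    alarm is (signature id, subsignature, source ip, destination ip);
    patterns are raw config lines, e.g. 'RecordOfExcludedPattern * * OUT OUT'.
    """
    sig, sub, src, dst = alarm
    st, dt = tag(src, nets), tag(dst, nets)
    for line in patterns:
        sig_f, sub_f, src_f, dst_f = line.split()[1:5]
        if (sig_matches(sig_f, sig) and (sub_f == "*" or int(sub_f) == sub)
                and addr_matches(src_f, src, st) and addr_matches(dst_f, dst, dt)):
            return True
    return False
```

With the OUT OUT pattern only alarms whose source and destination are both outside the protected networks are dropped; IN OUT and OUT IN alarms still pass.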

New Member

Re: How does "Protected Network" work?

I implemented your suggestion for excluding events from all outside addresses, i.e. RecordOfExcludedPattern * * OUT OUT. However I have concern that now the sensor is not reporting anything. What is the format of the address/netmask for the RecordOfInternalAddress in the packetd.conf file? Is the netmask the standard netmask or is there some other interpretation by the IDS software?

Cisco Employee

Re: How does "Protected Network" work?

If you are designating a network then use the network address and the netmask.

Example:

RecordOfInternalAddress 10.1.1.0 255.255.255.0

If, however, you are only designating a single ip then put in the ip with a netmask of all 255s.

Example:

RecordOfInternalAddress 10.2.2.3 255.255.255.255

Marco

New Member

Re: How does "Protected Network" work?

I'm trying to use a network of 123.456.0.0 with a mask of 255.255.0.0. nrConfigure puts it in as RecordOfInternalAddress 123.456.0.0/16 which seems correct to me. You can have more than 1 RecordOfInternalAddress right? I have several networks defined. So why when I turn on my OUT OUT filter does the sensor stop reporting events even though without it I see many IN OUT and OUT IN events in the log? This is becoming a real problem for my customer.

Cisco Employee

Re: How does "Protected Network" work?

Sounds like you may have found a bug.

Something similar was reported in CSCdw39532

In that issue the * for signature wouldn't exclude any alarms for IN or OUT, and they have fixed it.

But it could be that when they fixed that they introduced a new bug so * for OUT OUT excludes all addresses?

If you are not running 3.0(5)S20 then please upgrade and try this again.

I know there were some changes in the exclude code in the past few months.

If the issue is still in 3.0(5)S20 then please contact the TAC so they can assist in documenting the problem and create a new DDTS Issue if necessary.

If you are using 3.0(5)S20 then would you be willing to try

RecordOfExcludedPattern 0-9999 * OUT OUT

Instead of

RecordOfExcludedPattern * * OUT OUT

If the "0-9999" works then please let the TAC know this so they can put it in the release notes for the DDTS issue.

Marco
