Cisco Support Community
Community Member

HowTo: Trigger on traffic from a subnet

I am trying to figure out the most efficient way to write the following signature:

1. The range of addresses is a 255.255.255.128 netmask within a Class B

2. Trigger on any traffic that originates from that subnet.

The idea is to monitor a group of IP addresses and if the sensors see any traffic at all originating from those IP addresses, then create an alert.

I might have been going about it the wrong way, or maybe there is no other way to do it beyond creating an ATOMIC.TCP signature that triggers on all traffic to all ports.

And then creating a whole bunch of ExcludeNetwork type filters that exclude the signature for all except my small subnet.

Is there a way to do the inverse with a couple of statements that ignores the signature for all except the following subnet? I don't think there is but wanted to make sure.

2 REPLIES
Community Member

Re: HowTo: Trigger on traffic from a subnet

Could you not create 2 rules -- a tcp string and a udp string, both with the regex matches set to "*" and port ranges set to 1-65535 -- and then put the following in your SigSettings.conf for both signatures?

RecordOfExcludedPattern * * *

RecordOfIncludedPattern * *

My .02.

-brkn!

Cisco Employee

Re: HowTo: Trigger on traffic from a subnet

You should be able to create a signature using the Atomic.L3.IP engine that just looks for any IP packet:

Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine ATOMIC.L3.IP SIGID 20000
SigName: Special IP Seen
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireAll
3 - ChokeThreshold =
4 - FlipAddr =
5 - isIcmp =
6 - isOverrun =
7 - LimitSummary = True
8 - MaxDataLen =
9 - MaxInspectLength =
10 - MaxProto =
11 - MaxReassembledLen =
12 - MinDataLen =
13 - MinHits =
14 - MinProto =
15 - MinReassembledLen =
16 - ProtoNum =
17 - ResetAfterIdle = 15
18 - SigComment =
19 - SigName = Special IP Seen
20 - SigStringInfo =
21 * StorageKey = GLOBAL
22 - ThrottleInterval = 30
23 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
Selection>

By default this will fire for every single IP packet on your network.

brkn was correct in his post on how to limit the alarm to fire for only a given address set.

You use RecordOfExcludedPattern to exclude all ip addresses:

RecordOfExcludedPattern 20000 * * *

Then you use RecordOfIncludedPattern to include only the ip addresses of interest:

RecordOfIncludedPattern 20000 * 10.0.0.0-10.0.0.255,10.1.0.0-10.1.255.255 *

If you use the Address Mapping Feature in SigWizMenu, it will create the RecordOfExcludedPattern for everything, and then create the RecordOfIncludedPattern for the addresses you specified.

Refer to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115826
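As an added illustration (not code from this thread, from Cisco, or from the SigWizMenu tool), the Python below models the exclude-everything-then-include-the-subnet filtering the reply describes, so the effect of a SigSettings.conf fragment on signature 20000 can be checked offline before it is deployed. It assumes the four-field layout shown in the reply (signature ID, subsignature, source address, destination address), assumes an included pattern overrides an excluded one (the precedence the reply implies), and uses 172.16.40.0/25 as a constructed stand-in for the poster's 255.255.255.128 block inside a Class B; the `cidr_to_range` helper turns that mask into the first-last range syntax the patterns use.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed SigSettings.conf fragment modelled on the reply (not Cisco's file).
# 20000 is the Atomic.L3.IP "any IP packet" signature; 172.16.40.0/25 is an
# assumed placeholder for the poster's 255.255.255.128 block.
SIGSETTINGS = """
RecordOfExcludedPattern 20000 * * *
RecordOfIncludedPattern 20000 * 172.16.40.0-172.16.40.127 *
"""


def cidr_to_range(cidr: str) -> str:
    """Express a CIDR/netmask block in the first-last range form used by the patterns."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net[0]}-{net[-1]}"


def addr_matches(spec: str, addr: str) -> bool:
    """Match one address against a pattern field: '*', a single address,
    a first-last range, or a comma-separated list of those (as in the reply)."""
    if spec == "*":
        return True
    ip = int(ipaddress.ip_address(addr))
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(ipaddress.ip_address(x)) for x in item.split("-", 1))
            if lo <= ip <= hi:
                return True
        elif int(ipaddress.ip_address(item)) == ip:
            return True
    return False


@dataclass
class Pattern:
    # Field order assumed from the reply: SIGID SUBSIG SRC DST
    sigid: str
    subsig: str
    src: str
    dst: str

    def matches(self, sigid: str, src: str, dst: str) -> bool:
        return (self.sigid in ("*", sigid)
                and addr_matches(self.src, src)
                and addr_matches(self.dst, dst))


@dataclass
class AddressFilter:
    excluded: list = field(default_factory=list)
    included: list = field(default_factory=list)

    @classmethod
    def parse(cls, text: str) -> "AddressFilter":
        f = cls()
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 5:          # keyword + four fields; anything else is ignored
                continue
            keyword, *fields = parts
            if keyword == "RecordOfExcludedPattern":
                f.excluded.append(Pattern(*fields))
            elif keyword == "RecordOfIncludedPattern":
                f.included.append(Pattern(*fields))
        return f

    def fires(self, sigid: str, src: str, dst: str) -> bool:
        """Assumed precedence: an excluded match suppresses the alarm unless an
        included pattern re-admits the address pair; unlisted signatures are untouched."""
        if any(p.matches(sigid, src, dst) for p in self.excluded):
            return any(p.matches(sigid, src, dst) for p in self.included)
        return True


def alerts_for(f: AddressFilter, sigid: str, packets: list) -> list:
    """Return the (src, dst) pairs from a packet list that would raise the alarm."""
    return [(s, d) for s, d in packets if f.fires(sigid, s, d)]


if __name__ == "__main__":
    flt = AddressFilter.parse(SIGSETTINGS)
    sample = [("172.16.40.77", "10.9.9.9"),      # inside the monitored /25: fires
              ("172.16.40.200", "10.9.9.9"),     # same /24, other half: silent
              ("10.9.9.9", "172.16.40.77")]      # traffic *to* the block: silent
    print("mask 255.255.255.128 as range:", cidr_to_range("172.16.40.0/25"))
    print("alerts:", alerts_for(flt, "20000", sample))
```

Because only the source field carries the range, traffic sent to the block does not fire, which matches the poster's "originates from that subnet" requirement; put the range in the destination field as well if both directions are wanted.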
