06-11-2003 07:01 PM - edited 03-09-2019 03:38 AM
I have a feeling that this was already addressed before, but I cannot find it.
I would like to know all the options (methods) available to me for tuning signatures in the IDS4235 code 4 image other than using IDM or VMS.
I am a CLI type of person, but wanted specifically to know whether there is a ./SigMenuWiz or similar utility available (accessible) on the appliance, and through which user.
Any feedback is appreciated.
06-11-2003 09:06 PM
Hi,
You can go into the signature engine and modify the signature parameters or add a new string signature.
sj_4250_40# conf t
sj_4250_40(config)# service virtual-sensor-configuration virtualSensor
sj_4250_40(config-vsc)# tune-micro-engines
sj_4250_40(config-vsc-virtualSensor)#
ATOMIC.ARP Layer 2 ARP signatures.
ATOMIC.ICMP Simple ICMP alarms based on Type, Code, Seq, Id, etc.
ATOMIC.IPOPTIONS Simple L3 Alarms based on Ip Options
ATOMIC.L3.IP Simple L3 IP Alarms.
ATOMIC.TCP Simple TCP packet alarms based on TCP Flags, ports (both sides), and single packet regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey of xxxx.
Select the engine you want to modify and the signature in it, then change the settings.
sj_4250_40(config-vsc-virtualSensor)# atomic.tcp
sj_4250_40(config-vsc-virtualSensor-ATO)# signatures SIGID 9023
sj_4250_40(config-vsc-virtualSensor-ATO-sig)# show settings
SIGID: 9023
SubSig: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium
AlarmThrottle: FireOnce
AlarmTraits:
ChokeThreshold: 100
DstPort: 36794
Enabled: True default: False
EventAction: ZERO
FlipAddr:
Mask: FIN|SYN|RST|PSH|ACK|URG
MaxInspectLength:
MaxTTL:
MinHits:
PortRange:
PortRangeSource:
Protocol: TCP
ResetAfterIdle: 15
SigComment:
SigName: Back Door Probe (TCP 36794)
SigStringInfo: SYN to TCP 36794
SigVersion: S40
SinglePacketRegex:
SrcPort:
StorageKey: xxxx
SummaryKey: AxBx
TcpFlags: SYN
ThrottleInterval: 30
WantFrag:
Thanks
Sujit
06-12-2003 03:19 AM
Thanks,
q1. Is this the only other method (aside from using IDM or the VMS bundle)?
q2. Is there an equivalent of packetd.conf?
06-12-2003 08:42 AM
Hi,
q1. Is this the only other method (aside from using IDM or the VMS bundle)?
- No other method is available when you are doing telnet or ssh to the sensor.
q2. Is there an equivalent of packetd.conf?
- No, we do not have packetd.conf any more, but you can do a "show config" to see the settings of all the signatures.
The output will be like this:
service virtual-sensor-configuration virtualSensor
tune-micro-engines
systemVariables
WEBPORTS 80,88,90,8000-9900
exit
FragmentReassembly
IPReassembleMode NT
IPReassembleTimeout 120
exit
StreamReassembly
TCP3WayHandshakeRequired True
TCPReassemblyMode strict
TCPOpenEstablishedTimeout 90
TCPEmbryonicTimeout 15
exit
ShunEvent
ShunTime 30
exit
ATOMIC.ARP
signatures SIGID 7101 SubSig 0
AlarmSeverity informational
Enabled False
EventAction ZERO
exit
signatures SIGID 7102 SubSig 0
Thanks
Sujit
06-12-2003 02:41 PM
Thanks a lot for the prompt reply. I only have two final questions:
q1. When pushing detection signature configuration changes to the sensors using MC, the changes are finalized after 5+ minutes of high overhead for each push, after which the changes made can be viewed immediately. On the IDM it requires that you log off and log on, but sometimes the changes are not in effect when you log back into the IDM the second or third time. On the CLI the changes take effect within 10-20 seconds, but I have not found a method of verifying the changed settings.
q1. So my question is: how long does it take for a change to take effect through the IDM?
q2. Is there a way to verify the new settings of a signature through the CLI?
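As an added example (not from the thread or from Cisco), a small Python parser for the "show config" output Sujit quoted above: it pulls out each signature's settings and compares them with the values you intended to push, which gives a scripted way to verify a tuned signature from the CLI (q2). The block grammar (engine names as bare dotted upper-case lines, signature blocks closed by "exit") and the ATOMIC.TCP block contents are assumptions built from the sample output shown in the thread.

```python
import re
# Constructed sample modelled on the "show config" output quoted earlier in the
# thread; the ATOMIC.TCP block is filled in with values from "show settings" (assumed).
SAMPLE_SHOW_CONFIG = """\
service virtual-sensor-configuration virtualSensor
tune-micro-engines
ATOMIC.ARP
signatures SIGID 7101 SubSig 0
AlarmSeverity informational
Enabled False
EventAction ZERO
exit
exit
ATOMIC.TCP
signatures SIGID 9023 SubSig 0
AlarmSeverity medium
DstPort 36794
Enabled True
exit
exit
"""

# Assumed grammar: an engine block opens with a bare dotted upper-case name; a
# signature block runs from its "signatures SIGID n SubSig m" line to the next "exit".
ENGINE_RE = re.compile(r"^[A-Z0-9]+(?:\.[A-Z0-9]+)+$")
SIG_RE = re.compile(r"^signatures SIGID (\d+) SubSig (\d+)$")

def parse_signatures(text):
    """Return {(engine, sigid, subsig): {setting: value}}; non-signature blocks are skipped."""
    sigs, engine, current = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "exit":          # closes whichever block is open
            current = None
        elif ENGINE_RE.match(line):
            engine = line
        elif (m := SIG_RE.match(line)):
            current = (engine, int(m.group(1)), int(m.group(2)))
            sigs[current] = {}
        elif current is not None:   # "Enabled False" -> key, value
            key, _, value = line.partition(" ")
            sigs[current][key] = value
    return sigs

def verify_signature(sigs, engine, sigid, expected, subsig=0):
    """Return {setting: (actual, expected)} for mismatches; {} means the tuning is in place."""
    actual = sigs.get((engine, sigid, subsig))
    if actual is None:
        return {"<signature>": (None, "present")}
    return {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}
```

Feed it the real output captured from your own "show config" session (for example via a paste or a logged ssh session) instead of the constructed sample.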