
new engineering release 3.1.3 for service-over-host sweeps

jakasper
Level 1

We have created the engrel2 bundle to address the problems noted with the host sweeps, particularly the Sig 3030 false negative on SQL Spyda sweeps on port 1433. (We were only looking at low ports, so port 1433 was never counted.)

Now, we have changed the behavior of signatures 3030-3037 to be service sweeps instead of regular host sweeps. (See the README with the bundle on ftp-eng.)

You can find the files on 'ftp-eng.cisco.com'.

The path is: /ftp/pub/titanium

Download the files:

CSIDS-313-engrel2.tar.Z and README

in ftp BINARY mode.

The README has installation instructions and a full description of the changes in this version.

-JK

5 Replies

bbenton
Level 1

There appears to be a new signature file in this directory for this release...(313-S24), but it isn't referenced in the thread, nor is it executable. Should we just load 312 S24 instead, or what?

Can anyone address the signature file in xml format in this directory?

The sigs.xml.313eng.s24 file is not a replacement "Sig Update" file. It is the engine parameter and signature default descriptions for the Director platform.

This file is not needed to make the new 3.1.3 sensor function properly. The only need for the file is if you want to use the "PortOfInterest" parameter for the Engine SWEEP.HOST.TCP. This parameter is not needed because of the new functionality of the engine. It is there for special applications where you want to create a port XYZ custom host sweep signature. The default behavior of the engine now gives you good coverage for port ANY host sweeps, so you probably won't need the PortOfInterest parameter.

We included the .xml file with the bundle so we would have the file ready if needed. I should have explicitly stated in the instructions to ignore this file.

When there is a customer need for the above mentioned capability, we will publish official "install" instructions for this .xml file.

Sorry for this tardy response, I was out of the office for a couple days.

-JK

Thanks!

jakasper
Level 1

CSIDS-313-engrel2 fixes the sweep problem noted in this forum's July 5th posts.

The SWEEP.HOST.TCP engine has been changed so that the default behavior is that of a "Service Sweep" instead of a "Host Sweep" and it looks at all ports instead of just the low ports. (Affects SIGIDs 3030-3037.)

I just checked the ftp-eng site and the files are still intact. Ignore the sigs.xml file -- it's not needed for the eng2 bundle. (See May 30 post on this thread.)

I do not know of a date for an "official" 3.1(3) release that would include this fix. Someone else will have to elaborate on that topic.

Until then, the eng2 bundle solves this problem.

-JK
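The false negative the thread describes, as an added illustration that is not code from the CSIDS engine, the bundle, or anyone posting here: a minimal service-sweep counter run over constructed SYN records, once with a "low ports only" filter (the old behaviour, read here as destination ports below 1024) and once counting any port. The record format, the sample addresses, the 1024 cut-off, the threshold of 5 distinct hosts, and the `port_of_interest` helper standing in for a single-port custom signature are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed SYN records (src, dst, dport); not captured traffic.
SAMPLE_SYNS = (
    # one source probing MS SQL (1433) on eight hosts, the SQL Spyda-style case
    [("10.0.0.5", f"10.1.1.{i}", 1433) for i in range(1, 9)]
    # a second source probing SSH on six hosts
    + [("10.0.0.9", f"10.1.2.{i}", 22) for i in range(1, 7)]
    # benign: one client talking to two web servers
    + [("10.0.0.20", "10.1.3.1", 80), ("10.0.0.20", "10.1.3.2", 80)]
)

LOW_PORT_MAX = 1023  # assumed definition of the thread's "low ports"


def low_ports_only(port: int) -> bool:
    """Old behaviour (assumed): only well-known ports are counted toward a sweep."""
    return port <= LOW_PORT_MAX


def any_port(port: int) -> bool:
    """New behaviour: every destination port is counted toward a sweep."""
    return True


def port_of_interest(port: int):
    """Stand-in for a single-port custom sweep signature (hypothetical helper)."""
    return lambda p: p == port


def service_sweeps(records, port_filter=any_port, threshold=5):
    """One source SYN-ing the same dport on >= threshold distinct hosts is a service sweep.

    Returns sorted (src, dport, distinct_hosts) tuples for each sweep found.
    """
    hosts_per_service = defaultdict(set)
    for src, dst, dport in records:
        if port_filter(dport):
            hosts_per_service[(src, dport)].add(dst)
    return sorted(
        (src, dport, len(hosts))
        for (src, dport), hosts in hosts_per_service.items()
        if len(hosts) >= threshold
    )


if __name__ == "__main__":
    # The 1433 sweep is invisible under the low-port filter and caught with any-port.
    print("low ports only:", service_sweeps(SAMPLE_SYNS, low_ports_only))
    print("any port:      ", service_sweeps(SAMPLE_SYNS, any_port))
    print("port 1433 only:", service_sweeps(SAMPLE_SYNS, port_of_interest(1433)))
```

Keying the counter on (source, destination port) is what makes this a service sweep rather than a host sweep: the same source touching eight hosts on port 1433 trips it, while the benign client that reaches two web servers stays below threshold.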
