Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

RecordOfExcludedPattern - what is working ?

I tried to exclude all events from one host to the internal network . The host address is also an internal ip address.

RecordOfExcludedPattern * * 199.129.214.244 IN

(ip address changed)

But this is not working. I got some 3001 events today. We are running version 2.5(1)S2.

I know that the RecordOfExcludedPattern was a bit buggy in older versions, so can somebody give me an overlook which syntax is working with which sensor version ?

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: RecordOfExcludedPattern - what is working ?

I am going to try testing this in our QA lab here at Cisco today. I will get back to you when I have finished my testing. The syntax in your email is correct to prevent all alarms from the address to any of your internal network addresses.

Cisco Employee

Re: RecordOfExcludedPattern - what is working ?

I tested this in our lab today and this is a bug against the 2.5(1)S2 sensor. It is not excluding the

3001 signature correctly.

I created DDTS Issue: CSCdu44994

The DDTS Issue can be tracked through CCO (note: it takes a day or 2 to update CCO's bug database)

You will have to add an extra RecordOfExcludedPattern token specifically for the 3001 signature:

RecordOfExcludedPattern 3001 * IN 199.129.214.244

Here is the Release Note I created for the DDTS Issue to explain the problem:

Symptom:

RecordOfExlcudedPattern is being used to exclude an address (or set of addresses). The sensor is properly excluding all the signatures except the 3001 signature

Condition:

The user has created a RecordOfExcludedPattern token which is set to excluded the 3001 signature for a given address source or destination.

Some examples:

RecordOfExcludedPattern * * 10.1.1.1 *

(Should exlude 3001 with 10.1.1.1 as source address along with all other sigs)

RecordOfExcludedPattern 3001 * 172.10.10.10 IN

(Should exlude 1001 with 172.10.10.10 as source address and an IN address as the destination)

Configurations like the above should exclude the 3001 signature, but instead the signature continues to fire.

The 3001 signature is based off TCP RST packets. When analyzing the signature the source address of the packets is the host being scanned, and the destination address of the packet is the attacker/scanner.

So when the sensor creates the signature it must swap the address so:

Host being scanned = Source of packet = Destination address of alarm

Scanner = Destination of packet = Source address of alarm

The BUG is:

The RecordOfExcludedPattern should be comparing against the Source and Destination address of the alarm, but instead it is comparing the Source and Destination address of the packet.

WorkAround:

Because the RecordOfExlcudedPattern is comparing against the Source and Destination address of the packets you can use this to filter out the alarm by reversing the addresses in your RecordOfExcludedPattern.

Instead of

RecordOfExcludedPattern 3001 * 172.10.10.10 IN

You can use the following until the problem if fixed:

RecordOfExcludedPattern 3001 * IN 172.10.10.10

NOTE: The original pattern is replaced by the new pattern, but this will have to be returned to the original when the fix is delivered.

Instead of

RecordOfExcludedPattern * * 10.1.1.1 *

You can use both

RecordOfExcludedPattern * * 10.1.1.1 *

RecordOfExcludedPattern 3001 * * 10.1.1.1

NOTE: the original pattern is maintained to continue excluding the other sigs

92
Views
0
Helpful
2
Replies