SigWizMenu Source/Destination

w.tresp
Level 1

I am trying to define a custom ATOMIC.TCP signature which should trigger an alarm every time a TCP SYN packet is detected with an external source IP address and a destination in our internal private address space.

Because we are using some subnets with the same RFC1918 addresses for DMZ host communication to our internal network I try to use the address mapping feature to prevent the triggering of TCP sessions initiated from our internal networks to our DMZ hosts or in the other direction.

I've tried the following:

Modify Signature Address Mapping : CSIDS Signature Wizard

___________________________________________________

Signature Value : 20000

SubSig Value : *

Source Value : 1/5,8/7,11/8,13/8,16/4,32/3,128/1

Dest Value : 10/8

___________________________________________________

But this doesn't work. The alarm is also generated if I connect from 10/8 to 10/8 addresses.

Can somebody help me with this problem or point me to a better documentation than the 3.0 release notes?

Regards, Wilfried

4 Replies

anthall
Level 1

Wilfried,

The best way to handle something like this is to use the RecordOfInternalAddress.

Set this value to your internal networks. Something like:

10.0.0.0 255.0.0.0

You should be able to do this inside your management interface.

Once you get this, you can use the Signature Address Mapping to make your life simple.

Your source then becomes OUT, and your destination becomes IN.

The RecordOfInternalAddress defines the addresses listed as internal ones (IN)...all others are OUT.

Hope that helps!

anthall's recommendation is a good one. You may want to include all of your internal addresses in the RecordOfInternalAddress.

But just so you know, I think that what you were doing is opposite of what you were wanting.

( Of course I could be wrong and you may be doing exactly what you were wanting, and have come across a bug we were not aware of)

The entries:

Signature Value : 20000

SubSig Value : *

Source Value : 1/5,8/7,11/8,13/8,16/4,32/3,128/1

Dest Value : 10/8

Would create the following conf lines (I believe in SigSettings.conf or SigUser.conf):

RecordOfExcludedPattern 20000 * * *

RecordOfIncludedPattern 20000 * 1/5,8/7,11/8,13/8,16/4,32/3,128/1 10/8

The first line keeps the sig from firing for any address combination.

The second line overrides the exclude and will fire the alarm if the source is 1/5,8/7,11/8,13/8,16/4,32/3,128/1 AND the destination is 10/8.

Problems:

1) I am not sure if packetd will properly interpret 1/5 syntax. So this could be part of the issue.

(I haven't tested with that syntax so you may want to run a test to be sure, but for now I'll assume the syntax works.)

2) If packetd does interpret it right, then it will ONLY fire if the source address is in 1/5,8/7,11/8,13/8,16/4,32/3,128/1 and the destination is in 10/8.

What I think you wanted is to NOT fire if the source is 1/5,8/7,11/8,13/8,16/4,32/3,128/1 regardless of what the destination is.

And also not fire if the destination is 10/8 regardless of what the source is.

So the proper conf lines would more likely be:

RecordOfExcludedPattern 20000 * 1/5,8/7,11/8,13/8,16/4,32/3,128/1 *

RecordOfExcludedPattern 20000 * * 10/8

The first line excludes any of those source addresses from firing the alarm no matter what the destination is. So if they are going to an external box, your 10 network, or other internals it won't fire.

The second line keeps the alarm from firing if the 10 network is the destination. It won't fire if the source is inside, outside, or in the 10 network.

So the alarm will still fire if external boxes try to connect to 1/5,8/7,11/8,13/8,16/4,32/3,128/1 or other unlisted addresses.
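As an added example (not code from this thread, and not Cisco's packetd parser), the following Python model applies the Excluded/Included pattern semantics exactly as described in the reply above, plus anthall's IN/OUT keywords, to the three configurations discussed. It assumes RecordOfInternalAddress holds only 10.0.0.0/8, that a matching Included pattern overrides a matching Excluded pattern, and that short prefixes such as 1/5 mean 1.0.0.0/5 (the syntax Marcoa notes is untested); the sample addresses are constructed.

```python
import ipaddress

# Constructed model of the conf semantics described in this thread; not Cisco's packetd parser.
# RecordOfInternalAddress is assumed to hold only 10.0.0.0/8, as in anthall's reply.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

def expand(token):
    """Turn the short prefix form used in the thread (1/5, 10/8) into a full address/prefix."""
    addr, plen = token.split("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ".".join(octets) + "/" + plen

def parse_field(field):
    """'*' matches any address; IN/OUT are relative to RecordOfInternalAddress;
    anything else is a comma-separated list of prefixes (assumed interpretation)."""
    if field == "*":
        return lambda ip: True
    if field in ("IN", "OUT"):
        want_in = field == "IN"
        return lambda ip: any(ip in n for n in INTERNAL) == want_in
    nets = [ipaddress.ip_network(expand(p), strict=False) for p in field.split(",")]
    return lambda ip: any(ip in n for n in nets)

def fires(conf_lines, sig, src_ip, dst_ip):
    """Exclude suppresses the alarm for matching pairs; a matching Include overrides the exclude."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    excluded = included = False
    for line in conf_lines:
        kind, s, _subsig, sfield, dfield = line.split()
        if s != sig or not (parse_field(sfield)(src) and parse_field(dfield)(dst)):
            continue
        excluded |= kind == "RecordOfExcludedPattern"
        included |= kind == "RecordOfIncludedPattern"
    return included or not excluded

EXTERNAL_LIST = "1/5,8/7,11/8,13/8,16/4,32/3,128/1"
# Wilfried's wizard output as Marcoa reconstructed it.
ORIGINAL = ["RecordOfExcludedPattern 20000 * * *",
            f"RecordOfIncludedPattern 20000 * {EXTERNAL_LIST} 10/8"]
# Marcoa's suggested exclude-only lines.
EXCLUDE_ONLY = [f"RecordOfExcludedPattern 20000 * {EXTERNAL_LIST} *",
                "RecordOfExcludedPattern 20000 * * 10/8"]
# anthall's IN/OUT form, which Wilfried reports works.
IN_OUT = ["RecordOfExcludedPattern 20000 * * *",
          "RecordOfIncludedPattern 20000 * OUT IN"]

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("exclude-only", EXCLUDE_ONLY), ("IN/OUT", IN_OUT)):
        for src, dst in (("203.0.113.5", "10.2.2.2"), ("10.1.1.1", "10.2.2.2")):
            print(f"{name:13s} {src} -> {dst}: fires={fires(conf, '20000', src, dst)}")
```

Under these semantics the original lines do not fire for 10/8 to 10/8 traffic, so the behaviour Wilfried saw would point at the prefix syntax rather than the exclude/include logic; the exclude-only variant never fires for an external source to 10/8, which is the opposite of the stated goal.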

Hello Marcoa,

you misunderstood my intention. The alarm should be triggered every time a TCP SYN packet passes the monitored network with a source of outside (Internet) addresses and a destination in our internal network.

The created signature part:

RecordOfIncludedPattern 20000 * 1/5,8/7,11/8,13/8,16/4,32/3,128/1 10/8

doesn't work as expected. I've had no time to check other definitions for 1/5. Instead I use the IN and OUT keywords which works now.

Wilfried

Yes, thank you.

Why do it easy if you can do it difficult ;-)

Wilfried
