
Cisco IPS 4200 Series Sensors

Configuring IDS TCP Reset Using IDM and IEV

Document ID: 44903



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Configure
      Network Diagram
      Configurations
Start the Sensor Configuration
Add the Sensor into the IEV
Configure the TCP Reset for the Cisco IOS Router
Verify
      Launch the Attack and the TCP Reset
Troubleshoot
      Tips
Related Information

Introduction

This document discusses the configuration of the Intrusion Detection System (IDS) TCP Reset using the IDS Device Manager (IDM) and IDS Event Viewer (IEV). IDM and IDS Sensors are used to manage a Cisco router for TCP Reset. When considering this configuration, please remember these items:

  • Install the Sensor and make sure the Sensor works properly.

  • Make the sniffing interface span to the router's outside interface.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IDS Event Viewer 4.1.1S(50)

  • Cisco IDS Sensor 4.1.1S(50)

  • Cisco IOS® router with Cisco IOS Software Release 12.2(15)T5

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure

Network Diagram

This document uses the network setup shown in this diagram.

idstcpreset-1.gif

Configurations

This document uses the configurations shown here.

Router Light

Current configuration : 906 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname light
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
!
!
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
controller E1 2/0
!
!
!
interface FastEthernet0/0
 ip address 100.100.100.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI4/0
 no ip address
 shutdown
!
interface BRI4/1
 no ip address
 shutdown
!
interface BRI4/2
 no ip address
 shutdown
!
interface BRI4/3
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip http server
ip pim bidir-enable
!
!
dial-peer cor custom
!
!
line con 0
line 97 108
line aux 0
line vty 0 4
 login
!
end

Router House

Current configuration : 939 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname house
!
logging queue-limit 100
enable password cisco
!
ip subnet-zero
!
!
no ip cef
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
interface FastEthernet0/0
 ip address 10.66.79.210 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 100.100.100.1 255.255.255.0
 duplex auto
 speed auto
!
interface ATM1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.79.193
ip route 1.1.1.0 255.255.255.0 100.100.100.2
no ip http server
no ip http secure-server
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
line vty 5 15
 login
!
!
end

Start the Sensor Configuration

Complete these steps to start the configuration of the Sensor.

  1. If this is your first time logging into the Sensor, you must enter cisco as the user name and cisco as the password.

  2. When the system prompts you, change your password.

    Note: Cisco123 is a dictionary word and is not allowed in the system.

  3. Type setup and follow the system prompts to set up the basic parameters for the Sensor.

  4. Enter this information:

    sensor5#setup 
    
        --- System Configuration Dialog --- 
    
    
    !--- At any point you may enter a question mark '?' for help. 
    !--- Use ctrl-c to abort the configuration dialog at any prompt. 
    !--- Default settings are in square brackets '[]'. 
    
    
    Current Configuration: 
    
    networkParams 
    ipAddress 10.66.79.195 
    netmask 255.255.255.224 
    defaultGateway 10.66.79.193 
    hostname sensor5 
    telnetOption enabled 
    accessList ipAddress 10.66.79.0 netmask 255.255.255.0 
    exit 
    timeParams 
    summerTimeParams 
    active-selection none 
    exit 
    exit 
    service webServer 
    general 
    ports 443 
    exit 
    exit 
  5. Save the configuration.

    It might take a few minutes for the Sensor to save the configuration.

    [0] Go to the command prompt without saving this config. 
    [1] Return back to the setup without saving this config. 
    [2] Save this configuration and exit setup. 
    
    Enter your selection[2]: 2 

Add the Sensor into the IEV

Complete these steps to add the Sensor into the IEV.

  1. Go to the Windows 2000 PC on which the IEV is installed and open the IEV.

  2. Select File > New > Device.

  3. Type in this information and click OK to finish the configuration.

    idstcpreset-2.gif

  4. Verify the Sensor status by selecting Devices > sensor5, then right-click and select Device Status.

    Make sure that you can see "Subscription successfully opened."

    idstcpreset-3.gif

Configure the TCP Reset for the Cisco IOS Router

Complete these steps to configure the TCP Reset for the Cisco IOS router.

  1. From the IEV PC, open your web browser and go to https://10.66.79.195.

  2. Click OK to accept the HTTPS certificate downloaded from the Sensor.

  3. In the login window, enter cisco for the user name and 123cisco123 for the password.

    This IDM management interface appears:

    idstcpreset-4.gif

  4. From the Configuration tab, click Sensing Engine.

  5. On the left pane, click Signature Wizard.

  6. Under Virtual Sensor Configuration, click the Start the Wizard button.

  7. Select Signature Type from Wizard Tasks, then choose TCP Stream Signature.

  8. Click Next to continue.

    idstcpreset-5.gif

  9. You can leave this information as Default or enter your own Signature ID and User Notes and click Next to continue.

    idstcpreset-6.gif

  10. Enter a Regular Expression ("testattack" is used in this example), enter 23 for Service Ports, select To Port for the Direction, and click Next to continue.

    idstcpreset-7.gif

  11. Set the Severity of the Alert to high and highlight Log and Reset in the Action to Take in Response list.

  12. Click Next to continue.

    idstcpreset-8.gif

  13. Use the Default settings in the Alert Behavior screen and click Next to continue.

    Click Advanced if you want to fine tune the alert behavior.

    idstcpreset-9.gif

  14. Click Create to create the new signature.

    idstcpreset-10.gif

  15. Click OK twice to confirm it.

    idstcpreset-11.gif

  16. From the main menu, click the Save Changes icon to apply the signature to the Sensor.

  17. This step is optional; use it if you want to verify the signature or modify it further.

    1. Click the Configuration tab and choose Sensing Engine.

    2. From the left pane, select Signature Configuration Mode under Virtual Sensor Configuration.

    3. Click All Signatures.

    4. From the Page drop-down menu, select 20002.

    5. For the Signature ID, check 20002 and click Edit.

      You can modify everything about this signature from this page.

    6. Click OK to confirm your change or click Cancel if you are not applying any changes.

      idstcpreset-12.gif
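The wizard fields above (regular expression, service port 23, direction To Port, actions Log and Reset) describe a stream signature: the Sensor reassembles the payload of each TCP flow in the inspected direction and fires once the regular expression matches. The following Python model is an added example, not Cisco code or the Sensor's engine; the segment layout, addresses and port numbers are constructed to follow the lab diagram. It shows why the direction setting matters (the router's echo of the same characters from port 23 does not trigger) and why one-keystroke-per-segment Telnet traffic still matches.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Payload of one TCP segment as seen on the sniffing interface (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class StreamSignature:
    """The fields the Signature Wizard asks for (hypothetical structure)."""
    sig_id: int
    regex: bytes
    service_ports: frozenset
    direction: str            # "to_port" (client -> service) or "from_port"
    severity: str
    actions: tuple


def flow_key(seg, sig):
    """Return the flow key if the segment travels in the inspected direction, else None."""
    if sig.direction == "to_port" and seg.dport in sig.service_ports:
        return (seg.src, seg.sport, seg.dst, seg.dport)
    if sig.direction == "from_port" and seg.sport in sig.service_ports:
        return (seg.src, seg.sport, seg.dst, seg.dport)
    return None


def inspect(segments, sig):
    """Reassemble per-flow payload in the configured direction; fire once per flow."""
    pattern = re.compile(sig.regex)
    streams = defaultdict(bytearray)
    fired = set()
    events = []
    for seg in segments:
        key = flow_key(seg, sig)
        if key is None or key in fired:
            continue
        streams[key] += seg.payload          # stream reassembly across segments
        if pattern.search(bytes(streams[key])):
            fired.add(key)
            events.append({
                "sig_id": sig.sig_id,
                "severity": sig.severity,
                "actions": sig.actions,      # ("log", "reset") -> alarm plus TCP Reset
                "attacker": f"{seg.src}:{seg.sport}",
                "victim": f"{seg.dst}:{seg.dport}",
            })
    return events


# Signature 20002 as configured in the wizard: regex "testattack", port 23, To Port.
SIG_20002 = StreamSignature(20002, rb"testattack", frozenset({23}),
                            "to_port", "high", ("log", "reset"))


def keystrokes(src, sport, dst, dport, text):
    """Telnet sends one character per segment; build those segments (constructed)."""
    return [Segment(src, sport, dst, dport, ch.encode()) for ch in text]


CLIENT, SERVER = "100.100.100.2", "100.100.100.1"   # Router Light -> Router House
# Attacker types the string at the prompt: client -> port 23, one byte per segment.
TO_PORT = keystrokes(CLIENT, 11001, SERVER, 23, "testattack\r\n")
# The router echoes the same characters back: port 23 -> client (not inspected).
ECHO = keystrokes(SERVER, 23, CLIENT, 11001, "testattack\r\n")
# Same string towards a port the signature does not cover.
OTHER_PORT = keystrokes(CLIENT, 11002, SERVER, 22, "testattack\r\n")

if __name__ == "__main__":
    for ev in inspect(TO_PORT + ECHO + OTHER_PORT, SIG_20002):
        print(ev)
```

Only the client-to-port-23 flow produces an event; the echo and the port-22 flow do not, which is the behaviour the Direction and Service Ports settings are meant to give you.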

Verify

Launch the Attack and the TCP Reset

Complete these steps to launch the attack and the TCP Reset.

  1. Before you launch the attack, go to the IEV and select Tools > Realtime Dashboard and click Launch Dashboard.

  2. From the Router Light, Telnet to Router House and enter testattack.

    Press either <space> or <enter> to reset your Telnet session.

    light#telnet 100.100.100.1 
    Trying 100.100.100.1 ... Open 
    
    User Access Verification 
    Password: 
    house>en 
    Password: 
    house#testattack 
    [Connection to 100.100.100.1 closed by foreign host] 
    
    !--- Telnet session has been reset because the 
    !--- signature "testattack" triggered. 
    
    
  3. In the IDS Event Viewer Dashboard, the red alarm appears once the attack is launched.

    idstcpreset-13.gif

  4. In the Dashboard, highlight one of the alarms, right-click, and choose Show Context or NSDB Link to view more detailed information about the alarm.

    You can check the online version of the NSDB in the Cisco Secure Encyclopedia (registered customers only).

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Tips

Use these troubleshooting tips:

  • Shunning works out of the command and control port to reprogram the router access control lists (ACLs). The TCP Resets are sent from the sniffing interface of the Sensor. When you set span in the switch, use the set span <src_mod/src_port> <dest_mod/dest_port> both inpkts enable command so that traffic in both directions is mirrored and incoming packets are enabled on the destination port, as shown here.

    banana (enable)set span 2/12 3/6 both inpkts enable 
    Overwrote Port 3/6 to monitor transmit/receive traffic of Port 2/12 
    Incoming Packets enabled. Learning enabled. Multicast enabled. 
    banana (enable) 
    banana (enable) 
    banana (enable)show span 
    
    Destination     : Port 3/6              
    !--- connect to sniffing interface of the sensor 
    Admin Source    : Port 2/12        
    !--- connect to FastEthernet0/0 of Router House 
    Oper Source     : Port 2/12 
    Direction       : transmit/receive 
    Incoming Packets: enabled  
    Multicast       : enabled 
  • If the TCP Resets are working, check whether the alarm is triggered for action type TCP Reset. If the alarm appears, check that the signature type is set to TCP reset.

    Log in using the service account, su to root, and issue this command. This command assumes the sensing interface is eth0.

    [root@sensor1 root]#tcpdump -i eth0 -n 

    Note: One hundred TCP resets are sent to the victim/target, then one hundred are sent to the attacker/client.

    This is example output:

    03:06:00.598777 64.104.209.205.1409 > 
     10.66.79.38.telnet: R 107:107(0) ack 72 win 0 
    03:06:00.598794 64.104.209.205.1409 > 
     10.66.79.38.telnet: R 108:108(0) ack 72 win 0 
    
    03:06:00.599360 10.66.79.38.telnet > 
     64.104.209.205.1409: R 72:72(0) ack 46 win 0 
    03:06:00.599377 10.66.79.38.telnet > 
     64.104.209.205.1409: R 73:73(0) ack 46 win 0 
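When you verify the resets with tcpdump, the things to look for in the output above are that RST segments appear in both directions (to the target and to the client), that each burst carries consecutive sequence numbers, and that the window is zero. The following Python parser is an added example, not Cisco code: it reads tcpdump lines of the format shown above (one packet per line; the sample below is constructed from the page's output plus two ordinary data segments) and summarizes the reset bursts per direction so that the check does not rely on reading hundreds of lines by eye.

```python
import re
from collections import defaultdict

# Classic tcpdump TCP line: "ts src.sport > dst.dport: FLAGS seq0:seq1(len) [ack N] win W"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[A-Z.]+)\s+(?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if the line does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for field in ("seq0", "seq1", "len", "win"):
        pkt[field] = int(pkt[field])
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] is not None else None
    return pkt


def summarize_resets(lines):
    """Group RST segments by (src, dst) and describe each burst."""
    by_dir = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or "R" not in pkt["flags"]:
            continue                      # skip non-RST traffic and unparsable lines
        by_dir[(pkt["src"], pkt["dst"])].append(pkt)
    summary = {}
    for (src, dst), pkts in by_dir.items():
        seqs = [p["seq0"] for p in pkts]
        summary[(src, dst)] = {
            "count": len(pkts),
            # The Sensor walks the sequence number one byte at a time per reset.
            "consecutive_seq": all(b == a + 1 for a, b in zip(seqs, seqs[1:])),
            "zero_window": all(p["win"] == 0 for p in pkts),
            "single_ack": len({p["ack"] for p in pkts}) == 1,
        }
    return summary


def resets_both_directions(summary, client, target):
    """True when resets were sent both towards the target and back towards the client."""
    return (client, target) in summary and (target, client) in summary


# Constructed sample: the four RST lines from the output above joined to one line
# each, plus two ordinary data segments that the summary must ignore.
SAMPLE = [
    "03:06:00.590000 64.104.209.205.1409 > 10.66.79.38.telnet: P 95:107(12) ack 72 win 4096",
    "03:06:00.590500 10.66.79.38.telnet > 64.104.209.205.1409: . 72:72(0) ack 107 win 4096",
    "03:06:00.598777 64.104.209.205.1409 > 10.66.79.38.telnet: R 107:107(0) ack 72 win 0",
    "03:06:00.598794 64.104.209.205.1409 > 10.66.79.38.telnet: R 108:108(0) ack 72 win 0",
    "03:06:00.599360 10.66.79.38.telnet > 64.104.209.205.1409: R 72:72(0) ack 46 win 0",
    "03:06:00.599377 10.66.79.38.telnet > 64.104.209.205.1409: R 73:73(0) ack 46 win 0",
]

if __name__ == "__main__":
    s = summarize_resets(SAMPLE)
    for direction, info in s.items():
        print(direction, info)
    print("both directions:", resets_both_directions(s, "64.104.209.205", "10.66.79.38"))
```

If only one direction shows up, or the sequence numbers are not consecutive, the packets you are seeing are more likely normal session teardown than Sensor-generated resets, which points back at the signature action or the SPAN configuration.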


Related Information



Updated: Jun 16, 2008
Document ID: 44903