Task 2.3

Hi,

I had the following settings and the attacker/packet was denied when the signature fired.

Any idea why the subtracted action didn't take place?

Attaching the sig config, event rules config and show events output


IPS(config-sig-sig)# sh sett
   sig-id: 60005
   subsig-id: 0
   -----------------------------------------------
      alert-severity: high default: medium
      sig-fidelity-rating: 100 default: 75
      promisc-delta: 0 <defaulted>
      sig-description
      -----------------------------------------------
         sig-name: My Sig <defaulted>
         sig-string-info: My Sig Info <defaulted>
         sig-comment: Sig Comment <defaulted>
         alert-traits: 0 <defaulted>
         release: custom <defaulted>
         sig-creation-date: 20000101 <defaulted>
         sig-type: Other <defaulted>
      -----------------------------------------------
      engine
      -----------------------------------------------
         string-tcp
         -----------------------------------------------
            event-action: produce-alert|deny-attacker-inline default: produce-alert
            strip-telnet-options: false <defaulted>
            specify-min-match-length
            -----------------------------------------------
               no
               -----------------------------------------------
               -----------------------------------------------
            -----------------------------------------------
            regex-string: [Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]
            service-ports: 23
            direction: to-service <defaulted>
            specify-exact-match-offset
            -----------------------------------------------
               no
               -----------------------------------------------
                  specify-max-match-offset
                  -----------------------------------------------
                     no
                     -----------------------------------------------
                     -----------------------------------------------
                  -----------------------------------------------
                  specify-min-match-offset
                  -----------------------------------------------
                     no
                     -----------------------------------------------
                     -----------------------------------------------
                  -----------------------------------------------
               -----------------------------------------------
            -----------------------------------------------
            swap-attacker-victim: false <defaulted>
         -----------------------------------------------
      -----------------------------------------------
      event-counter
      -----------------------------------------------
         event-count: 1 <defaulted>
         event-count-key: Axxx <defaulted>
         specify-alert-interval
         -----------------------------------------------
            no
            -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      alert-frequency
      -----------------------------------------------
         summary-mode
         -----------------------------------------------
            summarize
            -----------------------------------------------
               summary-interval: 15 <defaulted>
               summary-key: Axxx <defaulted>
               specify-global-summary-threshold
               -----------------------------------------------
                  no
                  -----------------------------------------------
                  -----------------------------------------------
               -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      status
      -----------------------------------------------
         enabled: true <defaulted>
         retired: false <defaulted>
         obsoletes (min: 0, max: 65535, current: 0)
         -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
      vulnerable-os: general-os <defaulted>
      specify-mars-category
      -----------------------------------------------
         yes
         -----------------------------------------------
            mars-category: Info/Misc <defaulted>
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
IPS(config-sig-sig)#


IPS(config-eve)#
IPS(config-eve)# sh sett
   variables (min: 0, max: 256, current: 0)
   -----------------------------------------------
   -----------------------------------------------
   overrides (min: 0, max: 15, current: 1)
   -----------------------------------------------
      <protected entry>
      action-to-add: deny-packet-inline <defaulted>
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 90-100 <defaulted>
      -----------------------------------------------
   -----------------------------------------------
   alert-trait-overrides (min: 0, max: 16, current: 1)
   -----------------------------------------------
      <protected entry>
      alert-trait-to-add: alert-trait-value-32768 <defaulted>
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 60-100 <defaulted>
      -----------------------------------------------
   -----------------------------------------------
   filters (ordered min: 0, max: 4096, current: 2 - 0 active, 2 inactive)
   -----------------------------------------------
   INACTIVE list-contents
   -----------------------------------------------
      NAME: alert-only
      -----------------------------------------------
         signature-id-range: 60005 default: 900-65535
         subsignature-id-range: 0-255 <defaulted>
         attacker-address-range: 0.0.0.0-255.255.255.255 <defaulted>
         victim-address-range: 150.1.2.2-150.1.2.2 default: 0.0.0.0-255.255.255.255
         ipv6-attacker-address-range: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF <defaulted>
         ipv6-victim-address-range: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF <defaulted>
         attacker-port-range: 0-65535 <defaulted>
         victim-port-range: 0-65535 <defaulted>
         risk-rating-range: 0-100 <defaulted>
         actions-to-remove: deny-attacker-inline|deny-packet-inline default:
         deny-attacker-percentage: 100 <defaulted>
         filter-item-status: Enabled <defaulted>
         stop-on-match: False <defaulted>
         user-comment:  <defaulted>
         os-relevance: relevant|not-relevant|unknown <defaulted>
      -----------------------------------------------
      -----------------------------------------------
      NAME: deny-attacker
      -----------------------------------------------
         signature-id-range: 60005 default: 900-65535
         subsignature-id-range: 0-255 <defaulted>
         attacker-address-range: 0.0.0.0-255.255.255.255 <defaulted>
         victim-address-range: 0.0.0.0-255.255.255.255 <defaulted>
         ipv6-attacker-address-range: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF <defaulted>
         ipv6-victim-address-range: ::0-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF <defaulted>
         attacker-port-range: 0-65535 <defaulted>
         victim-port-range: 0-65535 <defaulted>
         risk-rating-range: 0-100 <defaulted>
         actions-to-remove: deny-packet-inline default:
         deny-attacker-percentage: 100 <defaulted>
         filter-item-status: Enabled <defaulted>
         stop-on-match: False <defaulted>
         user-comment:  <defaulted>
         os-relevance: relevant|not-relevant|unknown <defaulted>
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   general
   -----------------------------------------------
      global-overrides-status: Enabled <defaulted>
      global-filters-status: Enabled <defaulted>
      global-summarization-status: Enabled <defaulted>
      global-metaevent-status: Enabled <defaulted>
      threat-rating-adjustment-status: Enabled <defaulted>
      global-deny-timeout: 900 default: 3600
      global-block-timeout: 30 <defaulted>
      max-denied-attackers: 10000 <defaulted>
      one-way-tcp-reset-status: Enabled <defaulted>
   -----------------------------------------------
   target-value (min: 0, max: 5, current: 0)
   -----------------------------------------------
   -----------------------------------------------
   ipv6-target-value (min: 0, max: 5, current: 0)
   -----------------------------------------------
   -----------------------------------------------
   os-identification
   -----------------------------------------------
      calc-arr-for-ip-range: 0.0.0.0-255.255.255.255 <defaulted>
      configured-os-map (ordered min: 0, max: 50, current: 0 - 0 active, 0 inactive)
      -----------------------------------------------
      passive-traffic-analysis: Enabled <defaulted>
   -----------------------------------------------
   risk-categories
   -----------------------------------------------
      red-threat-threshold: 90 <defaulted>
      yellow-threat-threshold: 70 <defaulted>
      green-threat-threshold: 1 <defaulted>
      risk-levels (ordered min: 0, max: 32, current: 3 - 3 active, 0 inactive)
      -----------------------------------------------
      ACTIVE list-contents
      -----------------------------------------------
         <protected entry>
         NAME: _r1
         -----------------------------------------------
            risk-name: HIGHRISK <defaulted>
            threshold: 90 <defaulted>
         -----------------------------------------------
         -----------------------------------------------
         <protected entry>
         NAME: _r2
         -----------------------------------------------
            risk-name: MEDIUMRISK <defaulted>
            threshold: 70 <defaulted>
         -----------------------------------------------
         -----------------------------------------------
         <protected entry>
         NAME: _r3
         -----------------------------------------------
            risk-name: LOWRISK <defaulted>
            threshold: 1 <defaulted>
         -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
IPS(config-eve)#   

!

!

!


evIdsAlert: eventId=1041379909192000192 severity=high vendor=Cisco alarmTraits=32768
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1216
  time: 2014/12/30 16:53:48 2014/12/30 16:53:48 UTC
  signature: description=My Sig id=60005 created=20000101 type=other version=custom
    subsigId: 0
    sigDetails: My Sig Info
  interfaceGroup: vs0
  vlan: 32
  participants:
    attacker:
      addr: locality=OUT 130.1.32.3
      port: 47642
    target:
      addr: locality=OUT 150.1.2.2
      port: 23
      os: idSource=unknown relevance=relevant type=unknown
  actions:
    deniedPacket: true
    deniedAttacker: true
    deniedFlow: true
    tcpOneWayResetSent: true
  context:
    fromTarget:
000000  69 6E 65 2E 20 20 45 6E  64 20 77 69 74 68 20 43  ine.  End with C
000010  4E 54 4C 2F 5A 2E 0D 0A  52 32 28 63 6F 6E 66 69  NTL/Z...R2(confi
000020  67 29 23 75 73 65 72 07  0D 0A 52 32 28 63 6F 6E  g)#user...R2(con
000030  66 69 67 29 23 75 73 65  72 08 20 08 08 20 08 08  fig)#user. .. ..
000040  20 08 08 20 08 07 0D 0A  52 32 28 63 6F 6E 66 69   .. ....R2(confi
000050  67 29 23 75 73 65 72 07  0D 0A 52 32 28 63 6F 6E  g)#user...R2(con
000060  66 69 67 29 23 75 73 65  72 08 20 08 08 20 08 08  fig)#user. .. ..
000070  20 08 08 20 08 07 75 73  65 72 6E 61 6D 0D 0A 52   .. ..usernam..R
000080  32 28 63 6F 6E 66 69 67  29 23 75 73 65 72 6E 61  2(config)#userna
000090  6D 65 20 74 65 73 74 07  0D 0A 52 32 28 63 6F 6E  me test...R2(con
0000A0  66 69 67 29 23 75 73 65  72 6E 61 6D 65 20 74 65  fig)#username te
0000B0  73 74 20 70 61 73 73 77  08 20 08 57 6F 52 64 20  st passw. .WoRd
0000C0  74 65 73 74 0D 0A 52 32  28 63 6F 6E 66 69 67 29  test..R2(config)
0000D0  23 0D 0A 52 32 28 63 6F  6E 66 69 67 29 23 0D 0A  #..R2(config)#..
0000E0  52 32 28 63 6F 6E 66 69  67 29 23 75 73 65 72 6E  R2(config)#usern
0000F0  61 6D 65 20 74 65 73 74  20 70 61 73 73 77 6F 72  ame test passwor
    fromAttacker:
000000  FF FD 03 FF FB 20 FF FB  1F FF FB 21 FF FD 01 FF  ..... .....!....
000010  FC 18 FF FA 1F 00 50 00  18 FF F0 FF FC 20 63 69  ......P...... ci
000020  73 63 6F 0D 0A 63 69 73  63 6F 0D 0A 63 6F 6E 66  sco..cisco..conf
000030  69 67 20 74 0D 0A 75 73  65 72 09 08 08 08 08 08  ig t..user......
000040  0D 0A 75 73 65 72 09 08  08 08 08 08 75 73 65 72  ..user......user
000050  6E 61 6D 09 74 65 73 74  09 20 70 61 73 73 77 08  nam.test. passw.
000060  57 6F 52 64 20 74 65 73  74 0D 0A 0D 0A 0D 0A 75  WoRd test......u
000070  73 65 72 6E 61 6D 65 20  74 65 73 74 20 70 61 73  sername test pas
000080  73 77 6F 72 64                                    sword
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 100
  threatRatingValue: 55
  interface: ge0_1
  protocol: tcp


evStatus: eventId=1041379909192000193 vendor=Cisco
  originator:
    hostId: IPS
    appName: sensorApp
    appInstanceId: 1216
  time: 2014/12/30 16:53:48 2014/12/30 16:53:48 UTC
  denyAttackerStarted:
    description: denyAttackerStarted for address: 130.1.32.3
    address: 130.1.32.3

 

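Added illustration (editor's example, not the poster's configuration or Cisco code) of the sensor's action-processing order that the show output above exercises: the signature's event-action set is the starting point, event action overrides add actions when the risk rating falls in their range, and event action filters subtract actions, top-down, but only when the filter is Enabled and sits in the ACTIVE list. The `show settings` above lists both filters under `INACTIVE list-contents` (`0 active, 2 inactive`), so the model reproduces the event as logged (packet and attacker denied at risk rating 100) and then shows what the same filters would do once they are active. Everything about matching below is a simplification (only signature id, victim address and risk rating are checked); the names `process_event`, `Override` and `Filter` are the example's own.

```python
"""Model of Cisco IPS event-action processing (added example, not sensor code).

Assumed order, as documented for Cisco IPS event action rules:
  1. start from the signature's event-action set;
  2. event action overrides ADD an action when the event's risk rating
     is inside the override's risk-rating-range;
  3. event action filters REMOVE actions, evaluated top-down, but only
     filters that are in the ACTIVE list, Enabled and whose criteria match.
Signature, override and filter values are copied from the show output on
this page; the event values (sig 60005, target 150.1.2.2, risk rating 100)
come from the evIdsAlert.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Override:
    action_to_add: str
    rr_range: tuple          # inclusive (low, high) risk rating
    enabled: bool = True


@dataclass(frozen=True)
class Filter:
    name: str
    sig_range: tuple         # inclusive (low, high) signature ids
    victim_range: tuple      # inclusive (low, high) dotted-quad strings
    rr_range: tuple          # inclusive (low, high) risk rating
    actions_to_remove: frozenset
    active: bool             # True only when listed under ACTIVE list-contents
    enabled: bool = True
    stop_on_match: bool = False


def _in_ip_range(ip, rng):
    lo, hi = (int(ipaddress.ip_address(a)) for a in rng)
    return lo <= int(ipaddress.ip_address(ip)) <= hi


def process_event(sig_actions, sig_id, victim_ip, risk_rating, overrides, filters,
                  overrides_enabled=True, filters_enabled=True):
    """Return the final action set the sensor would apply to one event."""
    actions = set(sig_actions)
    if overrides_enabled:                       # global-overrides-status
        for o in overrides:
            if o.enabled and o.rr_range[0] <= risk_rating <= o.rr_range[1]:
                actions.add(o.action_to_add)
    if filters_enabled:                         # global-filters-status
        for f in filters:
            if not (f.active and f.enabled):
                continue                        # an INACTIVE filter subtracts nothing
            if not (f.sig_range[0] <= sig_id <= f.sig_range[1]):
                continue
            if not _in_ip_range(victim_ip, f.victim_range):
                continue
            if not (f.rr_range[0] <= risk_rating <= f.rr_range[1]):
                continue
            actions -= f.actions_to_remove
            if f.stop_on_match:
                break
    return frozenset(actions)


# Values taken from the page: signature 60005 and the single override.
SIG_ACTIONS = ("produce-alert", "deny-attacker-inline")
OVERRIDES = (Override("deny-packet-inline", (90, 100)),)


def filters_from_page(active):
    """The two filters from the page, in their listed order; 'active' selects the list."""
    return (
        Filter("alert-only", (60005, 60005), ("150.1.2.2", "150.1.2.2"), (0, 100),
               frozenset({"deny-attacker-inline", "deny-packet-inline"}), active),
        Filter("deny-attacker", (60005, 60005), ("0.0.0.0", "255.255.255.255"), (0, 100),
               frozenset({"deny-packet-inline"}), active),
    )


def as_shown():
    """Filters in the INACTIVE list, as on the page: both deny actions survive."""
    return process_event(SIG_ACTIONS, 60005, "150.1.2.2", 100,
                         OVERRIDES, filters_from_page(active=False))


def with_filters_active():
    """Same event once both filters are active: alert-only strips both deny actions."""
    return process_event(SIG_ACTIONS, 60005, "150.1.2.2", 100,
                         OVERRIDES, filters_from_page(active=True))


def other_target_with_filters_active():
    """Constructed target 150.1.2.3: alert-only no longer matches, deny-attacker still does."""
    return process_event(SIG_ACTIONS, 60005, "150.1.2.3", 100,
                         OVERRIDES, filters_from_page(active=True))


if __name__ == "__main__":
    print("as shown on the page :", sorted(as_shown()))
    print("filters active       :", sorted(with_filters_active()))
    print("other target, active :", sorted(other_target_with_filters_active()))
```

The first function reproduces the alert's `deniedPacket: true` / `deniedAttacker: true`: the override adds `deny-packet-inline` because the risk rating is 100, and nothing subtracts it because neither filter is in the active list. The other two functions show the subtraction taking effect once the filters are active, including the effect of `alert-only` being restricted to victim 150.1.2.2.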