Topic: A few IPS ones...........
ccietobe9
Member
posted February 19, 2012 02:44 PM
I am trying to understand some interpretations...
1. For the IPS initialization, if there is a question asking to configure "HTTP" on some port, e.g. 9090, does that mean that TLS needs to be disabled? I am really for a situation like this.
2. If a custom signature needs to be created to block the NSLOOKUP command when executed using the Administrator account on a Windows OS, what engine would need to be configured?
Thank you in advance.
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
posted February 20, 2012 11:44 PM
Even though we can disable TLS, an HTTP connection to the sensor has never worked for me.
For nslookup, create an atomic IP sig with UDP as the protocol and a destination port of 53.
With regards Kings
ccietobe9
Member
posted February 21, 2012 03:16 PM
quote: Originally posted by Kingsley Charles (CCSP, CCNP, CCIP): Even though we can disable TLS, an HTTP connection to the sensor has never worked for me.
For nslookup, create an atomic IP sig with UDP as the protocol and a destination port of 53.
With regards Kings
Kings, I want to disable the "COMMAND" nslookup when it is being executed by an administrator on an IPS. I know how to block the functionality of nslookup.
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
posted February 21, 2012 08:50 PM
nslookup is a Windows command, not an IPS command.
I am not getting your question.
With regards Kings
ccietobe9
Member
posted February 22, 2012 03:44 AM
quote: Originally posted by Kingsley Charles (CCSP, CCNP, CCIP): nslookup is a Windows command, not an IPS command.
I am not getting your question.
With regards Kings
My bad, I shouldn't be writing on forums in the middle of the night.
The question should be: I want to block the attacker when he executes the "COMMAND" nslookup as an administrator on a Windows machine. I know how to block the functionality of nslookup, but I want to block the connection only when it is executed by an admin.
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
posted February 23, 2012 12:10 AM
With Wireshark, I don't see anything specific to the user name in the DNS packets.
With regards Kings
ccietobe9
Member
posted February 27, 2012 07:57 PM
quote: Originally posted by Kingsley Charles (CCSP, CCNP, CCIP): With Wireshark, I don't see anything specific to the user name in the DNS packets.
With regards Kings
Thank you Kings. How about commands like ipconfig or netstat?
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
posted February 27, 2012 08:53 PM
Both are local commands; they don't interact with the network.
ipconfig /renew or ipconfig /release triggers DHCP packets on port numbers 67/68.
With regards Kings
shamulong
Member
posted March 17, 2012 08:32 AM
1. Yes, if you use HTTP you need to disable TLS. 2. You can use string UDP or string TCP, destination port 53, regex nslookup, and OS Windows.
ccie-member
Newbie
posted April 26, 2012 08:09 AM
Hi everyone, I have one doubt in IPS. We need to create one signature in IPS; what should be the engine and other parameters for this signature?
The question is:
Signature ID 60009
Prevent network attack on LINUX workstation that will prevent any netstat
Please reply soon.
Alarm severity HIGH
Deny packet/attacker/produce alert each time it is triggered.
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
posted April 29, 2012 12:19 PM
There are two interesting questions in this thread. I think I found the answer. Please share your thoughts.
1) If a custom signature needs to be created to block the NSLOOKUP command when executed using the Administrator account on a Windows OS, what engine would need to be configured?
Create two TCP string sigs, one with the regex "Administrator" and the other with "NSLOOKUP". Now put them into a meta sig and make sure you select strict order. The sig for "Administrator" should be the first one in the order. The two TCP string sigs should have some port number. I assume they should be telnet and hence we use port 23.
Or we can use multistring instead of using a meta and two TCP string sigs.
2) Signature ID 60009 - Prevent network attack on LINUX workstation that will prevent any netstat
Now for this, I guess the "netstat" is a scanner trying to scan the LINUX box.
So we should use "Atomic.IP" to capture it. But netstat doesn't particularly run on TCP or UDP. How to find the transport protocol and port is the challenge.
With regards Kings
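As an added illustration (not part of Kings' post or any Cisco IPS configuration), the ordered-component logic of the meta signature described above, modelled in Python over constructed sample payloads: a reassembled telnet session where "Administrator" precedes the nslookup command, the same text in reverse order, and the bare DNS query that nslookup actually emits, which carries no user name to match on, as noted earlier in the thread. The regexes, the telnet transcript and the DNS bytes are all constructed for this example.

```python
import re

# Component signatures, mirroring the two TCP string sigs suggested above:
# one for the account name, one for the command text.
COMPONENTS = [
    re.compile(rb"Administrator"),            # component 1: the login name
    re.compile(rb"nslookup", re.IGNORECASE),  # component 2: the command
]


def meta_match(payload: bytes, components=COMPONENTS, strict_order: bool = True) -> bool:
    """Return True when every component regex fires on the payload.

    strict_order=True models the meta engine's 'strict order' setting: each
    component must match after the previous component's match ended.
    strict_order=False accepts the components in any order.
    """
    if not strict_order:
        return all(c.search(payload) is not None for c in components)
    pos = 0
    for comp in components:
        m = comp.search(payload, pos)
        if m is None:
            return False
        pos = m.end()
    return True


# Constructed sample: a reassembled telnet (TCP/23) session to a Windows host.
TELNET_SESSION = (
    b"Welcome to Microsoft Telnet Service\r\n"
    b"login: Administrator\r\n"
    b"password: \r\n"
    b"C:\\Users\\Administrator>nslookup example.com\r\n"
)

# Constructed sample: the DNS query (UDP/53) nslookup puts on the wire for
# example.com: 12-byte header, QNAME labels, QTYPE A, QCLASS IN. No user name.
DNS_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
)


def demo() -> dict:
    """Run the three cases and return which ones the meta logic would fire on."""
    return {
        "telnet_strict": meta_match(TELNET_SESSION),
        "telnet_reversed": meta_match(b"C:\\>nslookup x\r\nlogin: Administrator\r\n"),
        "dns_query": meta_match(DNS_QUERY),
    }
```

Only the telnet session with the user name first fires; the DNS query alone never can, because the account that ran nslookup is not in the packet.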
ccie-member
Newbie
posted May 02, 2012 08:31 PM
NETSTAT... thanks for the support, sir. I have chosen the engine as TCP string. If anybody knows the answer or has got the same question in the lab then please reply soon.
NewAgeQuanta
Specialist
posted May 14, 2012 07:54 PM
Just a comment on the non-functionality of plain-Jane HTTP: it does work, just not on the default port for some reason.
Essentially, if we disable TLS, the only way I have been able to get it to work is to change the port to a non-default one.
Nic