IDS Signature Attacks - OVERLOAD

Guys,
I know that this has been talked about many times, but I wanted to ask about a couple of points.
Question 1. On the WCS, on some days we are receiving up to 70+ critical alarms for signature attacks. These are all Deauth, Auth Flood attacks. (There are a couple of Assoc floods).
Please see the similar post on the open forum:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0798a
Now, in the signature file we have the following profiles set. (Please note Deauth flood and Assoc flood, BUT NO AUTH FLOOD)
Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0:0x0000:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood", Track=signature_n_mac, MacFreq=30
Can you guys or Cisco TAC advise us on whether we need to change these values, and are there any rules? And where is the signature pattern for an "Auth flood"? I don't see it in the file.
Question 2. The WCS only appears to report these critical signature alarms (and other alarms) for the last 7 days. I have tried to read through the WCS documentation and cannot find what happens to the alarms after 7 days and if this 7 day period is configurable?
Once again, many thanks guys for all the help,
Ken ( all IDS'd out )

I hadn't noticed before that the AUTH FLOOD has no corresponding IDS signature file entry - bizarre!
Attempts to get TAC to come up with any recommended changes for the signature file (at least in my experience going all the way to 3rd level TAC) resulted in an awkward silence at the other end of the line. I hope that your experience is better.
Each version of WLC software appears to fix some false alarms, but sometimes generates new ones. It is unclear if this is due to differing values in the signature file or (more likely) due to new code anomalies.
If you do run across better documentation on the Wireless IDS signature file, please feed it back into the forum.
As regular forum readers can attest, the Wireless IDS system false alarms, the lack of explanation of the threat posture of these alarms, as well as the lack of documentation for tuning the signature file values without completely disabling the alarms, have been a sore spot with me.
I would even submit that it would be more helpful if Cisco would add a mechanism that would automatically forward these WIDS alarms (on a voluntary basis) back to Cisco. This would help Cisco developers get a better idea of the numerous false positives we are seeing out here in the field and enable them to provide a better-tuned signature file in the first place!
You may find the following post of interest:
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc08c87
As far as question 2 goes, when I tested this on our WCS 5.0, I am showing critical level security "WPA MIC" errors that go back to 5/19/08 (almost a month old).
Please remember to rate helpful posts.
John

Similar Messages

  • IDS Signature attack detected...

    I think my WLAN is under two DOS attacks, Deauth flood and Reassociation flood... The following are the traps shown on the controller (WLC 4402):
    IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: W-Seattle-StudioRm8-02Flr-B-Fa36, Radio Type: 802.11b/g, Preced: 9, Hits: 30, Channel: 1, srcMac: 00:15:AF:ED:96:36
    IDS Signature attack detected. Signature Type: Standard, Name: Reassoc flood, Description: Reassociation Request flood, Track: per-signature, Detecting AP Name: W-Seattle-StudioRm2-02Flr-B-Fa43, Radio Type: 802.11b/g, Preced: 6, Hits: 50, Channel: 6, srcMac: 00:1D:E0:99:5E
    The network is for hotel guests so there is no authentication/encryption... Any suggestions about how I can mitigate those attacks?
    In the trap messages they also list the Src MAC addresses. However, I was reading about those two attacks and it seems the attacks are actually spoofing MAC addresses of clients. So are they the real MAC addresses of the hacker? Should I block them?
    If I should, how can I do it? I was thinking of using MAC-filter, however it seems to only allow clients with configured MAC addresses and will deny the ones that are not listed... As you can guess, we are a hotel environment and we can't keep allowing new MAC addresses for new guests... So any suggestions?
    Any advice is welcome! Thank you!

    When you see 'deauth flood' messages this means that an AP is seeing a lot of deauths in the air. These messages often happen when a NIC card leaves an area where there are dense APs.
    If you want this to trigger less often:
    5.0:
    Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack
    Wireless Protection Policies > Standard Signatures > >
    modify/save
    for example if you wanted to see the alarm on '60' detections of 'Deauth flood' instead of '50'.
    Below 5.0:
    You can modify the IDS settings so that the messages occur less often or not at all:
    http://www.cisco.com/warp/public/102/controller_ids_sig.html
    If you want it to trigger not at all:
    Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack
    Below 5.0:
    http://www.cisco.com/warp/public/102/controller_ids_sig.html

  • Signature attack ???

    The wireless network uses a 2100 controller running 4.2.205.0 and 1242G APs.
    In the 2100 controller's trap log:
    103 Thu Sep 16 14:49:19 2010 IDS Signature attack cleared. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-Mac, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Channel: 11
    104 Thu Sep 16 14:49:05 2010 IDS Signature attack cleared. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: AP9caf.ca01.c870, Radio Type: 802.11b/g, Preced: 9, Channel: 1
    105 Thu Sep 16 14:48:15 2010 IDS Signature attack cleared. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Channel: 11
    109 Thu Sep 16 14:31:49 2010 IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Hits: 50, Channel: 11, srcMac: 00:1C:BF:7D:49:3F 
    110 Thu Sep 16 14:31:23 2010 IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-Mac, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Hits: 30, Channel: 11, srcMac: 00:1C:BF:7D:49:3F
    Does someone really want to attack my wireless network?
    Thanks!

    Could be.  Your AP is detecting an Intel Wireless NIC flooding de-authenticate messages.  Your best bet is to track this machine down or contain it.
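One way to make sense of a trap log like the one in this thread, added here as an example (it is not Cisco code): pair each "detected" trap with the "cleared" trap that ends it and report how long each episode lasted and which source address was involved. The pairing rule (same signature name, track and detecting AP) is an assumption; the input is a constructed copy of the five trap lines above.

```python
"""Correlate WLC 'IDS Signature attack detected/cleared' trap lines.
Assumption: a 'cleared' trap closes the newest open 'detected' trap that
has the same signature name, track and detecting AP."""
import re
from datetime import datetime

# Constructed input: the five trap-log lines from the post, newest first
TRAP_LOG = """\
103 Thu Sep 16 14:49:19 2010 IDS Signature attack cleared. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-Mac, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Channel: 11
104 Thu Sep 16 14:49:05 2010 IDS Signature attack cleared. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: AP9caf.ca01.c870, Radio Type: 802.11b/g, Preced: 9, Channel: 1
105 Thu Sep 16 14:48:15 2010 IDS Signature attack cleared. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Channel: 11
109 Thu Sep 16 14:31:49 2010 IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Hits: 50, Channel: 11, srcMac: 00:1C:BF:7D:49:3F
110 Thu Sep 16 14:31:23 2010 IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-Mac, Detecting AP Name: AP9caf.ca01.c890, Radio Type: 802.11b/g, Preced: 5, Hits: 30, Channel: 11, srcMac: 00:1C:BF:7D:49:3F
"""

LINE_RE = re.compile(
    r'^\s*(?P<seq>\d+)\s+(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\s+'
    r'IDS Signature attack (?P<state>detected|cleared)\.\s*(?P<rest>.*)$')


def parse_trap(line):
    """Turn one trap line into a dict; None for lines that are not IDS traps."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {'seq': int(m['seq']), 'state': m['state'],
          'time': datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')}
    for field in m['rest'].split(', '):          # "Key: Value" pairs
        key, _, val = field.partition(': ')
        ev[key] = val
    return ev


def correlate(text):
    """Pair detections with the clear that ends them.
    Returns (incidents, clears with no matching detection, detections still open)."""
    events = [e for e in map(parse_trap, text.splitlines()) if e]
    events.sort(key=lambda e: e['time'])          # the trap log is newest-first
    open_by_key, incidents, orphans = {}, [], []
    for ev in events:
        key = (ev['Name'], ev['Track'], ev['Detecting AP Name'])
        if ev['state'] == 'detected':
            open_by_key[key] = ev
        elif key in open_by_key:
            start = open_by_key.pop(key)
            incidents.append({
                'name': start['Name'], 'track': start['Track'],
                'ap': start['Detecting AP Name'], 'src_mac': start['srcMac'],
                'hits': int(start['Hits']), 'started': start['time'],
                'cleared': ev['time'],
                'seconds': int((ev['time'] - start['time']).total_seconds())})
        else:
            orphans.append(ev)   # its detection lies outside this excerpt
    return incidents, orphans, list(open_by_key.values())
```

For the excerpt above this yields two Auth flood episodes from the same source address on the same AP, each lasting a little over sixteen minutes, plus one Deauth flood clear whose detection is not in the excerpt.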

  • IDS signature tuning... interval questions.

    Just starting out trying to tune some signatures to fit our environment, and looking for clarification on some parameters of IDS signatures.
    For example: 2152 - ICMP flood
    It uses the "Flood Host" engine with the action parameters:
    Limit type: percentage (100)
    Rate: 25
    Event count: 1
    Event count key: victim address
    Specify interval: No
    Summary mode: Fire all
    Threshold: 10000
    Interval: 30
    Global threshold: 20000
    Summary key: victim address
    Can someone translate this into English?
    I'm guessing 25 packets/sec of ICMP traffic to the same destination would trigger the "event". And the 100% limit means...? 25 in a row?
    And the summaries?
    At least the "flood host" has a clear interval, but many of the scans do not. For example, 3002 or 3030 - TCP SYN port sweep. This specifies a number of "unique" packets with the same key (attacker address, or attacker and victim, or other combination) but does not specify the interval. Is this also per-second? The documentation simply says "The unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the address set within the time period."
    What is the "time period" and where is it set? For these alerts (as well as the previous) the "Specify Alert Interval" is set to "No".

    I can't claim to understand some of the "scan" signatures either...most of ours are disabled.
    The limit type and percentage would only seem applicable if you're using the "request rate limit" action in inline mode. I don't think they have anything to do with alarming.
    For this particular signature I believe the most relevant variable is rate, which you already seem to understand.
    The alert frequency settings allow you to change the summary mode from "fire all" to "summarize" or "global summarize" based on the number of alerts being generated. This probably has other uses, but the one that immediately comes to mind is to prevent the monitoring system from being overloaded with spurious alarms.
    As far as 3030 - TCP SYN port sweep...I don't understand it either. Do a search for it on the forums, there have been other questions.

  • Best Practise for WLC IDS Signature Thresholds

    Hi, are there any best practices for WLC IDS Signature thresholds?
    Thanks!
    KR,
    Rena

    You can configure IDS signatures, or bit-pattern matching rules used to identify various types of attacks in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller. If an attack is detected, appropriate mitigation is initiated.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_0111110.html#d162818e187a1635

  • Disassoc flood - false alarms - IDS signature file needs adjustment

    Another interesting observation regarding Disassociation flood wireless IDS alarms:
    When a wireless client goes out of range of an AP, it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
    However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
    Disassociation, Deauth Flood, and Bcast Deauth
    This has resulted in fewer false alarms (except for Bcast deauth, which is the result of the WLC alarming on its own containment messages - see previous thread!).
    Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
    Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).
    - John

    Hi,
    I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours). Is it possible that a similar problem with signatures is causing this?
    Scott
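A toy model of how the Freq and MacFreq thresholds in the signature lines quoted in the opening post behave, added here as an example and not code from the thread or from Cisco; it replays the 64-frame disassociation burst described in the post above against Freq=50 and Freq=80. The one-second counting window, the moment an alarm fires, the byte order used to compare the Pattern field, the Disassoc flood line and the station MAC are all assumptions or constructed.

```python
"""Toy model of the WLC signature-file thresholds quoted in this thread.
Assumptions, not confirmed by the thread: Freq and MacFreq count matching
frames per one-second window, an alarm is raised the moment a count reaches
its threshold, and 'Pattern = off:x:val:mask' compares the two bytes at
offset 'off' (first byte as the low byte, so that 0x00C0 lines up with the
0xC0 deauthentication frame-control byte) after AND-ing them with 'mask'."""
import re
from collections import defaultdict

# Constructed input: the Deauth flood line quoted in the thread plus a
# hypothetical Disassoc flood line modelled on it (0xA0 is the 802.11
# frame-control byte of a disassociation frame).
SIG_FILE = '''
Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0:0x00C0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood", Track=signature_n_mac, MacFreq=30
Name = "Disassoc flood", Ver = 0, Preced= 7, FrmType = mgmt, Pattern = 0:0:0x00A0:0x00FF, Freq=50, Quiet = 600, Action = report, Desc="Disassociation flood", Track=signature_n_mac, MacFreq=30
'''

FIELD_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')


def parse_signature_file(text):
    """Return one dict per 'Name = ...' line, numeric fields converted."""
    sigs = []
    for line in text.splitlines():
        if not line.strip().startswith('Name'):
            continue
        sig = {k: v.strip().strip('"') for k, v in FIELD_RE.findall(line)}
        off, _, val, mask = sig['Pattern'].split(':')
        sig['offset'], sig['value'], sig['mask'] = int(off), int(val, 16), int(mask, 16)
        for k in ('Freq', 'MacFreq', 'Quiet', 'Preced'):
            sig[k] = int(sig[k])
        sigs.append(sig)
    return sigs


def matches(sig, frame):
    """Does the frame match the signature's masked two-byte pattern?"""
    off = sig['offset']
    word = int.from_bytes(frame[off:off + 2], 'little')
    return (word & sig['mask']) == sig['value']


def detect(sigs, frames):
    """frames: (t_seconds, src_mac, bytes). Returns alarms as
    (name, track, key, hits); one per track per one-second window."""
    per_sig = defaultdict(int)   # (name, second)      -> matching frames
    per_mac = defaultdict(int)   # (name, second, mac) -> matching frames
    alarms = []
    for t, mac, body in frames:
        sec = int(t)
        for sig in sigs:
            if not matches(sig, body):
                continue
            per_sig[(sig['Name'], sec)] += 1
            per_mac[(sig['Name'], sec, mac)] += 1
            if per_sig[(sig['Name'], sec)] == sig['Freq']:
                alarms.append((sig['Name'], 'per-signature', sec, sig['Freq']))
            if per_mac[(sig['Name'], sec, mac)] == sig['MacFreq']:
                alarms.append((sig['Name'], 'per-Mac', mac, sig['MacFreq']))
    return alarms


def disassoc_burst(n=64, mac='00:00:5e:00:53:01'):
    """Constructed traffic: the 64-frame disassociation burst the post
    describes, all from one station within one second (mac is made up)."""
    body = bytes([0xA0, 0x00]) + bytes(22)     # frame control + zeroed header
    return [(10.0 + i / 1000, mac, body) for i in range(n)]


def alarms_with_freq(freq):
    """Replay the burst with every signature's Freq set to 'freq'
    (50 as shipped, 80 as the post says Cisco recommended)."""
    sigs = parse_signature_file(SIG_FILE)
    for sig in sigs:
        sig['Freq'] = freq
    return detect(sigs, disassoc_burst())
```

Under these assumptions Freq=80 removes the per-signature alarm for the burst, but the per-Mac track (MacFreq=30) still fires on 64 frames from one address, so MacFreq deserves the same review when tuning.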

  • IDS Signature update S(184)

    The IDS signature update S(184) included [MS plug and play - 6131]. This particular SIG ID is disabled, and the severity is Information. Does anyone know how to enable it and change it to high?
    Thank you

    You can use IDM (https://) to change the severity and enable the signature. The other management platforms also provide you a means to change it as well.

  • MC-IDS - Error Updating Network IDS Signatures

    MC for IDS Sensors
    Update Network IDS Signatures
    Error
    Object update failed. The update package provided appears to be corrupt, or permission was denied for reading the file. Please verify the update package contents and retry the operation.
    I verified the checksum of 4207248 matches the file I downloaded from CCO. We are running on Solaris. What userid is VMS using to read?
    Any ideas ? -jason
    root@bnavms # cd/opt/CSCOpx/MDC/etc/ids/updates/
    root@bnavms # su jra
    root@bnavms # ls -l
    -rw-r--r-- 1 jra other 4207248 Jan 7 09:30 IDS-sig-4.1-4-S136.rpm.pkg

    You need to get the .zip version of the update. It can be found on the same CCO download page under the IDSMC -> IDS Management Console link at the bottom of the page.

  • Problem updating IDS signatures

    I have an IDS-4215 sensor with version 5.1(5)E1S333V1.2
    I tried several times updating signatures with the next version on it but it does not get updated and only the local MC gets upgraded. I have other IDS sensors also but I don't have any problem updating signatures with them.
    Why are the signatures not getting updated on this sensor?
    Help me with a solution. All helpful posts will be rated.

    Did you try applying S355 directly to the sensor using the CLI or IDM rather than the MC?
    Sometimes you don't get good error messages when trying to apply through the MC.
    If you apply through CLI or IDM did you get any messages back from the sensor?
    Did you get a success message? If doing it from the CLI did it come back to a CLI prompt?
    If no error messages come back when trying the upgrade, then it will require looking at a "show tech" from your sensor to try and see what is going on.
    You would not want to copy that output to this forum, so your best bet would be to open up a TAC case and provide them the output from when you tried applying the update through the CLI or IDM, as well as the output from the "show tech" taken immediately after the failed upgrade attempt.
    I am not currently aware of any situation where the upgrade would fail without some type of error message being returned.
    Here, however, are some common errors that should return an error message (I don't remember the exact wording of the error messages):
    1) sensorApp/analysis engine is Not Running
    (you can check "show version" before doing the upgrade to make sure it is Running).
    2) sensorApp/analysis engine is not responding (you can do a "show stat vi" before trying the upgrade to ensure it is responding to statistic requests before trying the upgrade)
    3) license has expired (you can do a "show ver" and make sure the license has not expired)
    4) Signature Update already installed - This is a tricky one. This can happen when a previous attempt to update at that same signature level failed, but left some remnants around. The second attempt to install the same update detects the remains of the previous failure and incorrectly thinks that the update is already installed. There are 2 ways to recover from this. Save off the config, and do a recover-application command to re-image the sensor, then re-apply the config. Or wait till the next signature update S356 comes out and try it with the newer sig update. I haven't seen this problem in a long time, and I am not sure if it can happen anymore. Steps were taken to try and prevent this from happening.
    5) sensorApp/analysis engine could stop during the signature update - This can happen on lower end sensors like the IDS-4215, especially when tunings have been made to the signatures or custom signatures have been created. The low end sensors have limited memory. When a new signature update is applied the sensor has to compile the new signatures. If using the standard set of signatures with no user tunings, then the signature update should apply fine. But if the customer has made tunings and/or added custom signatures, then this compiling of the new signatures could push the sensor above its allowed memory limits. The kernel will then kill sensorApp/analysis engine. The signature update will never complete (never get an error OR a success message). And the sensor has to be rebooted to get it working again. If you are running into this issue you might need to remove some of your tunings and custom signatures, apply the signature update, and then re-apply your tunings.

  • IDS Signature Updates

    When I update my IDS sensors using the IDS MC, 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system administrator.". The IDS MC progress viewer shows 100% but with errors. Its errors are: Sensor Int_IDS1: Signature Update Process
    An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
    One sensor works fine with no problems.
    I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through the command line and ftp and the same 3 fail. The 3 sensors that fail are 4235's and the successful sensor is a 4250 XL.

    If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
    The patch location is posted in another thread.

  • Cisco IDS signature update vs. Snort

    Greetings all
    I have a question for anyone using any Cisco IDS products.
    How often does the Cisco IDS/IDSM update its signatures, and are the updates comparable to Snort? Example: An exploit is known... Snort publishes an update... can a similar update be found for Cisco IDS?
    Regards
    Fredrik Hofgren

    Cisco does not update as frequently or completely as Snort. Cisco also tends to give much higher priority to releasing signatures on vulnerabilities that affect their own products. There are also many signatures released for Snort that never seem to make their way to Cisco from what we have seen.

  • IPS/IDS Signature updates

    Just a quick question, will there be a charge for upgrading the signatures? In other words will you have to pay to download the new updates as they come out?

    What about the IOS IPS with 5.x? It looks like the IOS IPS doesn't support the 5.x signatures due to current engine support, yet I haven't been able to find an EOL on IOS IPS.

  • IDS Signature configuration - Using masks and Flags

    Hi all,
    It is not clear to me how to use "mask" and "flags" while editing a signature on IDM. In the wizard, I have the option to select the TCP flags to either fire (TRUE) or NOT fire (FALSE) the alarm, or ignore (Don't Care) the flag. Can someone explain how the mask is used? My understanding about them is:
    Mask tells the sensor what flags to monitor. Other flags are ignored.
    TcpFlag tells the sensor to fire the alarm, if that particular flag is set.
    Say, for example, I select SYN and ACK in the mask and only SYN in the TcpFlag. This means the signature will fire only if SYN is set in the packet. If ACK is also set in addition to SYN, then the sig will not fire. This is equal to setting SYN to TRUE, ACK to FALSE and all other flags to DON'T CARE. Am I correct?
    Thanks in advance,
    Mohan

    You are correct.
    By setting Mask to SYN and ACK it will ignore the other flags.
    By setting TcpFlag to SYN the signature will trigger if the packet has a SYN, but will not fire if it also has an ACK.
    So a SYN packet will trigger it.
    A SYN ACK packet will Not.
    An ACK packet will Not.
    A RST packet will Not.
    etc..
    However, be aware that a SYN with a combination of any other flag besides ACK WILL trigger it.
    So a SYN RST will trigger it.
    A SYN FIN will trigger it.
    A SYN RST FIN PSH will trigger it.
    etc...
    This is because the signature will only look to ensure the SYN is present and the ACK is not present.
    So the signature will trigger on a traditional SYN to open a connection, but will also trigger on these other weird combinations that are not part of a normal TCP connection.
    So if you want to limit it to firing only on real SYN packets, then go ahead and list all the flags in the Mask and only SYN in the TcpFlags. This will ensure the signature triggers on only packets with the single SYN flag.
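The Mask/TcpFlag rule in that answer, worked through as an added example (it is not Cisco's implementation): a packet's flags are AND-ed with the Mask and the result compared with TcpFlag, which is why SYN+RST fires when only SYN and ACK are in the Mask and stops firing once every flag is in the Mask. The flag bit values are the standard TCP header bits; the sample packets are constructed.

```python
"""Mask/TcpFlag matching: only the flags named in Mask are inspected,
every other flag is 'Don't Care'."""
FLAGS = {'FIN': 0x01, 'SYN': 0x02, 'RST': 0x04, 'PSH': 0x08,
         'ACK': 0x10, 'URG': 0x20}


def bits(names):
    """Fold space-separated flag names into a bitmask, e.g. 'SYN ACK' -> 0x12."""
    return sum(FLAGS[n] for n in names.split())


def fires(mask, tcp_flags, packet_flags):
    """True when a signature with this Mask/TcpFlag triggers on the packet."""
    return (packet_flags & mask) == tcp_flags


def as_true_false_dontcare(mask, tcp_flags):
    """The same Mask/TcpFlag pair expressed in the wizard's TRUE/FALSE/Don't Care view."""
    return {name: (('TRUE' if tcp_flags & bit else 'FALSE') if mask & bit else "Don't Care")
            for name, bit in FLAGS.items()}


def trigger_table(mask, tcp_flags, samples):
    """Which of the constructed sample packets would trigger the signature."""
    return {s: fires(bits(mask), bits(tcp_flags), bits(s)) for s in samples}


SAMPLES = ['SYN', 'SYN ACK', 'ACK', 'RST', 'SYN RST', 'SYN FIN', 'SYN RST FIN PSH']

# Mask = SYN ACK, TcpFlag = SYN: the configuration from the question
narrow = trigger_table('SYN ACK', 'SYN', SAMPLES)
# Mask = every flag, TcpFlag = SYN: the "only real SYN packets" variant from the answer
strict = trigger_table('FIN SYN RST PSH ACK URG', 'SYN', SAMPLES)
```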

  • IDS signature for login Failure

    Is there a signature that detects login failures where you can set a threshold of, say, 3 login failures, and if this is reached someone will be alerted?
    Seems pretty common, right?
    Thanks

    IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.
    However, there are signatures for a couple protocols:
    3127-0,SNMP brute force
    5606-0,6255-0 SMB auth failure
    6250-0, FTP auth failure
    6251-0, telnet auth failure
    6252-0, rlogin auth failure
    6253-0, pop3 login failure
    6256-0, HTTP auth failure

  • WCS IDS False Alarms - NetStumbler Generic Attack

    We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:
    "IDS Signature attack detected. Signature Type: Standard"
    "Disassoc flood, Description: Disassociation flood"
    "AP impersonation"
    "NetStumbler Generic Attack"
    In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.
    Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.
    If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.
    We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.
    - John

    The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).
    Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.
    I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.
    - John
