IPS SCADA signatures

I have a Cisco CGR 2010 router running CGR2010-UNIVERSALK9-M, Version 15.2(3)T. I have been unable to locate the SCADA signatures mentioned here: http://www.cisco.com/en/US/prod/collateral/routers/ps10967/ps10977/whitepaper_c11-696141.pdf
When I load the latest signatures (Release S752) onto the router, I only see these categories:
  adware/spyware         Adware/Spyware (more sub-categories)
  all                    All Categories
  attack                 Attack (more sub-categories)
  ddos                   DDoS (more sub-categories)
  dos                    DoS (more sub-categories)
  email                  Email (more sub-categories)
  instant_messaging      Instant Messaging (more sub-categories)
  ios_ips                IOS IPS (more sub-categories)
  l2/l3/l4_protocol      L2/L3/L4 Protocol (more sub-categories)
  network_services       Network Services (more sub-categories)
  os                     OS (more sub-categories)
  other_services         Other Services (more sub-categories)
  p2p                    P2P (more sub-categories)
  reconnaissance         Reconnaissance (more sub-categories)
  viruses/worms/trojans  Viruses/Worms/Trojans (more sub-categories)
  web_server             Web Server (more sub-categories)
Where do the SCADA signatures live?
Thank you in advance!

Hello Stephen
You seem to be using an old version of IOS-IPS. Can you update IOS-IPS to the latest version, like 152-3.T?
We were able to see SCADA category in version 152-3.T.
Regards
Pradeep

Similar Messages

  • WLC IPS custom signature file

    Hi,
    Where can I download the WLC IPS custom signature file? Does WLC support openLdap for user web or 802.1x authentication?
    Best Regards,
    Jackson Ku


  • CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures

    CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures
    When I push new signatures that CSM downloads and applies for me, I get hundreds of retired signatures.  I have tried to wipe the signature policy and create it fresh and anew - it seems as if CSM isn't marking 'new' signatures for application to existing signature configuration files.  The deltas between previous versions do not get applied.
    Is this a common occurrence for other people running CSM?

    Hi JP,
    The signatures need to be enabled and unretired for them to function.
    The following FAQ describes this process in detail:
    http://www.cisco.com/web/about/security/intelligence/ips_sig_faq.html#2
    Hope this is helpful.
    Regards
    Neil Archibald
    IPS Signature Development Team

  • IOS IPS Automatic Signature Update

    I will use cisco1941w.
    I'd like to know how to configure it at the CLI and what the URL is.
    Is the below correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Here is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
    Hence to copy the signature database of one router to the other, we need to copy at least the first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
    We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
    Hence we will need at least the first 4 files to copy the signature database from one router to the other.
    C. Secondly, I don't know if auto-update will accept a file in .xmz package, I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
    D. Hence there is no one single configuration file that you copy off the external ftp server.
    I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
    It is also not necessary to check for signature updates every hour.
    Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer

  • IPS/IDS Signature updates

    Just a quick question, will there be a charge for upgrading the signatures? In other words will you have to pay to download the new updates as they come out?

    What about the IOS IPS with 5.x? It looks like the IOS IPS doesn't support the 5.x signatures due to current engine support, yet I haven't been able to find an EOL on IOS IPS.

  • IPS 4200 Signature & Action IDs

    I need a reference manual for the list of all the signatures and actions supported by Cisco IPS 4200 series appliances with software version 6.x.
    I have tried locating this through the IPS product page but had no luck yet.
    Please let me know where can I find this reference manual.
    Thanks.

    Have you looked at the security center?
    http://tools.cisco.com/security/center/search.x?search=Signature
    Regards
    Farrukh

  • OOB warning during IPS 4260 signature update via CSM

    Hi,
    During the recent IPS signature updates via CSM, I have noticed that there was a warning (below).
    >OOB change detected - Out of Band(OOB)and sensor configuration change happened on device. But you selected to continue deployment in case of OOB. Continuing...
    What is the cause & impact of such an event?
    As I suspected there is a mismatch of configuration, my inline interfaces are no longer applied to the virtual sensor 'VS0'. Could it be due to the mis-synchronisation?
    Appreciate any advice.
    thanks
    cash

    CSM keeps an internal copy of the configuration it last pushed to the sensor.
    Each portion of the configuration has a configToken assigned to it by the sensor. The config token is a base 64 encoding of that configuration portion.
    Each time CSM goes to push a new configuration it will compare the configToken of its previously saved configuration for that sensor against the configToken of the configuration currently on the sensor.
    If the 2 configTokens match, then no configuration change has been made since the last time that CSM pushed a configuration to the sensor. CSM can safely push the new configuration to the sensor.
    If the 2 configTokens do not match, then an Out Of Band (OOB) configuration change has been made to the sensor. This means that the sensor's configuration has been modified by something other than CSM. This may have been a user changing something through the CLI or IDM instead of using CSM.
    In these situations CSM gives you the option of either stopping the push of the new configuration so the detected changes can be imported and evaluated by the user, or to go ahead and push the changes to the sensor.
    If you decide to go ahead and push the changes to the sensor, the outcome of the configuration change is not guaranteed.
    The sensor may wind up merging the OOB changes in with the new configuration from CSM, or the CSM changes may wind up overwriting the OOB changes.
    So telling CSM to push the new configuration even when OOB changes have been detected can be risky and can cause loss of some of your configuration.
    If you will be making changes with CLI or IDM, then it is always best to import those changes into CSM before making further configuration changes in CSM.

  • How often ARE those IPS virus signatures updated?

    I was looking at a "show version" on one of my current sensors and noticed that the last virus signature was over 7 months ago. Now, one of the big reasons I was told we had to pay for our 5.x licenses was these virus signatures. If that's true, and this is the additional value Trend Micro has brought to our sensors, should they get updated a little more frequently?
    (from my sensor)
    Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S235.0 2006-06-22
    Virus Update V1.2 2005-11-24

    The Virus Signature from Trend was one reason for the licensing in 5.x, but was not the only reason and was not even the primary reason.
    Even as far back as version 2.x a Support Contract was required for downloading and installation of signature updates. But was not enforced by the software. We relied on the users keeping the support contracts up to date on their own. Many users downloaded and installed signature updates without paying for the support contract. And the vast majority did not realize that a support contract was needed to receive the signature updates.
    With the lack of support contract purchases it became difficult to continue fielding a team for writing IPS signature updates.
    So in version 5.x it was decided to begin enforcing the purchase of support contracts through the use of Signature Update Licenses as part of the Cisco Service for IPS Contracts. Thus ensuring funding for the signature team, and allowing the team to spread out world wide for 24 hour coverage.
    The additional cost of a Cisco Service for IPS contract when compared to standard SmartNET contracts for other Cisco products is for the specific funding of the Cisco signature team, and a small amount sent to Trend for assistance in signature creation. Only a small portion of the support contract is paid to Trend Micro for their support.
    The Virus signatures are part of the Cisco Incident Control System (Cisco ICS). With the purchase of ICS there is a faster deployment of signature for Virus/Worms. When a virus or worm reaches a critical level then TrendMicro can create their own Virus signatures and have Cisco ICS deploy those signature to the sensors as soon as they are written.
    Cisco then includes these Virus signatures in a later standard Cisco signature update.
    Now as for why there have not been any recent updates to the Virus Signatures is that there has not been a major out break in the past 6/7 months. The virus signatures are only created on an emergency basis when a virus or worm reaches a critical level. Cisco ICS was specifically designed for handling virus and worm outbreaks, and is referred to as Outbreak Prevention.
    If the virus/worm does not reach a critical level, then the emergency Virus signatures are not created.
    Instead the Cisco signature team will take care of them as part of the standard Cisco signatures that are included as part of the standard S updates.
    This doesn't mean that we are not receiving information from Trend. For Virus/Worms that do not reach that critical level, the Trend team will instead send information to Cisco for creation of standard Cisco signatures by the Cisco signature team. This way the Cisco team can create a more general signature designed to catch all attacks for a certain vulnerability that will catch that specific virus/worm as well as future virus/worms that may also attempt to exploit the same vulnerability. These signatures wind up as part of the standard S update. This method is used because the Cisco signature team has more in depth knowledge of the various engines in Cisco IPS and can often write signatures that the Trend engineers would not be able to.
    It is only when the Trend Micro engineers need to create an emergency update that they will create their V signatures for the specific virus/worm.
    Otherwise they share the information with Cisco and the Cisco engineers create the signature.

  • IPS custom signature to filter email domain

    Using IPS 5.0.
    I'm creating custom signature on SMTP using State Name: SMTP Commands.
    My question:
    1. On the Regex String, what should I key in to disable any users from the sex.com domain from sending me email? I have keyed in
    [Mm][Aa][Ii][Li][\t][Ff][Rr][Oo][Mm]:^.@[Ss][Ee][Xx].[Cc][Oo][Mm]
    but I don't think this is correct... am I??
    2. In the State Name(SMTP), they have
    Abort, Mail Body, Mail Header, SMTP Commands and Start. Can anyone provide the information (URL) and example of how to use these....
    Thanks in advance...

    The documentation for 5.1 is located at:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
    I believe the regex you want is:
    [Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
    The + field allows for any printable characters (but there must be at least 1) in the senders email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.
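An offline check of the regex from the answer above, as added example code (not Cisco's signature engine or anything from the thread): Python's re stands in for the IPS SMTP engine, with the one adjustment that the whitespace class is widened to `[ \t]` because SMTP clients send "MAIL FROM:" with a space and Python's `[\t]` matches only a tab. The stricter second pattern and the sample commands are my own constructions.

```python
import re

# Offline test harness for the custom SMTP signature regex discussed above.
# Added example code: Python's re is used as a stand-in for the Cisco IPS
# SMTP engine to show which MAIL FROM commands each pattern catches.

# The answer's pattern, with one change for this harness: SMTP clients send
# "MAIL FROM:" with a space, and Python's [\t] matches only a tab, so the
# whitespace class is widened to [ \t].  The "." before [Cc][Oo][Mm] is left
# unescaped exactly as in the answer so its effect is visible below.
ANSWER_PATTERN = (
    r"[Mm][Aa][Ii][Ll][ \t][Ff][Rr][Oo][Mm][:]"
    r"[\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]"
)

# A tighter variant (my own, not from the thread): tolerate optional space
# after the colon, escape the dot, and require the domain to end at ">" or
# end of line so subdomains and look-alike domains do not match.
STRICT_PATTERN = (
    r"[Mm][Aa][Ii][Ll][ \t]+[Ff][Rr][Oo][Mm][:][ \t]*"
    r"[\x21-\x7E]+[@][Ss][Ee][Xx]\.[Cc][Oo][Mm](?:>|$)"
)

# Constructed sample SMTP commands (not real traffic).
SAMPLE_COMMANDS = [
    "MAIL FROM:<alice@sex.com>",               # plain case: both match
    "mail from:<Bob@SEX.COM>",                 # mixed case: both match
    "MAIL FROM: <grace@sex.com>",              # space after colon: answer misses it
    "MAIL FROM:<carol@sex.com.example.org>",   # subdomain: answer matches, strict does not
    "MAIL FROM:<dave@sexXcom>",                # unescaped dot: answer matches, strict does not
    "MAIL FROM:<erin@example.com>",            # unrelated domain: neither
    "RCPT TO:<frank@sex.com>",                 # wrong command: neither
]


def matches(pattern: str, command: str) -> bool:
    """True if the signature regex fires on one SMTP command line."""
    return re.search(pattern, command) is not None


def evaluate(pattern: str, commands=SAMPLE_COMMANDS) -> list:
    """Return the sample commands the given pattern would alert on."""
    return [cmd for cmd in commands if matches(pattern, cmd)]


if __name__ == "__main__":
    for name, pattern in (("answer", ANSWER_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, evaluate(pattern))
```

Running it shows the answer's pattern silently misses a client that puts a space after the colon, while matching subdomains and look-alike domains through the unescaped dot.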

  • IPS upnp signature

    Hello,
    I have a LAN IDSM in promiscuous mode where I'm seeing too much of the below alerts, I've researched it and found out that it should be stopped! since it is a high severity alert!! however I guess summarization is preventing me from knowing the attacker and targets because of the 0.0.0.0 source and destination, right? Is this the case? and how can I solve it?
    Should I disable summary for that specific signature? what's the best practice? Should it be stopped?
    Regards
    evIdsAlert: eventId=1262106216512606028  vendor=Cisco  severity=high 
      originator:  
        hostId: LAN-IDSM2 
        appName: sensorApp 
        appInstanceId: 25921 
      time: Mar 03, 2010 07:38:23 UTC  offset=60  timeZone=GMT+02:00 
      signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
        subsigId: 2 
        sigDetails: LOCATION \x3c100+ Chars> 
        marsCategory: Penetrate/BufferOverflow/Misc 
      interfaceGroup: vs0 
      vlan: 120 
      participants:  
        attacker:  
          addr: 0.0.0.0  locality=OUT 
          port: 1900 
          ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
        target:  
          addr: 0.0.0.0  locality=OUT 
          port: 1900 
          ipv6Address: ff02::c  locality=OUT 
          os:   idSource=unknown  type=unknown  relevance=unknown 
      actions:  
        denyPacketRequestedNotPerformed: true 
      riskRatingValue: 90  targetValueRating=medium 
      threatRatingValue: 90 
      interface: ge0_7 
      protocol: udp
    evIdsAlert: eventId=1262106216512606029  vendor=Cisco  severity=high 
      originator:  
        hostId: LAN-IDSM2 
        appName: sensorApp 
        appInstanceId: 25921 
      time: Mar 03, 2010 07:38:38 UTC  offset=60  timeZone=GMT+02:00 
      signature:   description=UPnP LOCATION Overflow  id=4058  version=S433  type=vulnerability  created=20050603 
        subsigId: 2 
        sigDetails: LOCATION \x3c100+ Chars> 
        marsCategory: Penetrate/BufferOverflow/Misc 
      interfaceGroup: vs0 
      vlan: 120 
      participants:  
        attacker:  
          addr: 0.0.0.0  locality=OUT 
          port: 0 
          ipv6Address: fe80::9d91:b37c:be42:5387  locality=OUT 
        target:  
          addr: 0.0.0.0  locality=OUT 
          port: 0 
          ipv6Address: ::  locality=OUT 
          os:   idSource=unknown  type=unknown  relevance=unknown 
      summary: 24  final=true  initialAlert=1262106216512606028  summaryType=Regular 
      alertDetails: Regular Summary: 24 events this interval ; 
      riskRatingValue: 90  targetValueRating=medium 
      threatRatingValue: 90 
      interface: ge0_7 
      protocol: udp

    Best practice is to find out which Windows machines are affected and apply the patch accordingly, otherwise, the machine will be vulnerable to the UPnP vulnerability as per the following:
    http://tools.cisco.com/security/center/viewAlert.x?alertId=2986

  • IPS: relationship between signatures and network service

    Hello,
    Does anybody know if there is documentation regarding the recommended signatures to be activated depending of the network service being deployed?
    Let's say that I have several servers behind a firewall, therefore, in theory I would only need to activate in my IPS the signatures related to those services, for example, ftp, https, aaa, etc...

    Hi there,
    Depending on the IPS, you should be able to disable signatures for Solaris, OSX, Windows, Linux if you are not using them in your network. The trick is getting the vendor to admit how many signatures the device can handle. They will almost always lie to you.
    Also, if you put sensors in front of and behind your firewalls, you will see which are getting through the firewall. Those then need to be installed on the IPS to protect against. If you add a 3rd sensor in back of the IPS, you can see how many made it past all your defenses.
    Let me know if that helps a little.
    ~TS

  • Cisco ips link update signature automatically ?

    Dear all,
    I would like to know what address or link we need to update IPS 4240 signatures automatically from Cisco.
    Our IPS config shows this link. Is it correct?
    user-name sabirins1978
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    Thanks.
    Regards,
    Budy

    Umm, I tried to access both links..
    I could access the page using the link with one slash (https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl), but I couldn't access the page using the link with two slashes (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) with the error message: "The Page you requsted is not available".
    So, which one is the correct one?
    Is the license just needed in automatically-updating the intrusion signature (not including firmware/engine update) ?
    How long approximately is the signature update released periodically by Cisco ?
    Regards,
    Daniel

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature update; once the definitions have been updated, the IPS is left hanging and I need to perform a reload.  The config has been verified as not a possible cause for this adverse effect.  Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the below troubleshooting guide
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • IPS 1304 & IPS-6-OOO_FULL

    Hello - I am seeing a whole bunch of the below messages in my logs. Can anyone tell me why this is happening and how I can resolve the issue.  I have tried tuning the settings below with no luck.
    Dec 16 08:55:47.195 WA: %IPS-4-SIGNATURE: Sig:1304 Subsig:0 Sev:25 TCP Session Packet Queue Overflow [23.59.190.106:80 -> 10.0.1.215:54067] VRF:NONE RiskRating:25
    Dec 16 09:05:45.212 WA: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
    Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(2)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Thu 28-Mar-13 13:45 by prod_rel_team
    ROM: System Bootstrap, Version 15.1(4r)M, RELEASE SOFTWARE (fc1)
    parameter-map type ooo global
    tcp reassembly timeout 60
    tcp reassembly queue length 1024
    tcp reassembly memory limit 256000
    Signature statistics [process switch:fast switch]
      signature 6009:0: packets checked [0:8160] alarmed [0:0] dropped [0:0]
      signature 1304:0: packets checked [0:4474] alarmed [0:3544] dropped [0:0]
      signature 3653:0: packets checked [0:3] alarmed [0:0] dropped [0:0]
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 5752
    Current session counts (estab/half-open/terminating) [22:0:0]
    Maxever session counts (estab/half-open/terminating) [179:68:7]
    Last session created 00:00:18
    Last statistic reset 15:09:08
    TCP reassembly statistics
      Out-of-order packets dropped 4474
    Thanks -
    gm

    Your post is quite old now. I have the same problem with a router I am using in a lab. Did you find a solution for this problem? I assume you may :-)
    Thanks
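To turn the syslog messages quoted in the post above into something tunable, here is added example code (not from the thread or from Cisco) that parses %IPS-4-SIGNATURE and %IPS-6-OOO_FULL lines in the format shown, counts the signature 1304 alarms against the out-of-order queue drops, and ranks the peers involved. The sample log is constructed and uses documentation address ranges, not the poster's hosts.

```python
import re
from collections import Counter

# Added example: parse %IPS-4-SIGNATURE and %IPS-6-OOO_FULL syslog lines of
# the form shown in the post and summarise which connections trigger
# signature 1304 alongside the out-of-order queue drops.

# Constructed sample log, using documentation address ranges rather than
# the poster's real hosts.
SAMPLE_LOG = """\
Dec 16 08:55:47.195 WA: %IPS-4-SIGNATURE: Sig:1304 Subsig:0 Sev:25 TCP Session Packet Queue Overflow [203.0.113.10:80 -> 192.0.2.15:54067] VRF:NONE RiskRating:25
Dec 16 08:55:49.001 WA: %IPS-4-SIGNATURE: Sig:1304 Subsig:0 Sev:25 TCP Session Packet Queue Overflow [203.0.113.10:443 -> 192.0.2.15:54102] VRF:NONE RiskRating:25
Dec 16 08:56:02.340 WA: %IPS-4-SIGNATURE: Sig:1304 Subsig:0 Sev:25 TCP Session Packet Queue Overflow [203.0.113.44:80 -> 192.0.2.15:54110] VRF:NONE RiskRating:25
Dec 16 09:05:45.212 WA: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
Dec 16 09:05:45.300 WA: %IPS-6-OOO_FULL: Out-of-Order reached its maximum queue size! Drop this packet
Dec 16 09:06:00.010 WA: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Field layout taken from the %IPS-4-SIGNATURE line quoted in the post.
SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<desc>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))? RiskRating:(?P<rr>\d+)"
)
OOO_RE = re.compile(r"%IPS-6-OOO_FULL:")


def parse_ips_syslog(text: str) -> list:
    """Return one dict per recognised IPS line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = "signature"
            events.append(event)
        elif OOO_RE.search(line):
            events.append({"kind": "ooo_full"})
    return events


def summarize(text: str) -> dict:
    """Count 1304 alarms and OOO_FULL drops, and rank the peers involved."""
    events = parse_ips_syslog(text)
    sig1304 = [e for e in events if e["kind"] == "signature" and e["sig"] == "1304"]
    servers = Counter(e["src"] for e in sig1304)   # remote side, usually the web server
    hosts = Counter(e["dst"] for e in sig1304)     # local client whose session overflowed
    return {
        "sig1304_alarms": len(sig1304),
        "ooo_full_drops": sum(1 for e in events if e["kind"] == "ooo_full"),
        "top_servers": servers.most_common(3),
        "top_hosts": hosts.most_common(3),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Comparing `sig1304_alarms` with the "Out-of-order packets dropped" counter from `show ip ips statistics` tells you whether the 1304 alarms and the reassembly drops are the same sessions before you change the `parameter-map type ooo global` values.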

  • IPS + CBAC problem

    Hi guys,
    I've got a strange problem here - I activated IOS IPS on both internal and external interfaces in the incoming direction and also had to run CBAC on the incoming direction of the external interface. The result of all these things is that the IPS is counting connections from the internal network and it's overwriting for some reason the statistics generated by CBAC, no matter that CBAC is enabled only on the external interface in the incoming direction. I'm using an 1812 router with 12.4(2)XA IOS. Searched for bugs in the Bug Toolkit, nothing showed up. Here are the outputs:
    interface FastEthernet0
    description WAN
    bandwidth 6000
    ip address xxx
    ip access-group 102 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip nat outside
    ip inspect Web in
    ip ips IPS in
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    service-policy output TrafficPolicy-OUT
    end
    interface Vlan1
    description LAN
    bandwidth 6000
    ip address xxx
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow egress
    ip nat inside
    ip ips IPS in
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    service-policy output TrafficPolicy-IN
    end
    ip inspect name Web http alert on audit-trail off
    sh ip inspect statistics
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [1315:117238]
    udp packets: [4681:36103]
    packets: [12:54]
    packets: [4747:119509]
    http packets: [0:829]
    Interfaces configured for inspection 1
    Session creations since subsystem startup or last reset 5024
    Current session counts (estab/half-open/terminating) [739:78:0]
    Maxever session counts (estab/half-open/terminating) [815:96:8]
    Last session created 00:00:00
    Last statistic reset 00:10:08
    Last session creation rate 487
    Last half-open session total 78
    sh ip ips statistics
    Signature statistics [process switch:fast switch]
    signature 3050:0 packets checked: [4:0]
    signature 3173:0 packets checked: [18:0]
    signature 5477:2 packets checked: [0:3]
    signature 6253:0 packets checked: [0:159]
    signature 6064:0 packets checked: [1:0]
    signature 6056:0 packets checked: [1:0]
    signature 5170:1 packets checked: [0:11]
    signature 5322:1 packets checked: [0:2013]
    signature 4620:0 packets checked: [0:339822]
    signature 2157:1 packets checked: [1:37077]
    signature 2157:0 packets checked: [0:2]
    signature 1102:0 packets checked: [50:0]
    Interfaces configured for ips 2
    Session creations since subsystem startup or last reset 5153
    Current session counts (estab/half-open/terminating) [744:72:0]
    Maxever session counts (estab/half-open/terminating) [815:96:8]
    Last session created 00:00:00
    Last statistic reset 00:10:26
    Any idea about that? I'm pretty sure it's a bug but still can't prove it. As you can see I'm monitoring only http traffic entering the internal network with CBAC (they have a single web server which for sure cannot handle that many connections). I'll be glad if you can help but anyway if we can't find the truth behind this I'll simply disable the IPS on the internal interface and I think I'll get statistics pretty close to reality (I need them to tune CBAC TCP Intercept values). Besides that it's pretty nasty that you can't see separate statistics for each interface but anyway - I can live with that if I manage to get accurate statistics with limited security in that case. Thanks in advance!
    Best Regards,
    Stefan

    Latest update: I found a bug for IPS 5.0 which I think is related to my problem, but I'm using IPS v4 signatures cause I need something like 12.4(15)T for IPS 5.0 signatures so I'm not sure that's my case.
    Headline: IPS5.0 : Signature statistics not displayed correctly
    Product: IOS
    Feature: OTHERS
    Severity: 3
    Status: Resolved
    First Found-in Version: 12.4(10.8)T01
    First Fixed-in Version: 12.4(12.15)T
    Release Notes
    Symptoms:
    This is a CLI display bug
    Conditions:
    idConf/IPS 5.0 is configured on the IOS router
    Workaround:
    None
    Further Problem Description:
    None
    First thing that disturbs me - it's for 5.0, second thing - sounds like IPS statistics are not correct and in my case we are talking about CBAC statistics. Any idea?
