Simulate attack or intrusion to cause a signature trigger

Is it possible to simulate an attack or an intrusion which will trigger a particular signature ID in an IDS model 4250 (on a host which the IDS is sensing)? This will enable us to actually check or see an intrusion in real time on the dashboard of the IDS Event Viewer. Are there any scripts or utilities available which will cause the triggering of IDS signatures (with a particular ID)?
Thanks in advance

Hi everybody:
There are good suggestions in this post, but I want to add one more comment.
What you are looking for is called a "proof of concept".
It is difficult to test every signature, because you need special tools and often they are very difficult to find (if they exist).
Nessus (mentioned earlier in this post) is a vulnerability assessment tool and has several kinds of attacks (I suggest you try Knoppix-STD because it is already installed, but you need minimum knowledge about Linux).
Another suggestion for specific vulnerabilities: visit http://www.securityfocus.com/bid.
If the vulnerability has a proof of concept, you can find it on this website for sure!
Another problem is that the signature exists to prevent this threat :-P
Hope this helps.
Alberto Giorgi from Spain (new kid on this block)

Similar Messages

  • Emails from iPhone going to Junk folder caused by signature

    I recently came across an issue when sending emails from my iPhone using my business account. When I send emails to users of Outlook 2010, my emails go straight to their junk email folder, but for other versions of Outlook this does not occur. It appears that my email signature is causing this issue, as I deleted my signature and the problem was solved. I want to be able to keep my signature in my emails that are coming from my iPhone, but I don't understand why the signature is triggering the junk email filter in Outlook 2010. Has anyone had this problem?

    I don't understand why the signature is triggering the junk email filter
    Because Outlook is interpreting the text / content / formatting of your signature as something that could be viewed as junk.
    This has nothing to do with your iPhone, but is an Outlook "issue".

  • How to cause an internal trigger to generate a pulse on an Oscilloscope

    I am relatively new to LabVIEW and need to generate a square pulse on an oscilloscope. I am trying to cause a trigger such that only when it is triggered, the pulse is generated. What should I do to get such a trigger?
    Thank you.

    A scope does not typically have the ability to generate any sort of signal. You have not mentioned the make and model. Where in its manual do you see pulse generation?

  • 3002 Signature related DNS replication or something else?

    We see this signature a lot... 3002 - TCP SYN Port Sweep
    Source and destination are internal and port 53-DNS, 88-Kerberos, 135-Endpoint Mapper, 139-Netbios, 389-LDAP, and 445-SMB.
    Thoughts?

    Sig 3002 triggers on 5 SYN packets from (Host A) to (Host B, ports 1-1024). Knowing the trigger condition, you can now look at the "attacker" machine... since it's internal, what is it, what does it do?
    Network management tools mapping hosts and services will cause this signature to fire since that behavior is really no different than say an nmap scan. It's also conceivable that given the combination of services running on the attacker, normal operation of that box will cause this to trigger.
    The next step is to identify what the "attacker" box is, and what it's doing.
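    The trigger condition described in this reply, modelled as a small detector run over constructed packet records (this is an added example, not code from the post or from the Cisco sensor; host addresses, the `Packet` record and the "distinct ports" simplification are assumptions):

```python
from collections import defaultdict
from dataclasses import dataclass


# Trigger condition as described in the reply: five SYNs from one host to
# low ports (1-1024) on another host. Counting distinct ports rather than raw
# SYNs is a simplification added here so retransmissions do not count.
SWEEP_THRESHOLD = 5
LOW_PORTS = range(1, 1025)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" for a bare SYN, "SA" for SYN/ACK


def is_bare_syn(pkt: Packet) -> bool:
    """A connection attempt: SYN set, ACK clear."""
    return "S" in pkt.flags and "A" not in pkt.flags


def detect_syn_port_sweep(packets, threshold=SWEEP_THRESHOLD):
    """Return {(src, dst): [ports...]} for every attacker/victim pair whose
    bare SYNs reached `threshold` distinct low ports."""
    probed = defaultdict(set)
    for pkt in packets:
        if is_bare_syn(pkt) and pkt.dport in LOW_PORTS:
            probed[(pkt.src, pkt.dst)].add(pkt.dport)
    return {pair: sorted(ports) for pair, ports in probed.items()
            if len(ports) >= threshold}


# Constructed sample traffic (not from the original post):
#  - 10.0.0.5 behaves like the management tool the reply describes, probing
#    the same service ports the poster listed on 10.0.0.20
#  - 10.0.0.7 is an ordinary client retrying SMB (same port, no sweep)
#  - 10.0.0.8 touches high ports only, outside the 1-1024 window
SAMPLE_PACKETS = [
    *[Packet("10.0.0.5", "10.0.0.20", p, "S") for p in (53, 88, 135, 139, 389, 445)],
    *[Packet("10.0.0.7", "10.0.0.20", 445, "S") for _ in range(6)],
    *[Packet("10.0.0.8", "10.0.0.20", p, "S") for p in (3389, 5985, 8080, 8443, 9090)],
    Packet("10.0.0.20", "10.0.0.5", 51234, "SA"),  # server reply, not a probe
]


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_port_sweep(SAMPLE_PACKETS).items():
        print(f"SYN port sweep: {src} -> {dst} ports {ports}")
```

    Once the sweeping source is known, the reply's next question (what is that box and what does it do?) is what separates a mapping tool from a real scan.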

  • IPS MC: It doesn´t show any signature.

    Hi.
    I had IPS MC 2.1.0 (Build 123) functioning fine. I installed the idsmdc2.1.0-win-CSCsc336961.tar file in order to solve the CSCsc33696 bug. Next, I installed a signature update for IPS version 5 (but I didn't have any IPS sensor version 5, I was just checking), and the update didn't work. After that, I noticed that I have a big issue: when I try to modify any signature in Settings->IOS IPS, it shows:
    Object loading failed. Errors occurred while loading the Signatures. Not all signatures may have been loaded.
    It doesn't show any signature.
    I erased all the sensors, including the IOS IPS. Then I imported one of the IOS IPS devices and followed the instructions for the CSCsc33696 bug. I reimported the device, deployed the configuration, disabled the IPS feature in the router and enabled the feature in order to load the signature configuration, but the issue persists. Then I installed the newest signature update for IDS sensor version 4 (it includes the IOS IPS update) and it installed without problems, but the problem on the signature page persists.
    I reinstalled the IPS MC, but the problem persists. I uninstalled the IDS MC and installed it again without saving the database. It shows the IDS MC and Security Monitor applications without configuration, like a new installation, but the issue persists!!!
    Has anyone had this problem? Does anyone know how I can solve it?
    Thanks.

    The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS) signatures, providing customers with the latest available detection of security threats. For more information refer to following url:
    http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c9587.html

  • How to convert Cisco IPS signatures to a MARS events - no keyword search

    I am trying to run a scheduled report looking for the new Microsoft exploit under the IPS S411 release, SIGID 19339.0 and I am trying to form the query looking for the event this falls under without using a keyword search on the SIGID. Does anyone know how to correlate an IPS signature to a MARS event?
    Thanks,
    Mike

    With the help of on-box local event correlation technology you can correlate. On-box local event correlation technology not only enables detection, but actually blocks multi-event attacks and malware in real time, complementing security incident management software such as the Cisco Security Monitoring, Analysis, and Reporting System (Cisco Security MARS) that correlates events across multiple devices.
    It integrates with the Cisco Security Manager to correlate security events with the configured firewall rules and intrusion prevention system (IPS) signatures that can affect the security event.

  • Generated some DoS attacks: no corresponding IDS event is generated

    I installed and configured a Cisco IDS 4250 sensor.
    Actually the sniffing interface has been placed on a LAN segment residing on the internal network, so, by monitoring IEV logs, I could see lots of events, but all belonging to a few categories of signatures, and almost all informational. That's why, in order to generate some more significant network activity to verify correct sensor behaviour, I placed my workstation running a vulnerability assessment tool (ISS Internet Scanner) on the outside VLAN (where the sniffing interface resides), and issued several common DoS attacks against one workstation residing on one of the inside VLANs.
    Some examples of attacks generated are: SYN flood, Ping of Death, UDP bomb, Land, Teardrop. I also generated a lot of TCP scan activity. Using Internet Scanner logs I verified that those attacks reached the destination machine.
    The fact is that neither the IEV default view nor the "sh ev" sensor command showed any event related to my activity. The only events generated by my workstation during my tests matched signature "NET FLOOD UDP" (maybe signature 6910) and the signature with sig number 1107 (I don't remember the name). In both cases the destination IP is a multicast or broadcast address.
    I verified that the signatures I expected to match my attack packets were enabled (I verified so with the "sh conf" command), so I don't see any reason why the sensor did not register any event related to the attacks I perpetrated.
    Am I missing something? Does anyone have any idea to help me understand why the results are not the ones expected?
    Thanks in advance and Regards
    Marina

    When a user complains that they are only seeing alarms with multicast or broadcast addresses, then this usually points to a sensor connected to a switch where Span has not been configured.
    When the sensor is connected to a switch, the switch will normally only send broadcast and multicast (with an occasional unicast) packet to the sensor.
    So the sensor is not being sent the packets created by your ISS scanner.
    The switch must be configured to copy these packets to your sensor. This switch configuration is normally done through the Span or Monitor command. Check your switch configuration to see how to configure these commands on your switch.
    If you are not connecting the sensor to the switch or believe that the Span configuration is correct, then the next step is to run tcpdump on the sensor and verify whether or not the packets are actually being sent to the sensor.
    1) In older versions of the sensor you need to configure the sensor to stop monitoring the interface (I think this was changed in version 4.1(4) so the interface can still be monitored while tcpdump is used)
    2) Create a service account
    3) Login to the service account
    4) Switch to user root (using same password as service account).
    5) Type "ifconfig -a" and determine which interface is your sniffing interface.
    6) Run "tcpdump -i " to start seeing packets coming in that interface.
    7) Execute the ISS scan.
    8) Look through the output of tcpdump to see if those packets are making it to the sensor.
    9) If the tcpdump does not see the ISS packets, then either span is misconfigured or the switch is not plugged in where you think it is.
    10) If the tcpdump is seeing the packets, then reconfigure the sensor to watch the interface again.
    If you have verified that the sensor IS receiving the packets then the next step is to try and generate traffic that triggers specific signatures.
    A side note:
    Oftentimes scanners can tell you about a vulnerability without actually executing the attack. The scanner checks the OS version and patches to see if it is vulnerable, but does not send packets to actually attack the machine, especially in cases where sending the attack itself would have caused the target machine to crash.
    This type of reconnaissance is often considered benign and will not trigger the alarm. An actual attack has to be executed against the vulnerability to fire the alarm.
    So for your ISS scanner you should see some alarms, but will not likely see alarms for every vulnerability that the ISS notifies you about.

  • Check printing - signature print on check??

    I was wondering if anyone here has any advice on how to print a check with a signature on it. Our company is looking at a printer that will put the signature on the check, but the company says we would have to supply on the form a "font call function" so the printer knows where the signature would go. Has anyone else tried printing in this way?
    Thanks,
    Kurt

    Our printing is done using standard PCL printers (HP, Xerox, Lexmark). We just scan the signature, turning it into a graphic (gif, jpg), and then place it on the form as a logo using designer.
    Are you sure that Output Designer even has a driver for this particular printer? A quick perusal of the "presentment targets" that came with version 5.5 seems to indicate that, besides some label printers, PCL and PostScript printers are what it supports.
    Even the Print Agent font reference commands are referring to the "internal" fonts included within the template (as a result of the selected "presentment targets").
    I can remember a printer we used years ago requiring that the signature be a font - but it wasn't a pcl/postscript printer and that was prior to us moving to Output Designer. This was a font that was permanently loaded on the printer and a printer command sequence activated it and then a string of characters (like "abcd") caused the signature to be printed.
    Without knowing anything about the printer, I see two possibilities if a graphic image can't be used. 1) The font is permanently installed on the printer and you might be able to embed within your document the command string that causes the signature to be printed; or 2) the font can be installed on the designer PC and thus added to the available fonts for the presentment target and used like a normal font (this requires that the printer be able to accept downloaded fonts).

  • Loading Digital Signatures online

    Hello,
    I have a PDF that needs to be filled out, digitally signed, saved, and then retrieved whenever necessary, all online. All of that works just fine for plain text form fields, but when it comes to the digital signature, the field is rendered unsigned. What I'm doing is merging an FDF file with the desired PDF online and then viewing that. If I edit the FDF file to merge with a local file, the signature shows up; however, editing the same file again to have it point back to an exact copy of the PDF on the server causes the signature field to be left blank. Any ideas are appreciated.
    Thanks,
    alex.rupp01

    Hello again,
    I apologize for the double post but I am still in need of some advice on this topic. Any input is appreciated.
    Thanks

  • Digital Signatures break

    I have a form with a few JS initialize events and a signature field. When the form is signed and saved, reopening it causes the signature to break.
    I am wondering if the initialize event is the problem? If so, any workarounds?
    Aditya

    I don't understand this part of the text:
    you must configure the routing so that it specifies an operation selection algorithm other than the SOAP body algorithm. Make sure the actions in the proxy service pipeline do not modify the WS-Security header or any parts of the SOAP envelope that are signed or encrypted. Changes to clear-text message parts covered by digital signatures almost always break the digital signature because the signature cannot be verified later.
    1) About the "selection algorithm" (Which should I choose? How do I make this configuration?)
    2) Make sure the actions in the proxy service pipeline do not modify the WS-Security header or any parts of the SOAP envelope that are signed or encrypted. (How do I do this?)
    3) Changes to clear-text message parts covered by digital signatures almost always break the digital signature because the signature cannot be verified later. (What is this?)
    Thanks

  • Clean Way To Prevent Signature Collision Of Mounting VHDX In Parallel PowerShell Scripting

    I have multiple Virtual Machines I am to build from a Sysprepped VHDX. (All this is done automatically via PowerShell.)
    For each of these Virtual Machines, I copy this VHDX and create a new one unique to the Virtual Machine. However, I wish to mount each one (in parallel) and make modifications before attaching it to the virtual machine and booting the first time.
    The issue comes when it is time to mount the VHDX on the Physical Host, and these two processes attempt to mount at the same time. This causes a Signature Collision. I am looking for a clean - emphasis on clean - way to prevent signature collision. I have tried the following.
    Using the Get-Drive cmdlet and determining if one exists with a FriendlyName of "Microsoft Virtual Disk" before mounting, to detect if another VHDX is already mounted and waiting until it dismounts - the latency in this flag being available causes this method to fail and still the two VHDXs attempt to mount and have a signature collision, breaking the script associated with that VHDX.
    I have tried using a flag file, i.e., a text file to denote if a VHD is mounted, and doing a similar check - however, this relies on the file system and seems too clumsy for me.
    I have considered environment variables, but am afraid this is also too convoluted for such a simple task.
    Any recommendations?

    The builds are being done in separate scripts. The purpose is that each script can be run on its own to rebuild a particular VM, but when the host is first built, all scripts are run concurrently to build each VM (total of 3). They could be run sequentially, but the copy of the VHDX will make this take a very long time (or at least that is the thought; I haven't really tested this). The script is the same for all three builds and just differentiates based on a parameter passed.
    I am currently testing the inclusion of a PauseBeforeMount parameter, which I will pass to one of the two servers in question. This way, it will only be used in the full host build, and not if a single VM is being rebuilt.
        # Optional delay so two concurrent builds do not mount at the same moment
        if($PauseBeforeMount.IsPresent){
            Write-Host "Pausing for VHDX Mount..."
            Start-Sleep -Seconds 60
        }
        # Mounts the OS Disk and captures the Drive Letter
        Write-Host "Mounting OS VHDX located at $OS_VhdPath"
        [string]$OsDriveLetter = Mount-VHD -Path $OS_VhdPath -Passthru | Get-Disk | Get-Partition | Get-Volume | `
            Where-Object {$_.FileSystemLabel -eq "OS_Disk"} | Select-Object -ExpandProperty DriveLetter
        $OsDriveLetter += ":"

  • Signature 1330-X: TCP segment out of order - what does it mean?

    Hi,
    on a customer's site, on one of their IPS, I get a lot of sig 1330 alerts, mainly those two:
    1330-12: TCP segment is out of order. If the signature status is set to disabled, the packet will be passed to all engines that are not stream based.
    This signature will not produce an alert in promiscuous mode regardless of the signature status.
    1330-17: TCP segment out of state order. If a packet in a stream causes this signature to produce an alert, processing will cease for that stream. This signature will not produce an alert in promiscuous mode regardless of the signature status
    I'm not sure how to interpret these alerts correctly and/or how to troubleshoot further. Does anyone have an idea?
    Thanks a lot,
    Florian

    Is your sensor monitoring more than one network segment?
    If so then these alarms are common when a TCP connection crosses both networks and gets seen twice by the sensor.
    This can confuse the sensor's tracking of the connection.
    A common scenario is to have the sensor monitor both the Inside network of a firewall as well as the DMZ. When an internal user connects to the company's web server the traffic gets seen by the sensor both on the Inside network and in the DMZ. The sensor tries to put the packets from both networks together in order to try and monitor it as a single connection. Because the packets get modified by the firewall it often results in inconsistency between traffic on the 2 sides and causes the sensor to be confused about the connection.
    The good news is that if this is your problem, then there are 2 easy workarounds.
    1) If your sensor supports virtual sensors, then create a second virtual sensor. Assign one network to default vs0, and assign the other network to the new virtual sensor. This way each virtual sensor sees traffic on just one of the networks and won't become confused.
    2) If your sensor does not support additional virtual sensors, or you've used up all 4 virtual sensors, then there is a configuration option within the virtual sensor configuration itself:
    Inline TCP Session Tracking Mode
    By default it is set to Virtual Sensor which is why it tries to put together packets from both networks to try and look at is a single connection and gets confused.
    BUT it can also be set to Interface and Vlan. This configuration allows the virtual sensor to treat the traffic on each network independently. The connection on the first network will be monitored independently of the connection on the second network. This will prevent the virtual sensor from getting confused.
    The above is just my guess at what is going on in your network based on what we've seen on other networks. If this doesn't address the reason for the signature triggers, then please respond back with more information about your network.
    It is possible that these could be a hacker trying to avoid detection by the sensor, but more likely something in your deployment is confusing the sensor.
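    The double-view problem this reply describes, replayed through a minimal TCP tracker so the difference between the two Inline TCP Session Tracking Modes is visible (an added example, not code from the post or from the sensor; the addresses, the 4-tuple keying, the "sequence number below expected" rule and the firewall's sequence shift are assumptions):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    iface: str   # sensor interface the copy was seen on ("inside" or "dmz")
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    length: int


def track_stream(segments, mode):
    """Replay segments through a minimal TCP tracker and return the
    'segment out of order' events it would raise.

    mode "virtual-sensor": one state entry per 4-tuple, so copies of the
        same connection seen on two interfaces are merged (the default the
        reply describes).
    mode "interface-vlan": the interface is part of the key, so each copy
        is tracked on its own.
    A segment counts as out of order when its sequence number falls below
    the next sequence number the tracker expects for that key."""
    if mode not in ("virtual-sensor", "interface-vlan"):
        raise ValueError(f"unknown tracking mode: {mode}")
    expected = {}
    alerts = []
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport)
        if mode == "interface-vlan":
            key += (s.iface,)
        nxt = expected.get(key)
        if nxt is not None and s.seq < nxt:
            alerts.append({"iface": s.iface, "seq": s.seq, "expected": nxt})
        expected[key] = max(nxt or 0, s.seq + s.length)
    return alerts


def build_double_view(seq_offset):
    """Constructed traffic: an inside client sending three 100-byte segments
    to a DMZ web server. The sensor sees each segment on 'inside', then again
    on 'dmz' after the firewall has shifted the sequence number by seq_offset
    (the kind of modification the reply attributes to the firewall)."""
    segs = []
    seq = 1000
    for _ in range(3):
        segs.append(Segment("inside", "10.1.1.10", 40000, "172.16.0.5", 80, seq, 100))
        segs.append(Segment("dmz", "10.1.1.10", 40000, "172.16.0.5", 80, seq + seq_offset, 100))
        seq += 100
    return segs


def build_single_view():
    """The same connection seen on one network only: no duplication."""
    return [s for s in build_double_view(0) if s.iface == "inside"]


if __name__ == "__main__":
    doubled = build_double_view(4000)
    print("virtual-sensor, two networks:", len(track_stream(doubled, "virtual-sensor")), "alerts")
    print("interface-vlan, two networks:", len(track_stream(doubled, "interface-vlan")), "alerts")
    print("one network only            :", len(track_stream(build_single_view(), "virtual-sensor")), "alerts")
```

    With a sequence offset of 0 (a firewall that leaves the numbers alone) the merged tracker still alerts on every second copy, which is why the fix is keying by interface rather than tuning the signature.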

  • Negating deny-attacker inline best practice

    We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.
    In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets except the one that we wish to allow deny actions for.
    I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather than for deny-inline solutions.
    Am I correct about this?
    Please could some one on the list validate that this is the best practice solution for negating deny-attackers inline.

    Create 2 event action filters.
    The first event action filter will match the signatures and subnets you want to deny on and won't subtract any actions. Make sure you set it to "stop on match".
    The next one will match the same signatures but the 0.0.0.0-255.255.255.255 address range. Remove the appropriate actions.
    The net result is that the first event action filter will apply when it matches and the second when it doesn't.
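    The two-filter arrangement from this reply, modelled as an ordered evaluation so the effect of "stop on match" (and of getting the order wrong) can be checked (an added example, not sensor code; the signature IDs, the 192.0.2.0/24 subnet, the field names and the CIDR form of the catch-all range are assumptions):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class EventActionFilter:
    name: str
    sig_ids: frozenset           # signatures the filter applies to
    attacker_net: str            # attacker address range, written as CIDR here
    actions_to_remove: frozenset
    stop_on_match: bool = False


def apply_filters(sig_id, attacker_ip, actions, filters):
    """Walk the ordered filter list and return the actions left on the event.
    Matching filters subtract their actions; a 'stop on match' filter ends
    processing so later filters cannot subtract anything else."""
    remaining = set(actions)
    ip = ip_address(attacker_ip)
    for f in filters:
        if sig_id in f.sig_ids and ip in ip_network(f.attacker_net):
            remaining -= f.actions_to_remove
            if f.stop_on_match:
                break
    return remaining


DENY = "deny-attacker-victim-pair-inline"
SIGS = frozenset({2000, 2004})      # constructed signature IDs
ALLOWED_NET = "192.0.2.0/24"        # constructed subnet that keeps the deny action

# Filter 1: same signatures, only the allowed subnet, removes nothing, stops.
# Filter 2: same signatures, every address (0.0.0.0/0 stands in for the
#           0.0.0.0-255.255.255.255 range in the reply), strips the deny.
FILTERS = [
    EventActionFilter("keep-deny-for-subnet", SIGS, ALLOWED_NET, frozenset(), stop_on_match=True),
    EventActionFilter("strip-deny-elsewhere", SIGS, "0.0.0.0/0", frozenset({DENY})),
]


def main():
    base = {"produce-alert", DENY}
    print("inside subnet :", sorted(apply_filters(2000, "192.0.2.7", base, FILTERS)))
    print("outside subnet:", sorted(apply_filters(2000, "198.51.100.9", base, FILTERS)))
    # Reversed order: the catch-all runs first and strips the deny for everyone
    print("wrong order   :", sorted(apply_filters(2000, "192.0.2.7", base, list(reversed(FILTERS)))))


if __name__ == "__main__":
    main()
```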

  • Mail 8 on MacBook Pro adds selected signature, does not replace

    I have several signatures that I use in Yosemite Mail 8 on my MacBook Pro. The normal behavior has always been that changing signatures, by selecting a different one from the Signature selector at the right end of the From line, has replaced the default signature. Suddenly, Mail is now adding the signature under the default one. Hypothesizing a possible corrupt signature, I deleted and remade them, but the problem has not gone away. I can find no setting that tells Mail how to deal with alternate signatures. Has anyone had to deal with this problem, and how did you solve it?

    It appears that Yosemite's Mail 8 has made a change in Mail signatures. I have always had a photo as part of my signature. With the upgrade to Yosemite, the photo causes the behavior noted above. A signature with a photo will cause it to stick, although adding a signature without a photo below it will behave as expected. Just removing the photo in the Signature preference will cause the signature to behave as expected.

  • Hiding subflows and Signature Status

    Hi There,
      Hiding subFlows in PreSign is causing the signature status to display "At least one signature requires validation...." instead of the valid green tick mark. When I right click and validate again the display shows the green tick mark. Please help.
    Regards,
    RT
