Configuring TCP Reset Using IDS Director

Document ID: 23182

Introduction

This document describes how to configure an Intrusion Detection System (IDS, formerly NetRanger) Director and Sensor to send TCP resets on an attempted Telnet to a range of addresses which include the managed router if the sent string is "testattack".

Prerequisites

Requirements

When considering this configuration, please remember to:

• Install the Sensor and verify that it works properly before you perform this configuration.
• Ensure that the sniffing interface spans to the managed router's outside interface.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco IDS Director 2.2.3
• Cisco IDS Sensor 3.0.5
• Cisco IOS® Router running Software Release 12.2.6

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool ( registered customers only).

Network Diagram

This document uses the network setup shown in this diagram.

Configurations

This document uses these configurations.

• Router Light
• Router House

Configure the Sensor

Complete these steps to configure the Sensor.

1. Telnet to 10.64.10.49 (the IDS Sensor) with the username root and the password attack.
2. Type sysconfig-sensor.
3. When prompted, enter the configuration information, as shown in this example:
   
   1 - IP Address: 10.64.10.49
   2 - IP Netmask: 255.255.255.224
   3 - IP Host Name: sensor-2
   4 - Default Route: 10.64.10.33
   5 - Network Access Control
   64.
   10.
   6 - Communications Infrastructure
   Sensor Host ID: 49
   Sensor Organization ID: 900
   Sensor Host Name: sensor-2
   Sensor Organization Name: cisco
   Sensor IP Address: 10.64.10.49
   IDS Manager Host ID: 50
   IDS Manager Organization ID: 900
   IDS Manager Host Name: dir3
   IDS Manager Organization Name: cisco
   IDS Manager IP Address: 10.64.21.50
4. When prompted, save the configuration and allow the Sensor to reboot.

Add the Sensor into the Director

Complete these steps to add the Sensor into the Director.

1. Telnet to 10.64.21.50 (the IDS Director) with the username netrangr and the password attack.
2. Type ovw& to launch HP OpenView.
3. From the Main Menu, go to Security > Configure.
4. In the Configuration File Management Utility, go to file > Add Host and click Next.
5. Complete the Sensor host information, as shown in this example. Click Next.
   
   
6. Accept the default settings for the type of machine, and click Next, as shown in this example.
   
   
7. You may either change the log and shun minutes or you may accept the default values. However, you must change the Network Interface name to the name of your sniffing interface. In this example, it is "iprb0". It can be "spwr0" or anything else depending on the Sensor type and how you connect your Sensor.
   
   
8. Continue to click Next and then click Finish to add the Sensor into the Director. From the main menu, you should now see sensor-2, as in this example.
   
   

Configure TCP Reset for the Cisco IOS Router

Complete these steps to configure TCP reset for the Cisco IOS router.

1. In the Main Menu, go to Security > Configure.
2. In the Configuration File Management Utility, highlight sensor-2 and double-click it.
3. Open Device Management.
4. Click Devices > Add. Enter the device information, as shown in the following example. Click OK to continue. Both the Telnet and enable passwords are Cisco.
   
   
5. Open the Intrusion Detection window and click Protected Networks. Add the range of addresses from 10.64.10.1 to 10.64.10.254 into the protected network.
   
   
6. Click Profile and select Manual Configuration. Next, click Modify Signatures. Choose Matched Strings with an ID of 8000. Click Expand > Add to add a new string called testattack. Enter the string information, as shown in this example, and click OK to continue.
   
   
7. You have finished this part of the configuration. Click OK to close the Intrusion Detection window.
8. Open the System Files folder, then the Daemons window. Make sure you have these daemons enabled:
   
   
9. Click OK to continue.
10. Choose the version you just modified, click Save and then Apply. Wait for the system to tell you that the Sensor has finished restarting services, then close all the windows for the Director Configuration.
    
    

Launch the Attack and TCP Reset

Telnet from Router Light to Router House and type testattack. As soon as you hit the Space or Enter key, your Telnet session resets. You will connect to Router House.

light#telnet 10.64.10.45
Trying 10.64.10.45 ... Open

User Access Verification
Password:
house>en
Password:
house#testattack
[Connection to 10.64.10.45 closed by foreign host]

!--- Telnet session has been reset because the
!--- signature testattack was triggered.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Telnet to 10.64.10.49, the Sensor, using the username root and the password attack. Type cd /usr/nr/etc. Type cat packetd.conf. If you correctly set TCP reset for testattack, you should see a four (4) in the Action Codes field. This indicates TCP reset as shown in this example.

netrangr@sensor-2:/usr/nr/etc
>cat packetd.conf | grep "testattack"
RecordOfStringName 51304 23 3 1 "testattack"
SigOfStringMatch 51304 4 5 5 # "testattack"

If you accidentally set the action to "none" in the signature, you will see a zero (0) in the Action Codes field. This indicates no action as seen in this example.

netrangr@sensor-2:/usr/nr/etc
>cat packetd.conf | grep "testattack"
RecordOfStringName 51304 23 3 1 "testattack"
SigOfStringMatch 51304 0 5 5 # "testattack"

The TCP resets are sent from the sniffing interface of the Sensor. If there is a switch connecting the Sensor interface to the outside interface of the managed router, when you configure using the set span command in the switch, use this syntax:

set span < src_mod/src_port>< dest_mod/dest_port> both inpkts enable

banana (enable) set span 2/12 3/6 both inpkts enable
Overwrote Port 3/6 to monitor transmit/receive traffic of Port 2/12
Incoming Packets enabled. Learning enabled. Multicast enabled.
banana (enable)
banana (enable)
banana (enable) show span

Destination : Port 3/6

!--- Connect to sniffing interface of the Sensor.

Admin Source : Port 2/12

!--- Connect to FastEthernet0/0 of Router House.

Oper Source : Port 2/12
Direction : transmit/receive
Incoming Packets: enabled
Learning : enabled
Multicast : enabled

NetPro Discussion Forums - Featured Conversations

Networking Professionals Connection is a forum for networking professionals to share questions, suggestions, and information about networking solutions, products, and technologies. The featured links are some of the most recent conversations available in this technology.

Related Information

• Field Notices
• Cisco Secure Intrusion Detection Support Page
• Documentation for Cisco Secure Intrusion Detection Syste
• Technical Support - Cisco Systems

All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.