IPS-6.ppt


© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—6-1

Working with Signatures and Alerts


Cisco IPS Signatures, Engines, and Alerts


Signature Types

A Cisco IPS signature is a set of rules that your sensor uses to detect typical intrusive activity. The sensor supports three types of signatures:
• Built-in signatures: known attack signatures that are included in the sensor software
• Tuned signatures: built-in signatures that you modify
• Custom signatures: new signatures that you create


Signature Features

• Response actions
• Alert summarization
• Threshold configuration
• Anti-evasive techniques
• Fidelity ratings
• Application firewall
• SNMP support
• IPv6 support
• A blend of detection technologies
• Regular expression string pattern matching


Signature Actions

Cisco IPS signatures can take one or more of the following actions when triggered:
• Drop malicious packets, including the trigger packet, before they reach their targets (inline sensors only)
• Produce an alert, or an alert that includes an encoded dump of the trigger packet
• Log IP packets that contain the attacker address, the victim address, or both
• Initiate the blocking of a connection or a specific host address
• Send a request to the notification application component of the sensor to perform SNMP notification
• Terminate the TCP session between the source of an attack and the target host


Regular Expressions Syntax

Features of regular expressions syntax:
• Enables you to configure your sensor to detect textual patterns in the traffic it analyzes
• Allows you to describe simple as well as complex textual patterns
• Consists of special characters such as the following:
  – ( ) for grouping
  – | for alternation (either side matches)
  – [abc] for a character class (any one of a, b, or c)


Examples of Regex Patterns

To Match                  Regular Expression
Hacker or hacker          [Hh]acker
Either hot or cold        hot|cold
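The two table rows above hide a trap that bites custom-signature authors: alternation binds more loosely than concatenation, so a pattern such as GET /hot|cold fires on any bare "cold" unless the alternatives are grouped with parentheses, and a character class like [Hh]acker is a two-case match, not a case-insensitive one. The added example below (my code, not Cisco's, and not the sensor's real signature engine) models a regex signature as pattern plus severity plus response actions, runs a small signature set over constructed payloads, and shows both effects. The Signature class, the 60000-range IDs, the action labels and the payloads are all this example's own assumptions.

```python
"""Regex signatures over raw payload bytes: added example, not Cisco code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Signature:
    """Hypothetical model of a regex signature: pattern, severity, actions."""
    sig_id: int
    name: str
    pattern: bytes
    severity: str                                   # informational/low/medium/high
    actions: Tuple[str, ...] = ("produce-alert",)   # illustrative action labels
    regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        # Compile once; every inspected payload is matched against the set.
        self.regex = re.compile(self.pattern)


# Constructed signature set (IDs in the custom range are an assumption).
SIGNATURES: List[Signature] = [
    # Matches "Hacker" or "hacker" only; "HACKER" slips past the class.
    Signature(60001, "hacker string", rb"[Hh]acker", "low"),
    Signature(60002, "hot or cold", rb"hot|cold", "informational"),
    # Alternation is loose-binding: this is ("GET /hot") OR ("cold").
    Signature(60003, "bad alternation", rb"GET /hot|cold", "medium"),
    # Parentheses scope the alternation to the path only.
    Signature(60004, "good alternation", rb"GET /(hot|cold)", "medium",
              ("produce-alert", "deny-packet-inline")),
]


def inspect(payload: bytes, signatures: List[Signature] = SIGNATURES) -> List[Dict]:
    """Return one alert record per signature whose regex matches the payload."""
    alerts = []
    for sig in signatures:
        m = sig.regex.search(payload)
        if m is not None:
            alerts.append({"sig_id": sig.sig_id, "name": sig.name,
                           "severity": sig.severity, "actions": list(sig.actions),
                           "matched": m.group(0)})
    return alerts


def triggered_ids(payload: bytes) -> List[int]:
    """Sorted signature IDs that fire on the payload (convenience for checks)."""
    return sorted(a["sig_id"] for a in inspect(payload))


if __name__ == "__main__":
    # Constructed payloads; none are captured traffic.
    for p in (b"Hacker tools", b"HACKER", b"it is cold outside", b"GET /cold HTTP/1.0"):
        print(p, triggered_ids(p))
```

The "it is cold outside" payload is the one to watch: signature 60003 fires on it because its alternation was never grouped, while 60004 stays quiet. That difference is exactly the kind of benign trigger a tuned or custom signature should be tested against before it is given a drop action on an inline sensor.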


Signature Engines

• A Signature Engine is a component of the sensor that supports a category of signatures.

• Each Cisco IPS signature is controlled by a Signature Engine designed to inspect a specific type of traffic.

• Each engine has a set of legal parameters that have allowable ranges or sets of values.

• Configurable engine parameters enable you to tune signatures to work optimally in your network and to create new signatures unique to your network environment.


Alerts

• By default, the sensor generates an alert when an enabled signature is triggered.
• The default setting that generates an alert can be disabled.
• Alerts are stored in the sensor's Event Store.
• External monitoring applications can pull alerts from the sensor via SDEE.
• Monitoring applications can collect alerts on an as-needed basis.
• Multiple hosts can collect alerts simultaneously.
• Alerts can have any one of the following severity levels:
  – Informational
  – Low
  – Medium
  – High

• The severity level of the alert is derived from the severity level of the signature causing the alert.


Alert Format

sensor# show events
evIdsAlert: eventId=1104949863483006238 severity=medium vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 376
  time: 2005/01/14 11:14:38 2005/01/14 11:14:38 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=OUT 10.0.1.12
. . .
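When a monitoring application is not available, the quickest way to triage this text is to parse it into records and filter on the severity the signature assigned. The added example below is my own code, not a Cisco tool and not an SDEE client: it splits `show events` output into evIdsAlert blocks, pulls out the event ID, severity, originator, timestamp, signature ID/subsignature/description and the attacker and target addresses with their locality, and filters by a minimum severity using the four levels the slides list. The sample text is constructed to mirror the slide (the second event is invented so the filter has something to drop), and the dictionary keys are this example's own naming.

```python
"""Parse evIdsAlert records from 'show events': added example, not Cisco code."""
import re

# Severity levels lowest to highest; the alert inherits the signature's level.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample: the slide's event plus one invented higher-severity event.
SAMPLE_SHOW_EVENTS = """\
sensor# show events
evIdsAlert: eventId=1104949863483006238 severity=medium vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 376
  time: 2005/01/14 11:14:38 2005/01/14 11:14:38 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=OUT 10.0.1.12
evIdsAlert: eventId=1104949863483006239 severity=high vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 376
  time: 2005/01/14 11:15:02 2005/01/14 11:15:02 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=IN 10.0.1.13
"""

HEADER_RE = re.compile(r"^evIdsAlert: eventId=(?P<event_id>\d+) severity=(?P<severity>\w+)", re.M)
HOST_RE = re.compile(r"^\s*hostId: (?P<host>\S+)", re.M)
TIME_RE = re.compile(r"^\s*time: (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", re.M)
SIG_RE = re.compile(r"^\s*signature: description=(?P<desc>.*?) id=(?P<sig_id>\d+) version=(?P<ver>\S+)", re.M)
SUBSIG_RE = re.compile(r"^\s*subsigId: (?P<subsig>\d+)", re.M)
# "attacker:" or "target:" line followed by its indented "addr:" line.
PARTICIPANT_RE = re.compile(
    r"^\s*(?P<role>attacker|target):\s*\n\s*addr: locality=(?P<locality>\w+) (?P<ip>[\d.]+)", re.M)


def parse_event(block: str) -> dict:
    """Parse one evIdsAlert block (header line plus its indented fields)."""
    hdr = HEADER_RE.search(block)
    if hdr is None:
        raise ValueError("not an evIdsAlert block")

    def grab(rx, key, conv=str):
        m = rx.search(block)
        return conv(m[key].strip()) if m else None   # missing field -> None

    event = {
        "event_id": hdr["event_id"],
        "severity": hdr["severity"].lower(),
        "host_id": grab(HOST_RE, "host"),
        "time": grab(TIME_RE, "ts"),
        "description": grab(SIG_RE, "desc"),
        "sig_id": grab(SIG_RE, "sig_id", int),
        "subsig_id": grab(SUBSIG_RE, "subsig", int),
    }
    for m in PARTICIPANT_RE.finditer(block):
        event[m["role"]] = {"locality": m["locality"], "addr": m["ip"]}
    return event


def parse_events(text: str) -> list:
    """Split 'show events' output at each unindented evIdsAlert header."""
    blocks = re.split(r"(?m)^(?=evIdsAlert:)", text)
    return [parse_event(b) for b in blocks if b.startswith("evIdsAlert:")]


def filter_by_severity(events: list, min_severity: str) -> list:
    """Keep events at or above min_severity; unknown levels are dropped."""
    floor = SEVERITY_RANK[min_severity.lower()]
    return [e for e in events if SEVERITY_RANK.get(e["severity"], -1) >= floor]


if __name__ == "__main__":
    for e in filter_by_severity(parse_events(SAMPLE_SHOW_EVENTS), "medium"):
        print(e["event_id"], e["severity"], e["sig_id"], e["attacker"]["addr"], "->", e["target"]["addr"])
```

Each parser field is optional except the header, so an event missing sigDetails or a participant still parses rather than aborting the whole listing; that matters when the output is truncated, as the slide's trailing ". . ." shows.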


Locating Signature Information


NSDB Link from the IDM

[Slide screenshot: IDM path Configuration > Signature Definition > Signature Configuration; the NSDB Link opens the NSDB information on signature 3324]


The Cisco Intrusion Prevention Alert Center

[Slide screenshot: Cisco Intrusion Prevention Alert Center page, with links for Breaking News, Signatures Listed by Release, Signatures Listed by Signature ID, Active Threats, Latest Threats, and the Cisco IPS Download Center]


The NSDB

An NSDB entry for a signature includes:
• Signature ID
• Signature Name
• Release Date
• Release Version
• Default Alarm Severity
• Description
• Benign Triggers
• Recommended Filters
• Related Threats


Basic Signature Configuration


Signature Configuration Tasks

Basic signature configuration includes the following:
• Enabling or disabling the signature
• Assigning the signature action


Accessing the Signature Configuration Page

[Slide screenshot: IDM path Configuration > Signature Definition > Signature Configuration; the Select By and Select Criteria controls filter the signature list]


Locating Signatures by Sig ID

[Slide screenshot: choose Sig ID under Select By, enter the Sig ID, then click Find]


Locating Signatures by Network Service

[Slide screenshot: choose Service under Select By, then pick the network service under Select Service]


Activating and Retiring Signatures

[Slide screenshot: signature list with Activate and Retire buttons]

Retiring a signature removes it from the sensor's inspection engines so it consumes no resources; a disabled signature stays loaded but produces no alerts and takes no action.


Enabling and Disabling Signatures

[Slide screenshot: signature list with Select All, Enable, and Disable buttons]


Configuring Signature Actions

[Slide screenshot: signature Actions column with Restore Defaults and Reset buttons]


Configuring Signature Actions (Cont.)

[Slide screenshot: Action List dialog with Select All and Select None buttons]


Configuring IP Logging for a Specific IP Address

[Slide screenshot: IDM path Monitoring > IP Logging, with an Add button]


Configuring IP Logging for a Specific IP Address (Cont.)

[Slide screenshot: Add IP Logging dialog with IP Address, Duration, Packets, and Bytes fields; click Apply]

Logging for the address stops when the first of the three limits (duration, packet count, or byte count) is reached.


Viewing IP Logs

[Slide screenshot: IP Logs list with Edit, Download, Refresh, and Stop buttons]


Configuring General Settings for Signature Actions

[Slide screenshot: IDM path Configuration > Event Action Rules > General Settings, with Maximum Denied Attackers, Deny Attacker Duration, and Block Action Duration fields]


Managing Denied Attackers

[Slide screenshot: IDM path Monitoring > Denied Attackers, with Refresh, Reset All Hit Counts, and Clear List buttons]


Configuring SNMP


Your Sensor and SNMP

[Diagram: the SNMP Agent on the Sensor sends an unsolicited SNMP message (trap) to the NMS]


Configuring SNMP

[Slide screenshot: IDM path Configuration > SNMP > SNMP General Configuration, with Enable SNMP Gets/Sets, Read-Only Community String, Read-Write Community String, Sensor Contact, Sensor Location, Sensor Agent Port, and Sensor Agent Protocol fields, plus Apply and Reset buttons]

The community strings are the only credential for SNMP Gets and Sets and cross the network in cleartext, so leave Gets/Sets disabled unless an NMS needs them, restrict which hosts can reach the agent port, and never use a default or guessable read-write string.


Configuring SNMP Traps

[Slide screenshot: IDM path Configuration > SNMP > SNMP Traps Configuration, with Enable SNMP Traps, "Select the error events . . ." and "Enable detailed traps . . ." checkboxes, the Default Trap Community String field, and an Add button]


Adding an SNMP Trap Destination

[Slide screenshot: Add SNMP Trap Destination dialog with IP Address, UDP Port, and Trap Community String fields]


Adding an SNMP Trap Destination (Cont.)

[Slide screenshot: trap destination list with Edit and Delete buttons, plus Apply and Reset]

Recommended