© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—6-1 Working with Signatures and Alerts

IPS-6.ppt



Working with Signatures and Alerts


Cisco IPS Signatures, Engines, and Alerts


Signature Types

A Cisco IPS signature is a set of rules that your sensor uses to detect typical intrusive activity. The sensor supports three types of signatures:
• Built-in signatures: known attack signatures that are included in the sensor software
• Tuned signatures: built-in signatures that you modify
• Custom signatures: new signatures that you create


Signature Features

• Response actions
• Alert summarization
• Threshold configuration
• Anti-evasive techniques
• Fidelity ratings
• Application firewall
• SNMP support
• IPv6 support
• A blend of detection technologies
• Regular expression string pattern matching


Signature Actions

Cisco IDS signatures can take one or more of the following actions when triggered:
• Drop malicious packets, including the trigger packet, before they reach their targets (inline sensors only)
• Produce an alert, or an alert that includes an encoded dump of the trigger packet
• Log IP packets that contain the attacker address, the victim address, or both
• Initiate the blocking of a connection or a specific host address
• Send a request to the notification application component of the sensor to perform SNMP notification
• Terminate the TCP session between the source of an attack and the target host


Regular Expressions Syntax

Features of regular expressions syntax:
• Enables you to configure your sensor to detect textual patterns in the traffic it analyzes
• Allows you to describe simple as well as complex textual patterns
• Consists of special characters such as the following:
  – ()
  – |
  – [abc]


Examples of Regex Patterns

To Match              Regular Expression
Hacker or hacker      [Hh]acker
Either hot or cold    hot|cold


Signature Engines

• A Signature Engine is a component of the sensor that supports a category of signatures.

• Each Cisco IPS signature is controlled by a Signature Engine designed to inspect a specific type of traffic.

• Each engine has a set of legal parameters that have allowable ranges or sets of values.

• Configurable engine parameters enable you to tune signatures to work optimally in your network and to create new signatures unique to your network environment.


Alerts

• By default, the sensor generates an alert when an enabled signature is triggered.
• The default setting that generates an alert can be disabled.
• Alerts are stored in the sensor’s Event Store.
• External monitoring applications can pull alerts from the sensor via SDEE.
• Monitoring applications can collect alerts on an as-needed basis.
• Multiple hosts can collect alerts simultaneously.
• Alerts can have any one of the following security levels:
  – Informational
  – Low
  – Medium
  – High
• The severity level of the alert is derived from the severity level of the signature causing the alert.


Alert Format

sensor# show events
evIdsAlert: eventId=1104949863483006238 severity=medium vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 376
  time: 2005/01/14 11:14:38 2005/01/14 11:14:38 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=OUT 10.0.1.12
. . .
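The slides above describe signature types, signature actions, regex pattern matching, alert severity and the evIdsAlert record, but never show the pieces working together. The following is an added example, not Cisco sensor code and not part of the original module: a toy inspection loop that runs built-in, tuned and custom signatures (the two regex patterns from the "Examples of Regex Patterns" slide) over constructed packets and emits alert records whose field names mirror the evIdsAlert output. The action names ("produce-alert", "deny-packet-inline", "log-attacker-packets"), the signature IDs and the sample packets are assumptions chosen for the example.

```python
"""Toy model of signature inspection and alert generation (added example, not Cisco code)."""
import re
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Alert severity levels listed on the "Alerts" slide.
SEVERITIES = ("informational", "low", "medium", "high")


@dataclass(frozen=True)
class Signature:
    sig_id: int
    subsig_id: int
    description: str
    pattern: str              # regex applied to the packet payload
    severity: str
    actions: Tuple[str, ...]  # assumed action names (see lead-in)
    enabled: bool = True
    kind: str = "built-in"    # built-in | tuned | custom ("Signature Types" slide)


@dataclass(frozen=True)
class Packet:
    attacker: str   # source address
    target: str     # destination address
    payload: bytes


def compile_pattern(sig: Signature):
    """Validate the severity and compile the regex for byte-wise matching."""
    if sig.severity not in SEVERITIES:
        raise ValueError(f"unknown severity {sig.severity!r} on signature {sig.sig_id}")
    return re.compile(sig.pattern.encode("latin-1"))


def tune(sig: Signature, **changes) -> Signature:
    """A tuned signature is an existing signature with modified parameters."""
    return replace(sig, kind="tuned", **changes)


def inspect(sig: Signature, pkt: Packet, inline: bool) -> Optional[Dict]:
    """Return an alert record if the enabled signature fires on the packet, else None.

    Dropping applies to inline sensors only ("Signature Actions" slide); in promiscuous
    mode the packet has already passed, so the deny action is not recorded as taken.
    """
    if not sig.enabled or compile_pattern(sig).search(pkt.payload) is None:
        return None
    taken = [a for a in sig.actions if inline or a != "deny-packet-inline"]
    return {
        "eventType": "evIdsAlert",
        "severity": sig.severity,  # alert severity is derived from the signature
        "signature": {"id": sig.sig_id, "subsigId": sig.subsig_id,
                      "description": sig.description},
        "attacker": pkt.attacker,
        "target": pkt.target,
        "actions": taken,
        "dropped": "deny-packet-inline" in taken,
    }


def run_sensor(sigs: List[Signature], packets: List[Packet], inline: bool = True) -> List[Dict]:
    """Run every signature over every packet; the returned list models the Event Store."""
    alerts = []
    for pkt in packets:
        for sig in sigs:
            alert = inspect(sig, pkt, inline)
            if alert is not None:
                alerts.append(alert)
    return alerts


def summarize(alerts: List[Dict]) -> Dict[Tuple[int, str], int]:
    """Alert summarization: number of alerts per (signature id, attacker address)."""
    return dict(Counter((a["signature"]["id"], a["attacker"]) for a in alerts))


# --- constructed sample signatures and packets (not from the slides) -----------
BUILT_IN = Signature(sig_id=5000, subsig_id=0, description="Hacker keyword in payload",
                     pattern="[Hh]acker", severity="medium",
                     actions=("produce-alert", "deny-packet-inline"))
CUSTOM = Signature(sig_id=60000, subsig_id=0, description="hot or cold keyword",
                   pattern="hot|cold", severity="low",
                   actions=("produce-alert",), kind="custom")
TUNED = tune(BUILT_IN, severity="high", actions=("produce-alert", "log-attacker-packets"))

PACKETS = [
    Packet("10.0.2.11", "10.0.1.12", b"GET /Hacker-tools/ HTTP/1.0\r\n"),
    Packet("10.0.2.11", "10.0.1.12", b"forecast: hot today"),
    Packet("10.0.2.13", "10.0.1.12", b"nothing of interest"),
]

if __name__ == "__main__":
    alerts = run_sensor([BUILT_IN, CUSTOM], PACKETS)
    for alert in alerts:
        print(alert)
    print(summarize(alerts))
```

Running the block with the built-in and custom signatures yields two alerts (one medium, dropped inline; one low, alert only); running the same packets through a promiscuous sensor keeps the alert but records no drop, and the tuned copy raises the severity to high without touching the pattern.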


Locating Signature Information


NSDB Link from the IDM

[Screenshot: IDM, Configuration > Signature Definition > Signature Configuration; the NSDB Link opens the NSDB information on signature 3324]


The Cisco Intrusion Prevention Alert Center

[Screenshot: Alert Center sections labeled Breaking News, Signatures Listed by Release, Signatures Listed by Signature ID, Active Threats, Latest Threats, and Cisco IPS Download Center]


The Cisco Intrusion Prevention Alert Center (Cont.)


The NSDB

[Screenshot: NSDB signature entry with the fields Signature ID, Signature Name, Description, Benign Triggers, Related Threats, Recommended Filters, Release Date, Release Version, and Default Alarm Severity]


Basic Signature Configuration


Signature Configuration Tasks

Basic signature configuration includes the following:
• Enabling or disabling the signature
• Assigning the signature action


Accessing the Signature Configuration Page

[Screenshot: IDM, Configuration > Signature Definition > Signature Configuration, with the Select By and Select Criteria controls]


Locating Signatures by Sig ID

[Screenshot: Select By set to Sig ID, the Enter Sig ID field, and the Find button]


Locating Signatures by Network Service

[Screenshot: Select By set to network service and the Select Service control]


Activating and Retiring Signatures

[Screenshot: signature list with the Activate and Retire buttons]


Enabling and Disabling Signatures

[Screenshot: signature list with the Select All, Enable, and Disable buttons]


Configuring Signature Actions

[Screenshot: signature list with the Actions, Restore Defaults, and Reset buttons]


Configuring Signature Actions (Cont.)

[Screenshot: Action List dialog with the Select All and Select None buttons]


Configuring IP Logging for a Specific IP Address

[Screenshot: IDM, Monitoring > IP Logging, with the Add button]


Configuring IP Logging for a Specific IP Address (Cont.)

[Screenshot: Add IP Logging dialog with the IP Address, Duration, Packets, and Bytes fields and the Apply button]


Viewing IP Logs

[Screenshot: IP Logging page with the Edit, Download, Refresh, and Stop buttons]


Configuring General Settings for Signature Actions

[Screenshot: IDM, Configuration > Event Action Rules > General Settings, with the Maximum Denied Attackers, Deny Attacker Duration, and Block Action Duration fields]


Managing Denied Attackers

[Screenshot: IDM, Monitoring > Denied Attackers, with the Refresh, Reset All Hit Counts, and Clear List buttons]
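The two preceding slides name the settings that govern the denied-attackers list (Maximum Denied Attackers, Deny Attacker Duration) and the operations available on the monitoring page (Refresh, Reset All Hit Counts, Clear List). To make the interaction between those settings concrete, here is an added example modelling such a list in Python; it is not Cisco code and not part of the original module. The eviction policy when the list is full (drop the oldest entry), the behaviour that re-denying an address restarts its timer, and the integer-seconds clock passed in by the caller are assumptions made for the example.

```python
"""Model of a sensor's denied-attackers list (added example, not Cisco code)."""
from collections import OrderedDict
from typing import List, Tuple


class DeniedAttackers:
    def __init__(self, max_denied_attackers: int, deny_attacker_duration: int):
        if max_denied_attackers < 1 or deny_attacker_duration < 1:
            raise ValueError("both general settings must be positive")
        self.max_entries = max_denied_attackers
        self.duration = deny_attacker_duration  # seconds
        # addr -> {"expires": absolute time, "hits": dropped packets}; insertion order kept
        self._entries: "OrderedDict[str, dict]" = OrderedDict()

    def _expire(self, now: int) -> None:
        """Drop entries whose deny duration has elapsed."""
        for addr in [a for a, e in self._entries.items() if e["expires"] <= now]:
            del self._entries[addr]

    def deny(self, addr: str, now: int) -> None:
        """Add an attacker to the list. Re-denying restarts the timer (assumption);
        when the list is full the oldest entry is evicted (assumption)."""
        self._expire(now)
        if addr in self._entries:
            self._entries[addr]["expires"] = now + self.duration
            self._entries.move_to_end(addr)
            return
        if len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)
        self._entries[addr] = {"expires": now + self.duration, "hits": 0}

    def packet_from(self, addr: str, now: int) -> bool:
        """Return True if a packet from addr is dropped, counting it as a hit."""
        self._expire(now)
        entry = self._entries.get(addr)
        if entry is None:
            return False
        entry["hits"] += 1
        return True

    def hit_count(self, addr: str) -> int:
        return self._entries[addr]["hits"] if addr in self._entries else 0

    def reset_all_hit_counts(self) -> None:
        """The 'Reset All Hit Counts' button."""
        for entry in self._entries.values():
            entry["hits"] = 0

    def clear_list(self) -> None:
        """The 'Clear List' button: every address is allowed again immediately."""
        self._entries.clear()

    def listing(self, now: int) -> List[Tuple[str, int, int]]:
        """What 'Refresh' would show: (address, hits, seconds remaining)."""
        self._expire(now)
        return [(a, e["hits"], e["expires"] - now) for a, e in self._entries.items()]


def demo() -> List[Tuple[str, int, int]]:
    """Constructed scenario: a two-entry list, one hour deny duration."""
    table = DeniedAttackers(max_denied_attackers=2, deny_attacker_duration=3600)
    table.deny("10.0.2.11", now=0)
    table.deny("10.0.2.13", now=10)
    for t in (20, 21, 22):
        table.packet_from("10.0.2.11", now=t)   # three dropped packets
    table.deny("10.0.2.15", now=30)             # list full: 10.0.2.11 is evicted
    return table.listing(now=40)


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that a small Maximum Denied Attackers value causes earlier entries to be released before their Deny Attacker Duration has elapsed, so the two settings have to be sized together rather than separately.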


Configuring SNMP


Your Sensor and SNMP

[Diagram: the SNMP Agent on the Sensor sends an unsolicited SNMP message (trap) to the NMS]


Configuring SNMP

[Screenshot: IDM, Configuration > SNMP > SNMP General Configuration, with Enable SNMP Gets/Sets, Read-Only Community String, Read-Write Community String, Sensor Contact, Sensor Location, Sensor Agent Port, and Sensor Agent Protocol, plus the Apply and Reset buttons]


Configuring SNMP Traps

[Screenshot: IDM, Configuration > SNMP > SNMP Traps Configuration, with Enable SNMP Traps, "Select the error events . . .", "Enable detailed traps . . .", Default Trap Community String, and the Add button]


Adding an SNMP Trap Destination

[Screenshot: trap destination dialog with the IP Address, UDP Port, and Trap Community String fields]


Adding an SNMP Trap Destination (Cont.)

[Screenshot: trap destination list with the Edit and Delete buttons, plus Apply and Reset]
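The SNMP slides list the fields an administrator fills in (gets/sets enable, read-only and read-write community strings, agent port and protocol, trap enable, default trap community, and per-destination IP address, UDP port and trap community) but say nothing about what values are sound. The following added example, which is not Cisco code and not part of the original module, reviews such a configuration as a plain Python dictionary and flags weak settings, with a weak configuration and a corrected one side by side. The dictionary layout, the finding names, the minimum community-string length and the list of well-known community strings are assumptions made for the example.

```python
"""Review of sensor SNMP settings (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin"}  # assumed list
MIN_COMMUNITY_LENGTH = 12                                          # assumed threshold


def _weak_community(value) -> bool:
    """Empty, well-known, or short community strings are treated as weak."""
    return (not value or value.lower() in WELL_KNOWN_COMMUNITIES
            or len(value) < MIN_COMMUNITY_LENGTH)


def check_snmp_config(cfg: Dict) -> List[str]:
    """Return finding names for weak settings; an empty list means nothing was flagged."""
    findings = []
    general = cfg["general"]
    if general["enable_gets_sets"]:
        if _weak_community(general["read_only_community"]):
            findings.append("weak-read-only-community")
        rw = general.get("read_write_community")
        if rw is not None:
            # A read-write string lets an NMS change sensor settings, so it is held
            # to the same bar and must differ from the read-only string.
            if _weak_community(rw):
                findings.append("weak-read-write-community")
            if rw == general["read_only_community"]:
                findings.append("identical-community-strings")
        if not 1 <= general["agent_port"] <= 65535:
            findings.append("invalid-agent-port")
    traps = cfg["traps"]
    if traps["enable_traps"]:
        if not traps["destinations"]:
            findings.append("traps-enabled-without-destination")
        for i, dest in enumerate(traps["destinations"]):
            try:
                ipaddress.ip_address(dest["ip"])
            except ValueError:
                findings.append(f"dest{i}-invalid-ip")
            if not 1 <= dest["udp_port"] <= 65535:
                findings.append(f"dest{i}-invalid-udp-port")
            # a destination without its own string falls back to the default trap community
            community = dest.get("trap_community") or traps["default_trap_community"]
            if _weak_community(community):
                findings.append(f"dest{i}-weak-trap-community")
    return findings


# --- constructed sample configurations (not from the slides) -------------------
WEAK_CONFIG = {
    "general": {"enable_gets_sets": True, "read_only_community": "public",
                "read_write_community": "private", "sensor_contact": "noc@example.invalid",
                "sensor_location": "lab", "agent_port": 161, "agent_protocol": "udp"},
    "traps": {"enable_traps": True, "default_trap_community": "public",
              "destinations": [{"ip": "10.0.0.300", "udp_port": 162, "trap_community": None}]},
}

HARDENED_CONFIG = {
    "general": {"enable_gets_sets": True, "read_only_community": "zK7-reads-only-Qp93",
                "read_write_community": None,  # no write access unless an NMS needs it
                "sensor_contact": "noc@example.invalid", "sensor_location": "lab",
                "agent_port": 161, "agent_protocol": "udp"},
    "traps": {"enable_traps": True, "default_trap_community": "Tr4p-c0mmun1ty-8xYz",
              "destinations": [{"ip": "10.0.0.25", "udp_port": 162, "trap_community": None}]},
}

if __name__ == "__main__":
    print("weak:    ", check_snmp_config(WEAK_CONFIG))
    print("hardened:", check_snmp_config(HARDENED_CONFIG))
```

The weak configuration produces four findings (both community strings well-known, an unparsable trap destination address, and a trap destination that inherits the weak default community); the hardened one produces none, with the read-write string removed rather than merely strengthened because the slides' sensor settings do not need an NMS to write them.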
