Disabling and Excluding Signatures


You can disable signatures globally for all networks and hosts or disable signatures based on the entries in a standard IP access list. Let's first look at disabling signatures globally.

Disabling Signatures Globally

When you disable a signature globally, the router will not compare any packets to the disabled signatures. To disable a signature, you first need to know the signature number. Visit http://www.cisco.com and review the IOS Firewall IDS documentation to get this number.

The syntax to globally disable a signature is

 Router(config)# ip audit signature sig-id disable

Let's assume that you have a spam-filtering application on your email server. There is no reason to keep the spam signature enabled, so let's disable it. Figure 6.6 shows the command to disable a signature globally for signature ID 3106.

Figure 6.6. Disabling a signature globally.


The sig-id of 3106 is the spam signature, and the command just issued globally disabled this signature.

Configuring Exclusions Based on Host or Network

There are many reasons why you might not want to globally disable a signature. You might need to disable a signature for only a few hosts or maybe a subnet. Through the use of a standard IP access list, you can disable signatures selectively. When configuring an ACL to be used with the IDS, any deny entries in the ACL mean that the IDS signature will be disabled for whatever IP addresses you specify with the deny keyword. One point is very important when you use ACLs to disable IDS signatures selectively: make sure that you include an entry in the ACL, after your deny entries, that says permit any. If you do not, the implicit deny entry at the end of every ACL will mean that you have really globally disabled the signature.

Let's look at an example. You want to disable a specific signature for a host at 30.100.100.1. You also want to disable the same signature for the network 30.1.1.0/24. To accomplish this task, first create your ACL like so:

 Router(config)# access-list 55 deny host 30.100.100.1
 Router(config)# access-list 55 deny 30.1.1.0 0.0.0.255
 Router(config)# access-list 55 permit any

Once you create the ACL, you need to apply it to the signature that you want to selectively disable. The syntax to do so is

 Router(config)# ip audit signature sig-id list acl-list

Figure 6.7 shows how to use access list 55 to disable an event for all deny entries in the ACL:

Figure 6.7. Signature exclusion using an ACL.


Now, signature 3104 will only be disabled if the packets that are inspected match the deny entries for ACL 55.

Applying Exclusions for IDS Inspection

To further complicate matters, you can also use a standard IP access list with a named IDS policy. By using an ACL with a named IDS policy, you can prevent all information and attack signatures from firing if the malicious packet matches the deny entries in the ACL.

The command syntax is straightforward:

 Router(config)# ip audit name audit-name info list acl-num action [alarm] [drop] [reset]
 Router(config)# ip audit name audit-name attack list acl-num action [alarm] [drop] [reset]

Here is an example using ACL 55 that was configured earlier. In this example, we want to stop information signatures from firing an alarm if ACL 55 deny entries are matched:

 Router(config)# ip audit name SAFE info list 55 action alarm

For alarm signatures, we want to disable the actions of drop and reset if ACL 55 deny entries are matched. Refer to Figure 6.8 for an example of the configuration.

Figure 6.8. Disabling events for named IDS policies using an ACL.

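The two ACL-based mechanisms above (per-signature exclusion with ip audit signature ... list, and per-policy exclusion with ip audit name ... list) follow the same rule: a deny match means the source is excluded, and the implicit deny at the end of the ACL excludes everyone if no permit any follows. The following Python script is an added example, not from the book or from Cisco; it parses a small IOS-style configuration, evaluates a source address against the referenced ACLs with first-match semantics plus the implicit deny, and reports which IDS ACLs are missing a trailing permit any. The sample configuration is constructed for the example: ACL 55 is the one built in the text, ACL 56 deliberately omits permit any, and the signature numbers 3104 and 3106 are the ones used above.

```python
import re
from ipaddress import IPv4Address

# Constructed sample configuration (not taken from the figures). ACL 56 has no
# "permit any", so every source falls through to the implicit deny.
SAMPLE_CONFIG = """\
access-list 55 deny host 30.100.100.1
access-list 55 deny 30.1.1.0 0.0.0.255
access-list 55 permit any
access-list 56 deny host 30.100.100.2
ip audit signature 3106 disable
ip audit signature 3104 list 55
ip audit name SAFE info list 55 action alarm
ip audit name SAFE attack list 56 action alarm drop reset
"""

ACL_LINE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
SIG_LINE = re.compile(r"^ip audit signature (\d+) (disable|list (\d+))$")
POLICY_LINE = re.compile(r"^ip audit name (\S+) (info|attack) list (\d+) action (.+)$")

ANY = (0, 0xFFFFFFFF)  # "any" as (base, wildcard)


def parse_match(spec):
    """Turn 'host A', 'any' or 'A WILDCARD' into (base, wildcard) integers."""
    parts = spec.split()
    if parts[0] == "any":
        return ANY
    if parts[0] == "host":
        return int(IPv4Address(parts[1])), 0
    wildcard = parts[1] if len(parts) > 1 else "0.0.0.0"  # bare address = single host
    return int(IPv4Address(parts[0])), int(IPv4Address(wildcard))


def parse_config(text):
    """Collect ACL entries, globally disabled signatures, per-signature lists and policies."""
    cfg = {"acls": {}, "disabled": set(), "sig_lists": {}, "policies": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_LINE.match(line):
            cfg["acls"].setdefault(int(m[1]), []).append((m[2], *parse_match(m[3])))
        elif m := SIG_LINE.match(line):
            if m[2] == "disable":
                cfg["disabled"].add(int(m[1]))
            else:
                cfg["sig_lists"][int(m[1])] = int(m[3])
        elif m := POLICY_LINE.match(line):
            cfg["policies"][(m[1], m[2])] = {"acl": int(m[3]), "actions": m[4].split()}
    return cfg


def acl_decision(cfg, acl_num, ip):
    """First-match evaluation, ending in the implicit deny every ACL carries."""
    addr = int(IPv4Address(ip))
    for action, base, wildcard in cfg["acls"].get(acl_num, []):
        mask = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if addr & mask == base & mask:
            return action
    return "deny"  # implicit deny: this is what makes a missing "permit any" global


def signature_applies(cfg, sig_id, src_ip):
    """Would this signature still be compared against a packet from src_ip?"""
    if sig_id in cfg["disabled"]:
        return False
    acl = cfg["sig_lists"].get(sig_id)
    if acl is None:
        return True
    return acl_decision(cfg, acl, src_ip) == "permit"


def policy_actions(cfg, name, kind, src_ip):
    """Actions the named policy's info/attack signatures take for a packet from src_ip."""
    policy = cfg["policies"].get((name, kind))
    if policy is None:
        return []
    if acl_decision(cfg, policy["acl"], src_ip) == "deny":
        return []  # the whole signature class is suppressed for this source
    return list(policy["actions"])


def acls_without_permit_any(cfg):
    """Defined ACLs used by IDS commands that never permit anything explicitly."""
    used = set(cfg["sig_lists"].values()) | {p["acl"] for p in cfg["policies"].values()}
    return sorted(n for n in used if n in cfg["acls"]
                  and not any(e[1:] == ANY and e[0] == "permit" for e in cfg["acls"][n]))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip in ("30.100.100.1", "30.1.1.77", "10.0.0.5"):
        print(ip, "signature 3104 applies:", signature_applies(cfg, 3104, ip))
    print("SAFE attack actions for 8.8.8.8:", policy_actions(cfg, "SAFE", "attack", "8.8.8.8"))
    print("IDS ACLs that disable globally:", acls_without_permit_any(cfg))
```

Run against a real configuration, the last function is the check worth keeping: an ACL referenced by ip audit that ends without permit any silently turns a selective exclusion into a global one, which is exactly what happens to the SAFE attack policy through ACL 56 in the sample.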



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
