What Is a Signature Type?


When an IDS device compares traffic against signature patterns, it does not look only at single packets; it can examine a single packet or a sequence of packets. A traffic stream can consist of a great many packets, and those packets might also be fragmented, so that each one carries only a portion of the actual data in its payload.

Therefore, it is essential that the IDS device be able to analyze both single packets and multiple packets against signatures. Given this single-packet-versus-multiple-packet scenario, Cisco classifies signatures into two types: atomic signatures and compound signatures.

An atomic signature is a signature that matches a pattern against a single packet only. A compound signature is a signature that matches a pattern against multiple packets. Atomic signatures usually do not require the allocation of buffer space (memory), but compound signatures do.

In addition to atomic and compound, Cisco also delineates information signatures and attack signatures. Information signatures cover events such as a port scan detected by the IDS. An attack signature is triggered when the router's IDS detects potentially harmful packets.


Information signatures are triggered in response to packets that are not considered harmful; they are benign. Attack signatures are triggered in response to packets that are considered harmful or malicious.


Signature Reactions

The IOS Firewall can take three reactions in response to a signature match. The first reaction is alarm. When the router finds a packet that matches a signature, the firewall can send an alarm to the router's console, to the syslog server, and to a management platform called the Director. However (and this point is important to remember), even though the signature was matched and an alarm was triggered, the packet is still forwarded to its ultimate destination.

A much better reaction you can configure for a signature match is to drop the packet. When the drop action is configured and the router's IDS services match a packet against a signature, the router immediately discards the offending packet instead of forwarding it.

The final action that can be taken is a reset. Because TCP is a connection-oriented protocol and User Datagram Protocol (UDP) is not, resets work only against TCP-based packets. When the reset action is configured and a signature matches, the router sends TCP reset packets to both the source of the packet and the destination of the packet. These TCP reset packets immediately terminate the TCP session.


Cisco recommends that you use the drop and reset actions together to terminate an attack.
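The following Python model is an added illustration of the two ideas in this section, the atomic/compound signature distinction and the three reactions (alarm, drop, reset); it is not Cisco IOS code and does not come from this book. The packet layout, the signature names, the addresses, the payload marker string and the port-scan threshold are all constructed assumptions. Note what it makes visible: the atomic signature needs no memory between packets, the compound port-scan signature must keep per-source state (the buffer the text mentions), an alarm-only match is still forwarded, and a reset is only emitted for TCP.

```python
"""Toy IDS engine: atomic vs. compound signatures and the alarm/drop/reset
reactions. Constructed teaching model; not Cisco's implementation."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp" (assumed minimal packet model)
    src: str
    dst: str
    dport: int
    payload: bytes = b""


class Signature:
    def __init__(self, name, kind, actions):
        self.name = name            # signature label (constructed)
        self.kind = kind            # "info" (benign, e.g. a scan) or "attack"
        self.actions = frozenset(actions)   # subset of {"alarm", "drop", "reset"}

    def match(self, pkt):
        raise NotImplementedError


class AtomicSignature(Signature):
    """Matches a pattern against one packet only; keeps no state between packets."""

    def __init__(self, name, kind, actions, pattern):
        super().__init__(name, kind, actions)
        self.pattern = pattern

    def match(self, pkt):
        return self.pattern in pkt.payload


class PortScanSignature(Signature):
    """Compound signature: fires once a source has touched `threshold`
    distinct destination ports. Needs a per-source buffer, which is
    exactly why compound signatures cost memory and atomic ones do not."""

    def __init__(self, name, kind, actions, threshold):
        super().__init__(name, kind, actions)
        self.threshold = threshold
        self.seen = defaultdict(set)     # src address -> set of dst ports seen

    def match(self, pkt):
        ports = self.seen[pkt.src]
        ports.add(pkt.dport)
        return len(ports) == self.threshold   # fire exactly once, at the threshold


class IdsEngine:
    def __init__(self, signatures):
        self.signatures = signatures
        self.alarms = []      # (signature name, kind, src, dst)
        self.resets = []      # (src, dst) pairs a TCP RST was "sent" to
        self.forwarded = []   # packets that left the router

    def inspect(self, pkt):
        """Evaluate every signature; return "forward" or "drop" for this packet."""
        verdict = "forward"
        for sig in self.signatures:
            if not sig.match(pkt):
                continue
            if "alarm" in sig.actions:
                # alarm alone never changes the verdict: the packet still goes through
                self.alarms.append((sig.name, sig.kind, pkt.src, pkt.dst))
            if "drop" in sig.actions:
                verdict = "drop"
            if "reset" in sig.actions and pkt.proto == "tcp":
                # RST to both endpoints tears the session down; meaningless for UDP
                self.resets.append((pkt.src, pkt.dst))
        if verdict == "forward":
            self.forwarded.append(pkt)
        return verdict


def run_demo():
    """Run a constructed five-packet stream through the engine."""
    sigs = [
        # attack signature with the recommended drop+reset pairing (plus alarm)
        AtomicSignature("payload-pattern", "attack", {"alarm", "drop", "reset"},
                        b"EXAMPLE-BAD-STRING"),
        # information signature: port scan, alarm only
        PortScanSignature("port-scan", "info", {"alarm"}, threshold=3),
    ]
    ids = IdsEngine(sigs)
    stream = [   # constructed sample traffic
        Packet("tcp", "10.0.0.5", "10.0.0.9", 22),
        Packet("tcp", "10.0.0.5", "10.0.0.9", 23),
        Packet("tcp", "10.0.0.5", "10.0.0.9", 25),   # 3rd port: scan fires, still forwarded
        Packet("tcp", "10.0.0.7", "10.0.0.9", 80, b"GET / EXAMPLE-BAD-STRING"),  # alarm+drop+reset
        Packet("udp", "10.0.0.7", "10.0.0.9", 53, b"EXAMPLE-BAD-STRING"),        # dropped, no RST
    ]
    verdicts = [ids.inspect(p) for p in stream]
    return ids, verdicts


if __name__ == "__main__":
    engine, results = run_demo()
    print(results)
    print(engine.alarms)
    print(engine.resets)
```

Running it shows the scan alarm arriving with a "forward" verdict, the TCP attack packet producing an alarm, a drop and one reset pair, and the UDP copy of the same payload being dropped without any reset, which is the behaviour the section describes.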




CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
