We've seen in the previous section how to configure global sensing. Now we go through the signature groups, which you need to understand to access a signature for tuning or to create a custom signature. You access signatures from Configuration, Settings, Signatures. You use a drop-down menu to access the signature group of interest. Figure 10.3 shows how you can use the signature drop-down menu to select a group of signatures to access.
The signatures are grouped in the following way:
Signature ID
L2/L3/L4 protocol
Service signatures
Attack signatures
OS signatures
Figure 10.3 also shows that by selecting Signature ID from the drop-down menu, you can select the General check box to access all preloaded signatures or the Custom check box, which allows you to access all custom signatures.
L2/L3/L4 signatures operate at Layers 2, 3, and 4 and include Address Resolution Protocol (ARP), TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) signature engines. When you select the L2/L3/L4 option in the drop-down menu from the Signatures page, the list of signatures and numbers appears (see Table 10.2).
L2/L3/L4 Signatures Group Name | Enabled |
---|---|
ARP Signatures | 2 of 4 |
General IP Signatures | 22 of 23 |
General TCP Signatures | 585 of 667 |
TCP Flood Signatures | 0 of 1 |
TCP Hijacks Signatures | 2 of 2 |
TCP Host Sweeps Signatures | 8 of 8 |
TCP Anomalies Signatures | 8 of 8 |
TCP Port Sweeps Signatures | 12 of 12 |
General UDP Signatures | 180 of 191 |
UDP Flood Signatures | 1 of 2 |
UDP Protocol Anomalies Signatures | 1 of 1 |
UDP Port Sweeps Signatures | 2 of 2 |
General ICMP Signatures | 8 of 22 |
ICMP Floods Signatures | 1 of 4 |
ICMP Host Sweeps Signatures | 3 of 3 |
ICMP Protocol Anomalies Signatures | 1 of 2 |
Miscellaneous Protocol Signatures | 5 of 5 |
TCP/UDP Combo Sweeps Signatures | 2 of 2 |
The steps to edit and enable a specific signature (in this example, the Back Door UDP port 21 signature) are as follows:
IDS MC Edit Signatures Settings | Description |
---|---|
Enable check box | Allows you to enable or disable the signature. |
Severity drop-down menu | Allows you to set the severity level for the signature. The available options are info, low, medium, and high. |
Actions check boxes | Allow you to set the action that will be performed when the signature is triggered. The available options are log, reset, block host, and block connection. |
You can enable a set of signature groups by selecting the check boxes to the left of the signature group and clicking the Enable button. Figure 10.4 shows that all ARP Signatures, General TCP Signatures, and TCP Floods Signatures will be enabled when you click Enable.
You can enable multiple signature groups by selecting a signature group using the Group Signatures drop-down menu on the Configuration, Settings, Signatures page, selecting the check boxes for the desired signature groups, and then clicking the Enable button.
The steps listed here to edit and enable a signature or to enable a group of signatures are the same for all signatures, so we don't repeat them for the remaining signature groups.
The attack signature group consists of signatures that detect attacks with predefined host or network targets. Table 10.4 lists the attack signature groups and the number of signatures enabled within each group.
Attack Signatures Group Name | Enabled |
---|---|
General Attack Signatures | 76 of 118 |
DoS (Denial-of-Service) Signatures | 69 of 81 |
DDoS (Distributed DoS) Signatures | 12 of 12 |
Information Signatures | 82 of 86 |
Reconnaissance Signatures | 163 of 177 |
File Access Signatures | 100 of 124 |
Code Execution Signatures | 231 of 246 |
Viruses/Worms/Trojans Signatures | 27 of 27 |
Signatures based on services that are operating system-independent are grouped together in the service signature group.
Service signatures are based on services provided on the network that are operating system-independent.
Table 10.5 lists the service signatures and the numbers enabled.
Service Signatures Group Name | Enabled |
---|---|
General Service Signatures | 149 of 197 |
SQL (Structured Query Language) Signatures | 1 of 1 |
DNS (Domain Name Service) Signatures | 34 of 34 |
Finger Signatures | 10 of 10 |
FTP (File Transfer Protocol) Signatures | 27 of 28 |
HTTP (Hypertext Transfer Protocol) Signatures | 344 of 397 |
Ident Signatures | 4 of 4 |
IMAP (Internet Message Access Protocol) Signatures | 2 of 2 |
NNTP (Network News Transfer Protocol) Signatures | 2 of 2 |
LPR Signatures | 1 of 1 |
NetBIOS/SMB (Server Message Block) Signatures | 18 of 18 |
NTP (Network Time Protocol) Signatures | 1 of 1 |
POP (PostOffice Protocol) Signatures | 5 of 5 |
R-services Signatures | 3 of 3 |
RPC (Remote Procedure Call) Signatures | 66 of 70 |
SMTP (Simple Mail Transfer Protocol) Signatures | 22 of 22 |
SNMP (Simple Network Management Protocol) Signatures | 51 of 51 |
SSH (Secure Shell) Signatures | 2 of 2 |
Telnet Signatures | 12 of 13 |
SOCKS Signatures | 0 of 1 |
TFTP (Trivial File Transfer Protocol) Signatures | 3 of 3 |
HTTPS (Secure HTTP) Signatures | 1 of 1 |
DHCP (Dynamic Host Configuration Protocol) Signatures | 0 of 1 |
OS signature groups target specific operating systems. You can use the OS Signatures option in the drop-down menu to access these signatures. Table 10.6 lists the OS signature groups and the numbers enabled.
OS Signatures Group Name | Enabled |
---|---|
General Unix Signatures | 182 of 188 |
General Linux Signatures | 1 of 1 |
Red Hat Linux Signatures | 1 of 2 |
SuSE Linux Signatures | 2 of 2 |
Mandrake Linux Signatures | 1 of 1 |
General Solaris Signatures | 17 of 18 |
HP-UX Signatures | 1 of 1 |
AIX Signatures | 2 of 2 |
IRIX Signatures | 9 of 11 |
General Windows Signatures | 108 of 124 |
General Windows NT Signatures | 48 of 55 |
WinNT Signatures | 13 of 14 |
IOS Signatures | 11 of 14 |
General OS Signatures | 353 of 431 |
NetWare Signatures | 1 of 1 |
MacOS Signatures | 3 of 3 |
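The "Enabled" column in Tables 10.2 and 10.4 through 10.6 is what a tuning review works from: it shows where signatures have been switched off. The following script is an added example (not part of the book or of IDS MC) that parses rows in that "N of M" form and reports which groups are fully disabled, which are partially disabled and by how much, and the per-group totals. The input is a constructed subset of the tables above; the leading group column (L2/L3/L4, Attack, Service, OS) is added here for grouping and is not part of the IDS MC display.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Group Name | Enabled" rows from
# Tables 10.2 and 10.4-10.6, each prefixed with its signature group.
IDS_MC_GROUP_TABLES = """\
L2/L3/L4 | ARP Signatures | 2 of 4
L2/L3/L4 | General ICMP Signatures | 8 of 22
L2/L3/L4 | TCP Flood Signatures | 0 of 1
Attack | General Attack Signatures | 76 of 118
Service | HTTP (Hypertext Transfer Protocol) Signatures | 344 of 397
Service | SOCKS Signatures | 0 of 1
OS | General OS Signatures | 353 of 431
OS | MacOS Signatures | 3 of 3
"""

# One row: "<group> | <name> | <enabled> of <total>"
ROW = re.compile(r"^\s*(?P<group>[^|]+?)\s*\|\s*(?P<name>[^|]+?)\s*\|\s*"
                 r"(?P<enabled>\d+)\s+of\s+(?P<total>\d+)\s*$")

def parse_rows(text):
    """Return (group, name, enabled, total) tuples; skip non-data lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank, header or separator row
        enabled, total = int(m["enabled"]), int(m["total"])
        if enabled > total:
            raise ValueError(f"enabled exceeds total in row: {line!r}")
        rows.append((m["group"], m["name"], enabled, total))
    return rows

def coverage_report(rows):
    """Summarise which groups tuning has left fully or partly disabled."""
    fully_off, partial = [], []
    per_group = defaultdict(lambda: [0, 0])  # group -> [enabled, total]
    for group, name, enabled, total in rows:
        per_group[group][0] += enabled
        per_group[group][1] += total
        if enabled == 0:
            fully_off.append(name)
        elif enabled < total:
            # (name, number disabled, percent enabled); sorted worst first
            partial.append((name, total - enabled, round(100 * enabled / total)))
    partial.sort(key=lambda r: r[1], reverse=True)
    return {"fully_disabled": fully_off, "partial": partial,
            "per_group": {g: tuple(v) for g, v in per_group.items()}}
```

Running `coverage_report(parse_rows(IDS_MC_GROUP_TABLES))` puts General OS Signatures (78 disabled) at the top of the partial list and flags TCP Flood and SOCKS as fully disabled, which is the short list an analyst would review first.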