IDS signature EventActions take one or all of the following actions: TCP reset (Reset), IP log (Log), block host (ShunHost), block connection (ShunConnection), or ZERO.
Pre-block ACL: Entries that the sensor places at the beginning of the new ACL, before any sensor blocking entries.
Post-block ACL: ACL entries that the sensor places after the sensor blocking entries.
Flood signature engine: Used to detect attempts to cause a DoS.
Sweep signature engine: Used to detect network reconnaissance traffic.
Services signature engine: Uses Layers 5, 6, and 7 and is operating system-independent.
Trojan signature engine: Cannot be used to create custom signatures.
Protected parameters: Cannot be changed for the default signatures; they can, however, be changed for custom signatures.
Required parameters: Must be defined for all signatures, both default and custom.
Master parameters: Common to most signatures and exist in most signature engines.
Local signature parameters: Engine-specific.
Regular expressions searching for the text "Secret" or "secret" use the syntax [Ss]ecret.
The PortRange parameter with a value of ZERO means that all ports are inspected.
The Atomic.L3.IP signature engine can be used to detect attacks that use Layer 3 routing protocols such as Border Gateway Protocol (BGP) and Enhanced Interior Gateway Routing Protocol (EIGRP).
Automatic IP logging captures entire IP packets into a log file. It is not enabled by default and must be configured.
You can install Security Monitor without IDS MC. It only needs CiscoWorks Common Services.
Security Monitor can communicate with RDEP IDS, PostOffice IDS, IOS IDS, Host IDS, and PIX Firewalls.
You can manually add devices or import them from IDS MC into Security Monitor.
To log in to IDS MC, you must log in to CiscoWorks at http://192.168.1.1:1741. The default username and password for CiscoWorks are admin and admin.
IDS MC recommends Netscape 4.79 or Internet Explorer 5.5 with SP2 or higher as client browsers.
During installation, you must enter a new Sybase SQL database password. There is no default.
IDS MC processes:
IDS_Analyzer: Defines event rules and
IDS_Backup
IDS_DbAdminAnalyzer: Periodically applies active database rules to the current state of the server.
IDS_DeployDaemon: Manages all configuration deployments.
IDS_Notifier: Retrieves notification requests from other subsystems and performs the
IDS_Receiver: Receives Cisco IDS alarms and syslog security events and stores them in the database.
IDS_ReportScheduler: Generates all scheduled
You use the Discover Settings check box on the Add Sensor screen for IDS MC to retrieve the sensor setting information. Make sure that you enter the correct sensor IP address, username, and password into IDS MC.
PuTTY Configuration: A client utility used for Telnet or SSH connections to an IDS sensor. You can use it to test new keys created with PuTTYgen.
PuTTYgen: A utility used to generate the public and private key pairs for RSA connections.
IDS MC directories:
\MDS: IDS MC home directory.
\MDS\Apache: Apache Web server.
\MDS\Sybase: Sybase SQL database. Information about IDS appliances and IDSMs is stored in the Sybase SQL database.
\MDS\Tomcat: Tomcat Server, the application server that dispatches servlets to the IDS MC from Common Services.
\MDS\etc\ids: Where the IDS MC is stored.
\MDS\etc\ids\updates: Where IDS signature updates are stored for the IDS MC to update sensors or the IDS MC server itself.