13-8 Detect Attacks and Threats with the IOS Intrusion Detection System

  • The Intrusion Detection System (IDS) is configured as an inline sensor, watching packets as they flow through a router.

  • The IOS IDS senses 59 different common attacks or "signatures" that are present in network traffic.

  • When a match for an IDS signature is found, the IDS can send alerts through standard SYSLOG messages or through the Cisco IDS Post Office Protocol (for use with the Cisco Secure IDS Director or the Cisco Secure Policy Manager management platforms).

  • IDS can also take action when a threat is detected by dropping suspicious packets or by resetting TCP connections.

Table 13-1 lists the 59 attack signatures that are available to the IDS sensor. An "info" signature is one that is meant to gather information about the devices on a protected network. An "attack" signature detects actual attempted attacks on a protected network.

Table 13-1. Attack Signatures

| Signature | Name | Info | Attack | Description |
|---|---|---|---|---|
| 1000 | IP options - Bad Option List | X | | Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks. |
| 1001 | IP options - Record Packet Route | X | | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route). |
| 1002 | IP options - Timestamp | X | | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp). |
| 1003 | IP options - Provide s,c,h,tcc | X | | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options). |
| 1004 | IP options - Loose Source Route | X | | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route). |
| 1005 | IP options - SATNET ID | X | | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier). |
| 1006 | IP options - Strict Source Route | X | | Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing). |
| 1100 | IP Fragment Attack | | X | Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if an offset is indicated in the offset field. |
| 1101 | Unknown IP Protocol | | X | Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used. |
| 1102 | Impossible IP Packet | | X | Triggers when an IP packet arrives with a source equal to the destination address. This signature catches the so-called Land Attack. |
| 2000 | ICMP Echo Reply | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 0 (Echo Reply). |
| 2001 | ICMP Host Unreachable | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 3 (Host Unreachable). |
| 2002 | ICMP Source Quench | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 4 (Source Quench). |
| 2003 | ICMP Redirect | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 5 (Redirect). |
| 2004 | ICMP Echo Request | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 8 (Echo Request). |
| 2005 | ICMP Time Exceeded | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 11 (Time Exceeded for a Datagram). |
| 2006 | ICMP Parameter Problem | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 12 (Parameter Problem on Datagram). |
| 2007 | ICMP Timestamp Request | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 13 (Timestamp Request). |
| 2008 | ICMP Timestamp Reply | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 14 (Timestamp Reply). |
| 2009 | ICMP Information Request | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 15 (Information Request). |
| 2010 | ICMP Information Reply | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 16 (ICMP Information Reply). |
| 2011 | ICMP Address Mask Request | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 17 (Address Mask Request). |
| 2012 | ICMP Address Mask Reply | X | | Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 18 (Address Mask Reply). |
| 2150 | Fragmented ICMP Traffic | | X | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 or an offset is indicated in the offset field. |
| 2151 | Large ICMP Traffic | | X | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the IP length is greater than 1024. |
| 2154 | Ping of Death | | X | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. |
| 3040 | TCP - no bits set in flags | | X | Triggers when a TCP packet is received with no bits set in the flags field. |
| 3041 | TCP - SYN and FIN bits set | | X | Triggers when a TCP packet is received with both the SYN and FIN bits set in the flags field. |
| 3042 | TCP - FIN bit with no ACK bit in flags | | X | Triggers when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. |
| 3050 | Half-open SYN Flood | | X | Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and e-mail servers (TCP ports 21, 23, 80, and 25, respectively). |
| 3100 | Smail Attack | | X | Triggers on the very common "smail" attack against SMTP-compliant e-mail servers (frequently sendmail). |
| 3101 | Sendmail Invalid Recipient | | X | Triggers on any mail message with a "pipe" (\|) symbol in the recipient field. |
| 3102 | Sendmail Invalid Sender | | X | Triggers on any mail message with a "pipe" (\|) symbol in the From: field. |
| 3103 | Sendmail Reconnaissance | | X | Triggers when expn or vrfy commands are issued to the SMTP port. |
| 3104 | Archaic Sendmail Attacks | | X | Triggers when wiz or debug commands are issued to the SMTP port. |
| 3105 | Sendmail Decode Alias | | X | Triggers on any mail message with ": decode @" in the header. |
| 3106 | Mail Spam | | X | Counts the number of Rcpt to: lines in a single mail message and sounds the alarm after a user-definable maximum has been exceeded (the default is 250). |
| 3107 | Majordomo Execute | | X | A bug in the Majordomo program allows remote users to execute arbitrary commands at the server's privilege level. |
| 3150 | FTP Remote Command Execution | | X | Triggers when someone tries to execute the FTP SITE command. |
| 3151 | FTP SYST Command Attempt | X | | Triggers when someone tries to execute the FTP SYST command. |
| 3152 | FTP CWD ~root | | X | Triggers when someone tries to execute the CWD ~root command. |
| 3153 | FTP Improper Address | | X | Triggers if a port command is issued with an address that is not the same as the requesting host. |
| 3154 | FTP Improper Port | | X | Triggers if a port command is issued with a data port specified that is less than 1024 or greater than 65535. |
| 4050 | UDP Bomb | | X | Triggers when the UDP length specified is less than the IP length specified. |
| 4100 | TFTP Passwd File | | X | Triggers on an attempt to access the passwd file (typically /etc/passwd) via TFTP. |
| 6100 | RPC Port Registration | X | | Triggers when attempts are made to register new RPC services on a target host. |
| 6101 | RPC Port Unregistration | X | | Triggers when attempts are made to unregister existing RPC services on a target host. |
| 6102 | RPC Dump | X | | Triggers when an RPC dump request is issued to a target host. |
| 6103 | Proxied RPC Request | | X | Triggers when a proxied RPC request is sent to the portmapper of a target host. |
| 6150 | ypserv Portmap Request | X | | Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port. |
| 6151 | ypbind Portmap Request | X | | Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port. |
| 6152 | yppasswdd Portmap Request | X | | Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. |
| 6153 | ypupdated Portmap Request | X | | Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. |
| 6154 | ypxfrd Portmap Request | X | | Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. |
| 6155 | mountd Portmap Request | X | | Triggers when a request is made to the portmapper for the mount daemon (mountd) port. |
| 6175 | rexd Portmap Request | X | | Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. |
| 6180 | rexd Attempt | X | | Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This might be indicative of an attempt to gain unauthorized access to system resources. |
| 6190 | statd Buffer Overflow | | X | Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources. |
| 8000 | FTP Retrieve Password File | | X | SubSig ID 2101: Triggers on the string "passwd" issued during an FTP session. Might indicate that someone is attempting to retrieve the password file from a machine in order to crack it and gain unauthorized access to system resources. |
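As an added illustration (not code from the book or from Cisco IOS), the following Python re-implements the Table 13-1 signatures that can be decided from a single packet's IP, ICMP, and TCP headers (1100, 1101, 1102, 2004, 2151, 2154, 3040, 3041, 3042), including the Ping of Death offset arithmetic; `build_ipv4` is a constructed test-packet helper, and the session-based signatures (3050, 3106, and the SMTP/FTP/RPC content checks) are out of scope.

```python
import struct

# Added example, not IOS code: packet-level re-implementation of the single-packet
# signatures from Table 13-1 (1100, 1101, 1102, 2004, 2151, 2154, 3040, 3041, 3042).
IP_PROTO_ICMP, IP_PROTO_TCP = 1, 6
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
MAX_IP_LEN = 65535

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields the signatures reason about."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"total_len": total_len, "data_len": total_len - ihl,  # "IP data length"
            "more_frags": bool(flags_frag & 0x2000),
            "offset": flags_frag & 0x1FFF,                        # in 8-byte units
            "proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:]}

def match_signatures(pkt: bytes) -> list:
    """Return (signature-id, class) pairs from Table 13-1 that this packet triggers."""
    ip = parse_ipv4(pkt)
    hits = []
    if ip["src"] == ip["dst"]:
        hits.append((1102, "attack"))            # Impossible IP Packet (Land attack)
    if ip["more_frags"] or ip["offset"]:
        hits.append((1100, "attack"))            # IP Fragment Attack
    if ip["proto"] >= 101:
        hits.append((1101, "attack"))            # Unknown IP Protocol
    if ip["proto"] == IP_PROTO_ICMP:
        if ip["payload"][:1] == b"\x08":
            hits.append((2004, "info"))          # ICMP Echo Request
        if ip["total_len"] > 1024:
            hits.append((2151, "attack"))        # Large ICMP Traffic
        # 2154 Ping of Death: last fragment (MF clear) ending past the 65535-byte IP maximum
        if not ip["more_frags"] and ip["offset"] * 8 + ip["data_len"] > MAX_IP_LEN:
            hits.append((2154, "attack"))
    elif ip["proto"] == IP_PROTO_TCP and len(ip["payload"]) >= 14:
        flags = ip["payload"][13]                # TCP flags byte
        if flags == 0:
            hits.append((3040, "attack"))        # no bits set in flags
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append((3041, "attack"))        # SYN and FIN both set
        if flags & TCP_FIN and not flags & TCP_ACK:
            hits.append((3042, "attack"))        # FIN without ACK
    return hits

def build_ipv4(proto, payload, src, dst, more_frags=False, offset=0):
    """Constructed test packets: minimal 20-byte header, checksum left 0 (never checked)."""
    flags_frag = (0x2000 if more_frags else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload
```

A fragment at offset 8190 with 20 bytes of data ends at byte 65540 and trips 2154, while the same fragment at offset 8189 ends at 65532 and only trips 1100, which is the boundary the "In other words" explanation describes.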

Configuration

  1. Set IOS IDS thresholds.

    1. Set a spam attack threshold for SMTP:

       (global) ip audit smtp spam number

      A spam e-mail attack is suspected if a single e-mail message contains more than number recipients (1 to 65535; the default is 250 recipients).

    2. Set the maximum number of event notifications:

       (global) ip audit po max-events number

      The router's event queue can contain up to number (1 to 65535; the default is 100 events) event notifications to send.

  2. (Cisco Secure notifications) Configure the Post Office parameters.

    1. Set the type of notifications to send:

       (global) ip audit notify {nr-director | log}

      Attack notifications can be sent to regular SYSLOG servers (log) or to Cisco Secure IDS Director or Cisco Secure Policy Manager applications (nr-director) using the Post Office Protocol.

    2. Identify the router's IDS sensor:

       (global) ip audit po local hostid host-id orgid org-id

      The local router is identified with a unique host ID, host-id (1 to 65535; the default is 1), and an IDS organization ID, org-id (1 to 65535; the default is 1). These ID values are defined and configured in the Cisco Secure IDS and Policy Manager applications.

    3. Identify the IDS director or management platform host:

       (global) ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port] [preference preference] [timeout seconds] [application {director | logger}]

      The management platform is identified by its unique host ID, host-id (1 to 65535; the default is 1), organization ID, org-id (1 to 65535; the default is 1), and IP address ip-address. The localaddress keyword identifies the local router's IDS sensor interface (the source address used in notifications). The management platform listens for notifications on UDP port port (the default is 45000).

      If multiple management stations exist, they can be defined and prioritized with the preference value (1 is the highest priority and also is the default). The timeout keyword defines how often a heartbeat keepalive message is sent to the management station, in seconds (the default is 5). The application keyword defines the type of target application that receives notifications: a Cisco Secure IDS Director or Policy Manager (director, the default) or another IDS Sensor (logger).

    4. Reload the router to enact Post Office configuration changes.

      NOTE

      After the Post Office Protocol is configured or changed, the router must be reloaded. Be sure to save the router configuration to nonvolatile memory before requesting a reload.

  3. Define audit rules.

    1. Set the default notification actions:

       (global) ip audit info {action [alarm] [drop] [reset]}
       (global) ip audit attack {action [alarm] [drop] [reset]}

      The default action is set for info and attack types of IDS signatures: alarm (send an alarm to an IDS director or syslog server; the default), drop (drop the packet), and reset (reset the TCP connection). Any or all actions can be defined.

    2. Create audit rules:

       (global) ip audit name name {info | attack} [action [alarm] [drop] [reset]]

      An IDS audit rule is defined with an arbitrary name and an info or attack action: alarm (send an alarm to an IDS director or syslog server), drop (drop the packet), or reset (reset the TCP connection). Any or all actions can be defined. Use the same rule name if both info and attack actions will be defined.

    3. Disable any signatures that are obviously not needed:

       (global) ip audit signature signature-id disable

      The disabled signature is identified by its signature-id (a number obtained from the Signature column of Table 13-1). By default, all 59 available signatures are monitored.

  4. Apply the audit rules.

    1. Apply the rule to an interface:

       (interface) ip audit audit-name {in | out}

      The audit rule named audit-name is applied to monitor inbound or outbound traffic on the interface.

    2. (Optional) Flag attacks detected toward protected networks:

       (global) ip audit po protected ip-address [to end-ip-address]

      IDS notifications can flag source and/or destination addresses used in an attack as belonging to a "protected" network. A single host address can be identified with ip-address, and a range of addresses can be identified by adding the to keyword and the range's ending IP address.

  5. Filter out false positive notifications.

    1. Identify any false positive alerts from the IDS director or SYSLOG reports.

    2. Filter out "trusted" sources of false positives:

       (global) access-list access-list deny trusted-ip-address mask
       (global) access-list access-list permit any

      The standard IP access-list (1 to 99) identifies "trusted" sources of false alarms with the deny keyword and the host's IP address. All other host addresses are filtered through the audit rule by the permit any command.

    3. (Optional) Limit the hosts involved in an audit rule:

       (global) ip audit name name list access-list {info | attack} [action [alarm] [drop] [reset]]

      The audit rule command in Step 3b can be extended to filter out any "trusted" sources of false alarms. The list keyword identifies a standard IP access-list (1 to 99) that uses deny to remove a host's IP address from the rule and permit to allow addresses into the rule.

    4. (Optional) Limit the hosts that are filtered through a signature:

       (global) ip audit signature signature-id {disable | list access-list}

      A signature identified by its signature-id (a number obtained from the Signature column of Table 13-1) can be disabled entirely (disable). Also, the audit signature command in Step 3c can be extended to filter out any "trusted" sources of false alarms. The list keyword identifies a standard IP access-list (1 to 99) that uses deny to prevent a host's IP address from passing through the signature and permit to allow addresses through the signature.

Example

A router IDS sensor is configured to detect e-mail spam if more than 150 recipient addresses appear in a single message. The sensor sends both Post Office Protocol and SYSLOG notifications, because one Cisco Secure IDS Director and one SYSLOG server are used to collect alerts. The local router is identified as 192.168.71.90 (host ID 8, Org ID 1000) and the IDS Director as 172.17.31.4 (host ID 29, Org ID 1000).

The sensor will generate alarms if info signatures are detected and will generate alarms, drop packets, and reset TCP connections when attack signatures are detected. Signature 3154 identifies an improper FTP port. However, host 100.71.81.4 has an FTP application that needs to use a nonstandard port. Therefore, signature 3154 is defined with an access list to remove that host from consideration. The IDS sensor is applied to inbound traffic on interface Fast Ethernet 0/1.

  ip audit smtp spam 150
  ip audit notify nr-director
  ip audit notify log
  ip audit po local hostid 8 orgid 1000
  ip audit po remote hostid 29 orgid 1000 rmtaddress 172.17.31.4 localaddress 192.168.71.90

NOTE

The router must be reloaded here to enact Post Office Protocol changes.


  ip audit name IDS info action alarm
  ip audit name IDS attack action alarm drop reset
  ip audit signature 3154 list 10
  access-list 10 deny 100.71.81.4
  access-list 10 permit any
  interface fastethernet 0/1
  ip address 192.168.71.90 255.255.255.0
  ip audit IDS in


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
