Foundation and Supplemental Topics


Configuring Cisco IPS Signatures

Monitoring network traffic, identifying intrusive activity, and responding to network attacks is the core functionality provided by Cisco IPS. Cisco IPS provides numerous signatures that enable your sensors to determine which traffic on your network represents potential attacks or violates your security policy. To efficiently protect your network from attack, you should understand the numerous signatures that are provided and the actions they perform when intrusive activity is detected.

This chapter focuses on the following signature-related topics:

  • Signature groups

  • Alarm summary modes

  • Basic signature configuration

Signature Groups

To facilitate configuring Cisco IPS signatures, you can view signatures based on the following groups:

  • Attack

  • L2/L3/L4 Protocol

  • Operating System

  • Signature Release

  • Service

  • Signature Identification

  • Signature Name

  • Signature Action

  • Signature Engine

The following sections explain how to view the Cisco IPS signatures by using these different groups.

Displaying Signatures by Attack

Sometimes you want to view the signatures that fall into a specific attack category. To do this, go to the Select By field of the signature configuration screen and select Attack (see Figure 5-1).

Figure 5-1. Viewing Signatures by Attack Type


After selecting Attack, you can choose to view the signatures for any of the following attack categories:

  • Adware/Spyware

  • Code Execution

  • Command Execution

  • DDos

  • DoS

  • File Access

  • General Attack

  • IDS Evasion

  • Informational

  • Policy Violation

  • Reconnaissance

  • Viruses/Worms/Trojans

You select a specific attack category by using the pull-down menu for the Select Attack field.

Adware and spyware are programs that typically get installed on your system without your knowledge while you are normally accessing websites on the Internet. These programs surreptitiously monitor you actions and can impact the performance of your system. The signatures in the Adware/ Spyware category identify traffic that indicates the operation of common spyware and adware applications on systems on your network.

Code Execution and Command Execution attacks are those in which an attacker attempts to either run code on a system on your network (such as through a buffer overflow attack) or use known system vulnerabilities to execute commands on a system.

Denial-of-service (DoS) attacks are those in which an attacker tries to disrupt the operation of devices on your network. Distributed denial-of-service (DDoS) attacks are those in which an attacker uses a large number of compromised systems to disrupt the operation of devices on your network. By using a large number of attacking systems (thus increasing the traffic volume), a DDoS is much more effective at disrupting the operation of your network.

In File Access attacks, an attacker attempts to retrieve files from systems on your network by using known system vulnerabilities. Most of these attacks exploit vulnerabilities associated with web servers, but they may also involve specific signatures for other protocols such Trivial File Transfer Protocol (TFTP) and Server Message Block (SMB) protocol.

The General attacks category includes attacks that do not logically fit into any of the more specific categories. These attacks range from detecting bad IP options to identifying traffic to ports associated with well-known back doors created by various attacks.

IDS Evasion signatures detect attacks that are specifically designed to evade intrusion-detection systems. The informational signatures represent traffic patterns that may represent a potential attack or just normal user activity. For instance, signatures in this category include those that detect both successful logins and login failures on numerous protocols. Informational signatures also include signatures that detect simple malformed packet signatures (such as invalidly specifying an incorrect length in a Simple Network Management Protocol [SNMP] request).

Policy Violation signatures detect traffic on your network that indicates that users are running applications that your security policy forbids. The applications that typically fall into this category include peer-to-peer software (such as Kazaa) as well as instant messenger software (such as Yahoo! Messenger).

The first step in attacking a network usually involves identifying the systems (or targets) on the network. Besides locating potential systems, an attacker also needs to identify network services running on those systems. Reconnaissance signatures detect network traffic that indicates someone is trying to map out systems or services on your network.

Viruses, worms, and Trojan horses exploit known vulnerabilities on systems in your network. The signatures in the Viruses/Worms/Trojans category detect known network traffic that is associated with systems infected by viruses and worms. The category also includes signatures that identify traffic associated with well-known Trojan horse programs (such as Back Orifice).

Displaying Signatures by L2/L3/L4 Protocol

The Open Systems Interconnection (OSI) model divides network stacks into the following layers (from lowest to highest):

  • Physical Layer (Layer 1)

  • Data Link Layer (Layer 2)

  • Network Layer (Layer 3)

  • Transport Layer (Layer 4)

  • Session Layer (Layer 5)

  • Presentation Layer (Layer 6)

  • Application Layer (Layer 7)

The Data Link Layer (Layer 2) involves protocols that send frames on the physical hardware. An example protocol is the Address Resolution Protocol (ARP), which enables a system to associate an IP address with a specific Ethernet address. The Network Layer (Layer 3) handles the routing of IP packets based on the IP address in the packets. The most common Layer 3 protocol is the Internet Protocol (IP). The Transport Layer (Layer 4) enables systems to establish connections between each other to transfer information. The two common transport protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Another way to view signatures is by the protocol that the signature is examining. To do this, go to the Select By field of the signature configuration screen and select L2/L3/L4 Protocol (see Figure 5-2).

Figure 5-2. Viewing Signatures by L2/L3/L4 Protocol


After selecting L2/L3/L4 Protocol, you can choose to view the signatures based on any of the following options:

  • ARP

  • General ICMP

  • General IP

  • General Protocol

  • General TCP

  • General UDP

  • ICMP Floods

  • ICMP Host Sweeps

  • ICMP Protocol Anomalies

  • IP Fragments

  • TCP Anomalies

  • TCP Floods

  • TCP Hijacks

  • TCP Host Sweeps

  • TCP Port Sweeps

  • TCP/UDP Combo Sweeps

  • UDP Floods

  • UDP Port Sweeps

  • UDP Protocol Anomalies

You select the specific protocol by using the pull-down menu for the Select Protocol field.

Displaying Signatures by Operating System

Another way to view signatures is by the operating system (OS) that they apply to. To do this, you select OS in the Select By field of the signature configuration screen (see Figure 5-3).

Figure 5-3. Viewing Signatures by Operating System


After selecting OS, you can choose to view the signatures for any of the following operating systems:

  • AIX

  • General Linux

  • General OS

  • General UNIX

  • General Windows

  • General Windows NT/2000/XP

  • Gentoo L0inux

  • HP-UX

  • IOS

  • IRIX

  • MacOS

  • Mandrake Linux

  • Netware

  • Red Hat Linux

  • Solaris

  • SuSE Linux

  • WinNT

You select the specific operating system by using the pull-down menu for the Select OS field.

Displaying Signatures by Signature Release

Many times you may want to view signatures based on either the Cisco IPS software release or a specific Cisco IPS signature update. To do this, you select Release in the Select By field of the signature configuration screen (see Figure 5-4).

Figure 5-4. Viewing Signatures by Signature Release


Note

Viewing signatures by signature release enables you to quickly see which new signatures were added by a specific signature release.


After selecting Release, you can choose to view the signatures for the various Cisco IPS software and signature releases. Some sample software and signature releases are as follows:

  • 1.0

  • 2.1.1

  • 2.1.1.3

  • 2.1.1.4

  • 2.1.1.5

  • 2.1.1.6

  • S10

  • S100

  • S101

  • S102

  • S11

You select the specific release by using the pull-down menu for the Select Release field.

Displaying Signatures by Service

Another way to view signatures is by the service or protocol that they apply to. To do this, you select Service in the Select By field of the signature configuration screen (see Figure 5-5).

Figure 5-5. Viewing Signatures by Service


After selecting Service, you can choose to view the signatures for any of the services shown in Table 5-2. You select the specific service category by using the pull-down menu for the Select Service field.

Table 5-2. Signature Service Options

Service

Description

DHCP

Used to monitor Dynamic Host Configuration Protocol (DHCP) traffic (RFC 2131). DHCP enables systems to dynamically request an IP address for the local network.

DNS

Used to monitor Domain Name System (DNS) traffic. DNS provides the ability for a system, given the DNS (human-readable) name of the system, to request the IP address for a system.

FTP

Used to monitor FTP traffic. FTP is a TCP protocol that enables you to transfer files between two systems on the network.

File Sharing

Used to monitor peer-to-peer file sharing applications (such as Kazaa).

Finger

Used to monitor traffic from the Finger application. The Finger application enables a user to locate the users currently logged in to another UNIX system.

General Service

Used for signatures that do not fall into one of the more specific service categories.

HTTP

Used to monitor HTTP traffic (RFC 2616). HTTP enables a user to efficiently retrieve files from an HTTP server using a web browser.

HTTPS

Used to monitor HTTP Secure (HTTPS) traffic. The difference between HTTP and HTTPS is that HTTPS traffic is encrypted when traversing the network.

IMAP

Used to monitor Internet Message Access Protocol (IMAP) traffic (RFC 3501). IMAP can be used to retrieve mail messages from an e-mail server.

Ident

The signatures associated with the Ident service option involve signatures that monitor traffic for the Identification protocol specified by RFC 931, "Authentication Server."

LPR

Used to monitor traffic to the Line Printer (LPR) utility on UNIX and Linux systems.

MSRPC

Used to monitor Microsoft remote procedure call (MSRPC) traffic.

NetBIOS/SMB

Used to monitor Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) traffic. These protocols enable systems to perform operations such as sharing files and printers.

NNTP

Used to monitor Network News Transfer Protocol (NNTP) traffic (see RFC 977). NNTP is used to transfer news articles between servers and to enable the reading and posting of news articles.

NTP

Used to monitor Network Time Protocol (NTP) traffic (see RFC 1305). NTP enables systems to synchronize their clocks over the network.

POP

Used to monitor Post Office Protocol (POP) traffic (see RFC 1725). POP is one of the protocols by which users can retrieve mail messages from a mail server.

R-Services

Used to monitor remote login (rlogin) traffic (see RFC 1258). The rlogin protocol allows users to remotely connect to a UNIX system that is more robust than Telnet.

RPC

Used to monitor remote-procedure call (RPC) traffic (see RFC 1831). RPC enables one system to execute procedures or applications remotely on another system across the network.

SMTP

Used to monitor Simple Mail Transfer Protocol (SMTP) traffic (see RFC 0821). SMTP enables the efficient and reliable transportation of mail between mail servers.

SNMP

Used to monitor Simple Network Management Protocol (SNMP) traffic (see RFC 1157). SNMP provides a protocol to manage devices on your network.

SOCKS

Used to monitor SOCKS traffic. SOCKS is a generic proxy protocol for TCP-based networking applications.

SQL

Used to monitor Structured Query Language (SQL) traffic. SQL is a computer language for accessing and manipulating database systems.

SSH

Used to monitor Secure Shell (SSH) traffic. SSH is a protocol that enables you to securely log in to a computer across the network and to execute commands on the remote system.

Telnet

Used to monitor Telnet traffic (see RFC 0854). Telnet provides a simple TCP communication protocol.

TFTP

Used monitor Trivial File Transfer Protocol (TFTP) traffic (see RFC 1350). TFTP provides a simple unauthenticated file transfer protocol.


Displaying Signatures by Signature Identification

When displaying signatures by signature identification, you select Sig ID in the Select By field of the signature configuration screen (see Figure 5-6). Next you specify a signature number (in the Enter Sig ID field) and then click on Find. This will search for the specific signature that you entered (see Figure 5-7).

Figure 5-6. Viewing Signatures by Signature Identification


Figure 5-7. Viewing Signatures with Sig ID 1200


Displaying Signatures by Signature Name

When displaying signatures by signature name, you select Sig Name in the Select By field of the signature configuration screen (see Figure 5-8).

Figure 5-8. Viewing Signatures by Signature Name


Next you specify a text string (in the Enter Sig Name field) and then click on Find. This will search for any signatures where the signature name contains the text string that you entered (see Figure 5-9).

Figure 5-9. Viewing Signatures with "flood" in the Name


Displaying Signatures by Response Action

Displaying signatures by response action enables you to easily view which signatures are configured for a specific action. To view signatures by response action, you select Action in the Select By field of the signature configuration screen (see Figure 5-10).

Figure 5-10. Viewing Signatures by Assigned Action


You can view the signatures for the following specific signature response actions:

  • Deny Attacker Inline

  • Deny Connection Inline

  • Deny Packet Inline

  • Log Attacker Packets

  • Log Pair Packets

  • Log Victim Packets

  • Modify Packet Inline

  • Produce Alert

  • Produce Verbose Alert

  • Request Block Connection

  • Request Block Host

  • Request SNMP Trap

  • Reset TCP Connection

Note

For more information on Cisco IPS response actions, refer to Chapter 9, "Cisco IPS Response Configuration."


You select the specific response action by using the pull-down menu for the Select Action field.

Displaying Signatures by Signature Engine

You can view all of the signatures that use a specific signature engine by selecting Engine in the Select By field of the signature configuration screen (see Figure 5-11).

Figure 5-11. Viewing Signatures by Signature Engine


You can view signatures for the following signature engines:

  • AIC FTP

  • AIC HTTP

  • Atomic ARP

  • Atomic IP

  • Flood Host

  • Flood Net

  • Meta

  • Multi-String

  • Normalizer

  • Other

  • Service DNS

  • Service FTP

  • Service Generic

  • Service H225

  • Service HTTP

  • Service Ident

  • Service MSRPC

  • Service MSSQL

  • Service NTP

  • Service RPC

  • Service SMB

  • Service SNMP

  • Service SSH

  • State

  • String ICMP

  • String TCP

  • String UDP

  • Sweep

  • Sweep Other TCP

  • Trojan ICMP

  • Trojan Bo2K

  • Trojan Tfn22K

  • Trojan UDP

You select the specific signature engine by using the pull-down menu for the Select Engine field.

Note

For more information on the various Cisco IPS signature engines, refer to Chapter 6, "Cisco IPS Signature Engines."


Alarm Summary Modes

Managing alarms efficiently is vital to the success of your Cisco IDS deployment. To enhance your ability to control the volume of alarms generated by your sensors, Cisco IDS supports several alarm modes. Each of the following alarm summary modes is designed to assist you in regulating the number of alarms generated by intrusive traffic in different situations:

  • Fire Once

  • Fire All

  • Summarize

  • Alarm Summarization

  • Variable Alarm Summarization

The following sections explain the alarm summary modes in detail. To understand these alarm summary modes, however, you also need to understand the summary key. This parameter determines which alarms are considered duplicates. The summary key can be based on the source (attacker) and destination (victim) IP address as well as the source and destination port (for a given signature). The various alarming modes regulate the number of alarms generated, but you need to be able to determine which instances of an attack are considered duplicates of an alarm that has already been generated. The summary key can be one of the following values:

  • Attacker address

  • Attacker address and victim port

  • Attacker and victim addresses

  • Attacker and victim addresses and ports

  • Victim address

For instance, assume that you have the alarms listed in Table 5-3.

Table 5-3. Sample Alarm List

Alarm

Source IP Address

Source Port

Destination IP Address

Destination Port

1

10.89.100.10

3201

10.90.10.100

25

2

10.89.100.10

3201

10.90.10.200

25

3

10.89.100.10

3201

10.90.10.100

25

4

10.91.10.100

2500

10.90.10.200

512

5

10.89.100.10

2300

10.90.15.100

25

6

10.89.100.10

100

10.90.10.100

80


Assuming that a specific signature is configured with the different values for the summary key, the following alarms would be considered duplicate alarms:

  • Alarms 1, 2, 3, 5, and 6 for the summary key "attacker address"

  • Alarms 1, 3 and 6 for the summary key "victim address"

  • Alarms 1, 3, and 5 for the summary key "attacker address and victim port"

  • Alarms 1 and 3 for the summary key "attacker and victim addresses and ports"

  • Alarms 1, 3, and 6 for the summary key "attacker and victim addresses"

Note

The different alarm modes determine duplicate alarms using only instances of the same signature in conjunction with the summary key information.


Fire Once

A signature configured with the Fire Once alarm summary mode will trigger a single alarm for a configured summary key value and then wait a predefined period of time (usually specified by the Summary Interval parameter) before triggering another duplicate alarm for the same signature.

For instance, assume the summary key value is set to "attacker address." If host A causes the signature to fire, then the same signature will not trigger from host A again until the time specified by the Summary Interval parameter has expired.

Fire All

A signature with the Fire All alarm summary mode triggers an alarm for all activity that matches the signature's characteristics. This is effectively the opposite of the Fire Once alarm summary mode and can generate a large number of alarms during an attack.

Alarm Summarization

Besides the basic alarm firing options, signatures can also take advantage of the following alarm fixed summarization modes:

  • Summarize

  • Global Summarize

Like Fire Once, these alarm summary modes limit the number of alarms generated and make it difficult for an attacker to consume resources on your sensor. With the summarization modes, however, you will also receive information on the number of times that the activity that matches a signature's characteristics was observed during a user-specified period of time.

When you use alarm summarization, the first instance of intrusive activity triggers a normal alarm. Other instances of the same activity (duplicate alarms) are counted until the end of the signature's summary interval. When the length of time specified by the Summary Interval parameter has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval specified by the Summary Interval parameter.

Both summarization modes operate essentially the same way, except Global Summarize mode is based on a summary key, which consolidates alarms for all address and port combinations.

Variable Alarm Summarization

Setting the Summary Threshold or Global Summary Threshold parameters with the following alarm summary modes enables a signature to use variable alarm summarization:

  • Fire All

  • Summarize

When traffic causes the signature to trigger, the alarms are generated according to the initial Alarm Summary mode (see Figure 5-12). If the number of alarms for the signature exceeds the value configured for the Summary Threshold parameter (during a summary interval), the signature automatically switches to the next higher summary alarming mode (generating fewer alarms). If the number of alarms for the signature exceeds the Global Summary Threshold (during the same summary interval), the signature switches to Global Summarize (if not already at this level, since this is the maximum level of alarm consolidation). At the end of the summary interval, the signature reverts back to its configured alarming mode.

Figure 5-12. Automatic Alarm Summarization


For instance, assume that you have a signature with the following values:

  • Summary Threshold 10

  • Summary Interval 5 seconds

  • Global Summary Threshold 30

  • Alarm Summary Mode Fire All

Initially, every time the signature is triggered an alarm is generated. Then if the number of alarms for the signature exceeds 10 (during a 5-second period), the signature automatically switches to Summarize mode. Finally, if the number of alarms exceeds 30 (during the same 5-second period), the signature automatically switches to Global Summarize mode. At the end of the Summary Interval (after 5 seconds), the signature reverts back to the Fire All alarm summary mode. After switching to one of the summarization modes, a summary alarm is generated at the end of the summary interval. The summary alarm indicates the number of alarms that were detected during the summarization period.

The variable alarming modes provide you with the flexibility of having signatures that trigger an alarm on every instance of a signature but then reduce the number of alarms generated when the alarms start to significantly impact the resources on the IDS. The reduction in alarms also improves the ability of the network security administrator to analyze the alarms being generated.

Basic Signature Configuration

After locating signatures by using signature groups, you can perform various configuration operations on signatures or groups of signatures. These configuration operations fall into the following categories:

  • Viewing Network Security Database (NSDB) information

  • Enabling signatures

  • Creating new signatures

  • Editing existing signatures

  • Retiring signatures

  • Defining signature responses

Besides understanding the basic signature configuration operations, it is helpful to understand the fields that an alert contains. Table 5-4 describes the major fields found in an alert.

Table 5-4. Alert Fields

Field

Description

Alert Type

Type of alert event generated. Valid types are Error, NAC, Status, or Alert.

Application Name

Application on the sensor that generated the alert.

Attacker Address

IP address of the system that originated the traffic.

Attacker Port

Source port on the system originating the traffic.

Block Requested

Indicates if the event generated an IP blocking response action.

Description

Name of the signature that triggered the alert.

Dropped Packet

Indicates if the traffic was dropped by an inline drop response action.

Event ID

Numerical identifier that the sensor assigned to the event.

Host ID

Name of the sensor on which the traffic was detected.

Interface

Sensor interface on which the traffic was detected.

IP Logged

Indicates that the event generated an IP Logging response action.

Interface Group

Name of the inline interface pair on which the traffic was detected.

Protocol

Protocol of the traffic that caused the signature to trigger.

Risk Rating

Risk Rating of the event associated with the alert.

Sensor UTC Time

Time that the event occurred.

Severity

Severity of the signature that caused the alert.

SigID

Numerical identifier of the signature that fired and caused the alert event.

Signature Version

Identifies the signature release when the signature was first incorporated into the sensor software.

SubSig ID

Identifies the sub-signature ID of the signature that caused the alert event.

Target Address

IP address of the system receiving the traffic.

Target Port

Destination port to which the traffic is sent.

TCP Reset

Indicates if the alert generated a TCP reset response action.

Trigger Packet

Actual packet that caused the signature to trigger. Only available if signature is configured to capture the trigger packet.

Vendor

Identifies the vendor who developed the signature.

VLAN

Virtual LAN (VLAN) on which the traffic was detected.


Viewing NSDB Information

The NSDB links to an online Cisco HTML-based encyclopedia of network vulnerability information (also known as the Cisco Secure Encyclopedia [CSEC]). CSEC was developed as a central "warehouse" of security knowledge to provide Cisco security professionals with an interactive database of security-vulnerability information. CSEC contains detailed information about security vulnerabilities such as countermeasures, affected systems and software, and Cisco Secure products that can help you test for vulnerabilities or detect when malicious users attempt to exploit your systems. The CSEC can be found at http://www.cisco.com/go/csec.

Signature Information

Each signature has an Exploit Signature page (located in the NSDB) that describes the characteristics of the signature. A typical NSDB Exploit Signature page contains numerous fields that provide information about the signature that triggered the alarm. The following three fields provide you with valuable information:

  • Description

  • Benign Trigger(s)

  • Recommended Signature Filter

The Description field describes what type of network traffic the signature is looking for. The Benign Trigger(s) field identifies situations in which the signature may trigger on normal user traffic, thus generating a false positive. The final field, Recommended Signature Filter, identifies a recommended filter that you can apply to your monitoring application to reduce the chances that the signature will generate false positives. Figure 5-13 shows an NSDB Exploit Signature page for the Windows Shell External Handler signature.

Figure 5-13. NSDB Exploit Signature Page


Related Threats Information

Each signature page provides a link (in the Related Threats field) to an NSDB Threats page that provides information on the threats associated with a given exploit. A typical NSDB Threats page (see Figure 5-14) provides information such as the threatened systems, known countermeasures, and consequences of the threat.

Figure 5-14. NSDB Threats Page


Viewing NSDB Information

From IDM, you can access the NSDB information for a specific signature by performing the following steps:

Step 1.

Access IDM by entering the following URL in your web browser: https://sensor_ip_address.

Step 2.

Click on the Configuration icon to display the list of configuration tasks.

Step 3.

If the items under the Signature Definition category are not displayed, click on the plus sign to the left of Signature Definition.

Step 4.

Click on Signature Configuration to access the Signature Configuration screen.

Step 5.

Highlight the signature for which you want to see NSDB information by clicking on the name of the signature.

Step 6.

Click on NSDB Link to access the NSDB information via Cisco.com. To access this information, you need to log in with a registered user account.

Step 7.

After you log in, the NSDB signature page for the highlighted signature is displayed in a new browser window (see Figure 5-13).

Step 8.

To view the threat information for the signature, simply click on the Related Threats link. This will display the threat information for the signature (see Figure 5-14).

Enabling Signatures

By default, not all signatures are enabled. Some are disabled because they are known to generate false positives unless you configure specific event filters for your network configuration. Occasionally, you may find that a signature that is enabled by default needs to be disabled because it generates false positives in your network configuration.

It is a simple task to enable or disable Cisco IPS signatures through the IDM interface. The following are the steps to enable a Cisco IPS signature:

Step 1.

Access IDM by entering the following URL in your web browser: https://sensor_ip_address.

Step 2.

Click on the Configuration icon to display the list of configuration tasks.

Step 3.

If the items under the Signature Definition category are not displayed, click on the plus sign to the left of Signature Definition.

Step 4.

Click on Signature Configuration to access the Signature Configuration screen.

Step 5.

Highlight the signature(s) that you want to enable by clicking on the name of the signature.

Note

You can highlight multiple signatures by holding down the Ctrl key while clicking on signature names. You can also highlight a signature and hold down the Shift key while clicking on another signature name to highlight all of the signatures between the two selected signatures.

Step 6.

Click on Enable to enable the highlighted signature(s).

Step 7.

Click on Apply to save the configuration to the sensor.

Note

The process for disabling a signature is the same as that for enabling a signature, except that you click on Disable instead of Enable.

Creating New Signatures

Although Cisco IPS provides numerous signatures, you may want to create your own signatures in addition to these. When creating new signatures, you have the following two options:

  • Add

  • Clone

The difference between these two options is that cloning an existing signature enables you to construct a new signature that starts with the parameters of an existing signature. You can then customize the settings to match your requirements. Adding a signature fills in default values for more of the signature parameters and allows you to construct a signature to match your custom signature requirements. For more information on creating custom signatures, refer to Chapter 7.

Editing Existing Signatures

Along with creating your own custom signatures, you can tune existing signatures by changing the signature parameters to match your network requirements. For more information on tuning existing signatures, refer to Chapter 7.

Note

You can always restore a signature to its default settings by using the Restore Defaults option on the Signature Configuration screen.


Retiring Signatures

Cisco IPS provides a large number of signatures that cover numerous operating systems and applications. Not all of these signatures may be applicable to your environment. If you choose, you can retire a Cisco IPS signature. When you retire a signature, the signature is actually removed from the signature engine (thus removing any impact that the signature has on the performance of your sensor). The steps to retire a signature are as follows:

Step 1.

Access IDM by entering the following URL in your web browser: https://sensor_ip_address.

Step 2.

Click on the Configuration icon to display the list of configuration tasks.

Step 3.

If the items under the Signature Definition category are not displayed, click on the plus sign to the left of Signature Definition.

Step 4.

Click on Signature Configuration to access the Signature Configuration screen.

Step 5.

Highlight the signature for which you want to see the NSDB information by clicking on the name of the signature.

Step 6.

Click on Retire to retire the highlighted signature(s).

Step 7.

Click on Apply to save the configuration changes to the sensor.

Note

If you decide to activate any signatures that you have retired, you can follow the steps for retiring a signature, but instead of clicking on Retire, you click on Activate. This will add the previously retired signature back into the signature engine. Rebuilding the signature engine, however, can be a time-consuming process.


Defining Signature Responses

You can configure each Cisco IPS to perform one or more of the following responses when a signature fires (see Figure 5-15):

  • Deny Attacker Inline

  • Deny Connection Inline

  • Deny Packet Inline

  • Log Attacker Packets

  • Log Pair Packets

  • Log Victim Packets

  • Produce Alert

  • Produce Verbose Alert

  • Request Block Connection

  • Request Block Host

  • Request SNMP Trap

  • Reset TCP Connection

Figure 5-15. Signature Response Actions


You can select one or more of these operations for each Cisco IPS signature. By clicking on the check box next to an action, you can toggle between selecting the operation and removing the operation. When a check mark is displayed next to an action, that action will be performed when the signature fires.



CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net