Configuring Cisco IPS Signatures
Monitoring network traffic, identifying intrusive activity, and responding to network attacks is the core functionality provided by Cisco IPS. Cisco IPS provides numerous signatures that enable your sensors to determine which traffic on your network represents potential attacks or violates your security policy. To efficiently protect your network from attack, you should understand the numerous signatures that are provided and the actions they perform when intrusive activity is detected.
This chapter focuses on the following signature-related topics:
To facilitate configuring Cisco IPS signatures, you can view signatures based on the following groups:
The following sections explain how to view the Cisco IPS signatures by using these different groups.
Displaying Signatures by Attack
Sometimes you want to view the signatures that fall into a specific attack category. To do this, go to the Select By field of the signature configuration screen and select Attack (see Figure 5-1).
Figure 5-1. Viewing Signatures by Attack Type
After selecting Attack, you can choose to view the signatures for any of the following attack categories:
You select a specific attack category by using the pull-down menu for the Select Attack field.
Adware and spyware are programs that typically get installed on your system without your knowledge while you are normally accessing websites on the Internet. These programs surreptitiously monitor your actions and can impact the performance of your system. The signatures in the Adware/Spyware category identify traffic that indicates the operation of common spyware and adware applications on systems on your network.
Code Execution and Command Execution attacks are those in which an attacker attempts to either run code on a system on your network (such as through a buffer overflow attack) or use known system vulnerabilities to execute commands on a system.
Denial-of-service (DoS) attacks are those in which an attacker tries to disrupt the operation of devices on your network. Distributed denial-of-service (DDoS) attacks are those in which an attacker uses a large number of compromised systems to disrupt the operation of devices on your network. By using a large number of attacking systems (thus increasing the traffic volume), a DDoS is much more effective at disrupting the operation of your network.
In File Access attacks, an attacker attempts to retrieve files from systems on your network by using known system vulnerabilities. Most of these attacks exploit vulnerabilities associated with web servers, but they may also involve specific signatures for other protocols such as Trivial File Transfer Protocol (TFTP) and Server Message Block (SMB) protocol.
The General attacks category includes attacks that do not logically fit into any of the more specific categories. These attacks range from detecting bad IP options to identifying traffic to ports associated with well-known back doors created by various attacks.
IDS Evasion signatures detect attacks that are specifically designed to evade intrusion-detection systems. The Informational signatures represent traffic patterns that may indicate a potential attack or may simply be normal user activity. For instance, signatures in this category include those that detect both successful logins and login failures on numerous protocols. Informational signatures also include signatures that detect simple malformed packets (such as a Simple Network Management Protocol [SNMP] request that specifies an incorrect length).
Policy Violation signatures detect traffic on your network that indicates that users are running applications that your security policy forbids. The applications that typically fall into this category include peer-to-peer software (such as Kazaa) as well as instant messenger software (such as Yahoo! Messenger).
The first step in attacking a network usually involves identifying the systems (or targets) on the network. Besides locating potential systems, an attacker also needs to identify network services running on those systems. Reconnaissance signatures detect network traffic that indicates someone is trying to map out systems or services on your network.
Viruses, worms, and Trojan horses exploit known vulnerabilities on systems in your network. The signatures in the Viruses/Worms/Trojans category detect known network traffic that is associated with systems infected by viruses and worms. The category also includes signatures that identify traffic associated with well-known Trojan horse programs (such as Back Orifice).
Displaying Signatures by L2/L3/L4 Protocol
The Open Systems Interconnection (OSI) model divides network stacks into the following layers (from lowest to highest):
The Data Link Layer (Layer 2) involves protocols that send frames on the physical hardware. An example protocol is the Address Resolution Protocol (ARP), which enables a system to associate an IP address with a specific Ethernet address. The Network Layer (Layer 3) handles the routing of IP packets based on the IP address in the packets. The most common Layer 3 protocol is the Internet Protocol (IP). The Transport Layer (Layer 4) enables systems to establish connections between each other to transfer information. The two common transport protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
Another way to view signatures is by the protocol that the signature is examining. To do this, go to the Select By field of the signature configuration screen and select L2/L3/L4 Protocol (see Figure 5-2).
Figure 5-2. Viewing Signatures by L2/L3/L4 Protocol
After selecting L2/L3/L4 Protocol, you can choose to view the signatures based on any of the following options:
You select the specific protocol by using the pull-down menu for the Select Protocol field.
Displaying Signatures by Operating System
Another way to view signatures is by the operating system (OS) that they apply to. To do this, you select OS in the Select By field of the signature configuration screen (see Figure 5-3).
Figure 5-3. Viewing Signatures by Operating System
After selecting OS, you can choose to view the signatures for any of the following operating systems:
You select the specific operating system by using the pull-down menu for the Select OS field.
Displaying Signatures by Signature Release
Many times you may want to view signatures based on either the Cisco IPS software release or a specific Cisco IPS signature update. To do this, you select Release in the Select By field of the signature configuration screen (see Figure 5-4).
Figure 5-4. Viewing Signatures by Signature Release
Viewing signatures by signature release enables you to quickly see which new signatures were added by a specific signature release.
After selecting Release, you can choose to view the signatures for the various Cisco IPS software and signature releases. Some sample software and signature releases are as follows:
You select the specific release by using the pull-down menu for the Select Release field.
Displaying Signatures by Service
Another way to view signatures is by the service or protocol that they apply to. To do this, you select Service in the Select By field of the signature configuration screen (see Figure 5-5).
Figure 5-5. Viewing Signatures by Service
After selecting Service, you can choose to view the signatures for any of the services shown in Table 5-2. You select the specific service category by using the pull-down menu for the Select Service field.
Displaying Signatures by Signature Identification
When displaying signatures by signature identification, you select Sig ID in the Select By field of the signature configuration screen (see Figure 5-6). Next you specify a signature number (in the Enter Sig ID field) and then click on Find. This will search for the specific signature that you entered (see Figure 5-7).
Figure 5-6. Viewing Signatures by Signature Identification
Figure 5-7. Viewing Signatures with Sig ID 1200
Displaying Signatures by Signature Name
When displaying signatures by signature name, you select Sig Name in the Select By field of the signature configuration screen (see Figure 5-8).
Figure 5-8. Viewing Signatures by Signature Name
Next you specify a text string (in the Enter Sig Name field) and then click on Find. This will search for any signatures where the signature name contains the text string that you entered (see Figure 5-9).
Figure 5-9. Viewing Signatures with "flood" in the Name
Displaying Signatures by Response Action
Displaying signatures by response action enables you to easily view which signatures are configured for a specific action. To view signatures by response action, you select Action in the Select By field of the signature configuration screen (see Figure 5-10).
Figure 5-10. Viewing Signatures by Assigned Action
You can view the signatures for the following specific signature response actions:
For more information on Cisco IPS response actions, refer to Chapter 9, "Cisco IPS Response Configuration."
You select the specific response action by using the pull-down menu for the Select Action field.
Displaying Signatures by Signature Engine
You can view all of the signatures that use a specific signature engine by selecting Engine in the Select By field of the signature configuration screen (see Figure 5-11).
Figure 5-11. Viewing Signatures by Signature Engine
You can view signatures for the following signature engines:
You select the specific signature engine by using the pull-down menu for the Select Engine field.
For more information on the various Cisco IPS signature engines, refer to Chapter 6, "Cisco IPS Signature Engines."
Alarm Summary Modes
Managing alarms efficiently is vital to the success of your Cisco IDS deployment. To enhance your ability to control the volume of alarms generated by your sensors, Cisco IDS supports several alarm modes. Each of the following alarm summary modes is designed to assist you in regulating the number of alarms generated by intrusive traffic in different situations:
The following sections explain the alarm summary modes in detail. To understand these alarm summary modes, however, you also need to understand the summary key, the parameter that determines which alarms are considered duplicates. The summary key can be based on the source (attacker) and destination (victim) IP addresses as well as the source and destination ports (for a given signature). The various alarming modes regulate the number of alarms generated, but to do so the sensor must determine which instances of an attack are duplicates of an alarm that has already been generated. The summary key can be one of the following values:
For instance, assume that you have the alarms listed in Table 5-3.
Assuming that a specific signature is configured with the different values for the summary key, the following alarms would be considered duplicate alarms:
The different alarm modes determine duplicate alarms using only instances of the same signature in conjunction with the summary key information.
A signature configured with the Fire Once alarm summary mode will trigger a single alarm for a configured summary key value and then wait a predefined period of time (usually specified by the Summary Interval parameter) before triggering another duplicate alarm for the same signature.
For instance, assume the summary key value is set to "attacker address." If host A causes the signature to fire, then the same signature will not trigger from host A again until the time specified by the Summary Interval parameter has expired.
A signature with the Fire All alarm summary mode triggers an alarm for all activity that matches the signature's characteristics. This is effectively the opposite of the Fire Once alarm summary mode and can generate a large number of alarms during an attack.
Besides the basic alarm firing options, signatures can also take advantage of the following alarm fixed summarization modes:
Like Fire Once, these alarm summary modes limit the number of alarms generated and make it difficult for an attacker to consume resources on your sensor. With the summarization modes, however, you will also receive information on the number of times that the activity that matches a signature's characteristics was observed during a user-specified period of time.
When you use alarm summarization, the first instance of intrusive activity triggers a normal alarm. Other instances of the same activity (duplicate alarms) are counted until the end of the signature's summary interval. When the length of time specified by the Summary Interval parameter has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval specified by the Summary Interval parameter.
Both summarization modes operate essentially the same way, except that in Global Summarize mode the summary key consolidates alarms for all address and port combinations, so a single summary alarm covers every attacker and victim.
Variable Alarm Summarization
Setting the Summary Threshold or Global Summary Threshold parameters with the following alarm summary modes enables a signature to use variable alarm summarization:
When traffic causes the signature to trigger, the alarms are generated according to the initial Alarm Summary mode (see Figure 5-12). If the number of alarms for the signature exceeds the value configured for the Summary Threshold parameter (during a summary interval), the signature automatically switches to the next higher summary alarming mode (generating fewer alarms). If the number of alarms for the signature exceeds the Global Summary Threshold (during the same summary interval), the signature switches to Global Summarize (if not already at this level, since this is the maximum level of alarm consolidation). At the end of the summary interval, the signature reverts back to its configured alarming mode.
Figure 5-12. Automatic Alarm Summarization
For instance, assume that you have a signature with the following values:
Initially, every time the signature is triggered an alarm is generated. Then if the number of alarms for the signature exceeds 10 (during a 5-second period), the signature automatically switches to Summarize mode. Finally, if the number of alarms exceeds 30 (during the same 5-second period), the signature automatically switches to Global Summarize mode. At the end of the Summary Interval (after 5 seconds), the signature reverts back to the Fire All alarm summary mode. After switching to one of the summarization modes, a summary alarm is generated at the end of the summary interval. The summary alarm indicates the number of alarms that were detected during the summarization period.
The variable alarming modes provide you with the flexibility of having signatures that trigger an alarm on every instance of a signature but then reduce the number of alarms generated when the alarms start to significantly impact the resources on the IDS. The reduction in alarms also improves the ability of the network security administrator to analyze the alarms being generated.
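The summary key and the alarm summary modes described above, modelled as an added example (not Cisco code): timestamped matches of one signature are replayed through the summary-key duplicate check and through Fire Once, Fire All, Summarize, and Global Summarize, including the threshold escalation from the Fire All example (thresholds 10 and 30, 5-second interval). The field names, the event format, and the choice of Fire All and Fire Once as the modes that escalate are assumptions made for this illustration.

```python
from collections import Counter

# Added illustration, not Cisco code: field names and the event layout are assumed.
FIELDS = ("attacker", "victim", "attacker_port", "victim_port")


def summary_key_of(event, key_fields):
    """The summary key selects which fields decide that two matches are duplicates."""
    return tuple(event[f] for f in key_fields)


def is_duplicate(event_a, event_b, key_fields):
    """Two matches of the same signature are duplicates when their summary keys agree."""
    return summary_key_of(event_a, key_fields) == summary_key_of(event_b, key_fields)


def replay(events, key_fields, mode="Fire All", summary_interval=5,
           summary_threshold=None, global_summary_threshold=None):
    """Replay time-ordered matches of one signature; return the alarms a sensor emits.

    Optional thresholds enable variable summarization: within a summary interval the
    mode escalates Fire All/Fire Once -> Summarize -> Global Summarize, a summary alarm
    is sent when the interval closes, and the signature reverts to its configured mode.
    (Assumption: the interval also closes at the end of the input.)"""
    alarms, start, current, seen, counts = [], None, mode, set(), Counter()

    def end_interval():
        # Summarize reports one count per summary key; Global Summarize reports one total.
        if current == "Summarize":
            for key, n in counts.items():
                alarms.append({"type": "summary", "key": key, "count": n})
        elif current == "Global Summarize":
            alarms.append({"type": "summary", "key": None, "count": sum(counts.values())})

    for ev in sorted(events, key=lambda e: e["t"]):
        if start is None or ev["t"] >= start + summary_interval:
            if start is not None:
                end_interval()
            start, current, seen, counts = ev["t"], mode, set(), Counter()
        key = summary_key_of(ev, key_fields)
        # Decide whether this match raises a normal alarm under the current mode.
        fire = (current == "Fire All"
                or (current in ("Fire Once", "Summarize") and key not in seen)
                or (current == "Global Summarize" and not counts))
        seen.add(key)
        counts[key] += 1
        if fire:
            alarms.append({"type": "alarm", "t": ev["t"], "key": key})
        total = sum(counts.values())  # duplicates are counted, not dropped
        if global_summary_threshold is not None and total > global_summary_threshold:
            current = "Global Summarize"
        elif (summary_threshold is not None and total > summary_threshold
              and current in ("Fire All", "Fire Once")):
            current = "Summarize"
    if start is not None:
        end_interval()
    return alarms


# Constructed sample: one attacker hits three victims 35 times within 3.5 s, then once
# more after the 5 s summary interval has elapsed.
SAMPLE = [{"t": round(i * 0.1, 1), "attacker": "192.0.2.10", "victim": f"198.51.100.{i % 3}",
           "attacker_port": 40000 + i, "victim_port": 80} for i in range(35)]
SAMPLE.append({"t": 7.0, "attacker": "192.0.2.10", "victim": "198.51.100.1",
               "attacker_port": 40100, "victim_port": 80})


def demo():
    """Fire All keyed on attacker address with thresholds 10 and 30 and a 5 s interval."""
    return replay(SAMPLE, ("attacker",), "Fire All", 5, 10, 30)
```

In the demo, 11 normal alarms are raised before the Summary Threshold is exceeded, the remaining 24 matches are only counted, and one summary alarm reporting 35 matches is sent when the interval closes before the match at 7.0 s fires normally again.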
Basic Signature Configuration
After locating signatures by using signature groups, you can perform various configuration operations on signatures or groups of signatures. These configuration operations fall into the following categories:
Besides understanding the basic signature configuration operations, it is helpful to understand the fields that an alert contains. Table 5-4 describes the major fields found in an alert.
Viewing NSDB Information
The NSDB links to an online Cisco HTML-based encyclopedia of network vulnerability information (also known as the Cisco Secure Encyclopedia [CSEC]). CSEC was developed as a central "warehouse" of security knowledge to provide Cisco security professionals with an interactive database of security-vulnerability information. CSEC contains detailed information about security vulnerabilities such as countermeasures, affected systems and software, and Cisco Secure products that can help you test for vulnerabilities or detect when malicious users attempt to exploit your systems. The CSEC can be found at http://www.cisco.com/go/csec.
Each signature has an Exploit Signature page (located in the NSDB) that describes the characteristics of the signature. A typical NSDB Exploit Signature page contains numerous fields that provide information about the signature that triggered the alarm. The following three fields provide you with valuable information:
The Description field describes what type of network traffic the signature is looking for. The Benign Trigger(s) field identifies situations in which the signature may trigger on normal user traffic, thus generating a false positive. The final field, Recommended Signature Filter, identifies a recommended filter that you can apply to your monitoring application to reduce the chances that the signature will generate false positives. Figure 5-13 shows an NSDB Exploit Signature page for the Windows Shell External Handler signature.
Figure 5-13. NSDB Exploit Signature Page
Related Threats Information
Each signature page provides a link (in the Related Threats field) to an NSDB Threats page that provides information on the threats associated with a given exploit. A typical NSDB Threats page (see Figure 5-14) provides information such as the threatened systems, known countermeasures, and consequences of the threat.
Figure 5-14. NSDB Threats Page
Viewing NSDB Information
From IDM, you can access the NSDB information for a specific signature by performing the following steps:
By default, not all signatures are enabled. Some are disabled because they are known to generate false positives unless you configure specific event filters for your network configuration. Occasionally, you may find that a signature that is enabled by default needs to be disabled because it generates false positives in your network configuration.
It is a simple task to enable or disable Cisco IPS signatures through the IDM interface. The following are the steps to enable a Cisco IPS signature:
Creating New Signatures
Although Cisco IPS provides numerous signatures, you may want to create your own signatures in addition to these. When creating new signatures, you have the following two options:
The difference between these two options is that cloning an existing signature enables you to construct a new signature that starts with the parameters of an existing signature. You can then customize the settings to match your requirements. Adding a signature fills in default values for more of the signature parameters and allows you to construct a signature to match your custom signature requirements. For more information on creating custom signatures, refer to Chapter 7.
Editing Existing Signatures
Along with creating your own custom signatures, you can tune existing signatures by changing the signature parameters to match your network requirements. For more information on tuning existing signatures, refer to Chapter 7.
You can always restore a signature to its default settings by using the Restore Defaults option on the Signature Configuration screen.
Cisco IPS provides a large number of signatures that cover numerous operating systems and applications. Not all of these signatures may be applicable to your environment. If you choose, you can retire a Cisco IPS signature. When you retire a signature, the signature is actually removed from the signature engine (thus removing any impact that the signature has on the performance of your sensor). The steps to retire a signature are as follows:
If you decide to activate any signatures that you have retired, you can follow the steps for retiring a signature, but instead of clicking on Retire, you click on Activate. This will add the previously retired signature back into the signature engine. Rebuilding the signature engine, however, can be a time-consuming process.
Defining Signature Responses
You can configure each Cisco IPS signature to perform one or more of the following responses when the signature fires (see Figure 5-15):
Figure 5-15. Signature Response Actions
You can select one or more of these operations for each Cisco IPS signature. By clicking on the check box next to an action, you can toggle between selecting the operation and removing the operation. When a check mark is displayed next to an action, that action will be performed when the signature fires.