Foundation and Supplemental Topics

Configuring Cisco IPS Signatures

Monitoring network traffic, identifying intrusive activity, and responding to network attacks is the core functionality provided by Cisco IPS. Cisco IPS provides numerous signatures that enable your sensors to determine which traffic on your network represents potential attacks or violates your security policy. To efficiently protect your network from attack, you should understand the numerous signatures that are provided and the actions they perform when intrusive activity is detected.

This chapter focuses on the following signature-related topics:

• Signature groups

• Alarm summary modes

• Basic signature configuration

Signature Groups

To facilitate configuring Cisco IPS signatures, you can view signatures based on the following groups:

• Attack

• L2/L3/L4 Protocol

• Operating System

• Signature Release

• Service

• Signature Identification

• Signature Name

• Signature Action

• Signature Engine

The following sections explain how to view the Cisco IPS signatures by using these different groups.

Displaying Signatures by Attack

Sometimes you want to view the signatures that fall into a specific attack category. To do this, go to the Select By field of the signature configuration screen and select Attack (see Figure 5-1).

Figure 5-1. Viewing Signatures by Attack Type

After selecting Attack, you can choose to view the signatures for any of the following attack categories:

• Adware/Spyware

• Code Execution

• Command Execution

• DDos

• DoS

• File Access

• General Attack

• IDS Evasion

• Informational

• Policy Violation

• Reconnaissance

• Viruses/Worms/Trojans

You select a specific attack category by using the pull-down menu for the Select Attack field.

Adware and spyware are programs that typically get installed on your system without your knowledge while you are normally accessing websites on the Internet. These programs surreptitiously monitor you actions and can impact the performance of your system. The signatures in the Adware/ Spyware category identify traffic that indicates the operation of common spyware and adware applications on systems on your network.

Code Execution and Command Execution attacks are those in which an attacker attempts to either run code on a system on your network (such as through a buffer overflow attack) or use known system vulnerabilities to execute commands on a system.

Denial-of-service (DoS) attacks are those in which an attacker tries to disrupt the operation of devices on your network. Distributed denial-of-service (DDoS) attacks are those in which an attacker uses a large number of compromised systems to disrupt the operation of devices on your network. By using a large number of attacking systems (thus increasing the traffic volume), a DDoS is much more effective at disrupting the operation of your network.

In File Access attacks, an attacker attempts to retrieve files from systems on your network by using known system vulnerabilities. Most of these attacks exploit vulnerabilities associated with web servers, but they may also involve specific signatures for other protocols such Trivial File Transfer Protocol (TFTP) and Server Message Block (SMB) protocol.

The General attacks category includes attacks that do not logically fit into any of the more specific categories. These attacks range from detecting bad IP options to identifying traffic to ports associated with well-known back doors created by various attacks.

IDS Evasion signatures detect attacks that are specifically designed to evade intrusion-detection systems. The informational signatures represent traffic patterns that may represent a potential attack or just normal user activity. For instance, signatures in this category include those that detect both successful logins and login failures on numerous protocols. Informational signatures also include signatures that detect simple malformed packet signatures (such as invalidly specifying an incorrect length in a Simple Network Management Protocol [SNMP] request).

Policy Violation signatures detect traffic on your network that indicates that users are running applications that your security policy forbids. The applications that typically fall into this category include peer-to-peer software (such as Kazaa) as well as instant messenger software (such as Yahoo! Messenger).

The first step in attacking a network usually involves identifying the systems (or targets) on the network. Besides locating potential systems, an attacker also needs to identify network services running on those systems. Reconnaissance signatures detect network traffic that indicates someone is trying to map out systems or services on your network.

Viruses, worms, and Trojan horses exploit known vulnerabilities on systems in your network. The signatures in the Viruses/Worms/Trojans category detect known network traffic that is associated with systems infected by viruses and worms. The category also includes signatures that identify traffic associated with well-known Trojan horse programs (such as Back Orifice).

Displaying Signatures by L2/L3/L4 Protocol

The Open Systems Interconnection (OSI) model divides network stacks into the following layers (from lowest to highest):

• Physical Layer (Layer 1)

• Data Link Layer (Layer 2)

• Network Layer (Layer 3)

• Transport Layer (Layer 4)

• Session Layer (Layer 5)

• Presentation Layer (Layer 6)

• Application Layer (Layer 7)

The Data Link Layer (Layer 2) involves protocols that send frames on the physical hardware. An example protocol is the Address Resolution Protocol (ARP), which enables a system to associate an IP address with a specific Ethernet address. The Network Layer (Layer 3) handles the routing of IP packets based on the IP address in the packets. The most common Layer 3 protocol is the Internet Protocol (IP). The Transport Layer (Layer 4) enables systems to establish connections between each other to transfer information. The two common transport protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Another way to view signatures is by the protocol that the signature is examining. To do this, go to the Select By field of the signature configuration screen and select L2/L3/L4 Protocol (see Figure 5-2).

Figure 5-2. Viewing Signatures by L2/L3/L4 Protocol

After selecting L2/L3/L4 Protocol, you can choose to view the signatures based on any of the following options:

• ARP

• General ICMP

• General IP

• General Protocol

• General TCP

• General UDP

• ICMP Floods

• ICMP Host Sweeps

• ICMP Protocol Anomalies

• IP Fragments

• TCP Anomalies

• TCP Floods

• TCP Hijacks

• TCP Host Sweeps

• TCP Port Sweeps

• TCP/UDP Combo Sweeps

• UDP Floods

• UDP Port Sweeps

• UDP Protocol Anomalies

You select the specific protocol by using the pull-down menu for the Select Protocol field.

Displaying Signatures by Operating System

Another way to view signatures is by the operating system (OS) that they apply to. To do this, you select OS in the Select By field of the signature configuration screen (see Figure 5-3).

Figure 5-3. Viewing Signatures by Operating System

After selecting OS, you can choose to view the signatures for any of the following operating systems:

• AIX

• General Linux

• General OS

• General UNIX

• General Windows

• General Windows NT/2000/XP

• Gentoo L0inux

• HP-UX

• IOS

• IRIX

• MacOS

• Mandrake Linux

• Netware

• Red Hat Linux

• Solaris

• SuSE Linux

• WinNT

You select the specific operating system by using the pull-down menu for the Select OS field.

Displaying Signatures by Signature Release

Many times you may want to view signatures based on either the Cisco IPS software release or a specific Cisco IPS signature update. To do this, you select Release in the Select By field of the signature configuration screen (see Figure 5-4).

Figure 5-4. Viewing Signatures by Signature Release

Note

Viewing signatures by signature release enables you to quickly see which new signatures were added by a specific signature release.

After selecting Release, you can choose to view the signatures for the various Cisco IPS software and signature releases. Some sample software and signature releases are as follows:

• 1.0

• 2.1.1

• 2.1.1.3

• 2.1.1.4

• 2.1.1.5

• 2.1.1.6

• S10

• S100

• S101

• S102

• S11

You select the specific release by using the pull-down menu for the Select Release field.

Displaying Signatures by Service

Another way to view signatures is by the service or protocol that they apply to. To do this, you select Service in the Select By field of the signature configuration screen (see Figure 5-5).

Figure 5-5. Viewing Signatures by Service

After selecting Service, you can choose to view the signatures for any of the services shown in Table 5-2. You select the specific service category by using the pull-down menu for the Select Service field.

Displaying Signatures by Signature Identification

When displaying signatures by signature identification, you select Sig ID in the Select By field of the signature configuration screen (see Figure 5-6). Next you specify a signature number (in the Enter Sig ID field) and then click on Find. This will search for the specific signature that you entered (see Figure 5-7).

Figure 5-6. Viewing Signatures by Signature Identification

Figure 5-7. Viewing Signatures with Sig ID 1200

Displaying Signatures by Signature Name

When displaying signatures by signature name, you select Sig Name in the Select By field of the signature configuration screen (see Figure 5-8).

Figure 5-8. Viewing Signatures by Signature Name

Next you specify a text string (in the Enter Sig Name field) and then click on Find. This will search for any signatures where the signature name contains the text string that you entered (see Figure 5-9).

Figure 5-9. Viewing Signatures with "flood" in the Name

Displaying Signatures by Response Action

Displaying signatures by response action enables you to easily view which signatures are configured for a specific action. To view signatures by response action, you select Action in the Select By field of the signature configuration screen (see Figure 5-10).

Figure 5-10. Viewing Signatures by Assigned Action

You can view the signatures for the following specific signature response actions:

• Deny Attacker Inline

• Deny Connection Inline

• Deny Packet Inline

• Log Attacker Packets

• Log Pair Packets

• Log Victim Packets

• Modify Packet Inline

• Produce Alert

• Produce Verbose Alert

• Request Block Connection

• Request Block Host

• Request SNMP Trap

• Reset TCP Connection

Note

For more information on Cisco IPS response actions, refer to Chapter 9, "Cisco IPS Response Configuration."

You select the specific response action by using the pull-down menu for the Select Action field.

Displaying Signatures by Signature Engine

You can view all of the signatures that use a specific signature engine by selecting Engine in the Select By field of the signature configuration screen (see Figure 5-11).

Figure 5-11. Viewing Signatures by Signature Engine

You can view signatures for the following signature engines:

• AIC FTP

• AIC HTTP

• Atomic ARP

• Atomic IP

• Flood Host

• Flood Net

• Meta

• Multi-String

• Normalizer

• Other

• Service DNS

• Service FTP

• Service Generic

• Service H225

• Service HTTP

• Service Ident

• Service MSRPC

• Service MSSQL

• Service NTP

• Service RPC

• Service SMB

• Service SNMP

• Service SSH

• State

• String ICMP

• String TCP

• String UDP

• Sweep

• Sweep Other TCP

• Trojan ICMP

• Trojan Bo2K

• Trojan Tfn22K

• Trojan UDP

You select the specific signature engine by using the pull-down menu for the Select Engine field.

Note

For more information on the various Cisco IPS signature engines, refer to Chapter 6, "Cisco IPS Signature Engines."

Alarm Summary Modes

Managing alarms efficiently is vital to the success of your Cisco IDS deployment. To enhance your ability to control the volume of alarms generated by your sensors, Cisco IDS supports several alarm modes. Each of the following alarm summary modes is designed to assist you in regulating the number of alarms generated by intrusive traffic in different situations:

• Fire Once

• Fire All

• Summarize

• Alarm Summarization

• Variable Alarm Summarization

The following sections explain the alarm summary modes in detail. To understand these alarm summary modes, however, you also need to understand the summary key. This parameter determines which alarms are considered duplicates. The summary key can be based on the source (attacker) and destination (victim) IP address as well as the source and destination port (for a given signature). The various alarming modes regulate the number of alarms generated, but you need to be able to determine which instances of an attack are considered duplicates of an alarm that has already been generated. The summary key can be one of the following values:

• Attacker address

• Attacker address and victim port

• Attacker and victim addresses

• Attacker and victim addresses and ports

• Victim address

For instance, assume that you have the alarms listed in Table 5-3.

Assuming that a specific signature is configured with the different values for the summary key, the following alarms would be considered duplicate alarms:

• Alarms 1, 2, 3, 5, and 6 for the summary key "attacker address"

• Alarms 1, 3 and 6 for the summary key "victim address"

• Alarms 1, 3, and 5 for the summary key "attacker address and victim port"

• Alarms 1 and 3 for the summary key "attacker and victim addresses and ports"

• Alarms 1, 3, and 6 for the summary key "attacker and victim addresses"

Note

The different alarm modes determine duplicate alarms using only instances of the same signature in conjunction with the summary key information.

Fire Once

A signature configured with the Fire Once alarm summary mode will trigger a single alarm for a configured summary key value and then wait a predefined period of time (usually specified by the Summary Interval parameter) before triggering another duplicate alarm for the same signature.

For instance, assume the summary key value is set to "attacker address." If host A causes the signature to fire, then the same signature will not trigger from host A again until the time specified by the Summary Interval parameter has expired.

Fire All

A signature with the Fire All alarm summary mode triggers an alarm for all activity that matches the signature's characteristics. This is effectively the opposite of the Fire Once alarm summary mode and can generate a large number of alarms during an attack.

Alarm Summarization

Besides the basic alarm firing options, signatures can also take advantage of the following alarm fixed summarization modes:

• Summarize

• Global Summarize

Like Fire Once, these alarm summary modes limit the number of alarms generated and make it difficult for an attacker to consume resources on your sensor. With the summarization modes, however, you will also receive information on the number of times that the activity that matches a signature's characteristics was observed during a user-specified period of time.

When you use alarm summarization, the first instance of intrusive activity triggers a normal alarm. Other instances of the same activity (duplicate alarms) are counted until the end of the signature's summary interval. When the length of time specified by the Summary Interval parameter has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval specified by the Summary Interval parameter.

Both summarization modes operate essentially the same way, except Global Summarize mode is based on a summary key, which consolidates alarms for all address and port combinations.

Variable Alarm Summarization

Setting the Summary Threshold or Global Summary Threshold parameters with the following alarm summary modes enables a signature to use variable alarm summarization:

• Fire All

• Summarize

When traffic causes the signature to trigger, the alarms are generated according to the initial Alarm Summary mode (see Figure 5-12). If the number of alarms for the signature exceeds the value configured for the Summary Threshold parameter (during a summary interval), the signature automatically switches to the next higher summary alarming mode (generating fewer alarms). If the number of alarms for the signature exceeds the Global Summary Threshold (during the same summary interval), the signature switches to Global Summarize (if not already at this level, since this is the maximum level of alarm consolidation). At the end of the summary interval, the signature reverts back to its configured alarming mode.

For instance, assume that you have a signature with the following values:

• Summary Threshold 10

• Summary Interval 5 seconds

• Global Summary Threshold 30

• Alarm Summary Mode Fire All

Initially, every time the signature is triggered an alarm is generated. Then if the number of alarms for the signature exceeds 10 (during a 5-second period), the signature automatically switches to Summarize mode. Finally, if the number of alarms exceeds 30 (during the same 5-second period), the signature automatically switches to Global Summarize mode. At the end of the Summary Interval (after 5 seconds), the signature reverts back to the Fire All alarm summary mode. After switching to one of the summarization modes, a summary alarm is generated at the end of the summary interval. The summary alarm indicates the number of alarms that were detected during the summarization period.

The variable alarming modes provide you with the flexibility of having signatures that trigger an alarm on every instance of a signature but then reduce the number of alarms generated when the alarms start to significantly impact the resources on the IDS. The reduction in alarms also improves the ability of the network security administrator to analyze the alarms being generated.

Basic Signature Configuration

After locating signatures by using signature groups, you can perform various configuration operations on signatures or groups of signatures. These configuration operations fall into the following categories:

• Viewing Network Security Database (NSDB) information

• Enabling signatures

• Creating new signatures

• Editing existing signatures

• Retiring signatures

• Defining signature responses

Besides understanding the basic signature configuration operations, it is helpful to understand the fields that an alert contains. Table 5-4 describes the major fields found in an alert.

Viewing NSDB Information

The NSDB links to an online Cisco HTML-based encyclopedia of network vulnerability information (also known as the Cisco Secure Encyclopedia [CSEC]). CSEC was developed as a central "warehouse" of security knowledge to provide Cisco security professionals with an interactive database of security-vulnerability information. CSEC contains detailed information about security vulnerabilities such as countermeasures, affected systems and software, and Cisco Secure products that can help you test for vulnerabilities or detect when malicious users attempt to exploit your systems. The CSEC can be found at http://www.cisco.com/go/csec.

Signature Information

Each signature has an Exploit Signature page (located in the NSDB) that describes the characteristics of the signature. A typical NSDB Exploit Signature page contains numerous fields that provide information about the signature that triggered the alarm. The following three fields provide you with valuable information:

• Description

• Benign Trigger(s)

• Recommended Signature Filter

The Description field describes what type of network traffic the signature is looking for. The Benign Trigger(s) field identifies situations in which the signature may trigger on normal user traffic, thus generating a false positive. The final field, Recommended Signature Filter, identifies a recommended filter that you can apply to your monitoring application to reduce the chances that the signature will generate false positives. Figure 5-13 shows an NSDB Exploit Signature page for the Windows Shell External Handler signature.

Figure 5-13. NSDB Exploit Signature Page

Related Threats Information

Each signature page provides a link (in the Related Threats field) to an NSDB Threats page that provides information on the threats associated with a given exploit. A typical NSDB Threats page (see Figure 5-14) provides information such as the threatened systems, known countermeasures, and consequences of the threat.

Figure 5-14. NSDB Threats Page

Viewing NSDB Information

From IDM, you can access the NSDB information for a specific signature by performing the following steps:

Enabling Signatures

By default, not all signatures are enabled. Some are disabled because they are known to generate false positives unless you configure specific event filters for your network configuration. Occasionally, you may find that a signature that is enabled by default needs to be disabled because it generates false positives in your network configuration.

It is a simple task to enable or disable Cisco IPS signatures through the IDM interface. The following are the steps to enable a Cisco IPS signature:

Creating New Signatures

Although Cisco IPS provides numerous signatures, you may want to create your own signatures in addition to these. When creating new signatures, you have the following two options:

• Add

• Clone

The difference between these two options is that cloning an existing signature enables you to construct a new signature that starts with the parameters of an existing signature. You can then customize the settings to match your requirements. Adding a signature fills in default values for more of the signature parameters and allows you to construct a signature to match your custom signature requirements. For more information on creating custom signatures, refer to Chapter 7.

Editing Existing Signatures

Along with creating your own custom signatures, you can tune existing signatures by changing the signature parameters to match your network requirements. For more information on tuning existing signatures, refer to Chapter 7.

Note

You can always restore a signature to its default settings by using the Restore Defaults option on the Signature Configuration screen.

Retiring Signatures

Cisco IPS provides a large number of signatures that cover numerous operating systems and applications. Not all of these signatures may be applicable to your environment. If you choose, you can retire a Cisco IPS signature. When you retire a signature, the signature is actually removed from the signature engine (thus removing any impact that the signature has on the performance of your sensor). The steps to retire a signature are as follows:

Note

If you decide to activate any signatures that you have retired, you can follow the steps for retiring a signature, but instead of clicking on Retire, you click on Activate. This will add the previously retired signature back into the signature engine. Rebuilding the signature engine, however, can be a time-consuming process.

Defining Signature Responses

You can configure each Cisco IPS to perform one or more of the following responses when a signature fires (see Figure 5-15):

• Deny Attacker Inline

• Deny Connection Inline

• Deny Packet Inline

• Log Attacker Packets

• Log Pair Packets

• Log Victim Packets

• Produce Alert

• Produce Verbose Alert

• Request Block Connection

• Request Block Host

• Request SNMP Trap

• Reset TCP Connection

Figure 5-15. Signature Response Actions

You can select one or more of these operations for each Cisco IPS signature. By clicking on the check box next to an action, you can toggle between selecting the operation and removing the operation. When a check mark is displayed next to an action, that action will be performed when the signature fires.