Signature Actions | Intrusion Prevention Fundamentals

Whenever a signature observes the activity that it is configured to detect, the signature triggers one or more actions. These actions fall into various categories, such as the following:

Generating an alert
Dropping or preventing the activity
Logging the activity
Resetting a TCP connection
Blocking future activity
Allowing the activity

Alert Signature Action

Monitoring the alerts generated by your Network-based and Host-based IPS systems is vital to understanding the attacks being launched against your network. If an attacker causes a flood of bogus alerts, examining them can overload your security analysts. Therefore, both network and host IPS solutions incorporate the following types of alerts to enable you to efficiently monitor the operation of your network:

Atomic alerts
Summary alerts

Understanding each of these types of alerts is vital to providing the most effective protection for your network.

Atomic Alerts

Atomic alerts (like atomic signatures) are generated every time a signature triggers. In some situations, this behavior is useful and indicates all occurrences of a specific attack. Other times, an attacker might be able to flood your monitor console with alerts if he can generate thousands of bogus alerts against your IPS devices or applications.

Note

As a hybrid between atomic alerts and summary alerts, some IPS solutions also enable you to generate a single atomic alert and then disable alerts (for that signature and source address) for a specific period of time. This prevents you from getting overwhelmed with alerts while still giving you an indication that a specific system is doing something suspicious.

Summary Alerts

Instead of generating alerts for each instance of a signature, some IPS solutions enable you to generate summary alerts. A summary alert is a single alert that indicates multiple occurrences of the same signature from the same source address and or port.

Alarm summary modes limit the number of alerts generated and make it difficult for an attacker to consume resources on your sensor. With the summarization modes, however, you also receive information on the number of times that the activity that matches a signature's characteristics was observed during a specific period of time.

When using alarm summarization, the first instance of intrusive activity usually triggers a normal alert. Then, other instances of the same activity (duplicate alarms) are counted until the end of the signature's summary interval. When the length of time specified by the summary interval has elapsed, a summary alarm is sent, indicating the number of alarms that occurred during the time interval specified by the summary interval parameter.

Automatic Summarization

Besides configuring a signature to generate summary alerts, some IPS solutions also enable you to cause summarization to occur automatically (even though the default behavior is to generate atomic alerts). In this situation, if the number of atomic alerts exceeds a configured threshold in a specified amount of time, the signature automatically switches to generating summary alerts (instead of atomic alerts). Then, after a defined period of time, the signature reverts to its original configuration. Automatic summarization enables you to automatically regulate the amount of alerts being generated.

Drop Signature Action

One of the most powerful actions for an IPS device is the capability to drop packets or prevent an activity from occurring. This action enables the device to stop an attack before it has the chance to perform malicious activity. Unlike a traditional IDS device, the IPS device actively forwards packets across two of its interfaces. Therefore, the analysis engine has the option to decide which packets should be forwarded and which packets should be dropped.

Besides dropping individual packets, the drop action can be expanded to drop all packets for a specific session or even all packets from a specific host for a certain amount of time. By dropping traffic for a connection or host, the IPS conserves resources by efficiently dropping traffic without having to analyze each packet separately.

Log Signature Action

In some situations, you do not necessarily have enough information to stop an activity, but you want to log the actions or packets that are seen so that you can analyze this information in more detail. By performing a detailed analysis, you can identify exactly what is taking place and make a decision as to whether it should be allowed or denied in the future.

Suppose you have a signature that looks for the string /etc/password and you configure the string with the logging action (based on the attacker IP address). Whenever the signature triggers, the IPS devices begins logging the traffic from the attacker's IP address for a specified period of time (or specified number of bytes). This log information is usually stored on the IPS device in a specific file. Because the signature also generates an alert, you observe the alert on your management console. Then you can retrieve the log data from the IPS device and analyze the activity that the attacker performed on the network after triggering the initial alarm.

Block Signature Action

Most IPS devices have the capability to block future traffic by having the IPS device update the access control lists (ACLs) on one of your infrastructure devices. This ACL stops traffic from an attacking system without requiring the IDS to consume resources analyzing the traffic. After a configured period of time, the IDS device removes the ACL. Network IPS devices usually provide this blocking functionality along with the other actions such as dropping unwanted packets. One advantage of utilizing the blocking action is that a single IPS device can stop traffic at multiple locations throughout your network, regardless of the location of the IPS device itself. For example, an IPS device located deep within the network can apply ACLs at your perimeter router or firewall.

TCP Reset Signature Action

A basic action that can be used to terminate TCP connections is generating a packet for the connection with the TCP RST flag set. Many IPS devices use the TCP reset action to abruptly end a TCP connection that is performing unwanted operations.

Allow Signature Action

The final action might seem a little confusing, because most IPS devices are designed to stop or prevent unwanted traffic on your network. The allow action is necessary so that you can define exceptions to your configured signatures. When you configure your IPS device to disallow certain activities, you sometimes need to allow a few systems or users to be exceptions to the configured rule. Configuring exceptions enables you to take a more restrictive approach to security because you first deny everything and then allow only the activities that are needed.

For example, suppose that the IT department routinely scans your network using a common vulnerability scanner. This scanning causes your IPS to trigger various alerts. These are the same alerts that the IPS generates if an attacker scans your network. By allowing the alerts from the approved IT scanning host, you can protect your network from intrusive scans while eliminating the false positives generated by the routine IT approved scanning.

Note

Some IPS devices provide the allow action indirectly through other mechanisms, such as signature filters. If an IPS does not provide the allow action directly (through an action such as permit or allow), you need to search the product's documentation to find the mechanism you can use to enable exceptions to signatures.