Cisco IDS signatures are the instructions and rulesets that the IDS uses to detect and respond to malicious activity on the network. Signature classes define signatures based on the goal of the attacker, whereas signature types are determined by the type of network traffic involved. In Chapter 2, "Introduction to Network Security," we introduced and described different attack types and the ways to mitigate the risks introduced by these attacks. In this chapter, you will see that the Cisco signature series addresses a full range of attack types from simple Internet Control Message Protocol (ICMP)-based port scans to notorious distributed denial-of-service (DDoS) attacks such as the Trojan Tribal Flood Network 2000 (TFN2K). This latter attack type turns innocent hosts into "zombies" that join and uphold the escalating attack by performing traffic floods.
The most critical attack signatures are enabled by default. This defined set of built-in signatures is fixed; you cannot add to or delete from the list of built-in signatures, nor can the signatures in this group be renamed. However, you can and should tune these signatures to your specific network environment and the unique threats that it faces. In cases where signature tuning still does not fulfill the specific intrusion-detection requirements of your network, you can configure custom signatures based on Cisco's signature engines. (Signature tuning is discussed in Chapter 10, "Global Sensing and Signature Configuration.") Custom signatures are signatures that you create which are not a part of the suite of built-in, or default, signatures. Signature engines are the configuration components that provide the structure and framework for you to create your custom signatures.
Some signatures are divided into subcategories called subsignatures. When changes are made to a subsignature, they only apply to the subsignature's parameters.
For a full reference to all the parameters for the Cisco Signature Engines, refer to the appendix available at the Web site http://www.cisco.com/en/US/partner/products/sw/secure/ps2113/products_installation_and_configuration_guide_chapter09186a008014a214.html#/wp803372.
Again, there is no escaping the tedious task of knowing the signature engine categories and their related parameters. You aren't expected to memorize this material, but you are expected to thoroughly research the topics using reference materials such as the online reference mentioned in the preceding note, as well as the multitude of resources available for aspiring and experienced hackers. (See the section "Need to Know More?" at the end of this chapter for more resources.)
A strong command of all signature engine categories is an imperative component of your exam preparation, as are an awareness and understanding of their key parameters. We will make these tasks easier for you by going through each of the signature engine categories and highlighting their key parameters, emphasizing the key points that you need to master for the 642-531 exam.
The next sections describe the Cisco IDS signatures' features and characteristics.
Alarm summarization can limit the number of times an alarm is fired by aggregating alarms when the signature is triggered, thus lightening the load for your network's first line of support staff. You configure alarm summarization by tuning the AlarmThrottle and ChokeThreshold master signature engine parameters so that the signature is optimized to your network environment.
Anti-evasive techniques include antideobfuscation and IP fragment inspection. You can configure antideobfuscation with the Service.HTTP signature engines, described in the corresponding section later in this chapter, and you can configure IP fragment inspection through the Sensor's IP Fragment Reassembly options.
The flexibility and robustness of regular expression (Regex) syntax allow you to articulate patterns of text to use for pattern matching.
The Regex tool is not Cisco proprietary and can be useful for many other aspects of computing.
So whether you want to search for specific files accessed on the Internet or certain username and password combinations, Regex is the tool that allows you to explicitly define your search rules. Table 9.1 lists the IDS regular expression syntax.
Metacharacter | Name | Description |
---|---|---|
? | Question mark | Repeat 0 or 1 times |
* | Star, asterisk | Repeat 0 or more times |
+ | Plus | Repeat 1 or more times |
{x} | Quantifier | Repeat exactly x times |
{x,} | Minimum quantifier | Repeat at least x times |
. | Dot | Any one character except new line (0x0A) |
[abc] | Character class | Any character listed |
[^abc] | Negated character class | Any character not listed |
[a-z] | Range character class | Any character listed in the inclusion range |
() | Parentheses | Used to limit the scope of other metacharacters |
\| | Alternation, or | Matches either expression it separates |
^ | Caret | The beginning of the line |
\char | Escaped character | Whether char is a metacharacter or not, matches the literal char |
char | Character | When char is not a metacharacter, matches the literal char |
\r | Carriage return | Matches the carriage return character (0x0D) |
\n | New line | Matches the new line character (0x0A) |
\t | Tab | Matches the tab character (0x09) |
\f | Form feed | Matches the form feed character (0x0C) |
\xNN | Escaped hexadecimal character | Matches the character with the hexadecimal code 0xNN (0<=N<=F) |
\NNN | Escaped octal character | Matches the character with the octal code NNN (0<=N<=8) |
The examples of Regex syntax listed in Table 9.2 show how you can use Regex to specify patterns of text.
To Match | Regular Expression |
---|---|
Kristina | Kristina |
Kristina or kristina | [Kk]ristina |
Variations of manalo, mananalo, manananalo | ma(na)+lo |
The words meet and London or london on the same line with anything except a new line between them | meet.*[Ll]ondon |
Either London or Amsterdam | London\|Amsterdam |
Either noon or soon | (n\|s)oon |
To search for the text pattern kristina or Kristina, use the Regex syntax [Kk]ristina.
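The following is an added example, not part of the original chapter or of Cisco's own code: it runs the Table 9.2 patterns (plus one \xNN hex escape from Table 9.1) against constructed sample lines with Python's re module, whose metacharacters coincide with those in Table 9.1 for these patterns. The sample lines and the pattern labels are assumptions made for the demonstration.

```python
import re

# Patterns from Table 9.2 as the book lists them, plus a \xNN hex escape
# from Table 9.1 (\x2F is '/'). Labels are made up for this example.
TABLE_9_2 = {
    "Kristina": r"Kristina",
    "Kristina or kristina": r"[Kk]ristina",
    "manalo / mananalo / manananalo": r"ma(na)+lo",
    "meet ... London/london on one line": r"meet.*[Ll]ondon",
    "London or Amsterdam": r"London|Amsterdam",
    "noon or soon": r"(n|s)oon",
    "hex-escaped slash before etc": r"\x2Fetc",
}


def matches(pattern: str, text: str) -> bool:
    """True if the IDS-style pattern occurs anywhere in text.

    As in Table 9.1, the dot does not match a new line (0x0A); that is
    Python's default behaviour when re.DOTALL is not set.
    """
    return re.search(pattern, text) is not None


def evaluate(samples):
    """Apply every pattern to every sample line.

    Returns {label: [lines that matched]} so a tuner can see exactly
    which inputs a candidate signature pattern would fire on.
    """
    return {label: [s for s in samples if matches(pat, s)]
            for label, pat in TABLE_9_2.items()}


# Constructed sample lines (not from the page).
SAMPLES = [
    "GET /etc/passwd HTTP/1.0",
    "user=kristina",
    "user=Kristina",
    "manananalo",
    "malo",                      # no 'na' group: ma(na)+lo needs at least one
    "meet me in london tonight",
    "meet me\nin London",        # new line between: the dot does not cross it
    "flight to Amsterdam",
    "high noon",
    "see you soon",
]

if __name__ == "__main__":
    for label, hits in evaluate(SAMPLES).items():
        print(f"{label!r}: {hits}")
```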
You can configure a signature to respond to a trigger with one of four responses:
Perform a Transmission Control Protocol (TCP) reset
Start an IP log session
Block (or shun) a host
Block (or shun) a connection
You configure the response using the EventAction master signature parameter.
Remember that the four responses to a signature trigger are to perform a TCP reset, to start an IP log session, to block a host, or to block a connection.