Cisco IDS Signatures

Previous page
Table of content
Next page
[ LiB ]  

Cisco IDS signatures are the instructions and rulesets that the IDS uses to detect and respond to malicious activity on the network. Signature classes define signatures based on the goal of the attacker, whereas signature types are determined by the type of network traffic involved. In Chapter 2, "Introduction to Network Security," we introduced and described different attack types and the ways to mitigate the risks introduced by these attacks. In this chapter, you will see that the Cisco signature series addresses a full range of attack types from simple Internet Control Message Protocol (ICMP)-based port scans to notorious distributed denial-of-service (DDoS) attacks such as the Trojan Tribal Flood Network 2000 (TFN2K). This latter attack type turns innocent hosts into " zombies " that join and uphold the escalating attack by performing traffic floods.

The most critical attack signatures are enabled by default. This defined set of built-in signatures is fixed; you cannot add to or delete from the list of built-in signatures, nor can the signatures in this group be renamed . However, you can and should tune these signatures to your specific network environment and the unique threats that it faces. In cases where signature tuning still does not fulfill the specific intrusion-detection requirements of your network, you can configure custom signatures based on Cisco's signature engines . (Signature tuning is discussed in Chapter 10, "Global Sensing and Signature Configuration.") Custom signatures are signatures that you create which are not a part of the suite of built-in, or default, signatures. Signature engines are the configuration component that provide the structure and framework for you to create your custom signatures.

Some signatures are divided into subcategories called subsignatures. When changes are made to a subsignature, they only apply to the subsignature's parameters.

graphics/note_icon.gif

For a full reference to all the parameters for the Cisco Signature Engines, refer to the appendix available at the Web site http://www.cisco.com/en/US/partner/products/sw/secure/ps2113/products_installation_and_configuration_guide_chapter09186a008014a214.html#/wp803372.


Again, there is no escaping the tedious task of knowing the signature engine categories and their related parameters. You aren't expected to memorize this material, but you are expected to thoroughly research the topics using reference materials such as the online reference mentioned in the preceding note, as well as the multitude of resources available for aspiring and experienced hackers. (See the section "Need to Know More?" at the end of this chapter for more resources.)

A strong command of all signature engine categories is an imperative component of your exam preparation, as are an awareness and understanding of their key parameters. We will make these tasks easier for you by going through each of the signature engine categories and highlighting their key parameters, emphasizing the key points that you need to master for the 642-531 exam.

Signature Characteristics and Features

The next sections describe the Cisco IDS signatures' features and characteristics.

Alarm Summarization and Threshold Configuration

Alarm summarization can limit the number of times an alarm is fired by aggregating alarms when the signature is triggered, thus lightening the load for your network's first line of support staff. You configure alarm summarization by tuning the AlarmThrottle and ChokeThreshold master signature engine parameters so that the signature is optimized to your network environment.

Anti-Evasive Techniques

Anti-evasive techniques include antideobfuscation and IP fragment inspection. You can configure antideobfuscation with the Service.HTTP signature engines, described in the corresponding section later in this chapter, and you can configure IP fragment inspection through the Sensor's IP Fragment Reassembly options.

Regular Expression String Pattern Matching

The flexibility and robustness of regular expression (Regex) syntax allow you to articulate patterns of text to use for pattern matching.

graphics/note_icon.gif

The Regex tool is not Cisco proprietary and can be useful for many other aspects of computing.


So whether you want to search for specific files accessed on the Internet or certain username and password combinations, Regex is the tool that allows you to explicitly define your search rules. Table 9.1 lists the IDS regular expression syntax.

Table 9.1. Regex Syntax

Metacharacter

Name

Description

?

Question mark

Repeat 0 or 1 times

*

Star, asterisk

Repeat 0 or more times

+

Plus

Repeat 1 or more times

{x}

Quantifier

Repeat exactly x times

{x,}

Minimum quantifier

Repeat at least x times

.

Dot

Any one character except new line ( 0x0A )

[abc]

Character class

Any character listed

[^abc]

Negated character class

Any character not listed

[a-z]

Range character class

Any character listed in the inclusion range

()

Parentheses

Used to limit the scope of other metacharacters

Alternation, or

Matches either expression it separates

^

Caret

The beginning of the line

\char

Escaped character

When char is a metacharacter or not, matches the literal char

char

Character

When char is not a metacharacter, matches the literal char

\r

Carriage return

Matches the carriage return character ( 0x0d )

\n

New line

Matches the new line character ( 0x0A )

\t

Tab

Matches the tab character ( 0x09 )

\f

Form feed

Matches the form feed character ( 0x0C )

\xNN

Escaped hexadecimal character

Matches the character with the hexadecimal code 0xNN(0<=N<F)

\NNN

Escaped octal character

Matches the character with the hexadecimal code 0xNN (0<=N<=8)


The examples of Regex syntax listed in Table 9.2 show how you can use Regex to specify patterns of text.

Table 9.2. Examples of Regex Syntax

To Match

Regular Expression

Kristina

Kris t ina

Kristina or kristina

[Kk]ristina

Variations of manalo, mananalo, manananalo

ma(na)+lo

The words meet and London or london on the same line with anything except a new line between them

meet.*[Ll]ondon

Either London or Amsterdam

LondonAmsterdam

Either noon or soon

(ns)oon


graphics/alert_icon.gif

To search for the text pattern kristina or Kristina, use the Regex syntax [Kk]ristina .


Response Actions

You can configure a signature to respond to a trigger with one of four responses:

  • Perform a Transmission Control Protocol (TCP) reset

  • Start an IP log session

  • Block (or shun) a host

  • Block (or shun) a connection

You configure the response using the EventAction master signature parameter.

graphics/alert_icon.gif

Remember that the four responses to a signature trigger are to perform a TCP reset, to start an IP log session, to block a host, or to block a connection.


[ LiB ]  

Previous page
Table of content
Next page
CSIDS Exam Cram 2 (Exam 642-531)
CSIDS Exam Cram 2 (Exam 642-531)
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 213
BUY ON AMAZON
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
High-Speed Signal Propagation[c] Advanced Black Magic
Kanban Made Simple: Demystifying and Applying Toyotas Legendary Manufacturing Process
Cisco IOS Cookbook (Cookbooks (OReilly))
.NET-A Complete Development Cycle
VBScript in a Nutshell, 2nd Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy