Accessing Signatures Through Signature Groups

We've seen in the previous section how to configure global sensing. Now we go through the signature groups, which you need to understand to access a signature for tuning or to create a custom signature. You access signatures from Configuration, Settings, Signatures. You use a drop-down menu to access the signature group of interest. Figure 10.3 shows how you can use the signature drop-down menu to select a group of signatures to access.

Figure 10.3. Use the signature drop-down menu to access signatures by group or Signature ID.


The signatures are grouped in the following way:

  • Signature ID

  • L2/L3/L4 protocol

  • Service signatures

  • Attack signatures

  • OS signatures

Figure 10.3 also shows that by selecting Signature ID from the drop-down menu, you can select the General check box to access all preloaded signatures or the Custom check box, which allows you to access all custom signatures.

L2/L3/L4 Protocol Signatures

L2/L3/L4 signatures operate at Layers 2, 3, and 4 and include Address Resolution Protocol (ARP), TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) signature engines. When you select the L2/L3/L4 option in the drop-down menu from the Signatures page, the list of signatures and numbers appears (see Table 10.2).

Table 10.2. L2/L3/L4 Signatures and the Numbers Enabled

| L2/L3/L4 Signatures Group Name | Number Enabled |
|---|---|
| ARP Signatures | 2 of 4 |
| General IP Signatures | 22 of 23 |
| General TCP Signatures | 585 of 667 |
| TCP Flood Signatures | 0 of 1 |
| TCP Hijacks Signatures | 2 of 2 |
| TCP Host Sweeps Signatures | 8 of 8 |
| TCP Anomalies Signatures | 8 of 8 |
| TCP Port Sweeps Signatures | 12 of 12 |
| General UDP Signatures | 180 of 191 |
| UDP Flood Signatures | 1 of 2 |
| UDP Protocol Anomalies Signatures | 1 of 1 |
| UDP Port Sweeps Signatures | 2 of 2 |
| General ICMP Signatures | 8 of 22 |
| ICMP Floods Signatures | 1 of 4 |
| ICMP Host Sweeps Signatures | 3 of 3 |
| ICMP Protocol Anomalies Signatures | 1 of 2 |
| Miscellaneous Protocol Signatures | 5 of 5 |
| TCP/UDP Combo Sweeps Signatures | 2 of 2 |

The steps to edit and enable a specific signature (in this example, the Back Door UDP port 21 signature) are as follows:

  1. Navigate to Configuration, Settings, Signatures.

  2. Select the L2/L3/L4 option from the Signatures drop-down menu.

  3. Click on the General UDP Signatures group name to display the list of signatures in the group.

  4. Click on the name of the signature that you want to configure, in this case, the Back Door UDP port 21 signature.

  5. Choose settings within the Edit Signatures page. These settings are listed and described in Table 10.3.

Table 10.3. Options in the Edit Signatures Page

| IDS MC Edit Signatures Settings | Description |
|---|---|
| Enable check box | Allows you to enable or disable the signature. |
| Severity drop-down menu | Allows you to set the severity level for the signature. The available options are info, low, medium, and high. |
| Actions check boxes | Allow you to set the action that will be performed when the signature is triggered. The available options are log, reset, block host, and block connection. |

You can enable a set of signature groups by selecting the check boxes to the left of the signature group and clicking the Enable button. Figure 10.4 shows that all ARP Signatures, General TCP Signatures, and TCP Floods Signatures will be enabled when you click Enable.

Figure 10.4. Enable multiple signature groups by selecting the check boxes and clicking the Enable button.



You can enable multiple signature groups by selecting a signature group using the Group Signatures drop-down menu on the Configuration, Settings, Signatures page, selecting the check boxes for the desired signature groups, and then clicking the Enable button.

The steps listed here to edit and enable a signature or to enable a group of signatures are the same for all signatures, so we don't repeat them for the remaining signature groups.

Attack Signatures

The attack signature group consists of signatures which detect attacks that have predefined host or network targets. Table 10.4 lists the attack signature groups and the number of signatures enabled within the group.

Table 10.4. Attack Signatures and the Numbers Enabled

| Attack Signatures Group Name | Number Enabled |
|---|---|
| General Attack Signatures | 76 of 118 |
| DoS (Denial-of-Service) Signatures | 69 of 81 |
| DDoS (Distributed DoS) Signatures | 12 of 12 |
| Information Signatures | 82 of 86 |
| Reconnaissance Signatures | 163 of 177 |
| File Access Signatures | 100 of 124 |
| Code Execution Signatures | 231 of 246 |
| Viruses/Worms/Trojans Signatures | 27 of 27 |

Service Signatures

Signatures based on services that are operating system-independent are grouped together in the service signature group.

Service signatures are based on services provided on the network that are operating system-independent.

Table 10.5 lists the service signatures and the numbers enabled.

Table 10.5. Service Signatures and the Numbers Enabled

| Service Signatures Group Name | Number Enabled |
|---|---|
| General Service Signatures | 149 of 197 |
| SQL (Structured Query Language) Signatures | 1 of 1 |
| DNS (Domain Name Service) Signatures | 34 of 34 |
| Finger Signatures | 10 of 10 |
| FTP (File Transfer Protocol) Signatures | 27 of 28 |
| HTTP (Hypertext Transfer Protocol) Signatures | 344 of 397 |
| Ident Signatures | 4 of 4 |
| IMAP (Internet Message Access Protocol) Signatures | 2 of 2 |
| NNTP (Network News Transfer Protocol) Signatures | 2 of 2 |
| LPR Signatures | 1 of 1 |
| NetBIOS/SMB (Server Message Block) Signatures | 18 of 18 |
| NTP (Network Time Protocol) Signatures | 1 of 1 |
| POP (Post Office Protocol) Signatures | 5 of 5 |
| R-services Signatures | 3 of 3 |
| RPC (Remote Procedure Call) Signatures | 66 of 70 |
| SMTP (Simple Mail Transfer Protocol) Signatures | 22 of 22 |
| SNMP (Simple Network Management Protocol) Signatures | 51 of 51 |
| SSH (Secure Shell) Signatures | 2 of 2 |
| Telnet Signatures | 12 of 13 |
| SOCKS Signatures | 0 of 1 |
| TFTP (Trivial File Transfer Protocol) Signatures | 3 of 3 |
| HTTPS (Secure HTTP) Signatures | 1 of 1 |
| DHCP (Dynamic Host Configuration Protocol) Signatures | 0 of 1 |

OS Signatures

OS signature groups target specific operating systems. You can use the OS signature option in the drop-down menu to access these signatures. Table 10.6 lists the OS signature groups and the numbers enabled.

Table 10.6. OS Signatures and the Numbers Enabled

| OS Signatures Group Name | Number Enabled |
|---|---|
| General Unix Signatures | 182 of 188 |
| General Linux Signatures | 1 of 1 |
| Red Hat Linux Signatures | 1 of 2 |
| SuSE Linux Signatures | 2 of 2 |
| Mandrake Linux Signatures | 1 of 1 |
| General Solaris Signatures | 17 of 18 |
| HP-UX Signatures | 1 of 1 |
| AIX Signatures | 2 of 2 |
| IRIX Signatures | 9 of 11 |
| General Windows Signatures | 108 of 124 |
| General Windows NT Signatures | 48 of 55 |
| WinNT Signatures | 13 of 14 |
| IOS Signatures | 11 of 14 |
| General OS Signatures | 353 of 431 |
| NetWare Signatures | 1 of 1 |
| MacOS Signatures | 3 of 3 |

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213