As mentioned earlier, the NSDB is Cisco's encyclopedia of network vulnerabilities in Hypertext Markup Language (HTML) format. The Cisco Secure Encyclopedia (CSEC) is the online version of the NSDB. CSEC provides a centralized warehouse of security knowledge so that Cisco security professionals have an interactive focal point of security vulnerability intelligence. With a valid Cisco Connection Online (CCO) account, you will find detailed information, including countermeasures, affected systems and software, and Cisco Secure products to help you test for vulnerabilities or detect deliberate attempts to exploit your network systems. The CSEC appears online at http://www.cisco.com/go/csec.
The NSDB is a component of IEV that provides information on the vulnerabilities that signatures protect against.
Listed in Table 13.2 is the information that you typically find on the NSDB Signature Information page when you click on a signature ID from IEV or IDM.
Table 13.2 NSDB Signature Information page

Signature Information | Description
---|---
Signature name | The name of the signature.
ID | Unique identification number for the signature.
Sub ID | A unique subidentification number for the signature.
Recommended alarm level | The alarm severity level recommended by the Cisco Countermeasures Research Team (C-CRT).
Signature type | Indicates what the signature affects.
Signature structure | Indicates whether the signature is atomic or composite.
Implementation | Indicates whether the signature implementation is based on content or context.
Signature description | A concise explanation of the signature and what exploits it detects.
Benign triggers | An explanation of normal network activity that might trigger the signature (false positives).
Related vulnerability | A link to the Related Vulnerability page, which provides background information on the vulnerability and any available countermeasures.
User notes | A link to the interactive User Notes page, where you can enter information unique to this installation and implementation.
Listed in Table 13.3 is the information that you typically find on the NSDB Related Vulnerability page. As mentioned in Table 13.2, you can access the Related Vulnerability page from the Signature Information page of the NSDB.
Table 13.3 NSDB Related Vulnerability page

Vulnerability Information | Description
---|---
Vulnerability name | Name of the vulnerability being exploited.
Alias | Any other names that might be used to refer to the vulnerability or exploit.
Cisco ID | Unique identification number for the vulnerability; unrelated to the signature ID.
CVE ID | Common Vulnerabilities and Exposures (CVE) is a list of standardized names for vulnerabilities and exposures, each of which is assigned a CVE ID. The CVE database appears at http://www.cve.mitre.org.
Severity level | Severity level associated with the vulnerability, which might or might not match the alarm level of the signature.
Vulnerability type | Indicates the type of damage the vulnerability causes.
Exploit type | Indicates whether the type of exploit is reconnaissance, informational, access, or denial.
Affected systems | A list of operating systems and their versions affected by the vulnerability.
Affected programs | A list of applications and their versions affected by the vulnerability.
Vulnerability description | A concise explanation of the vulnerability and how it is exploited.
Consequences | Description of the damage that can be done by exploiting the vulnerability.
Countermeasures | Description of what you can do to protect systems from the vulnerability.
Advisory related information | Links to Web sites that contain additional information about the vulnerability or exploit.
Fix/upgrade/patch links | Links to Web sites that contain fixes, upgrades, or patches for the vulnerability.
Exploit links | Links to Web sites where vulnerability exploits are published.
User notes | A link to an interactive page with information unique to this installation or implementation.
On the User Notes page, you can provide information regarding signatures and vulnerabilities unique to your installation or implementation. You can use any text or HTML editor to enter the information; the files are located in the IEV subdirectory `C:\Program Files\Cisco Systems\Cisco IDS Event Viewer\IEV\nsdb\html` and are named `note_id`, where `id` is the Cisco vulnerability or signature ID. Figure 13.6 shows the User Notes page for the ping-of-death signature within the NSDB. Note the blank text area at the bottom of the Web page where you can fill in your unique notes regarding this signature or vulnerability.
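The `note_id` naming convention above lends itself to a small maintenance script, which is useful when an analyst team wants to keep notes for many signatures in version control rather than editing each page by hand. The following is an added example, not Cisco's or the IEV's own code. It assumes only what the text states (one file per ID, named `note_<id>`, in the `nsdb\html` directory); the file suffix is a parameter because the text gives no extension, and the signature IDs used in the demo are constructed sample values. Because the NSDB pages are HTML rendered in a browser, the script escapes note text so that a stray `<` or `&` in an analyst's comment cannot become markup, and it restricts IDs to digits so that a value taken from a form or spreadsheet cannot carry path separators into the file name.

```python
"""Maintain NSDB user-note files (note_<id>) for an IEV installation.

Added example, not Cisco's code. Assumes the layout described in the
text: one file per signature or vulnerability ID, named note_<id>, in
the IEV nsdb/html directory. The optional `suffix` is an assumption
(the text gives no file extension); the default "" matches the text.
"""
import html
import os
import re
import tempfile
from pathlib import Path
from typing import Dict

# Install path quoted in the text; only used as a default for callers.
DEFAULT_NSDB_HTML = Path(
    r"C:\Program Files\Cisco Systems\Cisco IDS Event Viewer\IEV\nsdb\html"
)

_ID_RE = re.compile(r"^[0-9]+$")


def note_path(nsdb_dir: Path, ident: str, suffix: str = "") -> Path:
    """Return the user-note file path for a signature or vulnerability ID.

    The ID must be all digits: that keeps "../" or drive letters out of
    the file name when the ID comes from an untrusted source.
    """
    if not _ID_RE.match(ident):
        raise ValueError(f"invalid NSDB id: {ident!r}")
    return Path(nsdb_dir) / f"note_{ident}{suffix}"


def write_note(nsdb_dir: Path, ident: str, text: str, suffix: str = "") -> Path:
    """Write a plain-text note as a minimal HTML fragment.

    The NSDB is HTML rendered in a browser, so every line is escaped;
    analyst text is content, never markup.
    """
    path = note_path(nsdb_dir, ident, suffix)
    body = "<br>\n".join(html.escape(line) for line in text.splitlines())
    path.write_text(f"<p>{body}</p>\n", encoding="utf-8")
    return path


def read_note(nsdb_dir: Path, ident: str, suffix: str = "") -> str:
    """Return the raw HTML of a note, or "" when no note exists yet."""
    path = note_path(nsdb_dir, ident, suffix)
    return path.read_text(encoding="utf-8") if path.exists() else ""


def list_notes(nsdb_dir: Path, suffix: str = "") -> Dict[str, str]:
    """Map every note_<id> file in the directory to its raw HTML."""
    pattern = re.compile(rf"^note_([0-9]+){re.escape(suffix)}$")
    notes: Dict[str, str] = {}
    for entry in sorted(os.listdir(nsdb_dir)):
        match = pattern.match(entry)
        if match:
            notes[match.group(1)] = (Path(nsdb_dir) / entry).read_text(encoding="utf-8")
    return notes


def run_demo() -> Dict[str, object]:
    """Round-trip two constructed notes in a temporary nsdb/html directory.

    The IDs 1000 and 3050 are sample values, not tied to real signatures.
    """
    nsdb_dir = Path(tempfile.mkdtemp(prefix="nsdb_html_"))
    write_note(nsdb_dir, "1000", "Seen on <web> VLAN & ignored")
    write_note(nsdb_dir, "3050", "Tuned 2003-05-01\nowner: netops")
    try:
        note_path(nsdb_dir, "../1000")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "note_1000": read_note(nsdb_dir, "1000"),
        "note_3050": read_note(nsdb_dir, "3050"),
        "missing": read_note(nsdb_dir, "9999"),
        "ids": sorted(list_notes(nsdb_dir)),
        "traversal_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Point `write_note` at `DEFAULT_NSDB_HTML` (or wherever IEV is installed) to write real notes; `run_demo` only exercises the functions in a throwaway directory so the example can be run anywhere.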