
As mentioned earlier, the NSDB is Cisco's encyclopedia of network vulnerabilities in Hypertext Markup Language (HTML) format. The Cisco Secure Encyclopedia (CSEC) is the online version of the NSDB. CSEC provides a centralized warehouse of security knowledge so that Cisco security professionals have an interactive focal point of security vulnerability intelligence. With a valid Cisco Connection Online (CCO) account, you will find detailed information, including countermeasures, affected systems and software, and Cisco Secure products to help you test for vulnerabilities or detect deliberate attempts to exploit your network systems. The CSEC appears online at http://www.cisco.com/go/csec.


NSDB is a component of IEV that provides information about signatures and the vulnerabilities that they protect against.

Signature Information

Listed in Table 13.2 is the information that you typically find on the NSDB Signature Information page when you click on a signature ID from IEV or IDM.

Table 13.2. Information at the Signature Information page in the Cisco NSDB Within IDM or IEV

| Signature Information | |
| --- | --- |
| Signature name | The name of the signature. |
| | Unique identification number for the signature. |
| Sub ID | A unique subidentification number for the signature. |
| Recommended alarm level | The alarm severity level recommended by the Cisco Countermeasures Research Team (C-CRT). |
| Signature type | Indicates what the signature affects. |
| Signature structure | Indicates whether the signature was atomic or composite. |
| | Indicates whether the signature implementation is based on content or context. |
| Signature description | A concise explanation of the signature and what exploits it detects. |
| Benign triggers | An explanation of normal network activity that might trigger the signature (false positives). |
| Related vulnerability | A link to the Related Vulnerability page, which provides background information on the vulnerability and any available countermeasures. |
| User notes | A link to the interactive User Notes page, where you can enter information unique to this installation and implementation. |

Related Vulnerability Information

Listed in Table 13.3 is the information that you typically find on the NSDB Related Vulnerability page. As mentioned in Table 13.2, you can access the Related Vulnerability page from the Signature Information page of the NSDB.

Table 13.3. Information at the Related Vulnerability Page Within the NSDB

| Signature Information | |
| --- | --- |
| Vulnerability name | Name of the vulnerability being exploited. |
| | Any other names that might be used to refer to the vulnerability or exploit. |
| Cisco ID | Unique identification number for the vulnerability; unrelated to the signature ID. |
| | Common Vulnerabilities and Exposures (CVE); a list of standardized names for vulnerabilities and exposures, each of which is assigned a CVE ID. The CVE database appears at http://www.cve.mitre.org. |
| Severity level | Severity level associated with the vulnerability, which might or might not match the alarm level of the signature. |
| Vulnerability type | Indicates the type of damage the vulnerability causes. |
| Exploit type | Indicates whether the type of exploit is reconnaissance, informational, access, or denial. |
| Affected systems | A list of operating systems and their versions affected by the vulnerability. |
| Affected programs | A list of applications and their versions affected by the vulnerability. |
| Vulnerability description | A concise explanation of the vulnerability and how to exploit it. |
| | Description of the damage that can be done by exploiting the vulnerability. |
| | Description of what you can do to protect systems from the vulnerability. |
| Advisory related information | Links to Web sites that contain additional information about the vulnerability or exploit. |
| Fix/upgrade/patch links | Links to Web sites that contain fixes, upgrades, or patches for the vulnerability. |
| Exploit links | Links to Web sites where you can find vulnerability exploits. |
| User notes | A link to an interactive page with information unique to this installation or implementation. |

User Notes

On the User Notes page, you can provide information regarding signatures and vulnerabilities unique to your installation or implementation. You can use any text or HTML editor to enter the information; files are located in the IEV subdirectory (C:\Program Files\Cisco Systems\Cisco IDS Event Viewer\IEV\nsdb\html) and are named note_id, where id is the Cisco vulnerability or signature ID. Figure 13.6 shows the User Notes page for the ping-of-death signature within the NSDB. Note the blank text area at the bottom of the Web page where you can fill in your unique notes regarding this signature or vulnerability.

Figure 13.6. The User Notes page within the NSDB for the ping-of-death signature.



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213
