IDS/IPS Logging, Alerting, and Blocking

The logging and alerting functions of many IDS/IPS products are perhaps the most confusing part of intrusion detection and prevention. This is due, in part, to the disparity between what the various IDS/IPS vendors mean by alerting and what most of us expect. For many IDS/IPS vendors, alerting simply means that an event will be logged, and it is up to you to review the logs to identify the event. For most of us, alerting means that we are getting a page or e-mail telling us that we need to investigate something in more detail. This disparity is what I am going to try to address by offering some examples of how you can perform more effective logging and alerting.

Logging with PureSecure

PureSecure uses a MySQL database as the logging destination for all network events that are triggered. This functionality and the respective web GUI for event review are two of the biggest reasons I recommend it over a plain-vanilla Snort installation. You can review the events that have been logged into the database by clicking the Events button in the PureSecure console, shown here:


The default event list provides a general view of all events that have been logged over time, including the signature, classification, traffic type, source, destination, sensor that logged the entry, and time stamp. You can view a specific event in more detail by clicking the signature value. For example, if I click MS-SQL Worm propagation attempt, I am presented with this signature information screen:


From this screen, I can perform basic network diagnostics, such as running a whois, trace route, ping, or DNS lookup against a given source or destination. I can also scroll down and view the raw data payload that triggered the event.

A benefit of logging to a MySQL database is that the data can be accessed and reports can be built using any standard database reporting tool, such as Crystal Reports. Although configuring Crystal Reports and designing the reports are beyond the scope of this book, if you have DBAs in your organization, they can greatly enhance the logging functionality of PureSecure by designing custom reports and queries that allow you to be very specific about what data you want to view, and so on.

Configuring PureSecure to Log to a syslog Server

As I have mentioned in other chapters, logging to syslog is a valuable way of correlating events throughout your network. In addition to logging to MySQL, you can configure PureSecure to log data to a syslog server. This allows you to leverage an existing syslog infrastructure as well as take advantage of any reporting or alert-generation functionality that you have built into your syslog infrastructure.

Configuring PureSecure to log to a syslog server is a two-step process. The first step is to edit the file psd.conf, located in the c:\puresecure\sensor\conf directory (assuming you installed to the default locations). Locate the line that begins with snort_options and modify it as follows, adding -s to the value:

 snort_options = " -o -N -s " 

The next step is to edit the snort.conf file as previously described in this chapter. Edit the file, as shown next, by entering the following value:

 output alert_syslog: host=<SyslogServerIP>, LOG_AUTH LOG_ALERT 

When you are finished, select Update and click Go. The last step is to restart the PureSecure service on the sensor. The sensor will now log to the syslog server you defined. For more information about how to customize your syslog server to generate e-mails on events, and so on, see Chapter 10. For additional security, you should also remember to encrypt your syslog traffic as outlined in Chapter 10.
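Once the sensor writes to syslog, the records land on the syslog server in Snort's alert_syslog line format, and correlating them is a matter of parsing that format. The following Python is an added example (not code from the book or from PureSecure/Snort) that parses constructed sample lines shaped like Snort's alert_syslog output, skips unrelated syslog records, and counts events by signature, source address and sensor; the sample lines, the function names and the summary layout are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Snort's alert_syslog output plugin writes
# (not captured from a real sensor). The sshd line shows that unrelated syslog
# records are skipped rather than mis-parsed.
SAMPLE_SYSLOG = """\
Mar  5 14:21:07 sensor1 snort[2314]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434
Mar  5 14:21:08 sensor1 snort[2314]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1434 -> 198.51.100.8:1434
Mar  5 14:21:09 sensor1 sshd[411]: Accepted publickey for admin from 198.51.100.2 port 51022 ssh2
Mar  5 14:21:12 sensor2 snort[988]: [1:1002:5] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.44:3391 -> 198.51.100.20:80
Mar  5 14:21:15 sensor2 snort[988]: [1:384:4] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.20
"""

# One Snort alert_syslog record. The colon after [Priority: N] and the :port
# suffixes are optional so that both Snort 2.x layouts and port-less protocols
# such as ICMP are accepted.
ALERT_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<priority>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for one Snort alert line, or None for any other record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec["priority"])
    # The same label the PureSecure event list shows, prefixed with gid:sid:rev
    rec["signature"] = f"[{rec['gid']}:{rec['sid']}:{rec['rev']}] {rec['msg']}"
    return rec


def parse_alerts(text):
    """Parse a block of syslog text, dropping non-Snort lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Counts a reviewer wants first: which signatures, from where, seen by whom."""
    return {
        "by_signature": Counter(a["signature"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_sensor": Counter(a["sensor"] for a in alerts),
    }


def high_priority(alerts, max_priority=1):
    """Alerts at or above the given Snort priority (1 is the most severe)."""
    return [a for a in alerts if a["priority"] <= max_priority]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_SYSLOG)
    for name, counts in summarize(alerts).items():
        print(name)
        for key, n in counts.most_common():
            print(f"  {n:3d}  {key}")
    print("high priority:", [a["signature"] for a in high_priority(alerts)])
```

The facility and level in the snort.conf line above (LOG_AUTH LOG_ALERT) are what you would match on in the syslog server's own filter rules so that only these records reach a parser like this one.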

Logging with Cisco IDS

Cisco provides a very extensive logging and reporting functionality for their IDS with their Monitoring Center for Security (Security Monitor), which is part of the CiscoWorks VPN/Security Management Solution (VMS) product.

You can launch the Security Monitor by clicking Security Monitor from the Table of Contents under VPN/Security Management Solution | Monitoring Center.

The first step is to add the devices you want the Monitoring Center to monitor. You can do this by clicking the Devices tab and then clicking Add. This will take you through a wizard that prompts you for the device configuration information.

When you have successfully added the sensor, you can monitor it by clicking the Monitor tab. Cisco takes a nice approach to the logging in that they use a pull-based methodology. This ensures that the Security Monitor is always ready to accept events and doesn't miss them because it is busy processing other items.

Although Cisco does not support exporting to syslog, the built-in logging is more than an effective equivalent to syslog. You can view the log in real time by navigating to the Monitor | Events screen and selecting the event type you want to view as well as the event start and stop time. Once you have selected the event options you want to display, click Launch Event Viewer. This will cause the specified event criteria to be displayed in the monitor for further review, as shown here:

You can expand or collapse the rows to display individual events that match a certain event category (for example, you could expand the Root.exe access row to view the 36 unique occurrences of the event).


Reporting on Events

Cisco provides some extensive reporting capabilities with the Security Monitor. You can access the reporting features by clicking the Reports tab. There are three options:

  • Generate Report This choice presents a wizard for generating the various reports.

  • Scheduled This choice will show you the status of the reports that have been generated.

  • View This choice will allow you to view the reports that have been generated.

Generating a report is a straightforward process. Follow these steps:

  1. Click Generate Reports to begin the wizard.

  2. At the Select Report screen, select the type of report you want to generate (for example, IDS Alarms by Day report). When you are finished, click Select.

  3. At the Report Filtering screen, specify the filtering options you want to use. This allows you to build reports on as many or as few events as you choose. When you are finished, click Next.

  4. At the Schedule Report screen, specify the scheduling options you want to configure. One of the nicest features is the ability to schedule the report to run on a regular basis and to e-mail the report to a list of e-mail addresses. This allows you to preconfigure all the standard and routine reports that management may require, as shown next. You can select to export the HTML report to a file by entering the exact filename in the Export To text field. This could be used to export the report to a directory that allows it to be viewed from a website, for example. You can also set the scheduling options as well as define who the report should be e-mailed to. When you are finished, click Finish.


The report will be listed at the Reports View screen when it has been generated. This may take several minutes, however, depending on how much data needs to be processed. When the report is displayed in the Completed Report section, simply check the report you want to view and click Open in Window.

Alerting with PureSecure

PureSecure is one of the few IDS/IPS vendors that provides a relatively intuitive mechanism for configuring the system to generate e-mails on specific events. E-mail alerts can be generated for the following situations:

  • Network IDS alerts: for IDS events

  • Service alerts: for service events that are being monitored

  • System integrity alerts: for system integrity verification events

  • General alerts: for any general events that are logged

You can configure all the alerts by clicking the appropriate alert notification at the PureSecure Configuration Menu screen. For example, if I wanted to generate an e-mail alert for specific IDS events, I would click Network IDS Event Notification and be presented with the Define Network IDS Alert Notification Rule screen (the other alert notification methods use a similar intuitive interface for configuring e-mail notification), as shown next. For this screen, I can enter the e-mail recipient and signature that I want to generate an alert on (for example, WEB-IIS cmd.exe access).

I would then specify the notification period, priority level, and e-mail detail level and then click Add Event.


Alerting with Cisco IDS

Alerting with Cisco IDS is handled by the Security Monitor program, much like logging is. There are two methods of generating e-mail alerts. The first method is relatively simple but does not provide as much detail in the e-mail as you will probably require. The second method is more complex and requires writing some scripts as well as the use of some third-party utilities; however, it provides much more detail in the e-mail itself. We will look at both methods.

Configuring Simple E-mail Alerting

Configuring the Security Monitor to send e-mail alarms is a multistep process. The first step is to configure an SMTP server to be used at the Admin | System Configuration | Email Server screen. The second step is to configure an event rule at the Admin | Event Rules screen. The following steps detail how to configure the event rule:

  1. At the Event Rules screen, click Add.

  2. At the Identify the Rule screen, enter an appropriate name and description and click Next.

  3. At the Specify the Event Filter screen, enter the filtering rules you want to apply. For example, if you want to generate an e-mail whenever an exploit using the WWW WinNT cmd.exe flaw is attempted, you could select Signature Name for the first filtering rule and select (5081) WWW WinNT cmd.exe access, as shown next. When you are finished defining the event filter rules, click Next.

  4. At the Choose the Actions screen, select the rule action you want to apply. For example, if you want an e-mail to be generated, you can check Notify via Email and enter the recipient of the e-mail, as shown next. The message body will display only what is shown on this screen, so unfortunately there is no mechanism to provide more comprehensive details, such as the source and destination address, and so on. That will need to be located by viewing the event log, as previously described. When you are finished, click Next.

  5. At the Specify the Thresholds and Intervals screen, enter thresholds that will prevent you from being inundated by e-mail alarms, but will still provide you with adequate notice of a potential security incident. When you are done, click Finish.

  6. The final step is to activate the new rule by selecting the rule and clicking Activate. When you are finished, the value for Active will change to yes.

Configuring Complex E-mail Alerting

You can configure more complex e-mail alerting by using a third-party SMTP client utility called blat, which is provided as part of VMS. The following steps detail the procedures for implementing e-mail alerting using blat:

  1. The first step is to ensure that blat is installed and configured properly. Blat needs to be in the path of the VMS server. You can verify whether blat is in the path by opening a command prompt and typing blat and then pressing ENTER. If you receive the error file not found, you will need to place the blat executable in a directory that is in the path. By default, blat is located in the $BASE\CSCOpx\bin directory.

  2. Next you need to install and configure blat. You can do this by running the following command at a command prompt on the VMS server:

     blat -install <SMTP server IP address> <sender's email address> 
  3. Next you need to write a script that will handle the parsing of the event and building the information that will be e-mailed. An alternative to writing the script from scratch is to download the following script from Cisco and copy it to the $BASE\CSCOpx\MDC\etc\ids\scripts directory on the VMS server: products_configuration_example09186a00801fc770.shtml#foursensor 

    These procedures will assume that you named the file You may need to modify these instructions if you use a different name.

  4. The script from Cisco is extensively documented internally with descriptions of the various sections. You may need to edit certain values to match your environment. One value that does need to be edited is the $EmailRcpt value near the top of the script. This variable represents the e-mail address of the person to whom the alarm should be e-mailed. Edit it to reflect the e-mail address you want to receive the alarm. Once you have finished editing the script, save it and open the Security Monitor.

    start sidebar
    Heads Up

    Make sure you escape the @ symbol in the e-mail address by putting a backslash in front of it; otherwise, you'll get a Perl syntax error when the script attempts to run. For example, if you wanted to send the e-mail to, you would enter it as user \

    end sidebar
  5. Navigate to the Admin | Event Rules screen and click Add to build a new event rule, as described previously.

  6. At the Identify the Rule screen, enter a rule name and description and then click Next.

  7. At the Specify the Event Filter screen, select the filtering rules you want to use. For example, if you wanted to generate an e-mail alert for all high-severity events, you could select Severity and specify that it must be equal to a value of High. When you are finished, click Next.

  8. At the Choose the Actions screen, check the box Execute a Script and then select the e-mail script file you defined in step 3. In the Arguments section, enter "${Query}" exactly as it is shown next. When you are finished, click Next.

  9. At the Specify the Thresholds and Intervals screen, enter the appropriate values and click Finish.

  10. The last step is to activate the event rule by selecting the rule and clicking Activate.

start sidebar
One Step Further

If you do not receive e-mail alerts, you can test blat to make sure it is working by typing the following:

 Blat <filenamewithtext> -t <email address> -s "Test Message" 

Blat will attempt to send the contents of the filename to the specified e-mail address. If this does not work, blat is not functioning properly. If it does work, you can test the Perl script by opening a command prompt and running the following command while in the $BASE\CSCOpx\MDC\etc\ids\scripts directory: ${Query} 

If you receive any path or Perl errors, verify that the script does not contain any typos. For example, verify that you entered the e-mail address using the backslash character (\) in front of the @ symbol.

end sidebar
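Both e-mail methods leave two pieces of logic to the product: the thresholds and intervals that keep you from being inundated (step 5 of the simple method), and the assembly of a message body that carries the source, destination and sensor the simple method cannot include (the script of the complex method). The following Python is an added example (not Cisco's script, not blat, and not code from the book) that implements both over constructed events: a per-signature threshold gate, a message builder, and a helper that only returns the blat argument list in the shape of the chapter's test command without running it. The event field names, the gate's semantics (fire after `threshold` events inside `interval` seconds, then stay quiet for one interval) and the addresses are this example's own assumptions, not the Security Monitor's exact rules.

```python
from collections import defaultdict, deque
from email.message import EmailMessage

# Constructed events (time in epoch seconds) as a rule engine might receive them
# after parsing; the field names are this example's own, not Cisco's.
SAMPLE_EVENTS = [
    {"time": 0,  "sensor": "sensor2", "signature": "WEB-IIS cmd.exe access", "priority": 1, "src": "192.0.2.44", "dst": "198.51.100.20"},
    {"time": 5,  "sensor": "sensor2", "signature": "WEB-IIS cmd.exe access", "priority": 1, "src": "192.0.2.44", "dst": "198.51.100.20"},
    {"time": 9,  "sensor": "sensor2", "signature": "WEB-IIS cmd.exe access", "priority": 1, "src": "192.0.2.44", "dst": "198.51.100.21"},
    {"time": 12, "sensor": "sensor2", "signature": "WEB-IIS cmd.exe access", "priority": 1, "src": "192.0.2.44", "dst": "198.51.100.22"},
    {"time": 15, "sensor": "sensor1", "signature": "ICMP PING", "priority": 3, "src": "192.0.2.10", "dst": "198.51.100.20"},
]


class AlertNotifier:
    """Threshold/interval gate for one event rule (assumed semantics).

    A notification fires once `threshold` events with the same key have been
    seen within `interval` seconds; afterwards that key stays quiet for
    `interval` seconds, so a burst yields one e-mail rather than hundreds.
    """

    def __init__(self, threshold=1, interval=300):
        self.threshold = threshold
        self.interval = interval
        self._window = defaultdict(deque)  # key -> recent event times
        self._last_sent = {}               # key -> time of last notification

    def observe(self, key, ts):
        last = self._last_sent.get(key)
        if last is not None and ts - last < self.interval:
            return False                   # inside the quiet period
        window = self._window[key]
        window.append(ts)
        while ts - window[0] > self.interval:
            window.popleft()               # drop events older than the interval
        if len(window) >= self.threshold:
            self._last_sent[key] = ts
            window.clear()
            return True
        return False


def build_message(event, recipient, sender):
    """Put the fields the simple alerting method cannot include into the body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"IDS alarm: {event['signature']} from {event['src']}"
    fields = ("time", "sensor", "signature", "priority", "src", "dst")
    msg.set_content("\n".join(f"{name}: {event[name]}" for name in fields))
    return msg


def blat_command(body_file, recipient, subject):
    """Argument list in the form of the chapter's blat test command; returned,
    not executed, so the example runs without blat installed."""
    return ["blat", body_file, "-t", recipient, "-s", subject]


def run_rule(events, match, notifier, recipient, sender):
    """Apply one event rule: keep events that `match`, gate them per signature
    through the notifier, and return the messages that should be sent."""
    outgoing = []
    for ev in events:
        if match(ev) and notifier.observe(ev["signature"], ev["time"]):
            outgoing.append(build_message(ev, recipient, sender))
    return outgoing


if __name__ == "__main__":
    gate = AlertNotifier(threshold=3, interval=60)
    mails = run_rule(SAMPLE_EVENTS, lambda e: e["priority"] <= 1, gate,
                     "ids-alerts@example.com", "sensor@example.com")
    for m in mails:
        print(m["Subject"])
        print(m.get_content())
    print(blat_command("alarm.txt", "ids-alerts@example.com", "IDS alarm"))
```

With the sample events and a threshold of 3 in 60 seconds, the three cmd.exe hits produce exactly one message; the fourth falls inside the quiet period and the ICMP event never passes the filter, which is the behaviour you want the thresholds screen to give you.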

Blocking Traffic Using Cisco IDS and Cisco PIX Firewalls

A nice feature that the Cisco IDS supports is the ability to integrate with Cisco devices and configure routers, switches, and PIX firewalls to block traffic that generates alarms on the IDS. This allows the IDS to provide some intrusion prevention functionality. Configuring blocking is a three-step process. The first step is to configure a logical device to provide the authentication parameters to use. You can do this by using the IDS Device Manager and navigating to the Configuration | Blocking | Logical Devices screen and clicking Add. At the Adding screen, enter the appropriate authentication values and click Apply to Sensor.

The second step is to configure blocking at the Configuration | Blocking | Blocking Devices screen by clicking Add to add a new blocking device. At the Adding screen, enter the IP address of the device you want to configure blocking on. Select the proper device type and communication method. When you are finished, click Apply to Sensor.

start sidebar
Heads Up

Although 3DES/SSH is more secure than Telnet, using 3DES/SSH requires that you configure a known host key for the remote device. To do this, you can run the command ssh host-key <ipaddressofremotehost> at the sensor CLI.

end sidebar

The third step is to configure the signatures on which you want to enable the block action by customizing them using the procedure previously described in this chapter. Navigate to the Configuration | Sensing Engine | Virtual Sensor Configuration | Signature Configuration Mode screen and edit the signature you want to modify. In the EventAction field, select shunHost or shunConnection, as shown next. When you are finished, click OK and commit the changes to the sensor.

start sidebar
Heads Up

Be aware that configuring blocking using the shunHost option can result in a self-imposed denial of service in the event that the alarm is a false positive.

end sidebar
start sidebar
One Step Further

You can configure blocking with routers and Catalyst 6000 series switches as well by following most of these same procedures. In addition to the process just detailed, you will need to configure the blocking interface for the router or Catalyst 6000 series switch.

end sidebar
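The self-imposed denial of service warned about above is easiest to avoid by deciding the block action outside the signature itself: a small guard that refuses to shun addresses you can never afford to lose and reserves shunHost for the few signatures where a whole-host block is justified. The following Python is an added example (not part of the book and not a Cisco IDS feature) of such a guard over constructed events; the never-block networks, the host-shun signature list, the priority cutoff and the event fields are this example's own assumptions.

```python
import ipaddress

# Constructed never-block list: the internal server subnet and the upstream
# gateway must never be shunned, whatever the IDS reports about them.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.1/32")]

# Constructed list of signatures where blocking the whole host (shunHost) is
# acceptable; anything else that qualifies gets the narrower shunConnection.
SHUN_HOST_SIGNATURES = {"MS-SQL Worm propagation attempt"}


def decide_block_action(event, never_block=NEVER_BLOCK,
                        shun_host_signatures=SHUN_HOST_SIGNATURES, max_priority=2):
    """Return (action, reason), where action is 'none', 'shunConnection' or
    'shunHost'. The reason is meant for the audit trail, so that a block that
    turns out to be a false positive can be explained afterwards."""
    try:
        src = ipaddress.ip_address(event["src"])
    except ValueError:
        return "none", "unparseable source address"
    # Addresses that cannot belong to a real peer: blocking them only adds
    # entries to the firewall and proves nothing.
    if src.is_loopback or src.is_multicast or src.is_unspecified or src.is_reserved:
        return "none", f"{src} cannot be a real peer address"
    for net in never_block:
        if src in net:
            return "none", f"{src} is inside never-block network {net}"
    if event["priority"] > max_priority:
        return "none", f"priority {event['priority']} is below the blocking cutoff"
    if event["signature"] in shun_host_signatures:
        return "shunHost", "signature is on the host-shun list"
    return "shunConnection", "default: block only the offending connection"


def plan_blocks(events, **kwargs):
    """Run the guard over a batch of events and keep only real block actions."""
    plan = []
    for ev in events:
        action, reason = decide_block_action(ev, **kwargs)
        if action != "none":
            plan.append((ev["src"], action, reason))
    return plan


if __name__ == "__main__":
    # Constructed events in the same shape as the alerting example
    events = [
        {"src": "198.51.100.7", "signature": "WEB-IIS cmd.exe access", "priority": 1},
        {"src": "192.0.2.10", "signature": "MS-SQL Worm propagation attempt", "priority": 2},
        {"src": "192.0.2.44", "signature": "WEB-IIS cmd.exe access", "priority": 1},
        {"src": "192.0.2.10", "signature": "ICMP PING", "priority": 3},
    ]
    for ev in events:
        print(ev["src"], ev["signature"], "->", decide_block_action(ev))
    print(plan_blocks(events))
```

The never-block list should at minimum contain your DNS servers, default gateways, the management network and the sensor's own address, because a single spoofed or misclassified packet from any of them would otherwise cut you off from the very devices you need to investigate.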

Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
Year: 2004