
Lesson 8

Configuring Signatures

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—8-1


Parameters Common to All Signature Engines


Common Parameters

[Screenshot: IDM signature edit pane with callouts for the parameters common to all signature engines: Signature ID, SubSignature ID, Alert Severity, Sig Fidelity Rating, Promiscuous Delta, Sig Description (Signature Name, Alert Notes, User Comments, Alert Traits, Release), Engine, Event Counter (Event Count, Event Count Key, Specify Alert Interval).]

Common Parameters (Cont.)

[Screenshot: same pane, continued; callouts: Alert Frequency (Summary Mode, Summary Interval, Summary Key, Specify Global Summary Threshold), Status (Enabled, Retired).]


Key Terminology

• A = source address
• a = source port
• B = destination address
• b = destination port
• x = does not matter

AxBx = The source and destination addresses matter, but the source and destination ports do not.
Summary Modes

You can use the value of the common parameter Summary Mode to control the number of alarms generated by a specific signature. The Summary Mode parameter can have one of the following values:
• Fire once
• Fire all
• Summarize
• Global summarize


Threshold Parameters and Automatic Alarm Summarization

Automatic alert summarization enables a signature to change alert modes automatically based on the number of alerts detected within the Summary Interval parameter.

[Diagram: across one Summary Interval, the Summary Mode moves from Fire All to Summarize once the Summary Threshold is exceeded, and from Summarize to Global Summarize once the Global Summary Threshold is exceeded.]
Signature Tuning


Signature Tuning

[Screenshot: IDM Configuration > Signature Definition > Signature Configuration, with the Edit button highlighted.]


Signature Tuning Scenario 1

• A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts.
• Using the signature search features in the IDM, the network security administrator discovers signature 6250, the FTP Authorization Failure signature.
• After examining the parameters for signature 6250, the administrator decides to tune the signature as follows:
– Change the severity level from informational to high
– Add the Deny Connection Inline action to the default action of Produce Alert


Signature Tuning Scenario 1 (Cont.)

[Screenshot: Edit Signature dialog; callouts: Alert Severity, Event Action.]


Signature Tuning Scenario 2

• You are replacing D-Link devices on your network with Linksys wireless devices, but you still have some old D-Link systems that have not yet been replaced. Until they are replaced, you want to make sure that they are not being attacked. You would like to do the following to protect the D-Link devices and other devices on your network:
– Alert on any attempt to access a D-Link configuration file from any system other than your management system
– Generate a single alert every 5 minutes when the signature is being triggered by a single-source IP address
– Use the Deny Packet Inline action to drop traffic from non-D-Link devices
• You discover that Signature 4611 detects TFTP requests for D-Link configuration files, but it does not meet your requirements to do the following:
– Generate a single alert for a single-source IP every 5 minutes
– Drop the TFTP request before it reaches its target


Signature Tuning Scenario 2 (Cont.)

[Screenshot: IDM Configuration > Signature Definition > Signature Configuration; callouts: Select By: Sig ID, Enter Sig ID: 4611, Find, Edit.]


Signature Tuning Scenario 2 (Cont.)

[Screenshot: Edit Signature dialog; callouts: Event Action; Event Counter (Event Count, Event Count Key, Specify Alert Interval, Alert Interval); Alert Frequency (Summary Mode, Summary Interval); OK.]


Custom Signatures


Creating Custom Signatures

• Creating a custom signature requires detailed knowledge of the attack for which you create it.
• Poorly written signatures can generate false positives and false negatives.
• You should test a custom signature carefully before you deploy it.
• The Signature Wizard in the IDM guides you through the process of creating custom signatures and enables you to create custom signatures in either of the following ways:
– Using a signature engine
– Without using a signature engine
• You can also create custom signatures without using the Signature Wizard.
Custom Signature Scenario 1

A network security administrator wants to create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the atomic IP engine for the following reasons:
• Atomic signatures can trigger on the contents of a single packet.
• The atomic IP engine allows you to select a Layer 4 protocol.
• You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
• You can use the Destination Port Range parameter to specify the destination port of interest.
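The engine parameters this scenario relies on (Layer 4 Protocol, TCP Flags, TCP Mask, Destination Port Range) can be modelled in a few lines. The following Python is an added example, not code from the Cisco course or from the sensor: it parses a constructed IPv4/TCP packet and applies the mask-and-compare check, showing why the mask must include ACK so that a server's SYN/ACK reply is not mistaken for a client's SYN. The packet bytes, addresses and helper names are all constructed for the example.

```python
import struct

# TCP flag bits as they appear in the flags byte of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IPPROTO_TCP = 6


def parse_ipv4_tcp(pkt: bytes):
    """Return (dst_port, tcp_flags) for a raw IPv4/TCP packet, or None if it is
    not IPv4 carrying TCP (the Layer 4 Protocol check of the atomic IP engine)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 14:
        return None
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags = pkt[ihl + 13]                # flags byte follows the data-offset byte
    return dst_port, flags


def atomic_ip_match(pkt: bytes, tcp_flags: int, tcp_mask: int, port_range: tuple) -> bool:
    """Model of the three engine parameters used in the scenario: TCP Mask selects
    which flag bits are examined, TCP Flags gives the value those bits must have,
    and Destination Port Range bounds the destination port."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    dst_port, flags = parsed
    lo, hi = port_range
    return (flags & tcp_mask) == tcp_flags and lo <= dst_port <= hi


def build_ipv4_tcp(dst_port: int, flags: int, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed sample packet (20-byte IPv4 header + 20-byte TCP header, no
    payload, checksums left zero) for exercising the matcher offline."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr


# Scenario 1 settings: examine SYN and ACK, require SYN set and ACK clear, port 23 only.
SYN, ACK = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"]
SCENARIO = dict(tcp_flags=SYN, tcp_mask=SYN | ACK, port_range=(23, 23))


def demo():
    """Show why the mask matters: with ACK in the mask, a SYN/ACK (the server's
    reply) does not match; with only SYN in the mask it would."""
    syn = build_ipv4_tcp(23, SYN)
    syn_ack = build_ipv4_tcp(23, SYN | ACK)
    return {
        "syn_to_23": atomic_ip_match(syn, **SCENARIO),
        "syn_ack_to_23": atomic_ip_match(syn_ack, **SCENARIO),
        "syn_ack_mask_syn_only": atomic_ip_match(syn_ack, SYN, SYN, (23, 23)),
        "syn_to_80": atomic_ip_match(build_ipv4_tcp(80, SYN), **SCENARIO),
        "udp_to_23": atomic_ip_match(build_ipv4_tcp(23, SYN, proto=17), **SCENARIO),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:24s} -> {'MATCH' if hit else 'no match'}")
```

The `syn_ack_mask_syn_only` case is the one to look at: a mask of SYN alone makes the signature fire on every SYN/ACK the telnet server sends back, doubling the alert count and pointing at the wrong host.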
Using the Custom Signature Wizard

[Screenshot: IDM Configuration > Signature Definition > Custom Signature Wizard; callout: Start the Wizard.]

Specifying a Signature Engine

[Screenshot: wizard page; callouts: Select Engine, Next.]

Configuring the Signature Identification Parameters

[Screenshot: wizard page; callouts: Signature ID, Signature Name, Next.]

Configuring the Engine-Specific Parameters

[Screenshot: wizard page; callouts: Specify Layer 4 Protocol, Layer 4 Protocol, TCP Flags, TCP Mask, Next.]

Configuring the Engine-Specific Parameters (Cont.)

[Screenshot: wizard page; callouts: Specify Destination Port Range, Destination Port Range, Next.]

Configuring the Alert Response

[Screenshot: wizard page; callouts: Signature Fidelity Rating, Severity of the Alert, Next.]

Configuring the Alert Behavior

[Screenshot: wizard page; callouts: Advanced, Finish.]
Custom Signature Scenario 2

A network security administrator wants to create a signature that can detect and drop traffic containing the word “confidential.” The administrator wants the signature to fire if the traffic is directed to the following ports:
• FTP: 20 and 21
• Telnet: 23
• SMTP: 25
• HTTP: 80
• POP3: 110


Custom Signature Scenario 2 (Cont.)

The administrator wants to configure the signature to send alerts to the Event Store as follows:
• Send an alert to the Event Store every time the signature fires.
• If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as follows:
– Send a summary alert for firings of the signature on the same victim address during the interval.
– If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.
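The dynamic response requested above is the automatic alarm summarization described on the Threshold Parameters slide, now with concrete numbers. The following Python is an added example, not part of the Cisco course materials or the sensor software: it models one signature moving from Fire All to Summarize to Global Summarize within a 30-second summary interval, using the lesson's summary key notation (xxBx for "same victim address"). The summary threshold is modelled as a per-key count and the global threshold as a total count, which is an assumption the slides do not spell out; the traffic timestamps, addresses and signature ID are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Summary key notation from the Key Terminology slide, read position by position:
# A = source address, a = source port, B = destination address, b = destination port,
# x = does not matter.
KEY_FIELDS = ("A", "a", "B", "b")


@dataclass(frozen=True)
class Firing:
    t: float        # seconds since the sensor started (constructed timestamps)
    src: str
    sport: int
    dst: str
    dport: int


def summary_key(f: Firing, pattern: str) -> tuple:
    """Reduce a firing to the tuple the sensor counts on, e.g. "xxBx" keeps only the victim address."""
    values = (f.src, f.sport, f.dst, f.dport)
    if len(pattern) != 4 or any(c not in (want, "x") for c, want in zip(pattern, KEY_FIELDS)):
        raise ValueError(f"bad summary key {pattern!r}")
    return tuple(v if c != "x" else "*" for c, v in zip(pattern, values))


class AlertSummarizer:
    """Simplified model of automatic alert summarization for one signature.

    Within one summary interval the mode moves Fire All -> Summarize -> Global Summarize:
    - Summarize once the count for a single summary key exceeds summary_threshold
    - Global Summarize once the total count exceeds global_threshold
    At the end of the interval the pending summaries are emitted and the mode resets.
    Summary counts cover every firing in the interval, including those already
    reported individually while in Fire All. Fire Once is not modelled.
    """

    def __init__(self, sig_id, key="xxBx", interval=30, summary_threshold=20, global_threshold=25):
        self.sig_id, self.key, self.interval = sig_id, key, interval
        self.summary_threshold, self.global_threshold = summary_threshold, global_threshold
        self.alerts = []            # (kind, key, count) tuples in emission order
        self._reset()

    def _reset(self):
        self.mode = "fire-all"
        self.start = None
        self.per_key = Counter()
        self.total = 0

    def _flush(self):
        if self.mode == "summarize":
            for k, n in self.per_key.items():
                self.alerts.append(("summary", k, n))
        elif self.mode == "global-summarize":
            self.alerts.append(("global-summary", ("*", "*", "*", "*"), self.total))
        self._reset()

    def fire(self, f: Firing):
        if self.start is None:
            self.start = f.t
        elif f.t >= self.start + self.interval:   # interval elapsed: emit summaries, start fresh
            self._flush()
            self.start = f.t
        k = summary_key(f, self.key)
        self.per_key[k] += 1
        self.total += 1
        if self.mode == "fire-all" and self.per_key[k] > self.summary_threshold:
            self.mode = "summarize"
        if self.mode != "global-summarize" and self.total > self.global_threshold:
            self.mode = "global-summarize"
        if self.mode == "fire-all":
            self.alerts.append(("alert", k, 1))

    def finish(self):
        """Close the current interval and return everything emitted."""
        self._flush()
        return list(self.alerts)


def run_scenario(n_to_victim: int, n_to_other: int = 0):
    """Constructed traffic: n_to_victim firings against 10.0.1.5 from rotating sources,
    one per second, then n_to_other against 10.0.1.9. Returns the alert list."""
    s = AlertSummarizer(sig_id=60001)
    t = 0
    for i in range(n_to_victim):
        s.fire(Firing(t, f"192.0.2.{i % 50 + 1}", 40000 + i, "10.0.1.5", 80))
        t += 1
    for i in range(n_to_other):
        s.fire(Firing(t, f"192.0.2.{i % 50 + 1}", 41000 + i, "10.0.1.9", 25))
        t += 1
    return s.finish()


if __name__ == "__main__":
    for a in run_scenario(30):
        print(a)
```

With 30 firings against one victim in 30 seconds the model emits 20 individual alerts and then a single global summary carrying the count of 30; with 22 firings against one victim and 2 against another it stays in Summarize and emits one per-victim summary each, which is the behaviour the scenario asks for.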
Using the Custom Signature Wizard Without Specifying a Signature Engine

[Screenshot: wizard page asking whether to select an engine; callouts: No, Next.]

Selecting the Protocol Type

[Screenshot: wizard page; callouts: TCP, Next.]

Configuring the TCP Traffic Type

[Screenshot: wizard page; callouts: Single TCP Connection, Next.]

Configuring the Service Type

[Screenshot: wizard page; callouts: OTHER, Next.]

Configuring the Signature Identification

[Screenshot: wizard page; callouts: Signature ID, SubSignature ID, Signature Name, Alert Notes, User Comments, Next.]

Configuring the Engine-Specific Parameters

[Screenshot: wizard page; callouts: Event Action, Regex String, Service Ports, Direction, Next.]

Configuring the Alert Response

[Screenshot: wizard page; callouts: Signature Fidelity Rating, Severity of the Alert, Next.]

Configuring the Alert Behavior

[Screenshot: wizard page; callout: Advanced.]

Configuring the Event Count and Interval

[Screenshot: wizard page; callouts: Event Count, Event Count Key, Use Event Interval, Event Interval, Next.]

Configuring Alert Summarization

[Screenshot: wizard page; callouts: Alert Every Time the Signature Fires, Next.]

Configuring Alert Dynamic Response

[Screenshot: wizard page; callouts: Summary Key, Use Dynamic Summary, Summarization Threshold, Summary Interval (seconds), Specify Global Summary Threshold, Global Summary Threshold, Finish.]

Completing the Custom Signature Creation

[Screenshot: wizard summary page; callout: Finish.]
Custom Signature Scenario 3

• A network security administrator wants to create a signature that fires when a Nimda attack is occurring.
• Nimda triggers the following built-in signatures, which are components of a Nimda attack:
– 5081: cmd.exe Access
– 5124: IIS CGI Decode
– 5114: IIS Unicode Attack
– 3215: Dot Dot Execute
– 3216: Dot Dot Crash
• The administrator wants the sensor to generate an alert for the new signature if the component signatures are triggered by the same attacker within a 60-second time frame.
• To limit the number of alerts that are generated, the administrator wants the sensor to generate alerts only for the new signature and not for the component signatures.
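A model of how the meta engine correlates the component firings above, added here as an example and not taken from the course or from the sensor code: it keys on the attacker address (Axxx in the lesson's notation), raises one meta alert when all five component signatures have fired for that key within the 60-second Meta Reset Interval, and returns nothing for the component firings themselves, which is the effect of removing Produce Alert from them. The meta signature ID 60002, the event stream and the addresses are constructed.

```python
from dataclasses import dataclass, field

# Component signatures named on the slide for the Nimda scenario.
NIMDA_COMPONENTS = frozenset({5081, 5124, 5114, 3215, 3216})


@dataclass
class Window:
    start: float                              # time of the first component firing in this window
    seen: set = field(default_factory=set)    # component signature IDs observed so far


class MetaSignature:
    """Simplified model of the meta engine: fires once when every component
    signature has fired for the same meta key within the Meta Reset Interval.
    Only attacker-keyed (Axxx) and attacker+victim-keyed (AxBx) correlation is modelled."""

    def __init__(self, sig_id, components, reset_interval=60, key="Axxx"):
        if key not in ("Axxx", "AxBx"):
            raise ValueError("this model supports Axxx or AxBx meta keys")
        self.sig_id = sig_id
        self.components = frozenset(components)
        self.reset_interval = reset_interval
        self.key = key
        self.windows = {}   # meta key -> Window

    def _key(self, attacker, victim):
        return attacker if self.key == "Axxx" else (attacker, victim)

    def component_fired(self, t, sig_id, attacker, victim):
        """Feed one component firing. Returns a (meta_sig_id, key, t) alert when the
        component set completes, else None. Component firings produce no alert of
        their own, mirroring the removal of Produce Alert from the component signatures."""
        if sig_id not in self.components:
            return None
        k = self._key(attacker, victim)
        w = self.windows.get(k)
        if w is None or t - w.start > self.reset_interval:
            w = Window(start=t)          # reset interval elapsed: start counting again
            self.windows[k] = w
        w.seen.add(sig_id)
        if w.seen == self.components:
            del self.windows[k]
            return (self.sig_id, k, t)
        return None


def replay(events, meta):
    """Run constructed (t, sig_id, attacker, victim) events through the meta signature
    and return the meta alerts raised."""
    return [a for a in (meta.component_fired(*e) for e in events) if a is not None]


# Constructed event stream: 192.0.2.10 completes all five components within 60 s;
# 192.0.2.20 trips only four; 192.0.2.30 spreads them over more than 60 s.
EVENTS = [
    (0, 5081, "192.0.2.10", "10.0.1.5"), (5, 5124, "192.0.2.10", "10.0.1.5"),
    (10, 5114, "192.0.2.10", "10.0.1.5"), (20, 3215, "192.0.2.10", "10.0.1.5"),
    (30, 3216, "192.0.2.10", "10.0.1.5"),
    (1, 5081, "192.0.2.20", "10.0.1.5"), (2, 5124, "192.0.2.20", "10.0.1.5"),
    (3, 5114, "192.0.2.20", "10.0.1.5"), (4, 3215, "192.0.2.20", "10.0.1.5"),
    (0, 5081, "192.0.2.30", "10.0.1.5"), (70, 5124, "192.0.2.30", "10.0.1.5"),
    (71, 5114, "192.0.2.30", "10.0.1.5"), (72, 3215, "192.0.2.30", "10.0.1.5"),
    (73, 3216, "192.0.2.30", "10.0.1.5"),
]


def demo():
    return replay(EVENTS, MetaSignature(sig_id=60002, components=NIMDA_COMPONENTS))


if __name__ == "__main__":
    for sig, key, t in demo():
        print(f"meta signature {sig} fired for attacker {key} at t={t}s")
```

Only 192.0.2.10 produces a meta alert. The third attacker shows the reset interval doing its job: its first component firing is more than 60 seconds old by the time the others arrive, so the window restarts and never reaches all five.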
Creating a Custom Signature Without the Signature Wizard

[Screenshot: IDM Configuration > Signature Definition > Signature Configuration; callouts: Select By, Select Engine, Add.]

Creating a Meta Signature

[Screenshot: Add Signature dialog; callouts: Signature ID, SubSignature ID, Alert Severity, Sig Fidelity Rating, Sig Description, Signature Name, Engine, Event Action.]

Creating a Meta Signature (Cont.)

[Screenshot: Add Signature dialog; callout: Component List.]

Listing the Component Signatures

[Screenshot: component entry dialog; callouts: Entry Key, Component Sig ID, Component SubSig ID, Add, OK.]

Listing the Component Signatures (Cont.)

[Screenshot: component list dialog; callouts: Available Entries, Selected Entries, Select, OK.]

Configuring the Meta Reset Interval and Meta Key

[Screenshot: Add Signature dialog; callouts: Meta Reset Interval, Meta Key, OK.]

Removing “Produce Alert” from Component Signatures

[Screenshot: IDM Configuration > Signature Definition > Signature Configuration; callouts: Select By, Enter Sig ID, Actions, Produce Alert.]
Summary


Summary

• Cisco IPS signatures can be tuned to company network security policy or network traffic pattern.
• Custom signatures can be created to meet a unique security requirement.
• Custom signatures can be created via the IDM Custom Signature Wizard.
• The Custom Signature Wizard enables you to create custom signatures with or without using a signature engine.


Summary (Cont.)

• Consider the following before creating a signature with the Signature Wizard:
– The network protocol
– The target address
– The target port
– The type of attack
– Whether payload inspection is required
– Whether the signature can be triggered by the contents of a single packet
• Be sure to carefully test custom signatures before deploying them.
Lab Exercise


Lab Visual Objective

[Lab topology diagram; labels as printed: Web, FTP, .50, .150 on 172.26.26.0; RBB; 172.30.P.0 and 172.30.Q.0 (.1, .2); prP, prQ; 172.16.P.0 and 172.16.Q.0 (.1, .4); sensorP, sensorQ (.2); rP, rQ; 10.0.P.0 and 10.0.Q.0 (.2, .100); RTS; Student PC 10.0.Q.12 on both sides.]
