© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.07-1 Lesson 7 Describing Signature Engines.

Transcript:

Lesson 7: Describing Signature Engines

Signature Engines

Signature Engine Overview
A Signature Engine is a component of the sensor that supports a category of signatures. The Cisco IPS Signature Engines enable you to tune built-in signatures and create new signatures unique to your network environment.

Engine Usage
Engine Category: Usage
Atomic: Used for single-packet inspection
Flood: Used to detect attempts to cause a DoS
Meta: Used to perform event correlation on the sensor
Normalizer: Used to detect ambiguities and abnormalities in the traffic stream

Engine Usage (Cont.)
Service: Used when Layer 5, 6, and 7 services require protocol analysis
State: Used for state-based and regular expression–based pattern inspection and alarming functionality for TCP streams
String: Used for regular expression–based pattern inspection and alarm functionality for multiple transport protocols

Engine Usage (Cont.)
Sweep: Used to detect network reconnaissance
Traffic: Used to detect traffic irregularities
Trojan: Used to inspect nonstandard protocols
AIC: Used for deep-packet inspection of FTP and HTTP traffic

Engine Parameters
An engine parameter is a name and value pair. The parameter name is defined by its engine. Parameter values have limits that are defined by the engine. The parameter name is constant across all signatures in a particular engine, but the value can be different for the various signatures in an engine group. Some parameters are common to all engines while others are engine-specific.

Atomic Signature Engines

Atomic Signature Engines
Engine Name: Engine Description
Atomic ARP: Examines ARP packets
Atomic IP: Examines ICMP, IP, TCP, and UDP packets

Atomic ARP Parameters
Specify Type of ARP Sig
Specify Request Inbalance
Storage Key

Atomic IP Parameters
Specify Layer 4 Protocol
Fragment Status: Not Fragmented
Layer 4 Protocol: TCP Protocol
TCP Flags: SYN
TCP Mask: Syn, Ack
Specify Payload Inspection

Flood Signature Engines

Flood Signature Engines
Engine Name: Engine Description
Flood Net: Looks for an excessive number of packets sent to a network segment
Flood Host: Looks for an excessive number of ICMP or UDP packets sent to a target host

Flood Net Parameters
Gap
Peaks
Rate
Protocol

Flood Host Parameters
Rate: 25
Protocol: ICMP
ICMP Type: 8

Meta Signature Engine

The Meta Event Generator
Signature = NIMDA
Meta Reset Interval = 3 seconds
Component signatures:
Signature 5124 IIS CGI Decode
Signature 3215 Dot Dot Execute
Signature 5114 IIS Unicode Attack
Signature 5081 cmd.exe Access
Signature 3216 Dot Dot Crash
If the five signatures fire within a three-second interval, the meta signature, NIMDA, fires.

Meta Engine Parameters
Component List
Meta Reset Interval
Component List in Order
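The Meta Event Generator's NIMDA example, worked through as an added illustration (not Cisco's engine code): a sliding-window correlator keyed to the slide's five component signature IDs and the 3-second Meta Reset Interval, with the Component List in Order parameter modelled as a subsequence check. The alert streams and the single-attacker keying are constructed assumptions.

```python
# Added illustration of the Meta engine's NIMDA example; not Cisco code.
# Signature IDs and the 3-second Meta Reset Interval are from the slide;
# the alert streams are constructed sample data (one attacker assumed).
from collections import deque

NIMDA_COMPONENTS = [5124, 3215, 5114, 5081, 3216]   # Component List
META_RESET_INTERVAL = 3.0                            # seconds

class MetaSignature:
    def __init__(self, name, components, reset_interval, in_order=False):
        self.name = name
        self.components = list(components)
        self.reset_interval = reset_interval
        self.in_order = in_order   # "Component List in Order" parameter
        self.window = deque()      # (timestamp, sig_id) inside the interval

    def _expire(self, now):
        # Drop component alerts older than the Meta Reset Interval.
        while self.window and now - self.window[0][0] > self.reset_interval:
            self.window.popleft()

    def _complete(self):
        seen = [sig for _, sig in self.window]
        if not self.in_order:
            return all(c in seen for c in self.components)
        # Ordered mode: components must appear as a subsequence of the window.
        it = iter(seen)
        return all(any(s == c for s in it) for c in self.components)

    def observe(self, timestamp, sig_id):
        """Feed one component alert; True when the meta signature fires."""
        if sig_id not in self.components:
            return False
        self._expire(timestamp)
        self.window.append((timestamp, sig_id))
        if self._complete():
            self.window.clear()    # start over after firing
            return True
        return False

def run_meta(events, in_order=False):
    """Return the timestamps at which NIMDA fires for a (time, sig_id) stream."""
    meta = MetaSignature("NIMDA", NIMDA_COMPONENTS, META_RESET_INTERVAL, in_order)
    return [ts for ts, sig in events if meta.observe(ts, sig)]

# Constructed alert streams: (seconds, signature id).
BURST = [(0.0, 5124), (0.5, 3215), (1.0, 5114), (1.5, 5081), (2.0, 3216)]
SLOW = [(0.0, 5124), (1.0, 3215), (2.0, 5114), (3.5, 5081), (4.0, 3216)]
REVERSED = [(0.0, 3216), (0.5, 5081), (1.0, 5114), (1.5, 3215), (2.0, 5124)]
```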

Normalizer Signature Engine

Normalizer Engine
The normalizer engine detects and corrects ambiguities and abnormalities in traffic as packets flow through the data path. The traffic the normalizer engine inspects is guaranteed unambiguous because it is normalized before it is inspected. The normalizer engine performs such functions as the following:
– Properly sequencing packets in a TCP stream
– Reassembling fragmented IP packets

Normalizer Engine Parameters
Specify Fragment Reassembly Timeout
Fragment Reassembly Timeout
Specify Hijack Max Old ACK
Max Old ACK
Specify SYN Flood Max Embryonic
SYN Flood Max Embryonic

Service Signature Engines

Service Signature Engines
Engine Name: Engine Description
Service DNS: Examines TCP and UDP DNS packets
Service FTP: Examines FTP traffic
Service Generic: Emergency response engine that supplements the string and state engines
Service H225: Examines the call signaling and setup in VoIP traffic
Service HTTP: Examines HTTP traffic for string-based pattern matching
Service IDENT: Examines TCP port 113 traffic
Service MSRPC: Examines Microsoft RPC traffic

Service Signature Engines (Cont.)
Service MSSQL: Examines traffic used by Microsoft SQL
Service NTP: Examines NTP traffic
Service RPC: Examines RPC traffic
Service SMB: Examines SMB traffic
Service SNMP: Examines SNMP traffic
Service SSH: Examines SSH traffic

Service DNS Parameters
Protocol
Specify Query Src Port 53
Query Src Port 53
Specify Query Value
Query Value

Service FTP Parameters
Direction
Swap Attacker Victim
Service Ports

Service Generic Parameters
Specify Dst Port
Dst Port
Specify Payload Source
Payload Source

H.323 Calls and the Service H225 Engine
[Figure: Gateway A and Gateway B connected across an IP QoS network; H.225 RAS (UDP) is exchanged with the Gatekeeper, and H.225 (Q.931) call setup (TCP) runs between the gateways.]
QoS = quality of service
RAS = registration, admission, and status

Service H225 Engine
Service H225 engine features:
– TPKT validation and length checking
– Q.931 IE validation and length checking
– Setup message validation
– ASN.1 PER encode error checking
– Regex signatures for text fields in Q.931 IEs
– Signatures that provide regex and length checking for fields such as URL-ID and -ID

Service H225 Parameters
Message Type: Q.931
Policy Type: Length Check
Specify Value Range: Yes
Value Range: 1-3

Service HTTP Parameters
De-Obfuscate
Specify Request Regex
Request Regex
Service Ports

Service Ident Parameters
Service Ports
Direction
Inspection Type

Service MSRPC Parameters
Protocol
Regex String

Service MSSQL Parameters
Password Present
Specify SQL Username
SQL Username

Service NTP Parameters
Inspection Type
Operation Mode
Max Control Data Size
Control Opcode

Service RPC Parameters
Protocol
Direction
Service Ports
Specify RPC Program
RPC Program

Service SMB Parameters
Service Ports
Specify Word Count
Word Count

Service SNMP Parameters
Inspection Type
Specify Community Name
Community Name
Specify Object ID

Service SSH Parameters
Length Type
Specify Packet Depth
Packet Depth
Service Ports

State Signature Engine

State Signature Engine
State Machine
Direction
Service Ports

String Signature Engines

String Signature Engines
Engine Name: Engine Description
String ICMP: Searches ICMP packets for a string pattern
String TCP: Searches TCP packets for a string pattern
String UDP: Searches UDP packets for a string pattern

String ICMP Parameters
ICMP Type
Direction

String TCP Parameters
Service Ports
Direction

String UDP Parameters
Service Ports
Direction

Sweep Signature Engines

Sweep Signature Engines
Engine Name: Engine Description
Sweep: Detects a single source scanning multiple hosts or multiple ports on one host
Sweep Other TCP: Detects odd sweeps and scans such as Queso

Sweep Engine
The sweep engine controls the following types of signatures:
– ICMP
– TCP
– UDP
Signatures controlled by the sweep engine detect the following types of sweeps:
– Host sweeps
– Port sweeps
– Service sweeps

Sweep Engine Parameters
Protocol
TCP Flags
Mask
Specify Port Range
Port Range
Storage Key
Unique

Sweep Other TCP Engine
The Sweep Other TCP Signature Engine supports signatures that fire when a mixture of TCP packets with different flags set is detected on the network. The Sweep Other TCP engine does not do Unique counting like the Sweep Signature Engine.

Sweep Other TCP Parameters
TCP Flags

Traffic and Trojan Signature Engines

Trojan Signature Engines
Engine Name: Engine Description
Trojan BO2K: Examines UDP and TCP traffic for nonstandard BackOrifice traffic
Trojan TFN2K: Examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers
Trojan UDP: Examines UDP traffic for Trojan attacks

Trojan Parameters
TCP Flags

Traffic ICMP Parameters
Want Request
Inspection Type
Reply Ratio

AIC Signature Engines

AIC Signature Engines
Engine Name: Engine Description
AIC FTP: Used for FTP-specific policy enforcement
AIC HTTP: Used for HTTP-specific policy enforcement

Enabling Application Policy Enforcement
Configuration > Signature Definition > Miscellaneous > Application Policy
Enable HTTP
Enable FTP
Max HTTP Requests
AIC Web Ports

AIC FTP Engine
Capabilities of the AIC FTP engine:
– Controls which recognized FTP commands are permitted into the network
– Controls whether unrecognized FTP commands are permitted into the network
The AIC FTP engine controls the following types of signatures:
– Define FTP command: Used to associate an action with a specific FTP command
– Unrecognized FTP command: Used to have the sensor take an action when it detects an FTP command that is not recognized

AIC FTP Parameter Example
Selected Engine: AIC FTP
Unrecognized FTP command
Enable

AIC HTTP Engine Capabilities
– Enforcing RFC compliance
– Authorizing and enforcing HTTP request methods
– Validating response messages
– Enforcing MIME types
– Validating transfer encoding types
– Controlling content based on message content and type of data being transferred
– Enforcing URI length
– Enforcing message size according to policy configured and the header
– Enforcing tunneling, P2P, and instant messaging

AIC HTTP Signatures
The AIC HTTP engine controls the following types of signatures:
– Define Web Traffic Policy: Used to specify whether traffic not compliant to the HTTP RFC is allowed into the protected network through web ports
– Content Type: Used for policies associated with MIME types
– Msg Body Pattern: Used to define patterns the sensor should look for in an HTTP message
– Request Methods: Used to define policies associated with HTTP request methods
– Transfer Encodings: Used to define policies associated with transfer encoding methods
– Max Outstanding Requests Overrun: Used to have the sensor take an action when the Max HTTP Requests value is exceeded

AIC HTTP Parameter Example
Selected Engine: AIC HTTP
Content Type: image/gif

AIC HTTP Parameter Example (Cont.)
Signature Type: Content Types
Name
Content Type Details
Event Action
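An added illustration (not Cisco's AIC HTTP engine) of the policy checks the AIC HTTP slides list: RFC-compliant framing (Define Web Traffic Policy), Request Methods, URI length, Transfer Encodings, and a Content Type policy that denies image/gif as in the parameter example. The policy defaults and the sample messages are constructed assumptions.

```python
# Added illustration of AIC HTTP-style policy enforcement; not Cisco's engine.
# Policy defaults and sample messages are constructed.
from dataclasses import dataclass, field

@dataclass
class HttpPolicy:
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})
    max_uri_length: int = 256
    allowed_encodings: set = field(default_factory=lambda: {"chunked", "identity"})
    denied_content_types: set = field(default_factory=lambda: {"image/gif"})

def parse_message(raw):
    """Return (start line, headers, body); ValueError on non-RFC framing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or " " in name:
            raise ValueError("malformed header")
        headers[name.lower()] = value.strip()
    return lines[0], headers, body

def check_request(raw, policy):
    """Violations for a request; an empty list means the request is allowed."""
    try:
        start, headers, _ = parse_message(raw)
        method, uri, _version = start.split(" ")
    except ValueError as e:
        return [f"non-compliant: {e}"]              # Define Web Traffic Policy
    v = []
    if method not in policy.allowed_methods:
        v.append(f"method {method} not permitted")     # Request Methods
    if len(uri) > policy.max_uri_length:
        v.append("URI too long")                       # URI length
    te = headers.get("transfer-encoding", "identity").lower()
    if te not in policy.allowed_encodings:
        v.append(f"transfer encoding {te} not permitted")  # Transfer Encodings
    return v

def check_response(raw, policy):
    """Content Type policy on a response (the slide's example denies image/gif)."""
    _, headers, _ = parse_message(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return [f"content type {ctype} denied"] if ctype in policy.denied_content_types else []
```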

Summary

Summary
– A Signature Engine is a component of the sensor that supports a category of signatures.
– Each Signature Engine is designed for a specific type of traffic.
– Each engine has a set of parameters that helps define the behavior of the signatures controlled by the engine.
– Parameters can be modified so that signatures meet the needs of your network environment.
– Cisco IDS signatures can summarize alarms to reduce the number of single alarms generated.