© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.110-1 Lesson 10 Sensor Tuning.

Transcript:

Lesson 10 Sensor Tuning

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Explain the evasive techniques used by hackers and how Cisco IDS defeats those techniques.
– Define Sensor tuning.
– Describe Sensor tuning methods.
– Explain automatic and manual IP logging.
– Explain IP fragment and TCP stream reassembly options.
– Define and configure system variables.
– Define and configure signature filters.

Intrusion Detection Evasive Techniques

Evasive Techniques
Attackers attempt to elude intrusion detection by using evasive techniques. Common intrusion detection evasive techniques are:
– Flooding
– Fragmentation
– Encryption
– Obfuscation

Flooding
Saturating the network with noise traffic while also trying to launch an attack against the target is referred to as flooding.

Fragmentation
Splitting malicious packets into smaller packets to avoid detection is known as fragmentation.

Encryption
Launching an attack via an encrypted session can avoid network-based intrusion detection. This type of evasive technique assumes the attacker has already established a secure session with the target network or host.
(Figure: SSL session)

Obfuscation
Disguising an attack using special characters to conceal it from an IDS is commonly referred to as obfuscation. The following are forms of obfuscation:
– Control characters
– Hex representation
– Unicode representation
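The Obfuscation slide lists control characters, hex and Unicode representation as ways to hide a string from a signature. The following example is added here and is not code from the Cisco lesson or the Cisco IDS product: it shows why a sensor must normalize a request URI before matching, by running a plain-text signature against the same URI in each encoded form, once without and once with normalization. The signature string, the sample URIs and the normalization steps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed example signature: a plain-text pattern the sensor looks for in an HTTP request URI.
SIGNATURE = "../"

U_ENCODED = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize_uri(uri: str) -> str:
    """Undo the obfuscation layers named on the slide before signature matching:
    %uXXXX Unicode escapes, %XX hex escapes (including double encoding),
    embedded control characters, and backslash path separators."""
    # Unicode representation: %u002e -> '.'
    text = U_ENCODED.sub(lambda m: chr(int(m.group(1), 16)), uri)
    # Hex representation: %2e -> '.'; a second pass catches %252e -> %2e -> '.'
    for _ in range(2):
        text = unquote(text)
    # Control characters: drop bytes that a naive matcher would treat as part of the string
    text = "".join(ch for ch in text if ord(ch) >= 0x20 and ord(ch) != 0x7F)
    # Canonical path separator
    return text.replace("\\", "/")


def matches(uri: str, pattern: str = SIGNATURE, normalize: bool = True) -> bool:
    """Return True when the signature pattern is present in the URI,
    optionally after normalization."""
    text = normalize_uri(uri) if normalize else uri
    return pattern in text


# Constructed sample URIs, one per obfuscation form on the slide plus a plain baseline.
SAMPLES = {
    "plain":     "/docs/../../etc/config",
    "hex":       "/docs/%2e%2e/%2e%2e/etc/config",
    "double":    "/docs/%252e%252e/etc/config",
    "unicode":   "/docs/%u002e%u002e/etc/config",
    "control":   "/docs/.\x00./etc/config",
    "backslash": "/docs/..\\..\\etc\\config",
}


def detection_report(samples=SAMPLES, pattern=SIGNATURE):
    """For each sample, report (matched without normalization, matched with normalization)."""
    return {name: (matches(u, pattern, normalize=False), matches(u, pattern))
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, (raw, normalized) in detection_report().items():
        print(f"{name:10s} raw={raw!s:5s} normalized={normalized}")
```

Only the plain form is caught by a raw substring match; every obfuscated form is caught after normalization. A production sensor applies the same idea per protocol (HTTP, RPC, SMB) rather than with one generic decoder.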

Tuning the Sensor

Sensor Tuning
Tuning is the process of configuring your IDS so that it provides the desired level of information to efficiently monitor and protect your network.

Sensor Tuning (Cont.)
To tune your Sensors successfully, you must have knowledge of the network and the individual devices being protected. This knowledge enables you to recognize normal versus abnormal network activity.

Tuning Considerations
Important information to gather before you begin tuning includes:
– The network topology
– The network address space under observation
– Which of the inside addresses are statically assigned to servers and which are DHCP addresses
– The operating system running on each server
– Applications running on the servers
– The security policy

Sensor Location
The location of the Sensor is important to tuning for the following reasons:
– The nature of the traffic that a Sensor monitors varies.
– The security policy with which the Sensor interacts varies.

Phases of Tuning
The phases of tuning correspond to the length of time the IDS has been running at the current location. The following are the phases:
– Deployment phase
– Tuning phase
– Maintenance phase

Methods of Tuning
Some tuning methods involve configuring the Sensor, while others involve configuring your monitoring application. The following points show tuning methods and where they are performed:
On the Sensor
– Enabling and disabling signatures
– Changing alarm severity up or down
– Changing the parameters of signatures
– Creating alarm filters
On the monitoring application
– Specifying by severity level the alarms you want to view

Global Sensor Tuning
This topic provides guidelines for maximizing the efficiency of your IDS via settings for the following:
– Individual signatures
– Monitoring applications
Other topics in this lesson provide guidelines for the following settings, which apply to the Sensor globally and ensure that valuable system resources are not wasted:
– IP logging
– IP fragment reassembly
– TCP stream reassembly

Logging

Event Logging
The Sensor logs all events locally by default. There are several types of events:
– Application errors
– Intrusion detection alerts
– Status changes, such as the creation of an IP log
– Shun requests
– Records of control transactions processed by the Sensor's applications

IP Logging
The Sensor IP logging feature can be configured to capture packets using one of the following methods:
– Log packets automatically when IP log is a signature response.
– Log packets containing an IP address you specify manually.
The IP log file is in libpcap format.

Automatic IP Logging: Global Setting
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > IP Log.

Automatic IP Logging: Signature Setting
Choose Configuration > Sensing Engine > Signature Configuration Mode and locate the signature for which you want to configure IP logging.

Manual IP Logging
Choose Administration > IP Logging.

Manual IP Logging (Cont.)
Choose Administration > IP Logging and select Add.

Viewing IP Logs
Choose Monitoring > IP Logs and select the Log ID.
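The IP Logging slide states that a manual IP log keeps every packet to or from an address you specify and that the log file is in libpcap format. The example below is added here and is not Cisco code: it implements that rule in memory, writes the kept packets as a libpcap file, and reads the file back so the result can be checked with ordinary pcap tooling. The packets, addresses and timestamps are constructed test data; the pcap header layout and the raw-IP link type value come from the pcap file format, not from the lesson.

```python
import io
import ipaddress
import struct

# libpcap constants (from the pcap file format, not from the Cisco lesson)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101          # each record starts directly with the IP header
GLOBAL_HEADER = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len


def pcap_global_header(linktype: int = LINKTYPE_RAW, snaplen: int = 65535) -> bytes:
    return struct.pack(GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec: int, ts_usec: int, packet: bytes) -> bytes:
    return struct.pack(RECORD_HEADER, ts_sec, ts_usec, len(packet), len(packet)) + packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header; a correct header yields 0."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal, checksum-correct IPv4 packet (constructed test traffic)."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def ip_addresses(packet: bytes) -> tuple:
    """Source and destination address of a raw IPv4 packet."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


class ManualIPLog:
    """Keeps every packet sent to or from one address, as a manual IP log does,
    and serialises the result as a libpcap file held in memory."""

    def __init__(self, address: str):
        self.address = address
        self.count = 0
        self._buf = io.BytesIO()
        self._buf.write(pcap_global_header())

    def offer(self, ts_sec: int, ts_usec: int, packet: bytes) -> bool:
        src, dst = ip_addresses(packet)
        if self.address not in (src, dst):
            return False
        self._buf.write(pcap_record(ts_sec, ts_usec, packet))
        self.count += 1
        return True

    def getvalue(self) -> bytes:
        return self._buf.getvalue()


def read_pcap(data: bytes):
    """Parse a libpcap byte string into (linktype, [(ts_sec, ts_usec, packet), ...])."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack_from(GLOBAL_HEADER, data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a libpcap file written by this module")
    offset, records = struct.calcsize(GLOBAL_HEADER), []
    while offset < len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(RECORD_HEADER, data, offset)
        offset += struct.calcsize(RECORD_HEADER)
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def build_sample_log(logged_address: str = "10.0.1.5") -> ManualIPLog:
    """Feed three constructed packets through a log for one address; two involve it."""
    log = ManualIPLog(logged_address)
    traffic = [
        (1_700_000_000, 0,      ipv4_packet("10.0.1.5", "10.0.2.1", b"hello")),
        (1_700_000_000, 500,    ipv4_packet("10.0.3.3", "10.0.3.4", b"unrelated")),
        (1_700_000_001, 250000, ipv4_packet("10.0.2.1", "10.0.1.5", b"reply")),
    ]
    for ts_sec, ts_usec, pkt in traffic:
        log.offer(ts_sec, ts_usec, pkt)
    return log
```

Writing `build_sample_log().getvalue()` to a file with a `.pcap` suffix gives a capture that standard analysers open directly; keeping the raw, unaltered packets is what makes the log usable as forensic evidence, as the Summary slide notes.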

Reassembly Options

Reassembly Overview
You can configure Sensor reassembly settings for both of the following:
– IP fragments
– TCP streams
Reassembly settings affect the Sensor's overall sensing function but are not necessarily specific to a particular signature or set of signatures. Reassembly settings ensure that valuable system resources are not wasted.

IP Fragment Reassembly Options
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > IP Fragment Reassembly.

TCP Stream Reassembly Options
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > TCP Stream Reassembly.
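The Fragmentation slide describes splitting a packet so that no single piece contains the signature, and the Reassembly Overview explains that reassembly settings are global and exist to keep resources from being wasted. The example below, added here and not taken from the Cisco lesson or product, ties the two together: a small IPv4 fragment reassembler with a timeout and a per-datagram fragment cap, and a comparison of signature matching per fragment versus on the reassembled datagram. The request text, addresses, signature string and the first-wins overlap policy are constructed for the example; the real Sensor's reassembly parameters and overlap handling are not described on this page.

```python
import time

MAX_DATAGRAM = 65535  # largest IPv4 datagram; fragments reaching past it are discarded


class FragmentReassembler:
    """Rebuilds IPv4 datagrams from fragments keyed by (src, dst, id).

    Overlapping data is resolved first-wins, incomplete datagrams are dropped
    after `timeout` seconds, and a datagram arriving in more than `max_fragments`
    pieces is dropped, so a flood of incomplete datagrams cannot pin memory."""

    def __init__(self, timeout: float = 30.0, max_fragments: int = 64):
        self.timeout = timeout
        self.max_fragments = max_fragments
        self.pending = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, st in self.pending.items() if now - st["first"] > self.timeout]
        for key in stale:
            del self.pending[key]

    def add(self, src, dst, ident, offset, more, payload, now=None):
        """Feed one fragment; return the whole datagram once every byte is present, else None.
        `offset` is in bytes (the IP header's fragment offset field times 8)."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            return None
        key = (src, dst, ident)
        st = self.pending.setdefault(key, {"buf": bytearray(), "have": bytearray(),
                                           "total": None, "count": 0, "first": now})
        st["count"] += 1
        if st["count"] > self.max_fragments:
            del self.pending[key]
            return None
        if end > len(st["buf"]):
            st["buf"].extend(bytes(end - len(st["buf"])))
            st["have"].extend(bytes(end - len(st["have"])))
        for i, byte in enumerate(payload):
            pos = offset + i
            if not st["have"][pos]:          # first-wins: never overwrite data already seen
                st["buf"][pos] = byte
                st["have"][pos] = 1
        if not more:
            st["total"] = end                # the fragment without MF set fixes the total length
        total = st["total"]
        if total is not None and all(st["have"][:total]):
            del self.pending[key]
            return bytes(st["buf"][:total])
        return None


# Constructed example: a signature string carried by one HTTP request, split at a
# multiple of 8 so that neither fragment contains the whole pattern.
SIGNATURE = b"EVIL-PATTERN"
SAMPLE_REQUEST = b"GET /x?q=EVIL-PATTERN HTTP/1.0\r\n"
SAMPLE_FRAGMENTS = [  # delivered last fragment first, which a reassembler must tolerate
    dict(src="10.0.2.9", dst="10.0.1.80", ident=7, offset=16, more=False, payload=SAMPLE_REQUEST[16:]),
    dict(src="10.0.2.9", dst="10.0.1.80", ident=7, offset=0, more=True, payload=SAMPLE_REQUEST[:16]),
]


def scan_fragments_only(fragments, pattern=SIGNATURE) -> int:
    """Alerts raised when each fragment is inspected on its own."""
    return sum(1 for f in fragments if pattern in f["payload"])


def scan_with_reassembly(fragments, pattern=SIGNATURE, reassembler=None) -> int:
    """Alerts raised when inspection runs on the reassembled datagram."""
    reassembler = reassembler or FragmentReassembler()
    hits = 0
    for f in fragments:
        datagram = reassembler.add(**f)
        if datagram is not None and pattern in datagram:
            hits += 1
    return hits
```

Per-fragment inspection raises no alert for the sample; inspection after reassembly raises one. The timeout and fragment cap are the resource controls the Reassembly Overview alludes to: without them, every half-delivered datagram stays in memory forever.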

Alarm Channel System Variables

System Variables Overview
System variables enable you to use the same value within multiple signature filters.

Alarm Channel System Variables
Choose Configuration > Sensing Engine > Alarm Channel Configuration > System Variables.

Alarm Channel System Variables (Cont.)
Choose Configuration > Sensing Engine > Alarm Channel Configuration > System Variables and select Edit.

Alarm Channel Event Filtering

Filtering Overview
Alarm channel event filtering enables you to do the following:
– Reduce the number of false positives.
– Limit the number of security events reported.

Filtering Overview (Cont.)
An alarm channel event filter is defined by specifying the following:
– Signature
– Source address
– Destination address
– Whether the filter constitutes an exception to another filter

Filtering Process
The Sensor sensing engine performs the following filtering process:
– The Sensor detects the attack against the protected network.
– The Sensor sensing engine determines whether a signature filter exists.
– The Sensor checks the filter parameters and compares them against the network traffic.
– If the traffic does not match the filter, the Sensor generates an alert.
– If the traffic matches the filter, the Sensor does not generate an alert.
– If the traffic matches the filter and the filter is an exception, the Sensor generates an alert.

Configuring Alarm Channel Event Filters
Choose Configuration > Sensing Engine > Alarm Channel Configuration > Event Filters.

Alarm Channel Event Filter: Add
Choose Configuration > Sensing Engine > Alarm Channel Configuration > Event Filters and select Add.

Filter Exceptions
As you configure filter exceptions, keep the following in mind:
– If you want to define an exception to a filter, you must create two filters and define one filter as an exception to the other.
– If you define two filters and one constitutes an exception to the other, the exception filter takes precedence.

Alarm Channel Event Filters Versus Alarm on IP Address
Alarm channel filtering compares to the Sensor alarm on IP address feature as follows:
– Both provide the ability to limit alarms to specific IP addresses.
– Alarm channel filtering performs post-filtering, so the alarm is dropped only after the signature has fired and the alarm has been generated. This processing has an impact on performance.
– Alarm on IP address performs pre-filtering, so the signature fires only if the address in the traffic matches the address specified in the signature. Therefore, there is little impact on performance.
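The System Variables Overview, the Filtering Process and the Filter Exceptions slides together define how an alarm channel event filter is evaluated: a filter names a signature, a source and a destination, a matching filter suppresses the alarm, and a matching exception filter takes precedence and lets the alarm through. The example below is added here and is not Cisco code; it implements that decision in Python, with $-prefixed system variables resolved at match time so that editing one variable changes every filter that references it. The variable names, the signature IDs, the addresses and the filter set are all constructed for the example and do not correspond to the Sensor's built-in variables or signature numbers.

```python
import ipaddress

# Constructed system variables; the names are assumptions, not the Sensor's built-in ones.
SYSTEM_VARIABLES = {
    "IN": "10.0.1.0/24",
    "OUT": "0.0.0.0/0",
    "SCANNERS": "10.0.1.5,10.0.1.6",
}


def set_variable(name: str, value: str) -> None:
    """Change a variable once; every filter that references it picks up the new value."""
    SYSTEM_VARIABLES[name] = value


def resolve(spec: str):
    """Turn a filter address field ($VARIABLE or a comma list of addresses/CIDRs) into networks."""
    if spec.startswith("$"):
        spec = SYSTEM_VARIABLES[spec[1:]]
    return [ipaddress.ip_network(part.strip(), strict=False) for part in spec.split(",")]


class EventFilter:
    """One alarm channel event filter: signature, source, destination, and exception flag."""

    def __init__(self, sig_id, source: str, destination: str, exception: bool = False):
        self.sig_id = sig_id          # an integer ID or "*" for any signature
        self.source = source          # kept unresolved so variable edits apply at match time
        self.destination = destination
        self.exception = exception

    def matches(self, sig_id, src, dst) -> bool:
        if self.sig_id != "*" and self.sig_id != sig_id:
            return False
        return (any(src in net for net in resolve(self.source))
                and any(dst in net for net in resolve(self.destination)))


def alarm_generated(filters, sig_id, src: str, dst: str) -> bool:
    """The filtering process from the slide, applied after the signature has fired:
    no matching filter -> alert; a matching filter -> suppressed;
    a matching exception filter takes precedence -> alert."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matched = [f for f in filters if f.matches(sig_id, src_ip, dst_ip)]
    if not matched:
        return True
    return any(f.exception for f in matched)


# Constructed filter set: suppress signature 1001 (an example ID) from the scanner hosts
# into the inside network, except when the target is the management host 10.0.1.80.
FILTERS = [
    EventFilter(1001, "$SCANNERS", "$IN"),
    EventFilter(1001, "$SCANNERS", "10.0.1.80", exception=True),
]


def evaluate_sample_events(filters=FILTERS):
    """Run a few constructed events through the filters; returns {label: alarm generated?}."""
    events = {
        "scanner_to_inside":  (1001, "10.0.1.5", "10.0.1.50"),
        "scanner_to_mgmt":    (1001, "10.0.1.5", "10.0.1.80"),
        "outsider_to_inside": (1001, "10.0.2.9", "10.0.1.50"),
        "scanner_other_sig":  (2002, "10.0.1.5", "10.0.1.50"),
    }
    return {label: alarm_generated(filters, *ev) for label, ev in events.items()}
```

Because `alarm_generated` runs only after detection, every suppressed event still costs the full signature match, which is the post-filtering overhead the Versus Alarm on IP Address slide contrasts with pre-filtering in the signature itself.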

Summary

Summary
Cisco IDS signatures use anti-evasive mechanisms to defeat IP fragmentation and obfuscation. To enable your IDS to serve you most efficiently, configure the following on your Sensor according to the needs of your particular network:
– Signature parameters
– IP logging
– Reassembly options
– Alarm channel event filters
You should also configure your monitoring application for optimal functionality in your particular network. IP fragment reassembly options and TCP stream reassembly options apply to Sensors globally and enable you to conserve valuable system resources. Alarm channel system variables facilitate the use and modification of values in alarm channel event filters.

Summary (Cont.)
Event logging is the logging of application errors, alerts, status changes, blocking requests, and records of control transactions in the Sensor EventStore. IP logging is capturing raw, unaltered IP packets that can be used for confirmation, damage assessment, and forensic evidence. You can configure a Sensor to automatically generate an IP log when it detects an attack by specifying it when you configure a signature. You can also configure the Sensor to log all IP traffic going to and from a specified address whether there is an attack or not. Alarm channel event filtering enables you to reduce the number of false positives and the number of security events reported. Alarm channel event filtering causes the Sensor to analyze the data stream but not generate an alarm. An alarm channel event filter is defined by specifying a signature, a source address, a destination address, and whether this filter constitutes an exception to another filter.

Lab Exercise

Lab Visual Objective
(Figure: lab topology showing sensorP and sensorQ, the Student PCs, Routers P and Q, and the RTS, Web, FTP and RBB hosts)