© 2004, Cisco Systems, Inc. All rights reserved. CSIDS
Lesson 9: Signature Configuration

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Configure a signature's enable status, severity level, and action.
– Tune a signature to perform optimally based on a network's characteristics.
– Create a custom signature given an attack scenario.
Signature Configuration

Signature Configuration Tasks
Basic signature configuration includes the following:
– Enabling or disabling the signature
– Assigning the severity level
– Assigning the signature action

Accessing the Signature Configuration Page
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode.

All Signatures Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select All Signatures. (The slide shows the NSDB information for signature 1001.)

Basic Signature Configuration
Parameters shown on the slide: AlarmSeverity, EventAction, Enabled.

Signature Groups
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select the group to view (one slide each):
– Engines
– Attack
– L2/L3/L4 Protocol
– OS
– Service
Signature Tuning

Tuning Signatures
Complete the following tasks to tune a signature:
– Choose the signature to tune.
– Modify the signature parameter values.
– Save and apply the new signature parameter settings to the Sensor.

Tuning Scenario: FTP Login
A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts. By examining the FTP service signatures, the network security administrator discovers signature 6250, the Auth Failure FTP signature. After examining the parameters for signature 6250, the administrator decides to tune the signature to do the following:
– Trigger a high-severity alarm after two failed login attempts.
– Send an alarm event every time the attack is detected.
– Terminate the session.

Tuning Scenario: FTP Login (Cont.)
The administrator decides to modify the values of the following signature parameters to satisfy the current needs:
– AlarmSeverity: to trigger a high-severity alarm
– AlarmThrottle: to send an alarm event every time the attack is detected
– EventAction: to terminate the session when the signature fires
– MinHits: to trigger the alarm after two failed login attempts
The default values of the remaining parameters are accepted.
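The following is an added example, not Cisco code and not part of the original lesson: a simplified Python model of how the four tuned parameters (MinHits, AlarmThrottle, AlarmSeverity, EventAction) change what the Sensor emits for signature 6250. The FTP replies, the "default" values and the exact throttle semantics are constructed approximations for illustration; the 530 reply is the failed-login indicator the lesson itself cites.

```python
"""Simplified model of the tuning parameters from the FTP login scenario.
Added illustration, not Cisco IDS code; throttle semantics are approximated
and the FTP replies below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class TunedSignature:
    sig_id: int
    name: str
    alarm_severity: str = "medium"      # information | low | medium | high
    alarm_throttle: str = "Summarize"   # FireAll | FireOnce | Summarize (simplified)
    event_action: tuple = ("log",)      # log | reset | blockHost | blockConnection
    min_hits: int = 1                   # hits required before the alarm fires
    hits: int = 0
    alerts_sent: int = 0
    summarized: int = 0                 # fires folded into a summary (Summarize mode)

    def observe(self, reply: str) -> dict | None:
        """Feed one FTP server reply; return the alert event the Sensor would
        emit, or None. A '530' reply counts as one hit (a failed login)."""
        if not reply.startswith("530"):
            return None
        self.hits += 1
        if self.hits < self.min_hits:
            return None                 # not enough hits yet: stay silent
        # The signature is now firing; AlarmThrottle decides what leaves the Sensor.
        if self.alarm_throttle == "FireOnce" and self.alerts_sent:
            return None
        if self.alarm_throttle == "Summarize" and self.alerts_sent:
            self.summarized += 1        # folded into the interval summary
            return None
        self.alerts_sent += 1
        return {
            "sig_id": self.sig_id,
            "name": self.name,
            "severity": self.alarm_severity,
            "actions": list(self.event_action),   # 'reset' terminates the session
            "hit_count": self.hits,
        }

    def summary_event(self) -> dict | None:
        """Summary emitted at the end of a throttle interval in Summarize mode."""
        if self.alarm_throttle != "Summarize" or not self.summarized:
            return None
        n, self.summarized = self.summarized, 0
        return {"sig_id": self.sig_id, "summary": True, "suppressed_alerts": n}


# Constructed sample: one client fails three logins on the FTP server.
FTP_REPLIES = [
    "220 ftp.example.test ready",
    "331 Password required",
    "530 Login incorrect.",
    "331 Password required",
    "530 Login incorrect.",
    "331 Password required",
    "530 Login incorrect.",
]


def run(sig: TunedSignature, replies=FTP_REPLIES) -> list[dict]:
    """Return every event the Sensor would send for the reply stream."""
    events = [e for r in replies if (e := sig.observe(r))]
    if (s := sig.summary_event()):
        events.append(s)
    return events


def default_6250() -> TunedSignature:
    # Constructed "before" values, chosen only to contrast with the tuned version
    return TunedSignature(6250, "Auth Failure FTP", alarm_severity="medium",
                          alarm_throttle="Summarize", event_action=("log",), min_hits=1)


def tuned_6250() -> TunedSignature:
    # The four changes the administrator makes in the scenario
    return TunedSignature(6250, "Auth Failure FTP", alarm_severity="high",
                          alarm_throttle="FireAll", event_action=("log", "reset"),
                          min_hits=2)


if __name__ == "__main__":
    for label, sig in (("default", default_6250()), ("tuned", tuned_6250())):
        print(label, run(sig))
```

With the constructed defaults the first 530 produces one alert and the next two are folded into a summary; with the tuned values the first failure is silent (MinHits = 2), and the second and third each produce a high-severity alert carrying the reset action.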
Login Scenario Configuration
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select Service > FTP.

Login Scenario Configuration (Cont.)
Parameters shown on the slide: AlarmSeverity, EventAction, AlarmThrottle, MinHits.

Login Scenario Configuration (Cont.)
Auth Failure FTP signature.
Custom Signatures

Creating Custom Signatures
The Signature Wizard in IDM:
– Guides you through the process of creating custom signatures
– Enables you to create custom signatures without detailed knowledge of all the signature engines and their parameters
– Consists of six tasks:
  – Choosing the signature type
  – Identifying the signature
  – Setting the engine-specific parameters
  – Setting the alert response
  – Setting the alert behavior
  – Completing the custom signature

Start the Signature Wizard
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Wizard.

Wizard screens (one slide each):
– Select the Signature Type
– Configure the Signature Identification Parameters
– Configure Web Server Service Ports for Web Server Signatures
– Configure the Engine-Specific Parameters: Web Server Signatures (two slides)
– Configure the Engine-Specific Parameters: TCP Packet Signatures
– Configure the Engine-Specific Parameters: UDP Packet Signatures
– Configure the Engine-Specific Parameters: IP Packet Signatures
– Configure the Engine-Specific Parameters: Stream Signatures
– Configure the Alert Response Actions
– Fine-Tune the Alert Behavior
– Set the Alert Frequency
– Configure the Alert Dynamic Response
– Configure the Alert Summary Key
– Create the New Signature
– Acknowledge Configuration Completion
– Wizard Complete

Commit Changes
Activity: click the save changes icon.
Custom Signature Scenarios

IP Address and Packet Capture Scenario
A network security administrator wants to create a custom signature that meets the following requirements:
– The signature should trigger on and capture all SYN packets from the /24 network, but not SYN-ACK packets.
– The number of alarms sent to the eventStore should be limited.

IP Address and Packet Capture Scenario (Cont.)
The administrator determines that a custom TCP packet signature can meet this need because of the following:
– The SrcIpAddr and SrcIpMask parameters can be used to specify the IP address of interest.
– The TcpFlags and Mask parameters can be used to specify the flags of interest.
– The AlarmThrottle, ChokeThreshold, and ThrottleInterval parameters can be used to limit the number of alarms.
– The CapturePacket parameter can be set to true to instruct the Sensor to capture any packet that triggers an alarm.

Wizard screens for this scenario (one slide each):
– Select the Signature Type
– Configure the Signature Identification Parameters
– Configure the Engine-Specific Parameters
– Configure the Alert Response Actions
– Fine-Tune the Alert Behavior
– Set the Alert Frequency
– Configure the Alert Dynamic Response
FTP Login Scenario
A network security administrator wants to create a custom signature to detect login failures to an FTP server. The administrator knows the following about FTP and TCP:
– The FTP server sends the 530 user access denied error when an FTP login failure occurs.
– FTP uses TCP port 21.
– The FTP server uses the TCP PSH operation to force prompts and user input.
– The TCP ACK flag indicates an acknowledgment.

FTP Login Scenario (Cont.)
The network security administrator, using knowledge of TCP and FTP, determines that the signature can trigger based on the contents of a single packet:
– The SinglePacketRegex parameter can be set to have the signature look for the 530 error message in a packet.
– The TCPFlags and Mask parameters can be set to have the signature look for packets with the PSH and ACK flags set.

FTP Login Scenario wizard screens (one slide each):
– Select the Signature Type
– Configure the Signature Identification Parameters
– Configure the Engine-Specific Parameters
– Configure the Alert Response Actions
– Set the Alert Frequency

String Pattern Scenario
A network security administrator wants to create a signature that detects the word confidential in common electronic communication methods. The administrator knows the port numbers of the traffic to be inspected:
– FTP: 20 and 21
– Telnet: 23
– SMTP: 25
– HTTP: 80
– POP3: 110

String Pattern Scenario (Cont.)
The administrator decides to create a TCP stream signature because all the protocols to be examined are TCP-based and because of the following:
– The Regular Expression parameter can be used to specify the string pattern 'confidential'.
– The Service Ports parameter can be used to specify the range of ports.
– The Direction parameter can be used to instruct the Sensor to inspect traffic destined for the service ports specified.

String Pattern Scenario wizard screens (one slide each):
– Select the Signature Type
– Configure the Signature Identification Parameters
– Configure the Engine-Specific Parameters
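The following is an added example, not Cisco code and not part of the original lesson. It contrasts the two matching styles used by the FTP Login Scenario and the String Pattern Scenario above: a stream signature applies its Regular Expression to the reassembled stream for the Service Ports in the chosen Direction, so a word split across two segments is still found, while a SinglePacketRegex (optionally combined with TcpFlags/Mask) sees only one segment at a time. Reassembly is simplified to in-order concatenation, and every segment, address and signature number below is constructed.

```python
"""Stream regex versus single-packet regex. Added illustration, not Cisco code;
segments and addresses are constructed, reassembly is simplified (in-order only)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

PSH, ACK = 0x08, 0x10
SERVICE_PORTS = {20, 21, 23, 25, 80, 110}   # FTP, Telnet, SMTP, HTTP, POP3 (from the slide)


@dataclass
class Segment:                               # constructed TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes


def in_direction(seg: Segment, ports: set[int], direction: str) -> bool:
    """'ToService' = traffic destined for the service ports; 'FromService' = replies from them."""
    return seg.dport in ports if direction == "ToService" else seg.sport in ports


class StreamSignature:
    """Regular Expression over the reassembled payload of each stream (one alert per stream)."""
    def __init__(self, sig_id: int, regex: bytes, ports: set[int], direction: str = "ToService"):
        self.sig_id, self.regex = sig_id, re.compile(regex)
        self.ports, self.direction = ports, direction
        self.buffers: dict[tuple, bytes] = defaultdict(bytes)
        self.fired: set[tuple] = set()

    def inspect(self, seg: Segment) -> dict | None:
        if not in_direction(seg, self.ports, self.direction):
            return None
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        self.buffers[key] += seg.payload       # simplified in-order reassembly
        if key in self.fired:
            return None
        m = self.regex.search(self.buffers[key])
        if not m:
            return None
        self.fired.add(key)
        return {"sig_id": self.sig_id, "stream": key, "match": m.group(0)}


class SinglePacketSignature:
    """SinglePacketRegex plus TcpFlags/Mask, evaluated against each segment on its own."""
    def __init__(self, sig_id: int, regex: bytes, ports: set[int], direction: str,
                 tcp_flags: int = 0, mask: int = 0):
        self.sig_id, self.regex = sig_id, re.compile(regex)
        self.ports, self.direction = ports, direction
        self.tcp_flags, self.mask = tcp_flags, mask

    def inspect(self, seg: Segment) -> dict | None:
        if not in_direction(seg, self.ports, self.direction):
            return None
        if (seg.flags & self.mask) != self.tcp_flags:   # only masked bits are compared
            return None
        m = self.regex.search(seg.payload)
        return {"sig_id": self.sig_id, "src": seg.src, "match": m.group(0)} if m else None


SEGMENTS = [  # constructed traffic: an SMTP message and an FTP login attempt
    Segment("10.0.9.5", 40001, "192.0.2.25", 25, PSH | ACK, b"Subject: quarterly numbers\r\n"),
    Segment("10.0.9.5", 40001, "192.0.2.25", 25, PSH | ACK, b"This is confi"),       # word split
    Segment("10.0.9.5", 40001, "192.0.2.25", 25, PSH | ACK, b"dential, do not forward\r\n"),
    Segment("192.0.2.25", 25, "10.0.9.5", 40001, PSH | ACK, b"250 OK\r\n"),
    Segment("10.0.9.5", 40002, "192.0.2.21", 21, PSH | ACK, b"PASS guess\r\n"),
    Segment("192.0.2.21", 21, "10.0.9.5", 40002, PSH | ACK, b"530 Login incorrect.\r\n"),
]


def run(sig, segments=SEGMENTS) -> list[dict]:
    return [a for s in segments if (a := sig.inspect(s))]


def string_pattern_stream() -> StreamSignature:          # String Pattern Scenario
    return StreamSignature(60010, rb"confidential", SERVICE_PORTS, "ToService")


def string_pattern_single_packet() -> SinglePacketSignature:   # same pattern, per segment
    return SinglePacketSignature(60011, rb"confidential", SERVICE_PORTS, "ToService")


def ftp_530_single_packet() -> SinglePacketSignature:    # FTP Login Scenario
    return SinglePacketSignature(60012, rb"^530 ", {21}, "FromService",
                                 tcp_flags=PSH | ACK, mask=PSH | ACK)


if __name__ == "__main__":
    for sig in (string_pattern_stream(), string_pattern_single_packet(), ftp_530_single_packet()):
        print(sig.sig_id, run(sig))
```

The stream signature fires once on the SMTP stream even though "confi" and "dential" arrive in different segments; the same pattern evaluated per packet never fires. The 530 signature is a FromService check on port 21 with PSH and ACK in the Mask, which is what the FTP Login Scenario describes.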
File Access Scenario
A network security administrator wants to create a signature that fires when the file msbadfile.asp is accessed via an HTTP request. The administrator decides to create a custom web server signature because the UriRegex parameter can be used to examine the URI section of an HTTP request to see whether it matches the regular expression specified, which is msbadfile.asp in this scenario.

File Access Scenario wizard screens (one slide each):
– Select the Signature Type
– Configure the Signature Identification Parameters
– Configure the Engine-Specific Parameters (two slides)
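The following is an added example, not Cisco code and not part of the original lesson. It models what UriRegex inspects: only the URI of the HTTP request line, never the headers or body. Two practical points it makes visible: in regex syntax the dot in msbadfile.asp is a wildcard, so the escaped form msbadfile\.asp avoids matching unrelated names, and a percent-encoded URI must be decoded before the pattern is applied (the decode_uri option, the requests, the port list and the signature numbers are constructed assumptions).

```python
"""UriRegex applied to the request-line URI only. Added illustration, not Cisco
code; percent-decoding before matching is an assumed option and all requests
are constructed."""
from __future__ import annotations
import re
from urllib.parse import unquote


def request_uri(request: bytes) -> str | None:
    """Extract the URI from the request line; None if this is not an HTTP request."""
    line = request.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


class WebServerSignature:
    def __init__(self, sig_id: int, uri_regex: str, service_ports=(80,), decode_uri: bool = True):
        self.sig_id = sig_id
        self.uri_regex = re.compile(uri_regex)
        self.service_ports = set(service_ports)   # Web Server Service Ports
        self.decode_uri = decode_uri              # assumed: percent-decode before matching

    def inspect(self, dport: int, request: bytes) -> dict | None:
        if dport not in self.service_ports:
            return None
        uri = request_uri(request)
        if uri is None:
            return None                           # not an HTTP request line
        if self.decode_uri:
            uri = unquote(uri)
        m = self.uri_regex.search(uri)            # headers and body are never examined
        return {"sig_id": self.sig_id, "uri": uri, "match": m.group(0)} if m else None


REQUESTS = [  # constructed (destination port, raw request)
    (80, b"GET /scripts/msbadfile.asp HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (80, b"GET /scripts/msbadfile%2Easp HTTP/1.0\r\n\r\n"),                    # encoded dot
    (80, b"GET /scripts/msbadfileXasp HTTP/1.1\r\n\r\n"),                      # a different name
    (80, b"POST /upload HTTP/1.1\r\nContent-Length: 13\r\n\r\nmsbadfile.asp"),  # name only in body
    (80, b"USER msbadfile.asp\r\n"),                                            # not HTTP at all
]


def run(sig: WebServerSignature, requests=REQUESTS) -> list[str]:
    """Return the (decoded) URIs that fired the signature, in order."""
    return [a["uri"] for dport, req in requests if (a := sig.inspect(dport, req))]


def as_written() -> WebServerSignature:        # the scenario's pattern; '.' is a wildcard
    return WebServerSignature(60020, r"msbadfile.asp")


def escaped() -> WebServerSignature:           # dot escaped: only the real file name
    return WebServerSignature(60021, r"msbadfile\.asp")


def escaped_no_decoding() -> WebServerSignature:   # same pattern, URI left percent-encoded
    return WebServerSignature(60022, r"msbadfile\.asp", decode_uri=False)


if __name__ == "__main__":
    for sig in (as_written(), escaped(), escaped_no_decoding()):
        print(sig.sig_id, run(sig))
```

The unescaped pattern also fires on msbadfileXasp; the escaped pattern fires on the plain and the percent-encoded request; without decoding, the encoded request slips past. The body-only and non-HTTP inputs fire nothing in every configuration.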
Port-Specific Scenario
A network security administrator wants to create a custom signature to detect packets destined for port that have only the TCP flags FIN and URG set. The administrator determines that a custom TCP packet signature can meet this need because of the following:
– The DstPort parameter can be used to specify the destination port, which is port in this scenario.
– The Mask and TcpFlags parameters can be used to specify the TCP flags of interest.
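The following is an added example, not Cisco code and not part of the original lesson. It serves both TCP packet scenarios, the IP Address and Packet Capture Scenario above and this Port-Specific Scenario, with one matcher: SrcIpAddr/SrcIpMask, TcpFlags/Mask, DstPort and CapturePacket decide whether a packet fires, and ChokeThreshold/ThrottleInterval limit how many alarms reach the eventStore. The key idea is that only the bits set in Mask are compared, so SYN with ACK in the mask excludes SYN-ACK, and FIN|URG with every flag in the mask excludes anything carrying an extra flag. The packets, the network 10.0.9.0/24 and port 1234 are constructed stand-ins for values the slides leave out, and the throttle semantics are simplified.

```python
"""TCP packet signature matching with address mask, flag mask, port, capture and
choke-threshold throttling. Added illustration, not Cisco code; packets, the
10.0.9.0/24 network and port 1234 are constructed placeholders."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass
class Packet:                 # constructed minimal TCP packet
    src: str
    dst: str
    dport: int
    flags: int
    ts: float                 # seconds


@dataclass
class TcpPacketSignature:
    sig_id: int
    tcp_flags: int                                # bits that must be set among the masked bits
    mask: int                                     # which flag bits are compared at all
    src_net: ipaddress.IPv4Network | None = None  # SrcIpAddr + SrcIpMask
    dst_port: int | None = None                   # DstPort
    capture_packet: bool = False                  # CapturePacket
    choke_threshold: int = 0                      # 0 = never summarize (simplified)
    throttle_interval: float = 30.0               # seconds
    window_start: float = field(default=0.0, repr=False)
    window_alarms: int = field(default=0, repr=False)
    summarized: int = field(default=0, repr=False)

    def matches(self, p: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(p.src) not in self.src_net:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        # Only the bits set in Mask are examined; they must equal TcpFlags exactly.
        return (p.flags & self.mask) == self.tcp_flags

    def inspect(self, p: Packet) -> dict | None:
        """Return the alert the Sensor would send, or None (no match, or choked)."""
        if not self.matches(p):
            return None
        if p.ts - self.window_start >= self.throttle_interval:
            self.window_start, self.window_alarms = p.ts, 0   # new throttle interval
        self.window_alarms += 1
        if self.choke_threshold and self.window_alarms > self.choke_threshold:
            self.summarized += 1      # ChokeThreshold exceeded: fold into a summary
            return None
        alert = {"sig_id": self.sig_id, "src": p.src, "dport": p.dport, "flags": p.flags}
        if self.capture_packet:
            alert["captured"] = p     # the triggering packet travels with the alert
        return alert

    def summary_event(self) -> dict | None:
        if not self.summarized:
            return None
        n, self.summarized = self.summarized, 0
        return {"sig_id": self.sig_id, "summary": True, "suppressed_alerts": n}


def run(sig: TcpPacketSignature, packets: list[Packet]) -> list[dict]:
    events = [a for p in packets if (a := sig.inspect(p))]
    if (s := sig.summary_event()):
        events.append(s)
    return events


def syn_capture_signature() -> TcpPacketSignature:
    # SYN from the /24 but not SYN-ACK: Mask covers SYN and ACK, so a match needs
    # SYN set and ACK clear. Capture the packet; choke after two alarms per interval.
    return TcpPacketSignature(60001, tcp_flags=SYN, mask=SYN | ACK,
                              src_net=ipaddress.ip_network("10.0.9.0/24"),
                              capture_packet=True, choke_threshold=2)


def fin_urg_only_signature() -> TcpPacketSignature:
    # Only FIN and URG set, to one port: Mask covers every flag, so an extra ACK defeats it.
    return TcpPacketSignature(60002, tcp_flags=FIN | URG, mask=ALL_FLAGS, dst_port=1234)


PACKETS = [  # constructed traffic (timestamps in seconds)
    Packet("10.0.9.5", "192.0.2.10", 80, SYN, 100.0),            # SYN from inside the /24
    Packet("192.0.2.10", "10.0.9.5", 40000, SYN | ACK, 100.1),   # SYN-ACK, wrong source
    Packet("10.0.9.6", "192.0.2.10", 80, SYN | ACK, 100.2),      # SYN-ACK from inside the /24
    Packet("10.0.9.7", "192.0.2.10", 1234, FIN | URG, 100.3),    # FIN+URG only
    Packet("10.0.9.7", "192.0.2.10", 1234, FIN | URG | ACK, 100.4),
    Packet("10.0.9.8", "192.0.2.10", 22, SYN, 100.5),
    Packet("10.0.9.9", "192.0.2.10", 22, SYN, 100.6),            # third SYN alarm within 30 s
    Packet("10.0.9.9", "192.0.2.10", 22, SYN, 140.0),            # new throttle interval
]

if __name__ == "__main__":
    for sig in (syn_capture_signature(), fin_urg_only_signature()):
        for ev in run(sig, PACKETS):
            print(ev)
```

For the SYN signature the SYN-ACK packets never match, the third SYN inside one interval is choked and reported in a summary, and each alert carries the captured packet; the FIN/URG signature fires once and ignores the packet that also has ACK set.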
Summary

Summary
All signatures have the following basic configurable parameters:
– Enable: enables or disables the signature
– AlarmSeverity: assigns the severity level: information, low, medium, or high
– EventAction: assigns the action to take if the signature is triggered: log, reset, block host, or block connection
Cisco IDS signatures can be tuned to adjust to the company network security policy or network traffic pattern.
Custom signatures can be created to meet a unique security requirement.

Summary (Cont.)
Custom signatures can be created via the IDM Signature Wizard. Consider the following before creating a signature with the Signature Wizard:
– The network protocol
– The target address
– The target port
– The type of attack
– Whether payload inspection is required
– Whether the signature can be triggered on the contents of a single packet
Lab Exercise

Lab Visual Objective
(Network diagram; labels recovered from the slide: Student PC, Router P, Router Q, sensorP, sensorQ, RTS, Web, FTP, RBB.)