© 2001, Cisco Systems, Inc. CSIDS 2.012-1 Chapter 12 Cisco Secure Intrusion Detection System Architecture.

Transcript:

Chapter 12 Cisco Secure Intrusion Detection System Architecture

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Explain the CSIDS directory structure.
– Explain the communication infrastructure of CSIDS.
– Locate and identify CSIDS log files.
– Extract event records from the CSPM database to a text file.

Objectives (cont.)
– Start and stop the CSIDS software.
– Determine the communication status of the CSIDS components.
– Determine the versions of the CSIDS services.
– Determine the status of the CSIDS services.
– List the CSIDS services and their associated configuration files.
– Describe the CSIDS configuration tokens and their function.

CSIDS Software Architecture

Sensor Architecture
(Diagram; components shown: nr.packetd, nr.managed, nr.loggerd, nr.sapd, fileXferd, nr.postofficed, log file, network traffic, Director.)

CSPM Director Architecture
(Diagram; components shown: nr.postofficed, nr.smid, EDI, EVS, IDS Config GUI, cvtnrlog.exe, alarm database, policy database, log file, pager, Sensor, Sensor CA.)

CSIDS Communication and Commands

Message Types
– Command
– IP log
– Error
– Redirect
– Command log
– Heartbeat
– Alarm
(Diagram: command and control communications between CSIDS components use the PostOffice Protocol over UDP, shown crossing the Internet; network monitoring is shown separately.)

PostOffice Features
– Reliability: acknowledges every message sent
– Redundancy: can send alarms to up to 255 destinations
– Fault tolerance: up to 255 IP addresses to a single destination; when the primary address fails, switches to the secondary address
(Diagram: alarm sent, alarm received; primary communication down, switch to secondary IP address.)

PostOffice Host Addressing
– Numeric: Host ID, Org ID
– Alpha: Host Name, Org Name
– The combination of Host ID and Org ID must be unique
– Host, Org, and App ID are used together to route PostOffice traffic
(Diagram hosts: Host ID = 10, Host Name = director, Org ID = 200, Org Name = acme-noc; Host ID = 10, Host Name = director, Org ID = 100, Org Name = cisco; Host ID = 20, Host Name = sensor2, Org ID = 100, Org Name = cisco; Host ID = 30, Host Name = sensor3, Org ID = 100, Org Name = cisco. The two "director" hosts share Host ID 10 but belong to different Org IDs, so their addresses remain unique.)

Message Addressing
1. Host ID (receiving host)
2. Org ID (receiving host)
3. App ID (receiving service)

Message Addressing (cont.)
PostOffice Message fields: MessageType, EventLevel, RecordID, EventSigID, GlobalTime, EventSubSigID, LocalTime, ProtocolType, DateStr, SrcIpAddr, TimeStr, DstIpAddr, ApplID, SrcIpPort, HostID, DstIpPort, OrgID, SourceAddr, SrcDirection, EventMessage, DstDirection.
(Diagram labels: "Send alarm to Host ID = 4, Org ID = 100, App ID = (not shown)"; "Received from Host ID = 3, Org ID = 100, App ID = (not shown)"; a PostOffice Message Acknowledgement is returned: "Send ack to Host ID = 4, Org ID = 100, App ID = (not shown)"; "Received ack from Host ID = 3, Org ID = 100, App ID = (not shown)".)

CSIDS Commands
– nrstart
– nrstop
– nrconns
– nrstatus
– nrvers

CSIDS Directory Structure and Configuration Files

CSIDS Directory Structure
CSIDS install directory
– bin: executable files
– etc: configuration files
– var: log and error files

What Are the Configuration Files?
Configuration files are text files that contain configuration information for each of the CSIDS services.
The structure of a configuration file entry is as follows: [...]
For example: SigOfGeneral

Configuration Files

Intrusion Detection
– CSIDS service: nr.packetd
– Configuration file: packetd.conf

Packet Capture Device Token
Token: NameOfPacketDevice
Example: NameOfPacketDevice /dev/iprb0
Defines the CSIDS monitoring interface.

Internal Network Token
Token: RecordOfInternalAddress
Defines which networks CSIDS identifies as inside (IN) networks.

General Signature Token
Token: SigOfGeneral [...]
Defines CSIDS signature actions and severities for each destination.

TCP or UDP Connection Tokens
Tokens: SigOfTcpPacket [...], SigOfUdpPacket [...]
Defines CSIDS TCP or UDP connection sub-signature actions and severities. The sub-signature identification is the TCP or UDP port number.

String Signature Tokens
Token: RecordOfStringName
Example: RecordOfStringName [/]etc/[/]shadow
Defines CSIDS string signature settings.
Token: SigOfStringMatch
Defines CSIDS string sub-signature actions and severities.

ACL Signature Tokens
Token: RecordOfFilterName
Defines CSIDS ACL signature settings.
Token: SigOfFilterName [...]
Defines CSIDS ACL sub-signature actions and severities.

Monitoring Tokens
Token: RecordOfDataSource
Defines the CSIDS ACL Syslog source. The Sensor accepts Syslog messages from this source.

Signature Filtering Tokens
– RecordOfExcludedNetAddress: simple signature filtering token
– RecordOfExcludedPattern: advanced signature filtering token

Advanced Signature Filtering Examples
RecordOfExcludedPattern * * /16 *
RecordOfExcludedPattern * OUT IN
RecordOfExcludedPattern * * IN IN
RecordOfExcludedPattern * * * /24

Device Management
– CSIDS services: nr.managed, nr.packetd
– Configuration files: managed.conf, packetd.conf

Blocking Tokens
Token: NetDevice CiscoDefault
Example: NetDevice CiscoDefault cisco cisco
Defines the Cisco IOS router the CSIDS Sensor will manage.
Token: ShunInterfaceCisco
Example: ShunInterfaceCisco e0/1 in
Defines the Cisco IOS router and interface information.

Blocking Tokens (cont.)
Token: DupDestination <host>.<org>
Example: DupDestination sensor2.training
Defines the sensor that will be notified when a block occurs.
Token: NeverShunAddress
Defines the IP address that will always be permitted access to the network.

Blocking Tokens (cont.)
Token: MinutesOfAutoShun
Example: MinutesOfAutoShun 30
Defines the duration the ACL is applied to the Shun Interface. This token is in the packetd.conf file.

Director
– CSIDS service: nr.smid
– Configuration file: smid.conf

Alarm Forwarding
Token: DupDestination <host>.<org> [, ...]
Example: DupDestination director2.training smid 3 EVENTS
Defines settings for alarm forwarding.

Logging
– CSIDS service: nr.loggerd
– Configuration file: loggerd.conf

Logging Settings
Log files are stored in the var CSIDS directory. The var sub-directories are as follows:
– log: current CSIDS log files
– iplog: CSIDS IP session log files
– new: offline CSIDS log files

FTP Transfer
– CSIDS service: nr.sapd
– Configuration file: sapd.conf

FTP Transfer Tokens
Tokens: DBUser2, DBPass2, DBAux2
Examples: DBUser2 ftpuser; DBPass2 ftppass; DBAux2
Defines the username, password, and IP address of the target FTP server. Because configuration files are plain text, these credentials are stored in the clear, so access to sapd.conf should be restricted accordingly.

Communications
– CSIDS service: nr.postofficed
– Configuration files: postofficed.conf, organizations, hosts, routes, destinations, daemons, services, auths

Fault Management
Tokens: WatchDogInterval, WatchDogResponseTimeout, WatchDogNumProcessesRestart, WatchDogProcTimeOutAlarmLevel, WatchDogProcDeadAlarmLevel
Example:
WatchDogInterval 30
WatchDogResponseTimeout 240
WatchDogNumProcessesRestart 3
WatchDogProcTimeOutAlarmLevel 5
WatchDogProcDeadAlarmLevel 5
Defines settings for the CSIDS fault management capability.

CSIDS Organizations
5000 training
6000 consulting
Defines the list of CSIDS organizations.

CSIDS Hosts
localhost
sensor.training
director.training
Defines the list of CSIDS hosts.

CSIDS Routes
Format: <host>.<org> [...]
Examples:
sensor.training director.training
director.training director2.training
Defines the list of hosts the postofficed service will use to transport messages.

CSIDS Destinations
Format: <host>.<org> [...]
Examples:
1 sensor.training loggerd 1 ERRORS, COMMANDS, EVENTS, IPLOGS
2 director.training smid 2 EVENTS, ERRORS, COMMANDS
Defines a list of hosts and services where the CSIDS component will send messages.
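The PostOffice Host Addressing, PostOffice Features and CSIDS Destinations slides together describe how a message is addressed and delivered: the (Host ID, Org ID) pair must be unique, a destination names a host plus a receiving service and the message types it accepts, and a destination may have up to 255 IP addresses tried in turn. The following Python model is an added illustration, not Cisco code and not the on-disk format of the hosts or destinations files; the host table and destination list are constructed from the values shown on those slides.

```python
"""Model of CSIDS PostOffice addressing and destination routing.
Added illustration, not Cisco code: the structures below approximate what the
Host Addressing, PostOffice Features and Destinations slides describe; the real
on-disk formats of the hosts and destinations files are not reproduced.
"""

# Constructed host table taken from the "PostOffice Host Addressing" slide.
HOSTS = [
    {"host_id": 10, "org_id": 200, "host": "director", "org": "acme-noc"},
    {"host_id": 10, "org_id": 100, "host": "director", "org": "cisco"},
    {"host_id": 20, "org_id": 100, "host": "sensor2", "org": "cisco"},
    {"host_id": 30, "org_id": 100, "host": "sensor3", "org": "cisco"},
]


def check_unique_addresses(hosts):
    """The (Host ID, Org ID) pair must be unique; Host ID alone may repeat
    across organizations, as the two 'director' entries above show."""
    seen = set()
    for h in hosts:
        key = (h["host_id"], h["org_id"])
        if key in seen:
            raise ValueError(f"duplicate PostOffice address {key}")
        seen.add(key)
    return True


# Constructed destination list modelled on the "CSIDS Destinations" slide: each
# entry names a receiving host, the receiving service (App) and the message
# types that destination accepts.
DESTINATIONS = [
    {"host": "sensor.training", "service": "loggerd",
     "types": {"ERRORS", "COMMANDS", "EVENTS", "IPLOGS"}},
    {"host": "director.training", "service": "smid",
     "types": {"EVENTS", "ERRORS", "COMMANDS"}},
]


def route(msg_type, destinations=DESTINATIONS):
    """Return the (host, service) pairs that receive a message of msg_type."""
    return [(d["host"], d["service"]) for d in destinations if msg_type in d["types"]]


def deliver(addresses, reachable, max_addresses=255):
    """Fault tolerance: a destination may list up to 255 IP addresses; try them
    in order and return the first one that accepts the message, else None."""
    for addr in addresses[:max_addresses]:
        if reachable(addr):
            return addr
    return None
```

In this model an IPLOGS message reaches only the loggerd destination, while EVENTS goes to both loggerd and smid, mirroring the message-type lists on the Destinations slide.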

CSIDS Authorized Hosts
Format: <host>.<org> [...]
Examples:
sensor.training GET,GETBULK,SET,UNSET,EXEC
director.training GET,GETBULK,SET,UNSET,EXEC
Defines the list of hosts that are authorized to remotely or locally configure or query the Sensor.

CSIDS Services
nr.postofficed, nr.managed, nr.eventd, nr.loggerd, nr.packetd
CSIDS services to be started when CSIDS is launched.

CSIDS Applications
postofficed, managed, eventd, loggerd, smid, sapd, packetd, fileXferd
Defines CSIDS application identification and associated service names.

Summary

Summary
The CSIDS directory structure consists of the following main directories:
– Install directory
– bin
– etc
– var
CSIDS communication occurs through the PostOffice protocol.
Tokens to configure CSIDS exist in configuration files.

Summary (cont.)
The CSIDS services are as follows:
– postofficed
– packetd
– loggerd
– managed
– eventd
– sapd
– fileXferd
– smid

Summary (cont.)
– The utility cvtnrlog.exe extracts event records from the CSPM database as a CSV file.
– The commands to start or stop the CSIDS software are nrstart and nrstop.
– The command to determine the status of CSIDS services is nrstatus.
– The command to determine the communication status of CSIDS components is nrconns.
– The command to determine the versions of the CSIDS services is nrvers.