© 2004, Cisco Systems, Inc. All rights reserved. CSIDS 4.18-1 Lesson 8 Cisco Intrusion Detection System Alarms and Signatures.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Explain the Cisco IDS signature features.
– Explain the master Cisco IDS signature parameters.
– Explain the signature engine-specific parameters.

Cisco IDS Signatures

Signature Characteristics

A Cisco IDS signature is a set of rules that your Sensor uses to detect typical intrusive activity. The Sensor supports the following types of signatures:
– Built-in signatures: Known attack signatures that are included in the Sensor software
– Tuned signatures: Built-in signatures that you modify
– Custom signatures: New signatures that you create

Signature Features

– Regular expression string pattern matching
– Response actions
– Alarm summarization
– Threshold configuration
– Anti-evasive techniques

Regular Expressions Syntax

Regular expressions syntax is characterized by the following:
– Enables you to configure your Sensor to detect textual patterns in the traffic it analyzes
– Allows you to describe simple as well as complex textual patterns
– Consists of special characters such as the following:
  – ()
  – |
  – [abc]

Examples of Regex Patterns

To Match               Regular Expression
Hacker or hacker       [Hh]acker
Either hot or cold     hot|cold

Signature Responses

Cisco IDS signatures can take one or all of the following actions when triggered:
– Terminate the TCP session between the source of an attack and the target host
– Log subsequent IP packets from the source of an attack
– Initiate the blocking of IP traffic from the source of an attack

Cisco IDS Alarms

Alarm Overview

The following information is an overview of alarms:
– The Cisco IDS Sensor generates an alarm when a signature is triggered.
– The alarm event is stored on the Sensor and can be pulled to a host running IEV or the CiscoWorks Monitoring Center for Security.
– The alarm severity level is determined by the level assigned to the Cisco IDS signature.

Alarm Overview (Cont.)

Cisco IDS signatures have defined severity levels:
– Informational
– Low
– Medium
– High

Cisco IDS Signature Engines

Engine Overview

A signature engine is a component of the Sensor that supports a category of signatures. Cisco IDS signature engines enable you to tune and create signatures unique to your network environment.

Engine Usage

Engine Category   Usage
Atomic            Used for single-packet conditions
Flood             Used to detect attempts to cause a DoS
Service           Used when services with Layer 5, 6, and 7 require protocol analysis
State.String      Used for state-based and regular expression-based pattern inspection and alarming functionality for TCP streams
String            Used for regular expression-based pattern inspection and alarm functionality for multiple transport protocols
Sweep             Used to detect network reconnaissance
Traffic           Used to detect traffic irregularities
Trojan            Used to target nonstandard protocols
OTHER             Used to group generic signatures

Engine Parameters

An engine parameter is a name and value pair. The parameter name is defined by its engine. Parameter values have limits that are defined by the engine. The parameter name is constant across all signatures in a particular engine, but the value can be different for the various signatures in an engine group. Engine parameters have the following attributes:
– Protected: The parameter cannot be changed for the default signatures.
– Required: The parameter value must be defined for all signatures.

Master and Local Parameters

Cisco IDS signature engines have master and local parameters. The most common parameters are the master parameters. The master signature engine parameters exist in each engine. Local signature engine parameters are engine specific.

Packet Capture in Perspective

Context Data
– Describes: PAST, the TCP stream data leading up to the trigger
– Reported in: evAlert
– Activated by: Always on for TCP stream signatures
– Contains: Portion of Layer 5 data

Packet Capture
– Describes: PRESENT, the packet that triggered the alarm
– Reported in: evAlert
– Activated by: Signature configuration (CapturePacket)
– Contains: Entire frame

IP Logging
– Describes: FUTURE, the packets that came after the trigger
– Reported in: IP logs
– Activated by: IP address or signature configuration (EventAction=log)
– Contains: Entire frame

StorageKey and SummaryKey Parameters

The StorageKey and SummaryKey parameters are similar; however, they differ as follows:
– The StorageKey parameter is for pre-alarm counters.
– The SummaryKey parameter is for post-alarm counters.

StorageKey and SummaryKey Terminology

A = source address
a = source port
B = destination address
b = destination port
x = does not matter

AxBx = The source and destination addresses matter, but the source and destination ports do not.

The AlarmThrottle Parameter and Alarm Summarization

You can use the value of the master parameter AlarmThrottle to control the number of alarms generated by a specific signature. The AlarmThrottle parameter can be one of the following values:
– FireOnce
– FireAll
– Summarize
– GlobalSummarize

The ChokeThreshold Parameter and Automatic Alarm Summarization

[Diagram: AlarmThrottle mode changes within one ThrottleInterval: FireAll, then Summarize at ChokeThreshold, then GlobalSummarize at 2*ChokeThreshold]

Automatic alarm summarization enables a signature to change alarm modes automatically based on the number of alarms detected within the ThrottleInterval parameter.
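A small model of how the AlarmThrottle, ChokeThreshold and ThrottleInterval master parameters interact with the SummaryKey notation (A, a, B, b, x) from the preceding slides. This is an added illustration written for this page, not code from the lesson or from Cisco; the window behaviour, the exact switch points and the "restart after each interval" rule are assumptions.

```python
"""Model of AlarmThrottle, ChokeThreshold and SummaryKey alarm handling (constructed example)."""
from collections import Counter

# Constructed alarm events for one signature: (time_s, src_ip, src_port, dst_ip, dst_port).
# One source hits two web servers alternately, once a second, for 12 seconds.
EVENTS = [
    (t, "10.1.1.5", 40000 + t, "192.0.2.10" if t % 2 else "192.0.2.11", 80)
    for t in range(12)
]


def summary_key(event, key_spec):
    """Reduce an event to the fields a SummaryKey such as 'AxBx' keeps.

    Lesson notation: A = source address, a = source port, B = destination
    address, b = destination port, x = does not matter (rendered as '*').
    """
    fields = dict(zip("AaBb", event[1:]))
    return tuple(fields.get(c, "*") for c in key_spec)


def _flush(out, mode, per_key, t_end):
    """At the end of a ThrottleInterval, report what was aggregated."""
    if mode == "Summarize":
        for key, count in sorted(per_key.items()):
            out.append(("summary", t_end, key, count))
    elif mode == "GlobalSummarize":
        out.append(("global-summary", t_end, sum(per_key.values())))


def throttle(events, alarm_throttle, choke_threshold, throttle_interval, key_spec):
    """Return the alarms a signature emits under the given master parameters.

    Output tuples: ("alarm", t, key), ("summary", t_end, key, count) or
    ("global-summary", t_end, count).  Modelling assumptions: a window opens at
    the first alarm after the previous one closed and lasts throttle_interval
    seconds; the automatic switch to Summarize (above ChokeThreshold) and to
    GlobalSummarize (above 2*ChokeThreshold) applies only to FireAll.
    """
    out, window_end = [], None
    mode, n, per_key, seen = alarm_throttle, 0, Counter(), set()
    for event in sorted(events):
        t = event[0]
        if window_end is None or t >= window_end:
            if window_end is not None:
                _flush(out, mode, per_key, window_end)
            window_end = t + throttle_interval
            mode, n, per_key, seen = alarm_throttle, 0, Counter(), set()
        n += 1
        key = summary_key(event, key_spec)
        if alarm_throttle == "FireAll" and choke_threshold:
            if n > 2 * choke_threshold:
                mode = "GlobalSummarize"
            elif n > choke_threshold:
                mode = "Summarize"
        if mode == "FireAll":
            out.append(("alarm", t, key))
        elif mode == "FireOnce":
            if key not in seen:            # one alarm per key per interval
                seen.add(key)
                out.append(("alarm", t, key))
        else:                              # Summarize / GlobalSummarize
            per_key[key] += 1
    if window_end is not None:
        _flush(out, mode, per_key, window_end)
    return out


if __name__ == "__main__":
    for record in throttle(EVENTS, "FireAll", 3, 30, "AxBx"):
        print(record)
```

With ChokeThreshold 3 the run prints three individual alarms and then a single global summary covering the remaining nine events of the interval.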

Master Engine Configuration Restrictions

When configuring master parameters, keep the following restrictions in mind:
– You cannot use AlarmThrottle FireOnce with certain other parameters.
– ChokeThreshold does not make sense when the AlarmThrottle is GlobalSummary.
– Using AlarmInterval dictates specific settings for other parameters.
– You cannot set a SummaryKey with ports when the protocol of the inspector does not have ports.

Atomic Signature Engines

Engine Name          Engine Description
Atomic.ARP           Examines ARP packets
Atomic.ICMP          Examines ICMP packets
Atomic.IPOptions     Examines the IP options list in IP packets
Atomic.L3.IP         Examines IP packets
Atomic.TCP           Examines TCP packets
Atomic.UDP           Examines UDP packets

Atomic.ARP Parameters

The following are Atomic.ARP parameters:
– ArpOperation: Defines the operation code that the signature examines
– RequestInbalance: Specifies the number by which the amount of ARP requests can exceed the number of ARP replies for a certain IP address before the signature fires

Atomic.ICMP Parameters

The following are Atomic.ICMP parameters:
– IcmpCode: Defines the code value to match in the ICMP header code field
– IcmpID: Defines the identification value to match in the ICMP header identifier field
– IcmpSeq: Defines the sequence value to match in the ICMP header seq field
– IcmpType: Defines the type value to match in the ICMP header type field

Atomic.IPOptions Parameters

The following are Atomic.IPOptions parameters:
– HasBadOption: Defines whether the list of IP options is malformed
– IPOption: Defines the IP option code

Atomic.L3.IP Parameters

The following are Atomic.L3.IP parameters:
– MaxProto: Configures the signature to fire if the IP protocol value is greater than this value
– MinProto: Configures the signature to fire if the IP protocol number is less than this value
– isRFC1918: Defines whether the packet is from the RFC 1918 address pool

Atomic.TCP Parameters

The following are Atomic.TCP parameters:
– DstPort: Defines the destination port to match in the TCP header
– Mask: Defines the mask used in TCP flags comparisons
– SinglePacketRegex: Defines string patterns to search for in a single TCP packet
– SrcPort: Defines a single source port to match in the TCP header
– TcpFlags: Defines the TCP flags to match when masked by Mask

Atomic.UDP Parameters

The following are Atomic.UDP parameters:
– DstPort: Defines a single destination port to match
– MinUDPLength: Defines the minimum length of the UDP packet, after which the signature fires

Parameters for All Atomic Engines

Atomic signatures can be tuned to trigger only on specific source or destination IP addresses. The following tuning parameters are available for each ATOMIC signature engine:
– SrcIpAddr and SrcIpMask
– DstIpAddr and DstIpMask

Flood Signature Engines

Engine Name          Engine Description
Flood.Host.ICMP      Looks for an excessive number of ICMP packets sent to a target host
Flood.Host.UDP       Looks for an excessive number of UDP packets sent to a target host
Flood.Net            Looks for an excessive number of packets sent to a network segment

Flood.Host.ICMP Parameters

The following are Flood.Host.ICMP parameters:
– IcmpType: Defines the type value to match in the ICMP header type field
– Rate: Defines the maximum number of ICMP packets with the specified type allowed per second

Flood.Host.UDP Parameters

The following are Flood.Host.UDP parameters:
– ExcludeDst1: Defines a destination port to exclude from flood counting
– ExcludeDst2: Defines a second destination port to exclude from flood counting
– Rate: Defines the maximum number of UDP packets with the specified type allowed per second

Flood.Net Parameters

The following are Flood.Net parameters:
– Gap: Defines an interval (in seconds) at which the peak count is reset to 0 if the matched traffic remains below the defined rate
– Peaks: Defines the maximum period of time (above the specified rate) necessary to trigger the signature
– Rate: Defines the maximum number of packets per second for a suspect second
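A model of the Flood.Net Rate, Peaks and Gap semantics described above, run over constructed packet timestamps for one segment. This is an added illustration, not Cisco code; reading Peaks as a count of suspect seconds and restarting the peak count after an alarm are assumptions.

```python
"""Model of the Flood.Net Rate / Peaks / Gap parameters (constructed example)."""
from collections import Counter


def packets_per_second(timestamps):
    """Bucket packet arrival times (seconds, float) into whole-second counts."""
    return Counter(int(t) for t in timestamps)


def flood_net(timestamps, rate, peaks, gap):
    """Return the seconds at which a Flood.Net-style signature fires.

    Rate:  a second with more than `rate` packets is a suspect second.
    Peaks: number of suspect seconds that must accumulate before firing.
    Gap:   after `gap` consecutive seconds at or below Rate, the peak count
           is reset to 0.
    Modelling assumption: the peak count restarts after each alarm.
    """
    counts = packets_per_second(timestamps)
    if not counts:
        return []
    fired, peak_count, quiet = [], 0, 0
    for sec in range(min(counts), max(counts) + 1):   # empty seconds count as quiet
        if counts[sec] > rate:
            peak_count, quiet = peak_count + 1, 0
            if peak_count >= peaks:
                fired.append(sec)
                peak_count = 0
        else:
            quiet += 1
            if quiet >= gap:
                peak_count = 0
    return fired


def burst(second, n):
    """n packets spread evenly inside one second (constructed traffic)."""
    return [second + i / n for i in range(n)]


# Constructed segment traffic: 20 packets/s background for 21 seconds plus
# 150 extra packets in each of seconds 0, 1, 2, 10, 11 and 17.
BACKGROUND = [t for s in range(21) for t in burst(s, 20)]
BURSTS = [t for s in (0, 1, 2, 10, 11, 17) for t in burst(s, 150)]
SAMPLE = BACKGROUND + BURSTS


if __name__ == "__main__":
    # Rate 100, Peaks 3, Gap 5: only the three-second burst at 0-2 fires;
    # seconds 10-11 never reach three peaks because the gap resets the count.
    print(flood_net(SAMPLE, rate=100, peaks=3, gap=5))
    # With Gap 10 the quiet stretch 12-16 is too short to reset, so second 17 fires too.
    print(flood_net(SAMPLE, rate=100, peaks=3, gap=10))
```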

Service Signature Engines

Engine Name          Engine Description
Service.DNS          Examines TCP and UDP DNS packets
Service.FTP          Examines FTP traffic
Service.Generic      Emergency response engine that supplements the String and State engines
Service.HTTP         Examines HTTP traffic for string-based pattern matching
Service.IDENT        Examines TCP port 113 traffic
Service.MSSQL        Examines traffic used by Microsoft SQL

Service Signature Engines (Cont.)

Engine Name          Engine Description
Service.NTP          Examines NTP traffic
Service.RPC          Examines RPC traffic
Service.SMB          Examines SMB traffic
Service.SMTP         Examines SMTP traffic
Service.SNMP         Examines SNMP traffic
Service.SSH          Examines SSH traffic
Service.Syslog       Examines Syslog traffic

Service.DNS Parameters

The following are Service.DNS parameters:
– QuerySrcPort53: Determines if the DNS packet source port is 53
– QueryValue: Determines if the DNS packet will be a query or a response

Service.FTP Parameters

The following are Service.FTP parameters:
– ServicePorts: Defines a list of ports where the target service may reside
– BadPortCmdPort: Invalid port specified in the PORT command

Service.Generic Parameters

The following are Service.Generic parameters:
– DstPort: Defines the destination port of interest
– IntermediateInstructions: Assembly or machine code in string form

Note: Only expert users should attempt to create custom signatures with the Service.Generic engine.

Service.HTTP Parameters

The following are Service.HTTP parameters:
– UriRegex: Examines the URI section of the HTTP request to match the regular expression
– RequestRegex: Examines the entire HTTP request to match the regular expression
– De-obfuscate: Determines whether to apply anti-evasive HTTP de-obfuscation before examination

Service.IDENT Parameters

The following are Service.IDENT parameters:
– MaxBytes: Defines the maximum amount of data in the payload
– hasBadPort: Defines whether the signature fires due to a bad port number

Service.MSSQL Parameters

The following are Service.MSSQL parameters:
– sqlUsername: Defines the username to match
– passwordPresent: Defines whether a password was or was not used in a Microsoft SQL login

Service.NTP Parameters

The following are Service.NTP parameters:
– Mode: Defines the mode of operation of NTP packets
– isInvalidDataPacket: Determines whether the NTP data packet is the correct size

Service.RPC Parameters

The following are Service.RPC parameters:
– RpcProgram: Defines the RPC program number to match in the RPC message
– Unique: Defines the maximum number of unique ports used by an RPC mapper before the signature fires
– isSweep: Determines whether to listen for RPC sweeps

Service.SMB Parameters

The following are Service.SMB parameters:
– AccountName: Defines the account name to watch
– FileName: Defines the name of the file that, when opened, causes an alarm to fire

Service.SNMP Parameters

The following are Service.SNMP parameters:
– BruteForceCount: Defines the number of unique community strings before the signature fires
– IsBruteForce: Determines whether the signature is going to use BruteForceCount
– IsValidPacket: Determines whether the signature is going to fire if the packet is valid

Service.SSH Parameters

The following are Service.SSH parameters:
– KeyLength: Defines the RSA key length
– UserLength: Defines the maximum length of the username

Service.Syslog Parameters

The following are Service.Syslog parameters:
– AclDataSource: Defines a list of IP addresses that are valid sources of ACL violations
– AclFilterName: Defines the name of the ACL filter

State Signature Engines

State.String Signature Engines

Engine Name                    Engine Description
State.String.Ciscologin        Examines Cisco login attempts
State.String.LPRformat         Examines the LPR protocol
Service.SMTP                   Checks for specific patterns at different states in the SMTP protocol

State.String Parameters

The following are State.String parameters:
– Direction: Defines whether examined traffic is traveling to or from the service port
– RegexString: Defines the regular expression
– StateName: Defines the name of the StateMachine state that restricts the match of the RegexString

State.String.Ciscologin Transitions

Regex String                    Required State   Next State     Direction
User[ ]Access[ ]Verification    Start            CiscoDevice    FromService
Cisco[ ]Systems[ ]Console       Start            CiscoDevice    FromService
assword[:]                      CiscoDevice      PassPrompt     FromService
\x03                            PassPrompt       ControlC       ToService
(enable)                        ControlC         EnableBypass   FromService
\x03[\x00-\xFF]                 ControlC         PassPrompt     ToService
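A table-driven model of the State.String engine as just described (Direction, RegexString, StateName), driven by the State.String.Ciscologin transition table above and replayed over two constructed console sessions. Added here for illustration, not Cisco code; the spaces inside "[ ]" and the one-transition-per-chunk processing are assumptions.

```python
"""Table-driven model of a State.String engine using the lesson's
State.String.Ciscologin transition table (constructed example)."""
import re

# (RegexString, required state, next state, Direction) rows from the lesson.
# The space inside "[ ]" is assumed; every stream starts in state "Start".
CISCOLOGIN = [
    (r"User[ ]Access[ ]Verification", "Start", "CiscoDevice", "FromService"),
    (r"Cisco[ ]Systems[ ]Console", "Start", "CiscoDevice", "FromService"),
    (r"assword[:]", "CiscoDevice", "PassPrompt", "FromService"),
    (r"\x03", "PassPrompt", "ControlC", "ToService"),
    (r"(enable)", "ControlC", "EnableBypass", "FromService"),
    (r"\x03[\x00-\xFF]", "ControlC", "PassPrompt", "ToService"),
]


class StateString:
    """One TCP stream tracked by a state machine, plus one signature that is
    evaluated only while the stream is in the signature's StateName and the
    chunk travels in the signature's Direction."""

    def __init__(self, transitions, regex_string, state_name, direction):
        self.transitions = [(re.compile(p, re.DOTALL), req, nxt, d)
                            for p, req, nxt, d in transitions]
        self.sig_re = re.compile(regex_string, re.DOTALL)
        self.sig_state, self.sig_dir = state_name, direction
        self.state = "Start"

    def feed(self, direction, data):
        """Evaluate the signature on one chunk, then apply at most one
        transition (the real engine works on the byte stream; here one chunk
        is one protocol message).  Returns True if the signature fires."""
        fired = (self.state == self.sig_state and direction == self.sig_dir
                 and self.sig_re.search(data) is not None)
        for pattern, required, nxt, d in self.transitions:
            if self.state == required and direction == d and pattern.search(data):
                self.state = nxt
                break
        return fired


def run(stream, regex_string, state_name, direction, transitions=CISCOLOGIN):
    """Replay (Direction, data) chunks; return the indexes of the chunks on
    which the signature fired and the final state of the stream."""
    engine = StateString(transitions, regex_string, state_name, direction)
    fired = [i for i, (d, data) in enumerate(stream) if engine.feed(d, data)]
    return fired, engine.state


# Constructed console sessions.  In the first the client sends Ctrl-C (\x03)
# at the password prompt and the device answers with an enable prompt; in the
# second the same prompt text appears, but after a normal password entry.
BYPASS = [("FromService", "User Access Verification\r\n"),
          ("FromService", "Password: "),
          ("ToService", "\x03"),
          ("FromService", "Router(enable)")]
NORMAL = [("FromService", "User Access Verification\r\n"),
          ("FromService", "Password: "),
          ("ToService", "s3cret\r\n"),
          ("FromService", "Router(enable)")]

if __name__ == "__main__":
    # Signature: RegexString "(enable)", StateName ControlC, Direction FromService.
    print(run(BYPASS, r"(enable)", "ControlC", "FromService"))   # fires on chunk 3
    print(run(NORMAL, r"(enable)", "ControlC", "FromService"))   # wrong state: no alarm
```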

State.String.Lprformat Transitions

Regex String     Required State   Next State    Direction
[1-9]            Start            Abort         ToService
%                Start            CiscoDevice   ToService
[\x0a\x0d]       FormatChar       Abort         ToService

Service.SMTP Transitions

Regex String                          Required State   Next State     Direction
[\r\n]250[ ]                          Start            SmtpCommands   FromService
220[ ][^\r\n[\x7f-\xff]*SNMP          Start            SmtpCommands   FromService
(HE|EH)LO                             Start            SmtpCommands   ToService
[\r\n](235|220.*TLS)                  Start            Abort          FromService
[\r\n](235|220.*TLS)                  SmtpCommands     Abort          FromService
[Dd][Aa][Tt][Aa]|[Bb][Dd][Aa][Tt]     SmtpCommands     MailHeader     ToService
[\r\n]354                             SmtpCommands     MailHeader     FromService
[\r\n][.][\r\n]                       MailHeader       SmtpCommands   ToService

String Signature Engines

Engine Name      Engine Description
String.ICMP      Searches ICMP packets for a string pattern
String.TCP       Searches TCP packets for a string pattern
String.UDP       Searches UDP packets for a string pattern

String Parameters

The following are String parameters:
– Direction: Defines whether examined traffic is traveling to or from the service port
– RegexString: Defines the string pattern to match in the packet

Sweep Signature Engines

Engine Name          Engine Description
Sweep.Host.ICMP      Single source scanning multiple network addresses using ICMP packets
Sweep.Host.TCP       Single source scanning multiple network addresses using TCP packets
Sweep.Port.TCP       TCP connections to multiple destination ports between two network addresses
Sweep.Port.UDP       UDP connections to multiple destination ports between two network addresses
Sweep.OTHER          Odd sweeps and scans such as nmap
Sweep.Multi          UDP and TCP combined port sweeps

Sweep.Host.ICMP Parameters

The following are Sweep.Host.ICMP parameters:
– IcmpType: Defines the type value to match in the ICMP type field
– Unique: Defines the maximum number of unique ICMP packets to the target host

Sweep.Host.TCP Parameters

The following are Sweep.Host.TCP parameters:
– Mask: Defines the mask used in TcpFlags comparison
– TcpFlags: Defines the TCP flags to match when masked by Mask
– Unique: Defines the number of unique connections allowed

Sweep.Port.TCP Parameters

The following are Sweep.Port.TCP parameters:
– Mask: Defines the mask used in TcpFlags comparison
– PortRange: Defines the port range to examine
– TcpFlags: Defines the TCP flags to match when masked by Mask
– Unique: Defines the maximum number of unique connections allowed

Sweep.Port.UDP Parameters

The following are Sweep.Port.UDP parameters:
– PortsInclude: Defines the list of ports or port ranges to examine
– Unique: Defines the maximum number of unique port connections allowed

Sweep.OTHER.TCP Parameters

The following are Sweep.OTHER.TCP parameters:
– PortRange: Defines the list of ports or port ranges to examine
– TcpFlags1: Defines the TCP flags for an equality comparison
– TcpFlags2: Defines the TCP flags for an equality comparison

Sweep.Multi Parameters

The following are Sweep.Multi parameters:
– TcpInterest: Defines predefined TCP ports of interest
– UdpInterest: Defines predefined UDP ports of interest
– UniqueTcpPorts: Defines the number of unique TCP connections allowed
– UniqueUdpPorts: Defines the number of unique UDP connections allowed

Miscellaneous Signature Engines

Trojan Signature Engines

Engine Name      Engine Description
Trojan.BO2K      Examines UDP and TCP traffic for nonstandard Back Orifice traffic
Trojan.TFN2K     Examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers
Trojan.UDP       Examines UDP traffic for Trojan attacks

Traffic.ICMP Parameters

The following are Traffic.ICMP parameters:
– isLoki: Defines whether the signature is looking for the original Loki
– isModLoki: Defines whether the signature is looking for a modified Loki

OTHER Parameters

The following are OTHER parameters:
– HijackMaxOldAck: Defines the maximum number of old dataless client-to-server ACKs before a hijack is triggered
– SynFloodMaxEmbryonic: Defines the maximum number of allowed simultaneous embryonic connections to any service
– TrafficFlowTimeout: Defines the number of seconds that must pass with no traffic to fire an alarm

Summary

A signature is a set of rules that your Sensor uses to detect typical intrusive activity. The Sensor compares network activity with its enabled signatures and generates an alarm when a match is found. A signature engine is a component of the Sensor that supports a category of signatures. Each signature engine is designed for a specific type of traffic. Each engine has a set of parameters that help define the behavior of the signatures controlled by the engine.

Summary (Cont.)

Parameters can be modified so that signatures meet the needs of your network environment. You can configure your Sensor to take one or more of the following actions in response to an attack or suspicious activity:
– Start IP logging
– Issue a TCP reset
– Initiate blocking

Cisco IDS signatures can summarize alarms to reduce the number of single alarms generated.