© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.06-1 Lesson 6 Working with Signatures and Alerts.

Transcript:

Lesson 6: Working with Signatures and Alerts

Cisco IPS Signatures, Engines, and Alerts

Signature Types
A Cisco IPS signature is a set of rules that your sensor uses to detect typical intrusive activity. The sensor supports three types of signatures:
– Built-in signatures: known attack signatures that are included in the sensor software
– Tuned signatures: built-in signatures that you modify
– Custom signatures: new signatures that you create

Signature Features
– Response actions
– Alert summarization
– Threshold configuration
– Anti-evasive techniques
– Fidelity ratings
– Application firewall
– SNMP support
– IPv6 support
– A blend of detection technologies
– Regular expression string pattern matching

Signature Actions
Cisco IDS signatures can take one or more of the following actions when triggered:
– Drop malicious packets, including the trigger packet, before they reach their targets (inline sensors only)
– Produce an alert, or an alert that includes an encoded dump of the trigger packet
– Log IP packets that contain the attacker address, the victim address, or both
– Initiate the blocking of a connection or of a specific host address
– Send a request to the notification application component of the sensor to perform SNMP notification
– Terminate the TCP session between the source of an attack and the target host

Regular Expressions Syntax
Features of regular expression syntax:
– Enables you to configure your sensor to detect textual patterns in the traffic it analyzes
– Allows you to describe simple as well as complex textual patterns
– Consists of special characters such as the following:
  – ()
  – |
  – [abc]

Examples of Regex Patterns
To Match                 Regular Expression
Hacker or hacker         [Hh]acker
Either hot or cold       hot|cold

Signature Engines
A Signature Engine is a component of the sensor that supports a category of signatures. Each Cisco IPS signature is controlled by a Signature Engine designed to inspect a specific type of traffic. Each engine has a set of legal parameters that have allowable ranges or sets of values. Configurable engine parameters enable you to tune signatures to work optimally in your network and to create new signatures unique to your network environment.

Alerts
– By default, the sensor generates an alert when an enabled signature is triggered. The default setting that generates an alert can be disabled.
– Alerts are stored in the sensor's Event Store.
– External monitoring applications can pull alerts from the sensor via SDEE. Monitoring applications can collect alerts on an as-needed basis, and multiple hosts can collect alerts simultaneously.
– Alerts can have any one of the following severity levels:
  – Informational
  – Low
  – Medium
  – High
– The severity level of the alert is derived from the severity level of the signature causing the alert.
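The following is an added example, not part of the Cisco course material: a small string-matching loop that applies the two regex patterns from the slides above as constructed custom signatures, skips disabled signatures, and gives each alert the severity of the signature that fired. Signature IDs 60001 to 60003, the action names, and the sample payloads are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Severity order used when reporting the most serious alert in a batch.
SEVERITIES = ("informational", "low", "medium", "high")

@dataclass
class Signature:
    sig_id: int          # constructed IDs; custom signatures use the 60000+ range
    name: str
    pattern: str         # regex string pattern, the same syntax the slides show
    severity: str        # an alert inherits the severity of its signature
    actions: tuple = ("produce-alert",)
    enabled: bool = True

def slide_signatures():
    """Constructed custom signatures built around the slides' two regex patterns."""
    return [
        Signature(60001, "hacker string", r"[Hh]acker", "medium"),
        Signature(60002, "hot or cold", r"hot|cold", "low",
                  actions=("produce-alert", "log-attacker-packets")),
        Signature(60003, "disabled example", r"retired", "high", enabled=False),
    ]

def inspect(payload, signatures):
    """Return one alert per enabled signature whose pattern matches the payload."""
    alerts = []
    for sig in signatures:
        if not sig.enabled:
            continue  # a disabled signature produces no alert and no action
        match = re.search(sig.pattern, payload)
        if match:
            alerts.append({"sig_id": sig.sig_id, "severity": sig.severity,
                           "matched": match.group(0), "actions": sig.actions})
    return alerts

def highest_severity(alerts):
    """Most serious severity among the alerts, or None when nothing fired."""
    if not alerts:
        return None
    return max((a["severity"] for a in alerts), key=SEVERITIES.index)

if __name__ == "__main__":
    sigs = slide_signatures()
    # Constructed payloads: the third is a benign trigger, because "photo"
    # contains the substring "hot"; this is the kind of match you tune away.
    for payload in ("GET /Hacker HTTP/1.0", "cold hacker", "photo upload", "retired"):
        print(payload, "->", inspect(payload, sigs))
```

The "photo upload" payload shows why an unanchored pattern such as hot|cold needs tuning before it is trusted with a blocking action.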

Alert Format
sensor# show events
evIdsAlert: eventId= severity=medium vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 376
  time: 2005/01/14 11:14: /01/14 11:14:38 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT
    target:
      addr: locality=OUT
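As an added example (not part of the course material), here is a parser for the evIdsAlert layout shown above, as a monitoring script pulling `show events` text would need. The sample output is constructed: the eventId values, the 10.0.x.12 addresses, and the second (custom, id=60001) alert are made up for the example, and only the fields a triage script usually needs are extracted.

```python
SEVERITY_ORDER = ["informational", "low", "medium", "high"]

# Constructed sample in the evIdsAlert layout from the slide; eventIds,
# addresses and the second alert are made-up values, not from the page.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1105700000000000001 severity=medium vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 376
  time: 2005/01/14 11:14:38 2005/01/14 11:14:38 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  participants:
    attacker:
      addr: locality=OUT 10.0.1.12
    target:
      addr: locality=OUT 10.0.2.12
evIdsAlert: eventId=1105700000000000002 severity=high vendor=Cisco
  originator:
    hostId: sensor1
  time: 2005/01/14 11:15:02 2005/01/14 11:15:02 UTC
  signature: description=custom test string id=60001 version=1.0
    subsigId: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.1.12
    target:
      addr: locality=IN 10.0.2.20
"""

def parse_events(text):
    """Split show events output into one dict per evIdsAlert record."""
    import re
    events = []
    for chunk in text.split("evIdsAlert:")[1:]:      # one chunk per alert
        ev = {}
        m = re.search(r"eventId=(\d+)\s+severity=(\w+)", chunk)
        ev["eventId"], ev["severity"] = m.group(1), m.group(2)
        m = re.search(r"description=(.*?)\s+id=(\d+)", chunk)
        ev["description"], ev["sigId"] = m.group(1), int(m.group(2))
        m = re.search(r"hostId:\s*(\S+)", chunk)
        ev["sensor"] = m.group(1) if m else None
        for role in ("attacker", "target"):            # nested addr: lines
            m = re.search(role + r":\s*\n\s*addr:\s*locality=(\w+)\s+(\S+)", chunk)
            ev[role] = {"locality": m.group(1), "addr": m.group(2)} if m else None
        events.append(ev)
    return events

def at_least(events, min_severity):
    """Keep only alerts at or above min_severity (informational < low < medium < high)."""
    floor = SEVERITY_ORDER.index(min_severity)
    return [e for e in events if SEVERITY_ORDER.index(e["severity"]) >= floor]
```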

Locating Signature Information

NSDB Link from the IDM (IDM screenshot: Configuration > Signature Definition > Signature Configuration; the NSDB link opens the NSDB information on signature 3324)

The Cisco Intrusion Prevention Alert Center (sections shown):
– Breaking News
– Signatures Listed by Release
– Signatures Listed by Signature ID
– Active Threats
– Latest Threats
– Cisco IPS Download Center

The Cisco Intrusion Prevention Alert Center (Cont.) (screenshot)

The NSDB (fields of a signature entry shown): Signature ID, Signature Name, Default Alarm Severity, Release Version, Release Date, Description, Benign Triggers, Recommended Filters, Related Threats

Basic Signature Configuration

Signature Configuration Tasks
Basic signature configuration includes the following:
– Enabling or disabling the signature
– Assigning the signature action

Accessing the Signature Configuration Page (IDM screenshot: Configuration > Signature Definition > Signature Configuration; Select By, Select Criteria)

Locating Signatures by Sig ID (IDM screenshot: Select By, Enter Sig ID, Find)

Locating Signatures by Network Service (IDM screenshot: Select By, Select Service)

Activating and Retiring Signatures (IDM screenshot: Activate, Retire buttons)

Enabling and Disabling Signatures (IDM screenshot: Select All, Enable, Disable buttons)

Configuring Signature Actions (IDM screenshot: Actions, Reset, Restore Defaults)

Configuring Signature Actions (Cont.) (IDM screenshot: Action List, Select All, Select None)

Special Considerations for Signature Actions

Configuring IP Logging for a Specific IP Address (IDM screenshot: Monitoring > IP Logging > Add)

Configuring IP Logging for a Specific IP Address (Cont.) (IDM screenshot, fields: IP Address, Duration, Packets, Bytes; Apply)

Viewing IP Logs (IDM screenshot: Edit, Download, Refresh, Stop buttons)

Configuring General Settings for Signature Actions (IDM screenshot: Configuration > Event Action Rules > General Settings; fields: Maximum Denied Attackers, Deny Attacker Duration, Block Action Duration)

Managing Denied Attackers (IDM screenshot: Monitoring > Denied Attackers; Refresh, Reset All Hit Counts, Clear List buttons)

Configuring SNMP

Your Sensor and SNMP (diagram: the SNMP Agent on the Sensor sends an Unsolicited SNMP Message (Trap) to the NMS)

Configuring SNMP (IDM screenshot: Configuration > SNMP > SNMP General Configuration; Apply, Reset)
Fields shown:
– Enable SNMP Gets/Sets
– Read-Only Community String
– Read-Write Community String
– Sensor Contact
– Sensor Location
– Sensor Agent Port
– Sensor Agent Protocol

Configuring SNMP Traps (IDM screenshot: Configuration > SNMP > SNMP Traps Configuration; Add)
Fields shown:
– Enable SNMP Traps
– Select the error events...
– Enable detailed traps...
– Default Trap Community String

Adding an SNMP Trap Destination (IDM screenshot, fields: IP Address, UDP Port, Trap Community String)

Adding an SNMP Trap Destination (Cont.) (IDM screenshot: Edit, Delete, Apply, Reset buttons)

Summary

Summary
– A signature is a set of rules that your sensor uses to detect typical intrusive activity.
– The sensor compares network activity with its enabled signatures and can generate an alert when a match is found.
– A Signature Engine is a component of the sensor that supports a category of signatures. Each Signature Engine is designed for a specific type of traffic.
– Each engine has a set of parameters that helps define the behavior of the signatures controlled by the engine.

Summary (Cont.)
– Parameters can be modified so that signatures meet the needs of your network environment.
– You can configure your sensor to take the following actions in response to an attack or suspicious activity:
  – Deny Attacker Inline
  – Deny Connection Inline
  – Deny Packet Inline
  – Log Attacker Packets
  – Log Pair Packets
  – Log Victim Packets
  – Produce Alert
  – Produce Verbose Alert
  – Request Block Connection
  – Request Block Host
  – Request SNMP Trap
  – Reset TCP Connection

Lab Exercise

Lab Visual Objective (topology diagram: Student PC 10.0.P.12, sensorP, routerP; Student PC 10.0.Q.12, sensorQ, routerQ; router interfaces e0/0 and e0/1; RBB; Web and FTP servers)