© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.08-1 Lesson 8 Configuring Signatures.

Transcript:

Lesson 8 Configuring Signatures

Parameters Common to All Signature Engines

Common Parameters [screen fields: Signature ID, Signature Name, SubSignature ID, Specify Alert Interval, Alert Severity, User Comments, Alert Notes, Alert Traits, Release, Event Count, Event Count Key, Sig Fidelity Rating, Promiscuous Delta, Sig Description, Event Counter, Engine]

Common Parameters (Cont.) [screen fields: Summary Mode, Summary Interval, Summary Key, Specify Global Summary Threshold, Enabled, Retired, Alert Frequency, Status]

Key Terminology
A = source address
a = source port
B = destination address
b = destination port
x = does not matter
AxBx = the source and destination addresses matter, but the source and destination ports do not.

Summary Modes
You can use the value of the common parameter Summary Mode to control the number of alarms generated by a specific signature. The Summary Mode parameter can have one of the following values:
–Fire once
–Fire all
–Summarize
–Global summarize

Threshold Parameters and Automatic Alarm Summarization
[Figure: summary mode transitions, labelled with the parameters Summary Mode (FireAll, Summarize, Global Summarize), Summary Threshold, Global Summary Threshold and Summary Interval]
Automatic alert summarization enables a signature to change alert modes automatically based on the number of alerts detected within the Summary Interval parameter.

Signature Tuning

Signature Tuning [screen: Configuration, Signature Definition, Signature Configuration, Edit]

Signature Tuning Scenario 1
A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts. Using the signature search features in the IDM, the network security administrator discovers signature 6250, the FTP Authorization Failure signature. After examining the parameters for signature 6250, the administrator decides to tune the signature as follows:
–Change the severity level from informational to high
–Add the Deny Connection Inline action to the default action of Produce Alert

Signature Tuning Scenario 1 (Cont.) [screen fields: Alert Severity, Event Action]

Signature Tuning Scenario 2
You are replacing D-Link devices on your network with Linksys wireless devices, but you still have some old D-Link systems that have not yet been replaced. Until they are replaced, you want to make sure that they are not being attacked. You would like to do the following to protect the D-Link devices and other devices on your network:
–Alert on any attempt to access a D-Link configuration file from any system other than your management system
–Generate a single alert every 5 minutes when the signature is being triggered by a single source IP address
–Use the Deny Packet Inline action to drop traffic from non-D-Link devices
You discover that signature 4611 detects TFTP requests for D-Link configuration files, but it does not meet your requirements to do the following:
–Generate a single alert for a single source IP every 5 minutes
–Drop the TFTP request before it reaches its target

Signature Tuning Scenario 2 (Cont.) [screen: Configuration, Signature Definition, Signature Configuration, Edit; Select By: Sig ID; Enter Sig ID: 4611; Find]

Signature Tuning Scenario 2 (Cont.) [screen fields: Event Action, Event Counter, Alert Frequency, Summary Mode, Event Count Key, Alert Interval, Specify Alert Interval; OK]

Custom Signatures

Creating Custom Signatures
Creating a custom signature requires detailed knowledge of the attack for which you create it. Poorly written signatures can generate false positives and false negatives. You should test a custom signature carefully before you deploy it. The Signature Wizard in the IDM guides you through the process of creating custom signatures and enables you to create custom signatures in either of the following ways:
–Using a signature engine
–Without using a signature engine
You can also create custom signatures without using the Signature Wizard.

Custom Signature Scenario 1
A network security administrator wants to create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the atomic IP engine for the following reasons:
–Atomic signatures can trigger on the contents of a single packet.
–The atomic IP engine allows you to select a Layer 4 protocol.
–You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
–You can use the Destination Port Range parameter to specify the destination port of interest.

Using the Custom Signature Wizard [screen: Configuration, Signature Definition, Custom Signature Wizard; Start the Wizard]

Specifying a Signature Engine [screen: Select Engine; Next]

Configuring the Signature Identification Parameters [screen fields: Signature ID, Signature Name; Next]

Configuring the Engine-Specific Parameters [screen fields: Specify Layer 4 Protocol, Layer 4 Protocol, TCP Flags, TCP Mask; Next]

Configuring the Engine-Specific Parameters (Cont.) [screen fields: Specify Destination Port Range, Destination Port Range; Next]

Configuring the Alert Response [screen fields: Severity of the Alert, Signature Fidelity Rating; Next]

Configuring the Alert Behavior [screen: Advanced; Finish]
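To make the TCP Flags, TCP Mask and Destination Port Range parameters of Custom Signature Scenario 1 concrete, here is an added Python model of the single-packet check (example code written for this page; it is not Cisco's engine code and does not come from the slides). It takes a plain 20-byte TCP header as input. The custom signature ID 60000, the sample ports and addresses, and the names build_tcp_header, parse_tcp_header and AtomicTcpSignature are this example's own assumptions.

```python
import struct

# TCP flag bits (RFC 793) as they sit in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header for sample input: data offset 5,
    window 65535, checksum and urgent pointer left at zero."""
    off_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, 65535, 0, 0)


def parse_tcp_header(data):
    """Return (src_port, dst_port, flags) from the fixed part of a TCP header."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
    return src, dst, off_flags & 0xFF


class AtomicTcpSignature:
    """Single-packet match in the spirit of the atomic IP engine.

    tcp_mask selects the flag bits the signature inspects; tcp_flags gives
    the value those bits must have. Bits outside the mask are ignored, so
    tcp_mask=SYN|ACK with tcp_flags=SYN matches a bare SYN (or SYN+PSH)
    but not a SYN/ACK. dst_port_range is an inclusive (low, high) pair.
    """

    def __init__(self, sig_id, tcp_flags, tcp_mask, dst_port_range):
        if tcp_flags & ~tcp_mask:
            raise ValueError("tcp_flags sets bits that tcp_mask does not inspect")
        self.sig_id = sig_id
        self.tcp_flags = tcp_flags
        self.tcp_mask = tcp_mask
        self.low, self.high = dst_port_range

    def matches(self, tcp_header):
        _src, dst, flags = parse_tcp_header(tcp_header)
        return (flags & self.tcp_mask) == self.tcp_flags and self.low <= dst <= self.high


# Scenario 1: SYN packets to port 23. Signature ID 60000 is an assumed
# custom-range ID, not one given on the slides.
TELNET_SYN = AtomicTcpSignature(60000, tcp_flags=SYN, tcp_mask=SYN | ACK,
                                dst_port_range=(23, 23))


def classify_samples():
    """Run the scenario signature over constructed sample headers."""
    samples = {
        "syn_to_23": build_tcp_header(40000, 23, SYN),
        "synack_from_23": build_tcp_header(23, 40000, SYN | ACK),
        "syn_to_22": build_tcp_header(40000, 22, SYN),
        "syn_psh_to_23": build_tcp_header(40000, 23, SYN | PSH),
        "ack_to_23": build_tcp_header(40000, 23, ACK),
    }
    return {name: TELNET_SYN.matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:16} -> {'MATCH' if hit else 'no match'}")
```

The mask is what keeps the signature from firing on the server's SYN/ACK or on an established-connection ACK: only the SYN and ACK bits are compared, and the ACK bit must be clear.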

Custom Signature Scenario 2
A network security administrator wants to create a signature that can detect and drop traffic containing the word confidential. The administrator wants the signature to fire if the traffic is directed to the following ports:
–FTP: 20 and 21
–Telnet: 23
–SMTP: 25
–HTTP: 80
–POP3: 110

Custom Signature Scenario 2 (Cont.)
The administrator wants to configure the signature to send alerts to the Event Store as follows: Send an alert to the Event Store every time the signature fires. If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as follows:
–Send a summary alert for firings of the signature on the same victim address during the interval.
–If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.
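Serving both the Threshold Parameters and Automatic Alarm Summarization slide and the alert behaviour asked for in Custom Signature Scenario 2, the following added Python model (written for this page; not sensor code and not from the slides) walks a burst of constructed firings through fire-all, summarize and global summarize using the scenario's values: a Summary Threshold of 20, a 30-second Summary Interval and a Global Summary Threshold of 25. The Summary Key is the victim address as in the scenario. The class and helper names (DynamicSummarizer, sample_firings, count_by_type), the sample addresses, and the assumptions that an interval is a fixed window opened by its first firing and that summary alerts are emitted when the window closes are this example's own.

```python
from collections import Counter

# The Summary Mode values from the "Summary Modes" slide
FIRE_ALL = "fire-all"
SUMMARIZE = "summarize"
GLOBAL_SUMMARIZE = "global-summarize"


class DynamicSummarizer:
    """Simplified model of dynamic (automatic) alert summarization.

    Each Summary Interval starts in fire-all mode. Once more than
    summary_threshold firings have been seen in the interval the mode
    changes to summarize (one summary alert per Summary Key value when the
    interval closes); once more than global_summary_threshold have been seen
    it changes to global summarize (a single alert counting every firing not
    already reported individually). Modelled behaviour with assumed window
    semantics, not the sensor's exact implementation.
    """

    def __init__(self, summary_interval=30, summary_threshold=20,
                 global_summary_threshold=25, summary_key="victim"):
        self.interval = summary_interval
        self.threshold = summary_threshold
        self.global_threshold = global_summary_threshold
        self.key = summary_key

    def process(self, firings):
        """firings: dicts with 'time' (seconds), 'attacker', 'victim', 'port'.
        Returns the alerts that would reach the Event Store."""
        out = []
        window_start, count, mode = None, 0, FIRE_ALL
        per_key, summarized = Counter(), 0
        for ev in sorted(firings, key=lambda e: e["time"]):
            if window_start is None or ev["time"] >= window_start + self.interval:
                # window closed: emit any pending summary, then open a new one
                out.extend(self._close(mode, per_key, summarized, window_start))
                window_start, count, mode = ev["time"], 0, FIRE_ALL
                per_key, summarized = Counter(), 0
            count += 1
            if mode == FIRE_ALL and count > self.threshold:
                mode = SUMMARIZE
            if mode == SUMMARIZE and count > self.global_threshold:
                mode = GLOBAL_SUMMARIZE
            if mode == FIRE_ALL:
                out.append({"type": "alert", **ev})
            else:
                summarized += 1
                per_key[ev[self.key]] += 1
        out.extend(self._close(mode, per_key, summarized, window_start))
        return out

    def _close(self, mode, per_key, summarized, window_start):
        if mode == SUMMARIZE:
            return [{"type": "summary", self.key: k, "count": n,
                     "interval_start": window_start}
                    for k, n in sorted(per_key.items())]
        if mode == GLOBAL_SUMMARIZE:
            return [{"type": "global-summary", "count": summarized,
                     "interval_start": window_start}]
        return []


def sample_firings(n, spacing=0.5, attacker="192.0.2.7",
                   victims=("10.0.1.10", "10.0.1.11")):
    """Constructed burst: n firings from one attacker, `spacing` seconds
    apart, alternating between two victim addresses on port 80."""
    return [{"time": i * spacing, "attacker": attacker,
             "victim": victims[i % len(victims)], "port": 80} for i in range(n)]


def count_by_type(alerts):
    """How many alerts of each type a run produced."""
    return Counter(a["type"] for a in alerts)


if __name__ == "__main__":
    sig = DynamicSummarizer()   # scenario values: 20 firings / 30 s / 25
    for n in (5, 23, 40):
        print(n, "firings ->", dict(count_by_type(sig.process(sample_firings(n)))))
```

With 40 firings in 20 seconds the Event Store sees 20 individual alerts and one global summary; with 23 it sees 20 individual alerts and one summary per victim. Setting summary_key to "attacker" groups the summaries by source address instead, which is the per-source grouping that Signature Tuning Scenario 2 asks for.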

Using the Custom Signature Wizard Without Specifying a Signature Engine [screen: No; Next]

Selecting the Protocol Type [screen: TCP; Next]

Configuring the TCP Traffic Type [screen: Single TCP Connection; Next]

Configuring the Service Type [screen: OTHER; Next]

Configuring the Signature Identification [screen fields: Signature ID, SubSignature ID, Signature Name, Alert Notes, User Comments; Next]

Configuring the Engine-Specific Parameters [screen fields: Event Action, Regex String, Service Ports, Direction; Next]

Configuring the Alert Response [screen fields: Signature Fidelity Rating, Severity of the Alert; Next]

Configuring the Alert Behavior [screen: Advanced]

Configuring the Event Count and Interval [screen fields: Event Count Key, Event Count, Use Event Interval, Event Interval; Next]

Configuring Alert Summarization [screen: Alert Every Time the Signature Fires; Next]

Configuring Alert Dynamic Response [screen fields: Use Dynamic Summarization, Summary Key, Summary Threshold, Summary Interval (seconds), Specify Global Summary Threshold, Global Summary Threshold; Finish]

Completing the Custom Signature Creation [screen: Finish]

Custom Signature Scenario 3
A network security administrator wants to create a signature that fires when a Nimda attack is occurring. Nimda triggers the following built-in signatures, which are components of a Nimda attack:
–5081: cmd.exe Access
–5124: IIS CGI Decode
–5114: IIS Unicode Attack
–3215: Dot Dot Execute
–3216: Dot Dot Crash
The administrator wants the sensor to generate an alert for the new signature if the component signatures are triggered by the same attacker within a 60-second time frame. To limit the number of alerts that are generated, the administrator wants the sensor to generate alerts only for the new signature and not for the component signatures.

Creating a Custom Signature Without the Signature Wizard [screen: Configuration, Signature Definition, Signature Configuration, Add; Select By; Select Engine]

Creating a Meta Signature [screen fields: Signature ID, SubSignature ID, Signature Name, Alert Severity, Sig Fidelity Rating, Sig Description, Engine, Event Action]

Creating a Meta Signature (Cont.) [screen field: Component List]

Listing the Component Signatures [screen fields: Entry Key, Component Sig ID, Component SubSig ID; Add, OK]

Listing the Component Signatures (Cont.) [screen: Available Entries, Select, Selected Entries; OK]

Configuring the Meta Reset Interval and Meta Key [screen fields: Meta Reset Interval, Meta Key; OK]

Removing Produce Alert from Component Signatures [screen: Configuration, Signature Definition, Signature Configuration; Select By; Enter Sig ID; Actions: Produce Alert]
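As an added Python model of the meta signature built in Custom Signature Scenario 3 (example code for this page; it is not the sensor's META engine and does not come from the slides): component firings are correlated per attacker inside the 60-second Meta Reset Interval, and the component_produce_alert switch shows what the last step, removing Produce Alert from the five component signatures, changes in the alert volume. The custom signature ID 60001, SubSig ID 0 for each component, the sample addresses and timings, and the names MetaSignature, sample_component_firings and meta_alerts are this example's assumptions.

```python
# Component signatures from Scenario 3 as (Sig ID, SubSig ID); the slides give
# only the Sig IDs, so SubSig ID 0 is assumed here
NIMDA_COMPONENTS = [(5081, 0), (5124, 0), (5114, 0), (3215, 0), (3216, 0)]


class MetaSignature:
    """Simplified model of a meta signature.

    Component firings are grouped by the Meta Key (here the attacker
    address). When every component has fired for one key within the Meta
    Reset Interval of that key's first firing, the meta signature fires once
    and the key's state is cleared; a key whose window lapses before the set
    is complete starts over. component_produce_alert=False models the
    scenario's last step, where Produce Alert is removed from the component
    signatures so only the meta alert reaches the Event Store. Modelled
    behaviour, not the sensor's exact implementation.
    """

    def __init__(self, sig_id, components, meta_reset_interval=60,
                 meta_key="attacker", component_produce_alert=False):
        self.sig_id = sig_id
        self.components = set(components)
        self.reset_interval = meta_reset_interval
        self.key = meta_key
        self.component_produce_alert = component_produce_alert

    def process(self, firings):
        """firings: dicts with 'time', 'sig_id', optional 'subsig_id',
        'attacker', 'victim'. Returns the alerts that would be produced."""
        alerts = []
        pending = {}   # meta key value -> {"start": first firing time, "seen": set}
        for ev in sorted(firings, key=lambda e: e["time"]):
            comp = (ev["sig_id"], ev.get("subsig_id", 0))
            if comp not in self.components:
                alerts.append({"type": "alert", **ev})   # not a component; passes through
                continue
            if self.component_produce_alert:
                alerts.append({"type": "alert", **ev})
            k = ev[self.key]
            state = pending.get(k)
            if state is None or ev["time"] - state["start"] > self.reset_interval:
                state = pending[k] = {"start": ev["time"], "seen": set()}
            state["seen"].add(comp)
            if state["seen"] == self.components:
                alerts.append({"type": "meta-alert", "sig_id": self.sig_id,
                               self.key: k, "time": ev["time"],
                               "components": sorted(state["seen"])})
                del pending[k]
        return alerts


def sample_component_firings():
    """Constructed component firings: attacker 192.0.2.7 completes the set in
    40 s, attacker 192.0.2.8 stalls past the 60 s reset interval, plus one
    unrelated firing of signature 6250 (the FTP signature from the tuning
    section) that is not a component."""
    fast, slow, victim = "192.0.2.7", "192.0.2.8", "10.0.1.80"
    sigs = (5081, 5124, 5114, 3215, 3216)
    ev = [{"time": t, "sig_id": s, "attacker": fast, "victim": victim}
          for t, s in zip((0, 10, 20, 30, 40), sigs)]
    ev += [{"time": t, "sig_id": s, "attacker": slow, "victim": victim}
           for t, s in zip((5, 15, 25, 100, 110), sigs)]
    ev.append({"time": 50, "sig_id": 6250, "attacker": slow, "victim": victim})
    return ev


def meta_alerts(alerts):
    """Only the meta signature's own alerts from a run."""
    return [a for a in alerts if a["type"] == "meta-alert"]


if __name__ == "__main__":
    # 60001 is an assumed custom-range signature ID, not one from the slides
    nimda = MetaSignature(60001, NIMDA_COMPONENTS)
    for a in nimda.process(sample_component_firings()):
        print(a)
```

With Produce Alert removed from the components the eleven firings collapse to one meta alert plus the unrelated 6250 alert; leaving Produce Alert on the components adds ten more alerts for the same activity, which is the noise the scenario wants to avoid. Widening meta_reset_interval to 120 lets the slow attacker complete the set as well.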

Summary

Summary
Cisco IPS signatures can be tuned to a company's network security policy or network traffic pattern. Custom signatures can be created to meet a unique security requirement. Custom signatures can be created via the IDM Custom Signature Wizard. The Custom Signature Wizard enables you to create custom signatures with or without using a signature engine.

Summary (Cont.)
Consider the following before creating a signature with the Signature Wizard:
–The network protocol
–The target address
–The target port
–The type of attack
–Whether payload inspection is required
–Whether the signature can be triggered by the contents of a single packet
Be sure to carefully test custom signatures before deploying them.

Lab Exercise

Lab Visual Objective
[Figure: lab topology; labels visible in the diagram: Web, FTP, RBB, sensorP, sensorQ, Student PC 10.0.Q.12, RTS, rP, rQ, prP, prQ, 10.0.P.0]