IPS-8.ppt


Transcript of IPS-8.ppt

  • 8/10/2019 IPS-8.ppt

    1/46

    2005 Cisco Systems, Inc. All rights reserved. IPS v5.08-1

    Configuring Signatures

    2/46

    Parameters Common to All Signature Engines

    3/46

    Common Parameters

    Signature ID
    SubSignature ID
    Signature Name
    Specify Alert Interval
    Alert Severity
    User Comments
    Alert Notes
    Alert Traits
    Release
    Event Count
    Event Count Key
    Sig Fidelity Rating
    Promiscuous Delta
    Sig Description
    Event Counter
    Engine

    4/46

    Common Parameters (Cont.)

    Summary Mode
    Summary Interval
    Summary Key
    Specify Global Summary Threshold
    Enabled
    Retired
    Alert Frequency
    Status

    5/46

    Summary Modes

    You can use the value of the common parameter Summary Mode to control the number of alarms generated by a specific signature. The Summary Mode parameter can have one of the following values:

    Fire Once
    Fire All
    Summarize
    Global Summarize

    6/46

    Threshold Parameters and Automatic Alarm Summarization

    [Diagram: Summary Mode moves between Fire All, Summarize and Global Summarize, governed by the Summary Threshold, Global Summary Threshold and Summary Interval parameters]

    Automatic alert summarization enables a signature to change alert modes automatically based on the number of alerts detected within the Summary Interval parameter.

    7/46

    Signature Tuning

    8/46

    Signature Tuning

    Configuration > Signature Definition > Signature Configuration > Edit

    9/46

    Signature Tuning Scenario 1

    A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts.

    Using the signature search features in the IDM, the network security administrator discovers signature 6250, the FTP Authorization Failure signature.

    After examining the parameters for signature 6250, the administrator decides to tune the signature as follows:

    Change the severity level from informational to high
    Add the Deny Connection Inline action to the default action of Produce Alert

    10/46

    Signature Tuning Scenario 1 (Cont.)

    Alert Severity
    Event Action

    11/46

    Signature Tuning Scenario 2

    You are replacing D-Link devices on your network with Linksys wireless devices, but you still have some old D-Link systems that have not yet been replaced. Until they are replaced, you want to make sure that they are not being attacked. You would like to do the following to protect the D-Link devices and other devices on your network:

    Alert on any attempt to access a D-Link configuration file from any system other than your management system
    Generate a single alert every 5 minutes when the signature is being triggered by a single-source IP address
    Use the Deny Packet Inline action to drop traffic from non-D-Link devices

    You discover that Signature 4611 detects TFTP requests for D-Link configuration files, but it does not meet your requirements to do the following:

    Generate a single alert for a single-source IP every 5 minutes
    Drop the TFTP request before it reaches its target

    12/46

    Signature Tuning Scenario 2 (Cont.)

    Configuration > Signature Definition > Signature Configuration > Edit
    Select By: Sig ID
    Enter Sig ID: 4611
    Find

    13/46

    Signature Tuning Scenario 2 (Cont.)

    Event Action
    Event Counter
    Alert Frequency
    Summary Mode
    Event Count Key
    Alert Interval
    Specify Alert Interval
    OK

    14/46

    Custom Signatures

    15/46

    Creating Custom Signatures

    Creating a custom signature requires detailed knowledge of the attack for which you create it.

    Poorly written signatures can generate false positives and false negatives.

    You should test a custom signature carefully before you deploy it.

    The Signature Wizard in the IDM guides you through the process of creating custom signatures and enables you to create custom signatures in either of the following ways:

    Using a signature engine
    Without using a signature engine

    You can also create custom signatures without using the Signature Wizard.

    16/46

    Custom Signature Scenario 1

    A network security administrator wants to create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the atomic IP engine for the following reasons:

    Atomic signatures can trigger on the contents of a single packet.
    The atomic IP engine allows you to select a Layer 4 protocol.
    You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
    You can use the Destination Port Range parameter to specify the destination port of interest.

    17/46

    Using the Custom Signature Wizard

    Configuration > Signature Definition > Custom Signature Wizard
    Start the Wizard

    18/46

    Specifying a Signature Engine

    Select Engine
    Next

    19/46

    Configuring the Signature Identification Parameters

    Signature ID
    Signature Name
    Next

    20/46

    Configuring the Engine-Specific Parameters

    Specify Layer 4 Protocol
    Layer 4 Protocol
    TCP Flags
    TCP Mask
    Next

    21/46

    Configuring the Engine-Specific Parameters (Cont.)

    Specify Destination Port Range
    Destination Port Range
    Next

    22/46

    Configuring the Alert Response

    Severity of the Alert
    Signature Fidelity Rating
    Next

    23/46

    Configuring the Alert Behavior

    Advanced

    Finish
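As an added illustration (not part of the original slides) of how the TCP Flags and TCP Mask parameters from Custom Signature Scenario 1 combine, the Python below applies an atomic-IP-style match to constructed TCP headers. The header layout, ports and flag values are assumptions for the example; the caveat it shows is that a mask of SYN alone would also match SYN-ACK segments, which is why the mask includes ACK.

```python
import struct

# TCP flag bits (low six bits of the 16-bit data-offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Parameter values as the scenario's atomic IP signature would set them (constructed):
# inspect SYN and ACK, require SYN set and ACK clear, destination port 23 only.
TCP_MASK = SYN | ACK
TCP_FLAGS = SYN
DST_PORT_RANGE = (23, 23)


def parse_tcp(segment: bytes):
    """Return (src_port, dst_port, flags) from the first 14 bytes of a raw TCP header."""
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return src, dst, off_flags & 0x3F


def matches(segment: bytes, mask=TCP_MASK, flags=TCP_FLAGS, port_range=DST_PORT_RANGE) -> bool:
    """Atomic-IP style match: only the flag bits selected by the mask are compared,
    and the destination port must fall inside the configured range."""
    _src, dst, seg_flags = parse_tcp(segment)
    lo, hi = port_range
    return lo <= dst <= hi and (seg_flags & mask) == flags


def make_segment(src: int, dst: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with no options (data offset 5), for testing."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, (5 << 12) | flags, 65535, 0, 0)


if __name__ == "__main__":
    print("SYN to 23:", matches(make_segment(40000, 23, SYN)))              # True
    print("SYN-ACK to 23:", matches(make_segment(40000, 23, SYN | ACK)))    # False
    print("SYN-ACK to 23, mask SYN only:", matches(make_segment(40000, 23, SYN | ACK), mask=SYN))  # True
```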

    24/46

    Custom Signature Scenario 2

    A network security administrator wants to create a signature that can detect and drop traffic containing the word confidential. The administrator wants the signature to fire if the traffic is directed to the following ports:

    FTP: 20 and 21
    Telnet: 23
    SMTP: 25
    HTTP: 80
    POP3: 110

    25/46

    Custom Signature Scenario 2 (Cont.)

    The administrator wants to configure the signature to send alerts to the Event Store as follows:

    Send an alert to the Event Store every time the signature fires.

    If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as follows:

    Send a summary alert for firings of the signature on the same victim address during the interval.

    If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.

    26/46

    Using the Custom Signature Wizard Without Specifying a Signature Engine

    No

    Next

    27/46

    Selecting the Protocol Type

    Next

    TCP

    28/46

    Configuring the TCP Traffic Type

    Single TCP Connection
    Next

    29/46

    Configuring the Service Type

    OTHER

    Next

    30/46

    Configuring the Signature Identification

    Signature ID
    SubSignature ID
    Signature Name
    Alert Notes
    User Comments
    Next

    31/46

    Configuring the Engine-Specific Parameters

    Event Action
    Regex String
    Service Ports
    Direction
    Next

    32/46

    Configuring the Alert Response

    Signature Fidelity Rating
    Severity of the Alert
    Next

    33/46

    Configuring the Alert Behavior

    Advanced

    34/46

    Configuring the Event Count and Interval

    Event Count Key
    Event Count
    Use Event Interval
    Event Interval
    Next

    35/46

    Configuring Alert Summarization

    Alert Every Time the Signature Fires
    Next

    36/46

    Configuring Alert Dynamic Response

    Use Dynamic Summarization
    Summary Key
    Summary Threshold
    Summary Interval (seconds)
    Specify Global Summary Threshold
    Global Summary Threshold
    Finish

    37/46

    Completing the Custom Signature Creation

    Finish
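The alert-mode escalation described under Summary Modes (slides 5 and 6) and configured for Custom Signature Scenario 2 (slide 25) is replayed below in Python as an added example; it is not Cisco code. It assumes the Summary Interval starts at the first firing, that the mode reached by the end of the interval covers every firing in it, and that the Summary Key is the victim address; the firings are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Values from Custom Signature Scenario 2 (slide 25)
SUMMARY_THRESHOLD = 20         # alerts in one interval before switching to Summarize
GLOBAL_SUMMARY_THRESHOLD = 25  # alerts in one interval before Global Summarize
SUMMARY_INTERVAL = 30          # seconds


@dataclass(frozen=True)
class Fire:
    t: float        # seconds since the start of the capture
    attacker: str
    victim: str


def simulate(fires, summary_key=lambda f: f.victim):
    """Replay signature firings and return the alerts the Event Store would receive.

    Simplification (assumption): the interval starts at the first firing, and the
    mode chosen at the end of the interval covers every firing in that interval."""
    alerts, window, start = [], [], None

    def flush():
        n = len(window)
        if n > GLOBAL_SUMMARY_THRESHOLD:        # Global Summarize: one alert for all keys
            alerts.append(("global-summary", "*", n))
        elif n > SUMMARY_THRESHOLD:             # Summarize: one alert per Summary Key
            for key, c in sorted(Counter(map(summary_key, window)).items()):
                alerts.append(("summary", key, c))
        window.clear()

    for f in sorted(fires, key=lambda f: f.t):
        if start is None or f.t - start >= SUMMARY_INTERVAL:
            flush()                             # previous interval is over
            start = f.t
        window.append(f)
        if len(window) <= SUMMARY_THRESHOLD:    # Fire All: one alert per firing
            alerts.append(("alert", f.victim, 1))
    flush()
    return alerts


def constructed_fires(n, attacker="10.0.0.1"):
    """Constructed sample: n firings one second apart, alternating between two victims."""
    victims = ("192.0.2.10", "192.0.2.11")
    return [Fire(float(i), attacker, victims[i % 2]) for i in range(n)]
```

With 22 firings in 30 seconds the output is 20 individual alerts followed by one summary per victim; with 30 firings the per-victim summaries are replaced by a single global summary.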

    38/46

    Custom Signature Scenario 3

    A network security administrator wants to create a signature that fires when a Nimda attack is occurring.

    Nimda triggers the following built-in signatures, which are components of a Nimda attack:

    5081: cmd.exe Access
    5124: IIS CGI Decode
    5114: IIS Unicode Attack
    3215: Dot Dot Execute
    3216: Dot Dot Crash

    The administrator wants the sensor to generate an alert for the new signature if the component signatures are triggered by the same attacker within a 60-second time frame.

    To limit the number of alerts that are generated, the administrator wants the sensor to generate alerts only for the new signature and not for the component signatures.

    39/46

    Creating a Custom Signature Without the Signature Wizard

    Configuration > Signature Definition > Signature Configuration > Add
    Select By
    Select Engine

    40/46

    Creating a Meta Signature

    Signature ID
    SubSignature ID
    Alert Severity
    Sig Fidelity Rating
    Signature Name
    Engine
    Event Action
    Sig Description

    41/46

    Creating a Meta Signature (Cont.)

    Component List

    42/46

    Listing the Component Signatures

    Entry Key
    Component Sig ID
    Component SubSig ID
    Add
    OK

    43/46

    Listing the Component Signatures (Cont.)

    Available Entries
    Select
    Selected Entries
    OK

    44/46

    Configuring the Meta Reset Interval and Meta Key

    Meta Reset Interval
    Meta Key
    OK

    45/46

    Removing Produce Alert from Component Signatures

    Configuration > Signature Definition > Signature Configuration
    Select By
    Enter Sig ID
    Actions
    Produce Alert
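An added example (not from the slides or from Cisco) of the correlation the meta signature in Custom Signature Scenario 3 performs: all five component signatures from the same attacker within the Meta Reset Interval, with the component firings themselves producing no alert because Produce Alert was removed from them. The meta signature ID, the rule that every component is required, and the event data are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Component signatures listed in Custom Signature Scenario 3
COMPONENT_SIGS = {5081, 5124, 5114, 3215, 3216}
META_RESET_INTERVAL = 60     # seconds, from the scenario
META_SIG_ID = 60000          # placeholder ID for the custom meta signature (assumption)


@dataclass(frozen=True)
class Event:
    t: float
    sig_id: int
    attacker: str
    victim: str


def correlate(events, meta_key=lambda e: e.attacker):
    """Replay component-signature firings and return (meta_alerts, suppressed).

    meta_alerts: one (META_SIG_ID, key, time) each time every component fired under the
    same Meta Key within META_RESET_INTERVAL.  suppressed: component firings that produced
    no alert of their own (Produce Alert removed from the component signatures)."""
    state = {}            # meta key -> (window start, set of component IDs seen so far)
    meta_alerts, suppressed = [], 0
    for e in sorted(events, key=lambda e: e.t):
        if e.sig_id not in COMPONENT_SIGS:
            continue
        suppressed += 1
        key = meta_key(e)
        start, seen = state.get(key, (None, set()))
        if start is None or e.t - start > META_RESET_INTERVAL:
            start, seen = e.t, set()          # reset interval elapsed: start over
        seen.add(e.sig_id)
        if seen == COMPONENT_SIGS:            # assumption: all components required
            meta_alerts.append((META_SIG_ID, key, e.t))
            state.pop(key, None)              # fire once, then begin a fresh window
        else:
            state[key] = (start, seen)
    return meta_alerts, suppressed


def constructed_events():
    """Constructed sample: attacker A completes the set in 40 s; attacker B's first
    component ages out before the rest arrive; attacker C triggers only three."""
    sigs = [5081, 5124, 5114, 3215, 3216]
    a = [Event(10.0 * i, s, "198.51.100.7", "192.0.2.80") for i, s in enumerate(sigs)]
    b = [Event(0.0, 5081, "198.51.100.9", "192.0.2.80")] + \
        [Event(70.0 + 5 * i, s, "198.51.100.9", "192.0.2.80") for i, s in enumerate(sigs[1:])]
    c = [Event(5.0 * i, s, "198.51.100.11", "192.0.2.80") for i, s in enumerate(sigs[:3])]
    return a + b + c
```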
