IPS-8.ppt
Transcript of IPS-8.ppt
8/10/2019 IPS-8.ppt
1/46
2005 Cisco Systems, Inc. All rights reserved. IPS v5.08-1
Configuring Signatures

Parameters Common to All Signature Engines

Common Parameters
Signature ID
Signature Name
SubSignature ID
Specify Alert Interval
Alert Severity
User Comments
Alert Notes
Alert Traits
Release Event Count
Event Count Key
Sig Fidelity Rating
Promiscuous Delta
Sig Description
Event Counter
Engine

Common Parameters (Cont.)
Summary Mode
Summary Interval
Summary Key
Specify Global Summary Threshold
Enabled
Retired
Alert Frequency
Status

Summary Modes
You can use the value of the common parameter Summary Mode to control the number of alarms generated by a specific signature. The Summary Mode parameter can have one of the following values:
Fire once
Fire all
Summarize
Global summarize

Threshold Parameters and Automatic Alarm Summarization
[Diagram: Summary Mode escalation, labelled Fire All, Summarize, Global Summarize, Summary Threshold, Global Summary Threshold and Summary Interval]
Automatic alert summarization enables a signature to change alert modes automatically based on the number of alerts detected within the Summary Interval parameter.

Signature Tuning

Signature Tuning
[Screenshot: IDM, Configuration > Signature Definition > Signature Configuration, then Edit]

Signature Tuning Scenario 1
A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts.
Using the signature search features in the IDM, the network security administrator discovers signature 6250, the FTP Authorization Failure signature.
After examining the parameters for signature 6250, the administrator decides to tune the signature as follows:
Change the severity level from informational to high
Add the Deny Connection Inline action to the default action of Produce Alert

Signature Tuning Scenario 1 (Cont.)
[Screenshot: Edit Signature dialog, Alert Severity and Event Action fields]

Signature Tuning Scenario 2
You are replacing D-Link devices on your network with Linksys wireless devices, but you still have some old D-Link systems that have not yet been replaced. Until they are replaced, you want to make sure that they are not being attacked. You would like to do the following to protect the D-Link devices and other devices on your network:
Alert on any attempt to access a D-Link configuration file from any system other than your management system
Generate a single alert every 5 minutes when the signature is being triggered by a single-source IP address
Use the Deny Packet Inline action to drop traffic from non-D-Link devices
You discover that Signature 4611 detects TFTP requests for D-Link configuration files, but it does not meet your requirements to do the following:
Generate a single alert for a single-source IP every 5 minutes
Drop the TFTP request before it reaches its target

Signature Tuning Scenario 2 (Cont.)
[Screenshot: IDM, Configuration > Signature Definition > Signature Configuration; Select By: Sig ID, Enter Sig ID: 4611, Find, Edit]

Signature Tuning Scenario 2 (Cont.)
[Screenshot: Edit Signature dialog; Event Action, Event Counter, Event Count Key, Specify Alert Interval, Alert Interval, Alert Frequency, Summary Mode, OK]

Custom Signatures

Creating Custom Signatures
Creating a custom signature requires detailed knowledge of the attack for which you create it.
Poorly written signatures can generate false positives and false negatives.
You should test a custom signature carefully before you deploy it.
The Signature Wizard in the IDM guides you through the process of creating custom signatures and enables you to create custom signatures in either of the following ways:
Using a signature engine
Without using a signature engine
You can also create custom signatures without using the Signature Wizard.

Custom Signature Scenario 1
A network security administrator wants to create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the atomic IP engine for the following reasons:
Atomic signatures can trigger on the contents of a single packet.
The atomic IP engine allows you to select a Layer 4 protocol.
You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
You can use the Destination Port Range parameter to specify the destination port of interest.
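The following is an added example, not code from the course or from the sensor, showing how the TCP Flags, TCP Mask and Destination Port Range parameters of Scenario 1 combine to match a single packet; the class and field names and the sample packets are assumptions.

```python
# Added example, not code from the Cisco course: models how an atomic IP engine
# style signature matches one packet with TCP Flags / TCP Mask and a destination
# port range (Custom Signature Scenario 1). Class and field names are assumptions.
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass(frozen=True)
class Packet:
    proto: str       # Layer 4 protocol of the packet
    flags: int       # TCP flag bits set in the header
    dst_port: int

@dataclass(frozen=True)
class AtomicTcpSig:
    sig_id: int
    tcp_flags: int   # flag bits that must be set (compared within the mask)
    tcp_mask: int    # flag bits the sensor examines; bits outside it are ignored
    port_lo: int     # Destination Port Range
    port_hi: int

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if not self.port_lo <= pkt.dst_port <= self.port_hi:
            return False
        return (pkt.flags & self.tcp_mask) == self.tcp_flags

# Scenario 1: SYN packets to port 23. Masking both SYN and ACK while requiring only
# SYN keeps the server's SYN/ACK reply from matching. Sig ID 60000 is assumed.
TELNET_SYN = AtomicTcpSig(60000, tcp_flags=SYN, tcp_mask=SYN | ACK,
                          port_lo=23, port_hi=23)

SAMPLE = [  # constructed packets
    Packet("tcp", SYN, 23),        # telnet connection request: match
    Packet("tcp", SYN | ACK, 23),  # reply from the server: no match
    Packet("tcp", SYN, 22),        # outside the port range
    Packet("udp", 0, 23),          # wrong Layer 4 protocol
    Packet("tcp", SYN | PSH, 23),  # PSH is outside the mask, so still a match
]

def classify(pkts, sig=TELNET_SYN):
    return [sig.matches(p) for p in pkts]

if __name__ == "__main__":
    for p, hit in zip(SAMPLE, classify(SAMPLE)):
        print("MATCH" if hit else "  -  ", p)
```

Leaving ACK out of the mask would make the SYN/ACK reply match too, doubling the alert volume for every legitimate telnet handshake.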

Using the Custom Signature Wizard
[Screenshot: IDM, Configuration > Signature Definition > Custom Signature Wizard; Start the Wizard]

Specifying a Signature Engine
[Screenshot: wizard page; Select Engine, Next]

Configuring the Signature Identification Parameters
[Screenshot: wizard page; Signature ID, Signature Name, Next]

Configuring the Engine-Specific Parameters
[Screenshot: wizard page; Specify Layer 4 Protocol, Layer 4 Protocol, TCP Flags, TCP Mask, Next]

Configuring the Engine-Specific Parameters (Cont.)
[Screenshot: wizard page; Specify Destination Port Range, Destination Port Range, Next]

Configuring the Alert Response
[Screenshot: wizard page; Severity of the Alert, Signature Fidelity Rating, Next]

Configuring the Alert Behavior
[Screenshot: wizard page; Advanced, Finish]

Custom Signature Scenario 2
A network security administrator wants to create a signature that can detect and drop traffic containing the word confidential. The administrator wants the signature to fire if the traffic is directed to the following ports:
FTP: 20 and 21
Telnet: 23
SMTP: 25
HTTP: 80
POP3: 110

Custom Signature Scenario 2 (Cont.)
The administrator wants to configure the signature to send alerts to the Event Store as follows:
Send an alert to the Event Store every time the signature fires.
If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as follows:
Send a summary alert for firings of the signature on the same victim address during the interval.
If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.
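The following is an added example, not code from the course or from the sensor, that models the automatic alarm summarization described on the Threshold Parameters slide with the numbers from this scenario (Fire All, then Summarize per victim above 20 firings in a 30-second interval, then Global Summarize above 25); the class, its method names and the firing stream are assumptions.

```python
# Added example, not code from the Cisco course: a model of the Alert Dynamic
# Response settings in Custom Signature Scenario 2 (Fire All, then Summarize per
# victim above 20 firings in 30 s, then Global Summarize above 25). The mode
# names and thresholds are from the slides; the class, its method names and the
# firing stream are assumptions.
from collections import Counter

class DynamicSummarizer:
    def __init__(self, summary_interval, summary_threshold, global_threshold):
        self.interval, self.threshold = summary_interval, summary_threshold
        self.global_threshold = global_threshold
        self.start, self.mode, self.count = None, "fire-all", 0
        self.per_victim = Counter()   # Summary Key = victim address

    def _close_interval(self):
        # Summary alerts are emitted once, when the Summary Interval ends.
        if self.mode == "summarize":
            return [("summary", v, n) for v, n in sorted(self.per_victim.items())]
        if self.mode == "global-summarize":
            return [("global-summary", "*", self.count)]
        return []

    def fire(self, ts, attacker, victim):
        out = []
        if self.start is None or ts - self.start >= self.interval:
            out += self._close_interval()          # new interval: back to Fire All
            self.start, self.mode, self.count = ts, "fire-all", 0
            self.per_victim.clear()
        self.count += 1
        self.per_victim[victim] += 1
        if self.count > self.global_threshold:      # escalate on the alert rate
            self.mode = "global-summarize"
        elif self.count > self.threshold:
            self.mode = "summarize"
        if self.mode == "fire-all":                 # alert every time it fires
            out.append(("alert", attacker, victim))
        return out

    def flush(self):
        out, self.start, self.mode = self._close_interval(), None, "fire-all"
        return out

def simulate(stream, interval=30, threshold=20, global_threshold=25):
    s, out = DynamicSummarizer(interval, threshold, global_threshold), []
    for ts, attacker, victim in stream:    # stream: (seconds, attacker, victim)
        out += s.fire(ts, attacker, victim)
    return out + s.flush()

# Constructed firings: 27 inside one 30 s interval, then one after it has ended.
BURST = [(i, f"10.0.0.{i % 3}", "192.0.2.10") for i in range(27)] + [(35, "10.0.0.9", "192.0.2.10")]
```

Running simulate(BURST) yields 20 individual alerts, one global summary reporting 27 firings when the interval closes, and a fresh individual alert for the firing at 35 seconds.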

Using the Custom Signature Wizard Without Specifying a Signature Engine
[Screenshot: wizard page; No, Next]

Selecting the Protocol Type
[Screenshot: wizard page; TCP, Next]

Configuring the TCP Traffic Type
[Screenshot: wizard page; Single TCP Connection, Next]

Configuring the Service Type
[Screenshot: wizard page; OTHER, Next]

Configuring the Signature Identification
[Screenshot: wizard page; Signature ID, SubSignature ID, Signature Name, Alert Notes, User Comments, Next]

Configuring the Engine-Specific Parameters
[Screenshot: wizard page; Event Action, Regex String, Service Ports, Direction, Next]

Configuring the Alert Response
[Screenshot: wizard page; Signature Fidelity Rating, Severity of the Alert, Next]

Configuring the Alert Behavior
[Screenshot: wizard page; Advanced]

Configuring the Event Count and Interval
[Screenshot: wizard page; Event Count Key, Event Count, Use Event Interval, Event Interval, Next]

Configuring Alert Summarization
[Screenshot: wizard page; Alert Every Time the Signature Fires, Next]

Configuring Alert Dynamic Response
[Screenshot: wizard page; Use Dynamic Summarization, Summary Key, Summary Threshold, Summary Interval (seconds), Specify Global Summary Threshold, Global Summary Threshold, Finish]

Completing the Custom Signature Creation
[Screenshot: wizard summary page; Finish]

Custom Signature Scenario 3
A network security administrator wants to create a signature that fires when a Nimda attack is occurring.
Nimda triggers the following built-in signatures, which are components of a Nimda attack:
5081: cmd.exe Access
5124: IIS CGI Decode
5114: IIS Unicode Attack
3215: Dot Dot Execute
3216: Dot Dot Crash
The administrator wants the sensor to generate an alert for the new signature if the component signatures are triggered by the same attacker within a 60-second time frame.
To limit the number of alerts that are generated, the administrator wants the sensor to generate alerts only for the new signature and not for the component signatures.
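The following is an added example, not code from the course or from the sensor, that models the meta signature of Scenario 3: the five component signatures correlated on the attacker address (Meta Key) within a 60-second window (Meta Reset Interval), with component alerts suppressed so only the meta signature alerts. The class, the meta Sig ID 60001, the addresses and the interpretation of the reset interval as a window starting at the first component seen are assumptions.

```python
# Added example, not code from the Cisco course: a model of the meta signature in
# Custom Signature Scenario 3. Component IDs and the 60 s window are from the
# slide; the class, the meta Sig ID 60001, the attacker addresses and the
# modelling of Meta Reset Interval as a window starting at the first component
# seen for a Meta Key are assumptions.
COMPONENTS = {5081, 5124, 5114, 3215, 3216}   # Nimda component signatures

class MetaSignature:
    def __init__(self, sig_id, components, reset_interval, meta_key="attacker"):
        self.sig_id, self.components = sig_id, frozenset(components)
        self.reset_interval, self.meta_key = reset_interval, meta_key
        self.state = {}   # meta key value -> (first_seen_ts, set of component IDs)

    def observe(self, ts, sig_id, attacker, victim):
        """Return a meta alert once every component has fired for one key."""
        if sig_id not in self.components:
            return None
        key = attacker if self.meta_key == "attacker" else victim
        first, seen = self.state.get(key, (ts, set()))
        if ts - first > self.reset_interval:     # Meta Reset Interval expired
            first, seen = ts, set()
        seen = seen | {sig_id}
        self.state[key] = (first, seen)
        if seen == self.components:
            del self.state[key]                   # start fresh for the next attack
            return ("meta", self.sig_id, key)
        return None

def run(events, component_produce_alert=False):
    """events: (seconds, component sig ID, attacker, victim). With Produce Alert
    removed from the components (the default), only the meta signature alerts."""
    meta, alerts = MetaSignature(60001, COMPONENTS, 60), []
    for ts, sid, attacker, victim in sorted(events):
        if component_produce_alert:
            alerts.append(("component", sid, attacker))
        hit = meta.observe(ts, sid, attacker, victim)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed events: 198.51.100.7 triggers all five within 60 s; 198.51.100.8
# triggers three, then the last two only after the reset interval has passed.
EVENTS = [(0, 5081, "198.51.100.7", "192.0.2.80"), (5, 5124, "198.51.100.7", "192.0.2.80"),
          (10, 5114, "198.51.100.7", "192.0.2.80"), (20, 3215, "198.51.100.7", "192.0.2.80"),
          (40, 3216, "198.51.100.7", "192.0.2.80"),
          (0, 5081, "198.51.100.8", "192.0.2.80"), (15, 5124, "198.51.100.8", "192.0.2.80"),
          (30, 5114, "198.51.100.8", "192.0.2.80"), (70, 3215, "198.51.100.8", "192.0.2.80"),
          (80, 3216, "198.51.100.8", "192.0.2.80")]
```

With Produce Alert left on the components, the same ten events would add ten component alerts to the one meta alert, which is the volume the administrator wants to avoid.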

Creating a Custom Signature Without the Signature Wizard
[Screenshot: IDM, Configuration > Signature Definition > Signature Configuration; Select By, Add, Select Engine]

Creating a Meta Signature
[Screenshot: Add Signature dialog; Signature ID, SubSignature ID, Alert Severity, Sig Fidelity Rating, Signature Name, Sig Description, Engine, Event Action]

Creating a Meta Signature (Cont.)
[Screenshot: Add Signature dialog; Component List]

Listing the Component Signatures
[Screenshot: component entry dialog; Entry Key, Component Sig ID, Component SubSig ID, Add, OK]

Listing the Component Signatures (Cont.)
[Screenshot: component list dialog; Available Entries, Select, Selected Entries, OK]

Configuring the Meta Reset Interval and Meta Key
[Screenshot: Add Signature dialog; Meta Reset Interval, Meta Key, OK]

Removing Produce Alert from Component Signatures
[Screenshot: IDM, Configuration > Signature Definition > Signature Configuration; Select By, Enter Sig ID, Actions, Produce Alert]