Signature Actions

Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap Aggressive Actions Deny Packet Inline (Single) Deny Connection Inline (udp/t Deny Attacker Inline (S/IP) Deny Attacker-Victim pair Inl (S/IP & D/IP) Deny Attacker-service pair In (S/IP to D/Port) Reset TCP Connection Request Block Connection Request Block Host Request rate Limit Modify Packet Inline Risk Rating Potent ial Damage Target Asset value Signatu re Accurac y Attack Relevan cy Clues from Others ASR TVR SFR/PD ARR/OS WLR (CSA) ASR = Attack Severity rating Info (25) Low (50) Med (75) High (100) TVR = Target Value rating Zero (50) Low (75) Med (100) High (150) Critical (200) SFR = Signature Fidelity rating (0- 100) PD = Promiscuous delta (0-30) minus value ARR = Attack Relevancy Rating Relevant (10) unknown (0) Not relevant (-10) WLR = watch List rating (0-100) RR= (ASR*TVR*SFR/10000) +ARR –PD +WLR ignature Parameters Event Action Overides Based on RR category Add actions Event Action Filters Based on RR category & others Delete actions Common Signature Parameters Signature ID SubSig ID Alert Severity (H,M,L,I) Sig Fidelity (0-100) Promis delta (0-30) Sig Name TO FIRE THE SIG Event Count Event count Key AaBb Interval TO GENERATE ALERT Summary Mode Summary Key AaBb Summary Threshold Global Summary Threshold Summary Interval Enabled/Retired Specific Signature Parameters Atomic IP Engine Parameters IP Addr Options IP Payload length TCP Mask urg,ack,psh,rst,syn,fi n TCP flags urg,ack,psh,rst,syn,fi n

Upload
irene-manning
Category

Documents
view
10
download
0

Embed Size (px):

description

Signature Parameters. Signature Actions. TVR. Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap. Common Signature Parameters Signature ID SubSig ID Alert Severity (H,M,L,I) Sig Fidelity (0-100) - PowerPoint PPT Presentation

Transcript of Signature Actions

Signature Actions

Non Aggressive ActionsProduce AlertProduce Verbose AlertLog Attacker PacketsLog Victim PacketsLog pair PacketsRequest SNMP trap

Aggressive ActionsDeny Packet Inline (Single)Deny Connection Inline (udp/tcp)Deny Attacker Inline (S/IP)Deny Attacker-Victim pair Inline

(S/IP & D/IP)Deny Attacker-service pair Inline

(S/IP to D/Port)Reset TCP Connection Request Block ConnectionRequest Block HostRequest rate LimitModify Packet Inline

Risk Rating

PotentialDamage

Target Asset value

SignatureAccuracy

AttackRelevancy

Clues fromOthers

ASRTVR

SFR/PD

ARR/OSWLR (CSA)

ASR = Attack Severity rating Info (25) Low (50) Med (75) High (100)TVR = Target Value rating Zero (50) Low (75) Med (100) High (150) Critical (200)SFR = Signature Fidelity rating (0-100)PD = Promiscuous delta (0-30) minus valueARR = Attack Relevancy Rating Relevant (10) unknown (0) Not relevant (-10)WLR = watch List rating (0-100)

RR= (ASR*TVR*SFR/10000) +ARR –PD +WLR

Signature Parameters

Event Action OveridesBased on RR categoryAdd actions

Event Action FiltersBased on RR category & othersDelete actions

Common Signature ParametersSignature IDSubSig IDAlert Severity (H,M,L,I)Sig Fidelity (0-100)Promis delta (0-30)Sig NameTO FIRE THE SIG Event Count Event count Key AaBb IntervalTO GENERATE ALERT Summary Mode Summary Key AaBb Summary Threshold Global Summary Threshold Summary Interval Enabled/Retired

Specific Signature ParametersAtomic IP Engine ParametersIP Addr OptionsIP Payload lengthTCP Mask urg,ack,psh,rst,syn,finTCP flags urg,ack,psh,rst,syn,fin