Signature Actions
Uploaded by irene-manning (category: Documents)
Transcript of Signature Actions
Signature Actions
Non-aggressive actions
- Produce Alert
- Produce Verbose Alert
- Log Attacker Packets
- Log Victim Packets
- Log Pair Packets
- Request SNMP Trap

Aggressive actions
- Deny Packet Inline (the single matching packet)
- Deny Connection Inline (the UDP/TCP connection)
- Deny Attacker Inline (source IP)
- Deny Attacker-Victim Pair Inline (source IP and destination IP)
- Deny Attacker-Service Pair Inline (source IP to destination port)
- Reset TCP Connection
- Request Block Connection
- Request Block Host
- Request Rate Limit
- Modify Packet Inline
Risk Rating

Inputs to the Risk Rating (figure):
  Potential damage     -> ASR (Attack Severity Rating)
  Target asset value   -> TVR (Target Value Rating)
  Signature accuracy   -> SFR (Signature Fidelity Rating) and PD (Promiscuous Delta)
  Attack relevancy     -> ARR (Attack Relevancy Rating, from OS identification)
  Clues from others    -> WLR (Watch List Rating, from CSA)
ASR = Attack Severity Rating: Informational (25), Low (50), Medium (75), High (100)
TVR = Target Value Rating: Zero (50), Low (75), Medium (100), High (150), Critical (200)
SFR = Signature Fidelity Rating (0-100)
PD  = Promiscuous Delta (0-30), subtracted from the rating when the sensor runs in promiscuous mode
ARR = Attack Relevancy Rating: Relevant (+10), Unknown (0), Not Relevant (-10)
WLR = Watch List Rating (0-100)

RR = (ASR * TVR * SFR / 10000) + ARR - PD + WLR

The sensor reports the result as an integer in the range 0-100; a product larger than 100 is capped.
Signature Parameters
Event Action Overrides: based on the RR range an event falls into, add actions to those the signature already carries.
Event Action Filters: based on the RR range and other criteria (signature, attacker and victim addresses), delete actions from the resulting set.
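The rating formula and the override/filter processing above, as an added worked example in Python (this is not code from the slides or from the Cisco sensor). Only the rating tables and the formula come from the slides; the override ranges, the filter, signature ID 2004 and the addresses are constructed for illustration, and fractions are truncated because the slides do not say how they are handled.

```python
# Added example, not code from the original slides: compute the Risk Rating
# from its components, then apply event action overrides (add actions by RR
# range) and event action filters (remove actions when the filter matches).
# Override ranges, the filter, signature ID 2004 and the addresses are
# constructed for illustration.

ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def risk_rating(severity, target_value, sfr, relevancy="unknown", pd=0,
                wlr=0, promiscuous=False):
    """RR = (ASR * TVR * SFR / 10000) + ARR - PD + WLR.

    PD is only subtracted when the sensor runs in promiscuous mode. The
    result is truncated to an integer (assumption) and clamped to the
    0-100 range the sensor reports."""
    if not (0 <= sfr <= 100 and 0 <= pd <= 30 and 0 <= wlr <= 100):
        raise ValueError("component out of range")
    rr = ASR[severity] * TVR[target_value] * sfr / 10000
    rr += ARR[relevancy] - (pd if promiscuous else 0) + wlr
    return max(0, min(100, int(rr)))


# Event action overrides: (action, low RR, high RR). Constructed policy:
# deny traffic inline only for high-impact, high-confidence events.
OVERRIDES = [
    ("produce-verbose-alert", 70, 100),
    ("deny-packet-inline", 90, 100),
    ("deny-attacker-inline", 95, 100),
]

# Event action filters: remove actions when signature, attacker address and
# RR range all match. Constructed: our own scanner must never be denied.
FILTERS = [
    {"sig_id": 2004, "attacker": "10.1.1.50", "rr": (0, 100),
     "remove": {"deny-packet-inline", "deny-attacker-inline"}},
]


def final_actions(sig_id, base_actions, rr, attacker):
    """Overrides are applied first (they add), filters last (they subtract)."""
    actions = set(base_actions)
    for action, lo, hi in OVERRIDES:
        if lo <= rr <= hi:
            actions.add(action)
    for f in FILTERS:
        if (f["sig_id"] == sig_id and f["attacker"] in ("*", attacker)
                and f["rr"][0] <= rr <= f["rr"][1]):
            actions -= f["remove"]
    return actions


if __name__ == "__main__":
    rr = risk_rating("high", "critical", 90, relevancy="relevant")
    print("RR =", rr)  # 100*200*90/10000 = 180 + 10, capped to 100
    print(sorted(final_actions(2004, {"produce-alert"}, rr, "10.1.1.50")))
    print(sorted(final_actions(2004, {"produce-alert"}, rr, "203.0.113.9")))
```

The order matters: a filter that removes deny-attacker-inline for the scanner only works because overrides have already added it; reversing the order would let the override re-add what the filter removed.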
Common signature parameters
- Signature ID
- SubSig ID
- Alert Severity (High, Medium, Low, Informational)
- Signature Fidelity (0-100)
- Promiscuous Delta (0-30)
- Signature Name
- To fire the signature: Event Count, Event Count Key (e.g. AaBb), Interval
- To generate an alert: Summary Mode, Summary Key (e.g. AaBb), Summary Threshold, Global Summary Threshold, Summary Interval
- Enabled / Retired

Specific signature parameters (example: Atomic IP engine)
- IP Address Options
- IP Payload Length
- TCP Mask (urg, ack, psh, rst, syn, fin): which flag bits are compared
- TCP Flags (urg, ack, psh, rst, syn, fin): the values the masked bits must have
Summary Key
  Format: four positions (template XXXX), e.g. AaBb; an x in a position means that field is ignored
  Aa = attacker, Bb = victim
  Uppercase = IP address, lowercase = port
Summary mode example (figure)
  Criteria: Sig ID = 60000, Summary Mode = Fire All, Summary Threshold = 150,
  Global Summary Threshold = 300, Summary Interval = 60 s

  Traffic 1: 100 matches in 60 s -> 100 alerts
  Traffic 2: 160 matches in 60 s -> 150 alerts, then one summary alert generated at 60 s
  Traffic 3: 320 matches in 60 s -> 150 alerts, then one global summary alert generated at 60 s
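The summary key and the summary-mode figure above, as an added simulation in Python (not code from the slides or from the sensor). The event stream is constructed, and the rules are a reading of the figure: once a key exceeds the summary threshold within the interval its further matches are folded into one summary alert, and once the interval total exceeds the global summary threshold everything is folded into one global summary alert. The exact sensor implementation may differ.

```python
# Added example, not code from the original slides: a simplified model of
# alert summarization for one signature with Summary Mode = Fire All,
# Summary Threshold 150, Global Summary Threshold 300, Summary Interval 60 s
# and Summary Key AaBb. The traffic is constructed; the rules are an
# interpretation of the figure, not the sensor's exact algorithm.
from collections import Counter, defaultdict


def summary_key(event, key_spec="AaBb"):
    """Build the key the sensor counts on. A/a = attacker IP/port,
    B/b = victim IP/port, x = ignore that position."""
    fields = {"A": event["src_ip"], "a": event["src_port"],
              "B": event["dst_ip"], "b": event["dst_port"]}
    return tuple(fields[c] if c != "x" else "*" for c in key_spec)


def summarize(events, threshold=150, global_threshold=300, interval=60,
              key_spec="AaBb"):
    """Return, per summary interval, how many individual alerts fired and
    how many summary / global summary alerts are generated at its end."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["t"] // interval].append(e)
    results = []
    for b in sorted(buckets):
        fired, total = 0, 0
        per_key, summarized, global_mode = Counter(), set(), False
        for e in sorted(buckets[b], key=lambda e: e["t"]):
            total += 1
            k = summary_key(e, key_spec)
            per_key[k] += 1
            if global_mode:
                continue                  # counted into the global summary
            if total > global_threshold:
                global_mode = True        # switch to one global summary
                continue
            if k in summarized:
                continue                  # counted into this key's summary
            if per_key[k] > threshold:
                summarized.add(k)         # this key switches to summary mode
                continue
            fired += 1                    # Fire All: one alert per match
        results.append({
            "interval_start": b * interval,
            "matches": total,
            "individual_alerts": fired,
            "summary_alerts": 0 if global_mode else len(summarized),
            "global_summary_alerts": int(global_mode),
        })
    return results


def make_flow(n, t0=0, src_ip="203.0.113.9", src_port=40000,
              dst_ip="192.0.2.10", dst_port=80):
    """Constructed traffic: n matches of one attacker/victim pair spread
    evenly over one 60-second interval."""
    return [{"t": t0 + i * 60 // max(n, 1), "src_ip": src_ip,
             "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}
            for i in range(n)]


if __name__ == "__main__":
    for n in (100, 160, 320):
        print(n, summarize(make_flow(n)))
```

Changing the key changes the count: with AaBb, 100 matches to port 80 and 100 to port 443 from the same attacker are two keys of 100 each and fire 200 alerts, while with Axxx they are one key of 200 and the sensor stops at 150 plus one summary.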
TCP header example (figure)
  Flag bits shown: U A S F (URG, ACK, SYN, FIN)
  TCP Mask  = ASF  (compare only the ACK, SYN and FIN bits)
  TCP Flags = SF   (SYN = 1 and FIN = 1; ACK, being in the mask but not in the flags, must be 0)
  The signature therefore matches a SYN/FIN packet whether or not URG is set, and does not match a SYN/FIN/ACK packet.
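How the TCP Mask / TCP Flags pair of the Atomic IP engine is evaluated, as an added Python example (not code from the slides or from the sensor). It uses the figure's values (mask = ACK SYN FIN, flags = SYN FIN); the header builder and the sample packets are constructed for the demonstration.

```python
# Added example, not code from the original slides: evaluate an Atomic IP
# signature's TCP Mask / TCP Flags pair against raw TCP headers. Header
# construction and the sample packets are constructed for the demonstration.
import struct

# Flag bits in the low byte of the TCP data-offset/flags word (RFC 793).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def bits(names):
    """Combine flag names such as ("syn", "fin") into one bit pattern."""
    return sum(FLAG_BITS[n.lower()] for n in names)


def tcp_flags(header: bytes) -> int:
    """Extract the six classic flag bits from a raw 20-byte-or-longer TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", header[12:14])[0] & 0x3F


def atomic_tcp_match(header: bytes, tcp_mask, tcp_flags_wanted) -> bool:
    """Atomic IP engine semantics: only the bits named in tcp_mask are
    compared, and those must equal the bits named in tcp_flags. Any flag
    outside the mask is don't-care. A flag required but not masked can
    never be evaluated, so that is rejected as a signature error."""
    mask, wanted = bits(tcp_mask), bits(tcp_flags_wanted)
    if wanted & ~mask:
        raise ValueError("tcp_flags names a bit that tcp_mask does not compare")
    return (tcp_flags(header) & mask) == wanted


def build_tcp_header(sport, dport, flag_names):
    """Constructed minimal 20-byte TCP header (data offset 5) with the
    given flags set; sequence numbers, checksum and window are dummies."""
    data_offset_and_flags = (5 << 12) | bits(flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       data_offset_and_flags, 65535, 0, 0)


# The figure's signature: compare ACK, SYN, FIN; require SYN and FIN set.
SYN_FIN_MASK = ("ack", "syn", "fin")
SYN_FIN_FLAGS = ("syn", "fin")

if __name__ == "__main__":
    for flags in [("syn", "fin"), ("syn", "fin", "urg"),
                  ("syn", "fin", "ack"), ("syn",)]:
        hdr = build_tcp_header(40000, 80, flags)
        print(flags, atomic_tcp_match(hdr, SYN_FIN_MASK, SYN_FIN_FLAGS))
```

Leaving ACK out of the mask would widen the signature to SYN/FIN/ACK packets as well; putting ACK in the mask but not in the flags is what pins it to zero.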
False positive = the signature is too sensitive: make the match more specific (match ../cmd.exe rather than ../).
False negative = the signature is not sensitive enough: make the match less specific (match ../ rather than ../fred.txt/home/).