
Configuring Signatures

2005 Cisco Systems, Inc. All rights reserved.

IPS v5.08-1

Parameters Common to All Signature Engines

Common Parameters
[Screenshot callouts: Signature ID, SubSignature ID, Alert Severity, Sig Fidelity Rating, Sig Description, Signature Name, Alert Notes, Promiscuous Delta, Engine, Event Counter, Event Count, User Comments, Alert Traits, Release, Event Count Key, Specify Alert Interval]

Common Parameters (Cont.)
[Screenshot callouts: Alert Frequency, Summary Mode, Summary Interval, Status (Enabled, Retired), Summary Key, Specify Global Summary Threshold]

Summary Modes
You can use the value of the common parameter Summary Mode to control the number of alarms generated by a specific signature. The Summary Mode parameter can have one of the following values:
Fire once
Fire all
Summarize
Global summarize


Threshold Parameters and Automatic Alarm Summarization
Automatic alert summarization enables a signature to change alert modes automatically based on the number of alerts detected within the Summary Interval parameter.
[Slide diagram labels: Summary Interval, Summary Mode, Summary Threshold, FireAll, Summarize, Global Summary Threshold, Global Summarize]

Signature Tuning


Signature Tuning
[IDM screenshot callouts: Configuration, Signature Definition, Signature Configuration, Edit]

Signature Tuning Scenario 1
A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts. Using the signature search features in the IDM, the network security administrator discovers signature 6250, the FTP Authorization Failure signature.
After examining the parameters for signature 6250, the administrator decides to tune the signature as follows:
Change the severity level from informational to high
Add the Deny Connection Inline action to the default action of Produce Alert

Signature Tuning Scenario 1 (Cont.)
[Screenshot callouts: Alert Severity, Event Action]

Signature Tuning Scenario 2
You are replacing D-Link devices on your network with Linksys wireless devices, but you still have some old D-Link systems that have not yet been replaced. Until they are replaced, you want to make sure that they are not being attacked. You would like to do the following to protect the D-Link devices and other devices on your network:
Alert on any attempt to access a D-Link configuration file from any system other than your management system
Generate a single alert every 5 minutes when the signature is being triggered by a single source IP address
Use the Deny Packet Inline action to drop traffic from non-D-Link devices
You discover that Signature 4611 detects TFTP requests for D-Link configuration files, but it does not meet your requirements to do the following:
Generate a single alert for a single source IP every 5 minutes
Drop the TFTP request before it reaches its target

Signature Tuning Scenario 2 (Cont.)
[IDM screenshot callouts: Configuration, Signature Definition, Signature Configuration, Select By: Sig ID, Enter Sig ID: 4611, Find, Edit]

Signature Tuning Scenario 2 (Cont.)
[Screenshot callouts: Event Action, Event Counter, Event Count Key, Specify Alert Interval, Alert Interval, Alert Frequency, Summary Mode, OK]

Custom Signatures


Creating Custom Signatures
Creating a custom signature requires detailed knowledge of the attack for which you create it.
Poorly written signatures can generate false positives and false negatives.
You should test a custom signature carefully before you deploy it.
The Signature Wizard in the IDM guides you through the process of creating custom signatures and enables you to create custom signatures in either of the following ways:
Using a signature engine
Without using a signature engine
You can also create custom signatures without using the Signature Wizard.

Custom Signature Scenario 1
A network security administrator wants to create a custom signature that is triggered by SYN packets destined for port 23. The administrator decides to use the atomic IP engine for the following reasons:
Atomic signatures can trigger on the contents of a single packet.
The atomic IP engine allows you to select a Layer 4 protocol.
You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
You can use the Destination Port Range parameter to specify the destination port of interest.
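As an added illustration (not part of the Cisco course material), the following Python models how the atomic IP engine's TCP Flags and TCP Mask parameters combine with the Destination Port Range check for this scenario: the mask selects which flag bits are examined, and those bits must equal the flags value. The packet builder, the flag constants and the choice to mask ACK as well as SYN (so a Telnet server's SYN-ACK reply does not fire the signature) are assumptions made here.

```python
import struct

# TCP flag bits (low six bits of the 16-bit data-offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(packet):
    """Decode an IPv4+TCP packet (bytes) -> (proto, dst_port, flags), or None
    when the packet is not TCP or is truncated. Only the fields the
    atomic-IP style check needs are extracted."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    _, dst_port, _, _, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    return proto, dst_port, off_flags & 0x3F

def atomic_ip_match(packet, tcp_flags, tcp_mask, port_lo, port_hi):
    """Model of the atomic IP engine check for Custom Signature Scenario 1:
    only the flag bits set in tcp_mask are examined and must equal tcp_flags,
    and the destination port must fall inside [port_lo, port_hi]."""
    parsed = parse_tcp(packet)
    if parsed is None:
        return False
    _, dst_port, flags = parsed
    return (flags & tcp_mask) == tcp_flags and port_lo <= dst_port <= port_hi

def build_packet(dst_port, flags):
    """Constructed sample packet: minimal IPv4 header + TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 0, (5 << 12) | flags,
                      8192, 0, 0)
    return ip + tcp

# "SYN to port 23": require SYN set and ACK clear. Including ACK in the mask
# is what keeps a server's SYN-ACK reply from matching; other flag bits are
# ignored because they are outside the mask.
TELNET_SYN = dict(tcp_flags=SYN, tcp_mask=SYN | ACK, port_lo=23, port_hi=23)
```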

Using the Custom Signature Wizard
[IDM screenshot callouts: Configuration, Signature Definition, Custom Signature Wizard, Start the Wizard]

Specifying a Signature Engine
[Screenshot callouts: Select Engine, Next]

Configuring the Signature Identification Parameters
[Screenshot callouts: Signature ID, Signature Name, Next]

Configuring the Engine-Specific Parameters
[Screenshot callouts: Specify Layer 4 Protocol, Layer 4 Protocol, TCP Flags, TCP Mask, Next]

Configuring the Engine-Specific Parameters (Cont.)
[Screenshot callouts: Specify Destination Port Range, Destination Port Range, Next]

Configuring the Alert Response
[Screenshot callouts: Signature Fidelity Rating, Severity of the Alert, Next]

Configuring the Alert Behavior
[Screenshot callouts: Advanced, Finish]

Custom Signature Scenario 2
A network security administrator wants to create a signature that can detect and drop traffic containing the word "confidential". The administrator wants the signature to fire if the traffic is directed to the following ports:
FTP: 20 and 21
Telnet: 23
SMTP: 25
HTTP: 80
POP3: 110

Custom Signature Scenario 2 (Cont.)
The administrator wants to configure the signature to send alerts to the Event Store as follows:
Send an alert to the Event Store every time the signature fires.
If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as follows:
Send a summary alert for firings of the signature on the same victim address during the interval.
If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which counts the number of times the signature fires for all attacker and victim IP addresses and ports.
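The following Python is an added example, not Cisco code, that models the automatic summarization described in the Summary Modes and Threshold Parameters slides as configured in this scenario (summary threshold 20, global summary threshold 25, 30-second interval, summary key = victim address); with a summary threshold of 0, a 300-second interval and the attacker address as the key it also models the one-alert-per-source-every-5-minutes behaviour wanted in Signature Tuning Scenario 2. The interval and mode semantics are simplified assumptions: a summary alert is emitted when the interval closes and counts every firing in that interval.

```python
from collections import Counter

def simulate_summary(firings, summary_threshold, global_threshold, interval,
                     summary_key=lambda attacker, victim: victim):
    """Simplified model of IPS automatic alert summarization (not Cisco code).
    firings: (time_s, attacker_ip, victim_ip) tuples, any order. An interval
    opens at its first firing and lasts 'interval' seconds. The mode starts
    as FireAll (one alert per firing), becomes Summarize once the firing
    count exceeds summary_threshold (one summary alert per summary_key value
    when the interval closes) and Global Summarize once it exceeds
    global_threshold (a single alert counting every firing).
    Alerts returned: ("alert", attacker, victim), ("summary", key, count)
    or ("global-summary", count)."""
    alerts, mode, count, per_key, start = [], "FireAll", 0, Counter(), None

    def close_interval():
        nonlocal mode, count, per_key
        if mode == "Summarize":
            alerts.extend(("summary", k, n) for k, n in sorted(per_key.items()))
        elif mode == "GlobalSummarize":
            alerts.append(("global-summary", count))
        mode, count, per_key = "FireAll", 0, Counter()

    for t, attacker, victim in sorted(firings):
        if start is not None and t - start >= interval:
            close_interval()          # previous interval expired
            start = None
        if start is None:
            start = t                 # first firing opens a new interval
        count += 1
        per_key[summary_key(attacker, victim)] += 1
        if count > global_threshold:
            mode = "GlobalSummarize"
        elif count > summary_threshold:
            mode = "Summarize"
        if mode == "FireAll":
            alerts.append(("alert", attacker, victim))
    if start is not None:
        close_interval()
    return alerts

def make_firings(n, start=0, attacker="10.0.0.5",
                 victims=("192.0.2.10", "192.0.2.11")):
    """Constructed sample input: n firings one second apart, alternating victims."""
    return [(start + i, attacker, victims[i % len(victims)]) for i in range(n)]
```

For this scenario call simulate_summary(make_firings(23), 20, 25, 30); for the tuning scenario call it with summary_threshold=0, interval=300 and summary_key=lambda a, v: a.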

Using the Custom Signature Wizard Without Specifying a Signature Engine
[Screenshot callouts: No, Next]

Selecting the Protocol Type
[Screenshot callouts: TCP, Next]

Configuring the TCP Traffic Type
[Screenshot callouts: Single TCP Connection, Next]

Configuring the Service Type
[Screenshot callouts: OTHER, Next]

Configuring the Signature Identification
[Screenshot callouts: Signature ID, SubSignature ID, Signature Name, Alert Notes, User Comments, Next]

Configuring the Engine-Specific Parameters
[Screenshot callouts: Event Action, Regex String, Service Ports, Direction, Next]

Configuring the Alert Response
[Screenshot callouts: Signature Fidelity Rating, Severity of the Alert, Next]

Configuring the Alert Behavior
[Screenshot callouts: Advanced]

Configuring the Event Count and Interval
[Screenshot callouts: Event Count, Event Count Key, Use Event Interval, Event Interval, Next]

Configuring Alert Summarization
[Screenshot callouts: Alert Every Time the Signature Fires, Next]

Configuring Alert Dynamic Response
[Screenshot callouts: Summary Key, Use Dynamic Summarization, Summary Threshold, Summary Interval (seconds), Specify Global Summary Threshold, Global Summary Threshold, Finish]

Completing the Custom Signature Creation
[Screenshot callouts: Finish]

Custom Signature Scenario 3
A network security administrator wants to create a signature that fires when a Nimda attack is occurring. Nimda triggers the following built-in signatures, which are components of a Nimda attack:
5081: cmd.exe Access
5124: IIS CGI Decode
5114: IIS Unicode Attack
3215: Dot Dot Execute
3216: Dot Dot Crash
The administrator wants the sensor to generate an alert for the new signature if the component signatures are triggered by the same attacker within a 60-second time frame. To limit the number of alerts that are generated, the administrator wants the sensor to generate alerts only for the new signature and not for the component signatures.
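As an added example (not Cisco's meta engine implementation), the Python below correlates component alerts the way this scenario configures the meta signature: Meta Key = attacker address, Meta Reset Interval = 60 seconds, and all five component signature IDs required from one attacker inside that window. The meta signature ID 60000 and the sample alert stream are constructed for illustration; removing Produce Alert from the component signatures is a configuration step and is not modelled.

```python
# Component signatures of the Nimda meta signature in Custom Signature Scenario 3.
NIMDA_COMPONENTS = frozenset({5081, 5124, 5114, 3215, 3216})
META_RESET_INTERVAL = 60    # seconds, the Meta Reset Interval from the scenario
META_SIG_ID = 60000         # hypothetical ID chosen for the new custom signature

def correlate(component_alerts, components=NIMDA_COMPONENTS,
              reset_interval=META_RESET_INTERVAL, meta_sig_id=META_SIG_ID):
    """Simplified model of the meta engine (not Cisco's implementation).
    component_alerts: (time_s, sig_id, attacker_ip, victim_ip) tuples.
    Meta Key = attacker address, so each attacker gets its own window; it
    opens at that attacker's first component alert and is discarded after
    reset_interval seconds. The meta signature fires once every component
    signature has been seen from the attacker inside one window.
    Returns the meta alerts emitted as (time_s, meta_sig_id, attacker_ip)."""
    windows = {}    # attacker_ip -> (window_start, set of component sig IDs seen)
    meta_alerts = []
    for t, sig_id, attacker, _victim in sorted(component_alerts):
        if sig_id not in components:
            continue                       # not a component of this meta signature
        start, seen = windows.get(attacker, (None, set()))
        if start is None or t - start > reset_interval:
            start, seen = t, set()         # no window yet, or it expired: start over
        seen.add(sig_id)
        if seen == components:
            meta_alerts.append((t, meta_sig_id, attacker))
            windows.pop(attacker, None)    # fired; the next alert opens a fresh window
        else:
            windows[attacker] = (start, seen)
    return meta_alerts

# Constructed sample stream: 203.0.113.7 completes all five components in 40 s,
# 203.0.113.8 sends the fifth only after the reset interval has expired, and
# 203.0.113.9 never completes the set and also triggers an unrelated signature.
SAMPLE_ALERTS = [
    (0, 5081, "203.0.113.7", "192.0.2.10"), (5, 5124, "203.0.113.7", "192.0.2.10"),
    (12, 5114, "203.0.113.7", "192.0.2.10"), (30, 3215, "203.0.113.7", "192.0.2.11"),
    (40, 3216, "203.0.113.7", "192.0.2.11"),
    (1, 5081, "203.0.113.8", "192.0.2.10"), (2, 5124, "203.0.113.8", "192.0.2.10"),
    (3, 5114, "203.0.113.8", "192.0.2.10"), (4, 3215, "203.0.113.8", "192.0.2.10"),
    (100, 3216, "203.0.113.8", "192.0.2.10"),
    (7, 5081, "203.0.113.9", "192.0.2.10"), (8, 5124, "203.0.113.9", "192.0.2.10"),
    (9, 2004, "203.0.113.9", "192.0.2.10"),
]
```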

Creating a Custom Signature Without the Signature Wizard
[IDM screenshot callouts: Configuration, Signature Definition, Signature Configuration, Select By, Select Engine, Add]

Creating a Meta Signature
[Screenshot callouts: Signature ID, SubSignature ID, Sig Description, Alert Severity, Sig Fidelity Rating, Signature Name, Engine, Event Action]

Creating a Meta Signature (Cont.)
[Screenshot callouts: Component List]

Listing the Component Signatures
[Screenshot callouts: Entry Key, Component Sig ID, Component SubSig ID, Add, OK]

Listing the Component Signatures (Cont.)
[Screenshot callouts: Available Entries, Selected Entries, Select, OK]

Configuring the Meta Reset Interval and Meta Key
[Screenshot callouts: Meta Reset Interval, Meta Key, OK]

Removing Produce Alert from Component Signatures
[IDM screenshot callouts: Configuration, Signature Definition, Signature Configuration, Select By, Enter Sig ID, Actions, Produce Alert]
