Signatures and alarms for Cisco IPS systems


Cisco IPS detection is signature-based. Cisco signatures fall into three types: built-in signatures, modified (tuned) signatures, and user-defined signatures.

• Built-in signatures: Cisco's predefined signatures embedded in the IPS that have not been adjusted. There are currently more than 1000 of them. Built-in signatures cannot be renamed or deleted; if you do not want to use one, you can disable it (disable) or retire it (retire). A disabled signature is still loaded in the engine but is not checked; a retired signature is removed from the engine entirely. Built-in signature IDs range from 1 to 50000. A signature may also have sub-signatures (subsignature).

• Modified signatures: existing IPS signatures that you have tuned.

• Custom signatures: user-defined signatures.



Signature features:

• Response behavior: the action taken when an attack or intrusion is detected, for example raising an alarm or dropping the packet.

• Alarm summarization: similar alarms are summarized into one. Otherwise a separate alarm would be raised for every packet of the same kind of traffic, which is obviously unreasonable and inefficient.

• Threshold configuration: an effective way to reduce the false-alarm rate. For example, many scanning tools use ICMP to determine whether hosts on the network are online, but a network administrator may also use ping to check connectivity; if every ICMP packet were reported as an illegal scan, that would be a false alarm. You can therefore configure a threshold value, for example 20 ICMP packets: the system does not trigger an alarm until 20 packets have been detected, so fewer than 20 packets never raise an alarm.

• Evasion-technique features: the features that handle intrusion evasion techniques can be enabled or disabled.

• Fidelity: when defining a signature you can assign it a fidelity rating in the range 0-100. For example, with a fidelity of 60%, alarms from this signature are 60% reliable and 40% unreliable (they may be false alarms).

• Application-layer firewall: traditional firewalls mainly filter on protocols or on commands within a protocol. Cisco IPS provides an application-layer firewall function that filters attacks, malicious code and scripts, and it can also look inside application-layer protocol encapsulation, for example to filter HTTP content. The application-layer firewall on the IPS is therefore also called a deep-inspection firewall, and it acts as a second line of defense when the traditional firewall policy fails or is misconfigured. It is disabled by default.

• SNMP support: Cisco IPS 5.0 supports SNMP management.

• IPv6 support: rather than analyzing IPv6 packets directly, the sensor analyzes the IPv4 packets encapsulated in IPv6.
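The three features above that shape what an operator actually sees (threshold, alarm summarization and fidelity) are easiest to understand by modelling them. The following is an added example, not Cisco code and not from the original article: a toy sensor with one ICMP signature (ID, threshold, summary interval, fidelity and action are all constructed values), fed a constructed packet list in which an administrator pings three times and a scanner sends 25 echo requests in a burst. Under threshold the admin never alarms; the scanner crosses the threshold once and every further hit inside the summary window is folded into the same alarm instead of raising a new one.

```python
"""Added example (not Cisco code): a toy signature engine modelling a response
action, a per-source detection threshold, alarm summarization and a fidelity
rating attached to each alarm. All IDs, thresholds and packets are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: int                 # constructed ID inside the built-in range 1-50000
    name: str
    match_proto: str            # protocol this signature's engine inspects
    threshold: int = 1          # hits from one source inside the window before firing
    summary_interval: int = 60  # seconds: repeat hits in this window are summarized
    fidelity: int = 100         # 0-100: how reliable an alarm from this signature is
    action: str = "alarm"       # default action is an alarm


@dataclass
class Alarm:
    sig_id: int
    source: str
    fidelity: int
    action: str
    first_seen: float
    count: int = 1              # number of hits folded into this summarized alarm


class ToySensor:
    def __init__(self, signatures):
        self.signatures = signatures
        self.hits = defaultdict(list)   # (sig_id, src) -> timestamps inside the window
        self.open_alarms = {}           # (sig_id, src) -> most recent Alarm
        self.emitted = []               # alarms in the order they were raised

    def inspect(self, pkt):
        for sig in self.signatures:
            if pkt["proto"] != sig.match_proto:
                continue
            key = (sig.sig_id, pkt["src"])
            # Keep only hits that are still inside the summary window, then add this one.
            window = [t for t in self.hits[key] if pkt["ts"] - t < sig.summary_interval]
            window.append(pkt["ts"])
            self.hits[key] = window
            if len(window) < sig.threshold:
                continue    # below threshold: an admin's few pings stay silent
            current = self.open_alarms.get(key)
            if current and pkt["ts"] - current.first_seen < sig.summary_interval:
                current.count += 1   # summarize instead of raising another alarm
            else:
                current = Alarm(sig.sig_id, pkt["src"], sig.fidelity, sig.action, pkt["ts"])
                self.open_alarms[key] = current
                self.emitted.append(current)


def run_demo():
    """Constructed traffic: 3 admin pings, a 25-packet ICMP burst, one TCP packet."""
    icmp_sweep = Signature(sig_id=2004, name="ICMP echo sweep (constructed)",
                           match_proto="ICMP", threshold=20, fidelity=60)
    packets = [{"ts": t, "src": "10.0.0.5", "proto": "ICMP"} for t in (0, 1, 2)]
    packets += [{"ts": 10 + i, "src": "203.0.113.9", "proto": "ICMP"} for i in range(25)]
    packets.append({"ts": 40, "src": "203.0.113.9", "proto": "TCP"})  # not this engine's traffic
    sensor = ToySensor([icmp_sweep])
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        sensor.inspect(pkt)
    return sensor.emitted


if __name__ == "__main__":
    for a in run_demo():
        print(f"sig {a.sig_id} from {a.source}: {a.count} hits summarized, "
              f"fidelity {a.fidelity}%, action {a.action}")
```

The scanner's 20th packet crosses the threshold and raises the alarm; packets 21 to 25 fall inside the 60-second summary window and only increment its count, so the operator sees one alarm carrying six hits rather than six alarms, and the 60% fidelity travels with it for triage.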


Understanding the signature actions of the Cisco IPS system after detecting an intrusion

When Cisco's intrusion detection system identifies a security violation based on a signature, it can directly drop the malicious packet, trigger an alarm, capture the packet in the alarm, capture subsequent packets, initiate blocking (logging on to another device to block), generate an SNMP alarm, send a TCP reset and terminate the TCP connection.


Understanding the capture of subsequent packets:

In some cases an attack or security violation may be spread across multiple packets. When the IPS analyzes the first packet of such a series it may not be able to determine whether it is an attack, so rather than hastily judging the packet as either a violation or valid traffic, it captures the subsequent packets, decodes them with the protocol analyzer to determine whether they constitute an attack or security violation, and only then executes the relevant action.
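The following is an added example, not Cisco code and not from the original article, showing why a sensor defers its verdict and captures subsequent packets. A constructed HTTP request is split across two TCP segments so that the pattern being looked for (a constructed directory-traversal string in the URI) straddles the segment boundary: inspecting each packet on its own finds nothing, while buffering the flow until the request head is complete and decoding it with a small HTTP request parser lets the sensor decide. All flow identifiers, sequence numbers and payloads are constructed.

```python
"""Added example (not Cisco code): per-packet matching versus capturing the
subsequent packets of a flow and decoding the reassembled request."""
from collections import defaultdict

PATTERN = b"../"   # constructed pattern: a traversal sequence inside a request URI


def per_packet_match(segments):
    """Inspect each TCP segment in isolation. Returns indices of matching segments."""
    return [i for i, (_, payload) in enumerate(segments) if PATTERN in payload]


def decode_request(head):
    """Minimal HTTP request-head decoder standing in for the protocol analyzer."""
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].split(b" ", 2)
    headers = dict(line.split(b": ", 1) for line in lines[1:] if b": " in line)
    return {"method": method, "uri": uri, "version": version, "headers": headers}


class FlowReassembler:
    """Buffers TCP payloads per flow in sequence order until a full HTTP request
    head (terminated by CRLF CRLF) has been captured, then decodes it."""

    def __init__(self):
        self.buffers = defaultdict(dict)   # flow -> {seq: payload}

    def feed(self, flow, seq, payload):
        self.buffers[flow][seq] = payload
        data = b"".join(p for _, p in sorted(self.buffers[flow].items()))
        head_end = data.find(b"\r\n\r\n")
        if head_end == -1:
            return None      # not decidable yet: wait for subsequent packets
        head = data[:head_end]
        del self.buffers[flow]
        return decode_request(head)


def stream_verdict(flow, segments):
    """Feed segments through the reassembler; decide only once the head is complete."""
    reassembler = FlowReassembler()
    for seq, payload in segments:
        request = reassembler.feed(flow, seq, payload)
        if request is not None:
            return "alarm" if PATTERN in request["uri"] else "clean"
    return "undecided"


# Constructed: one request split so that "../" straddles the two segments.
SEGMENTS = [
    (1, b"GET /images/.."),
    (15, b"/etc/config HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]
FLOW = ("198.51.100.7:40001", "192.0.2.10:80")   # constructed flow key


if __name__ == "__main__":
    print("per-packet matches:", per_packet_match(SEGMENTS))        # []
    print("after first segment:", stream_verdict(FLOW, SEGMENTS[:1]))  # undecided
    print("after reassembly:", stream_verdict(FLOW, SEGMENTS))         # alarm
```

The first segment ends with `..` and the second begins with `/`, so neither payload contains the pattern on its own and per-packet matching returns nothing; after the first segment the reassembler reports that it cannot decide yet, and only once the head is complete does the decoded URI reveal the pattern. The same buffering is what lets a sensor resist fragmentation-style evasion of content matching.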


Understanding the signature engine of the Cisco IPS system

The signature engine is an important component of Cisco IPS. Signature engines are divided into many types according to the kind of signature they handle, as shown in Figure 5.4, and you locate a specific signature by first choosing the right engine type. For example, to find the ICMP echo request and reply signatures, you use the Atomic IP (single IP packet) class of engine and then pick the specific signature within it. Each signature is assigned to a specific engine to monitor specific traffic. The default action of every signature is an alarm; other actions can be configured. Alarms are stored in the sensor's local event store, and external monitoring programs collect alarm information through SDEE; multiple hosts can collect alerts from the same sensor. Sensor alarms are classified into four levels: informational, low, medium and high. These alarm levels are the same as the severity levels assigned to the signatures that trigger them.


[Image 2.png: http://www.bkjia.com/uploads/allimg/131227/0519222056-0.png]

How to better understand the meaning of each signature:

Move to the signature you want to understand, right-click it, and select NSDB Link to look it up online in Cisco's security explanation database, as shown in Figure 5.6:

[Image 3.png: http://www.bkjia.com/uploads/allimg/131227/0519223949-1.png]

This article is from the "unknown Christ" blog. For more information, contact the author!
