Example 12-8 Displaying Captured Packets Stored in packet-file

Reading from file /usr/cids/idsRoot/var/packet-file, link-type EN10MB (Et
09:45:11.922176 00:01:c9:6d:64:fa > 01:00:0c:cc:cc:cc snap ui/C len=35
09:45:11.922180 00:01:c9:6d:64:fa > 01:00:0c:00:00:00 snap ui/C
09:45:12.922078 00:01:c9:6d:64:fa > 01:00:0c:cc:cc:cc snap ui/C
09:45:12.922080 00:01:c9:6d:64:fa > 01:00:0c:00:00:00 snap ui/C
09:45:13.975583 CDPv2, ttl 180s, Device-ID 'stat-6000', length
09:45:13.977456 CDPv2, ttl 180s, Device-ID 'stat-6000', length
09:45:13.979205 CDPv2, ttl...

Figure 5-3 Viewing Signatures by Operating System

After selecting OS, you can choose to view the signatures for...

Figure 8-11 Add Event Action Filter Popup Window

Step 6. Enter PhoneConfigTFTP in the Name field.

Index

A B C D E F G H I K L M N O P R S T U V W Z searching patterns, Secure Shell (SSH), 2nd security bypasses, configuring, deploying, hardware, hybrid IPS IDS solutions, meta-event generators, monitoring, overview of, protocols, risk rating, terminology, triggers, NSDB Security Monitor configuring adding devices, event notification, Event Viewer, importing devices, monitoring devices, managing data, 2nd Event Viewer preferences, system configuration, reports selecting event types IP blocking...

Table 7-2 Regular Expression Syntax

Matches any one character except a new line character (0x0A) Matches any character listed in the range (inclusive) Limits the scope of other metacharacters Matches either expression that it separates Forces match to occur at the beginning of a line Matches the literal character (even for metacharacters) Matches the literal character (unless character is a metacharacter) Matches the new line character (0x0A) Matches the form feed character (0x0C) Matches character with the hexadecimal value...

Example 12-1 Displaying the Sensor's System Information

Cisco Intrusion Prevention System, Version 5.0(0.21)S129.0
OS Version 2.4.26-IDS-smp-bigphys
Platform: IPS-4240-K9
Serial Number: JAB0815R01X
No license present
Sensor up-time is 19 days.
Using 354369536 out of 1984704512 bytes of available memory (17% usage)
system is using 17.3M out of 29.0M bytes of available disk space (59% usa
application-data is using 39.0M out of 166.8M bytes of available disk spa (25% usage)
boot is using 35.5M out of 68.6M bytes of available disk space (55% usage...

Atomic IP ICMP Parameters

Creating ICMP atomic signatures involves configuring the parameters identified in Table 6-13.

Table 6-13. ICMP Fields for Atomic IP Signature Engine

The value to match for the Code field in the ICMP header
The value to match for the Identifier field in the ICMP header
The value to match for the Sequence Number field in the ICMP header
The value to match for the Type field in the ICMP header
The minimum length (of the ICMP header and payload) to...

About the Technical Reviewers

Jerry Lathem has been working with computers for 25 years and in the field of computer security for 15 years. He worked for ten years with the U.S. Department of Defense as a research engineer, working on both information security and computer security. He joined the WheelGroup Corporation (later acquired by Cisco) early in its start-up phase. He has a wide variety of experience, including performing security assessments, developing both defensive and offensive software, and prototyping the...

Intranet Boundaries

Sensor 4 in Figure 1-6 monitors traffic between the engineering network and the finance network. This is an example of a sensor monitoring traffic between separate network segments within a larger network. Many times organizations use intranets to divide their network into functional areas, such as engineering, research, finance, and human resources. At other times, organizations drive the boundary definitions. Sometimes both of these classifications define intranet boundaries. In this example,...

Inline Deep Packet Inspection

By definition, IDS and IPS solutions incorporate signatures that trigger based on information that is located throughout the packet. Inline deep-packet inspection refers to the ability to perform actual protocol analysis on network traffic. Many applications (including malicious programs) attempt to use open ports to pass information through access control lists on your network. Using inline deep-packet inspection enables you to enforce your security policy beyond basic port numbers. For...

Step 10. Select any of the parameters shown in Table 10-5 that you want to use in the database rule by clicking on the radio button next to the parameter and adjusting the value for the parameter.

Table 10-5. Database Rule Parameters

Database used space greater than (megabytes): If selected, triggers the database rule when the database reaches a size greater than the value...

Sensor Tuning

This chapter covers the following subjects Attackers are continually trying to find ways to bypass the protection barriers in security mechanisms. Understanding these IDS evasion techniques is important to effectively protect your network using Cisco IPS. Tuning your sensor helps customize its operation to your unique network environment. Tuning your sensor, a key step to configuring your Cisco IPS, involves several phases. Understanding the global sensor configuration tasks that impact the...

Which of the following is not a step in creating VACLs for IOS?
e. Apply the access map to VLANs

7. Which of the following is not a step in creating VACLs when you use IOS Firewall?
c. Apply ACL to an interface or VLAN
d. Apply the access map to VLANs

8. Where do you need to create an artificial VLAN boundary to use inline mode?
a. Between devices with virtual switch ports
b. Between a router and a firewall
c. Between a switch and a router
d. Between a switch and a firewall

9. Which switch traffic...

Trojan Horse Signature Engines

Attackers can place various backdoor Trojan horse programs on systems in a network to enable them to operate from systems within your network. Cisco IDS has three signature engines specifically designed to detect the presence of Trojan horse programs on your network (see Table 6-48).

Table 6-48. Trojan Horse Signature Engines

Detects the presence of BO2K by using the TCP protocol
Detects the presence of the TFN2K Trojan horse by examining UDP, TCP, and...

Flood Host ICMP Parameters

Using the Flood Host signature engine, you can create signatures that detect ICMP traffic coming from many source hosts to a single destination host. The ICMP-specific parameter is shown in Table 6-19.

Table 6-19. Flood Host ICMP Engine Parameter

(Optional) The value to match for the ICMP header TYPE

These signatures identify traffic floods based on either all ICMP traffic (if you do not specify the ICMP Type parameter) or specific ICMP traffic...

Intrusion Prevention Overview

Since intrusion prevention is a relatively new technology, it is helpful to review how it differs from a traditional IDS and to explain the terms commonly used in discussions on this subject. This review and explanation will be covered by the following topics:

- Intrusion-Prevention Terminology
- IPS/IDS Monitoring Locations
- Cisco Hybrid IPS/IDS Solution
- Inline Deep-Packet Inspection

Deny Connection Inline

In some situations, you need to deny all of the traffic for an entire connection (not just the initial attack traffic). Configuring a signature with the Deny Connection Inline action causes the sensor to drop all traffic for the connection that triggered the signature. A connection is defined as all traffic in which the following fields match the traffic that triggered the signature The traffic for the connection is denied for the length of time specified by the Deny Attacker Duration...

Extranet Boundaries

Sensor 3 in Figure 1-6 is another inline sensor. It is positioned so that it can monitor the traffic traversing the link between your network and your business partner's network. This extranet link is only as strong as the security applied to either of the networks that it connects. If either network has weak security, the other network becomes vulnerable as well. Therefore, extranet connections need to be monitored. Because the IPS sensor monitoring this boundary can detect attacks in either...

Hub Traffic Flow

A hub is a very simple link-layer device. Whenever a device connected to the hub generates network packets, the hub passes that traffic to all of the other ports on the hub. Figure 15-3 shows that when Host A sends traffic to Host C, all of the other devices connected to the hub also receive a copy of the traffic. The other devices connected to the hub simply ignore the traffic that does not match their Ethernet Media Access Control (MAC) address.

Configuring Sensor User Accounts

When accessing your sensor (via the web interface, the console port, Telnet, or SSH), you authenticate by using a username and password. The role of the user account that you use to access the sensor determines the operations that you are allowed to perform on the sensor. Each account is assigned one of the following roles (explained in detail in the User Roles section of Chapter 2, IPS Command-Line Interface)

Configuring VACLs for Traffic Capture With Cisco Catalyst 6500 IOS Firewall

When using the Cisco IOS Firewall on your Multilayer Switch Feature Card (MSFC), you may be unable to directly configure VACLs to capture network traffic for your sensor. If you apply the ip inspect IOS Firewall command on a specific VLAN interface, you cannot create a VACL for that same VLAN at the switch level. These two features are mutually incompatible. To overcome this limitation, you can use the mls ip ids MSFC router command to designate which packets will be captured by your security...

Intrusion Prevention Terminology

Table 1-2 describes the primary terms that are used to describe the functionality of the Cisco IPS solution. Examining network traffic while having the ability to stop intrusive traffic from reaching the target system Passively examining network traffic for intrusive behavior An engine that supports signatures that share common characteristics (such as same protocol) The capability to define meta signatures based on multiple existing signatures A signature that triggers based on the contents of...

Figure 5-2 Viewing Signatures by L2/L3/L4 Protocol


Example 13-1 Viewing the Status of the IDSM-2 Module in Slot

Mod Slot Ports Module-Type Model Sub Status 8 8 8 Intrusion Detection Syste WS-SVC-IDSM2 8 00-e0-b0-ff-3b-80 to 00-e0-b0-ff-3b-87 0.102 7.2(0.67) 4.1(0.3)S42 8 IDS 2 accelerator board WS-SVC-IDSUPG

You can also specify the show module CatOS command without any parameters to obtain some basic information about all the line cards in your switch, as displayed in Example 13-2.

Restoring Default Configuration Using IDM

When using IDM to restore the default sensor configuration, you do not have the option of selectively clearing portions of the sensor's configuration. Instead, all of the default parameters for the sensor's configuration are restored. Restoring the default sensor configuration by using IDM involves the following steps:

Step 1. Access IDM by entering the following URL in your web browser: https://sensoripaddress.

Step 2. Click on the Configuration icon to display the list of configuration tasks....

Note

Most of the TCP timeout parameters and other TCP stream reassembly settings are handled by the Normalizer engine in Cisco IPS version 5.0. So to change parameters such as the following, you need to change the corresponding signature that enforces the parameter using the Normalizer signature engine. Furthermore, some of the Normalizer-based signatures have default mandatory behaviors that will occur even if the signature is disabled, such as in TCP Drop - Segment out of window (SigID 1330, Sub SigID...

Figure 8-9 Add Event Action Override Popup Window


Foundation Summary

Beginning with Cisco IPS version 5.0, you can configure your sensor to perform one or more of the following responses when a specific signature triggers Configuring a signature with the Deny Packet Inline action causes your sensor to drop any packets that match the signature's parameters. The Deny Connection Inline action causes the sensor to drop all traffic for the connection (same source and destination IP address and source and destination ports) of the traffic that triggered the signature....

Service DNS Engine Parameters

The Service DNS signature engine performs advanced decoding of DNS traffic. This decoding supports anti-evasion techniques such as following multiple jumps in the DNS payload. The major engine-specific signature parameters for the Service DNS signature engine are shown in Table 6-24.

Table 6-24. Service DNS Engine Parameters

Specifies the protocol to use for the signature
Defines the DNS query class chaos string to match
Defines the DNS...

Verifying IDSM-2 Status

After installing the IDSM-2 on your Catalyst 6500 family switch, you can verify that the switch has recognized the IDSM-2 line card via the show module switch command (see Catalyst 6500 Commands later in this chapter). Executing this command provides detailed information about the line cards in your switch. You should see a line similar to the following for your IDSM-2 line card (if using CatOS):

8 8 8 Intrusion Detection Syste WS-SVC-IDSM2 yes ok

The ok indicates that the card is working, and...

Service HTTP Engine Parameters

The Service HTTP signature engine provides regular expression-based pattern inspection specifically designed to analyze HTTP. The major parameters are shown in Table 6-28.

Table 6-28. Service HTTP Engine Parameters

(Optional) The regular expression used to search for a pattern in the uniform resource identifier (URI) section of the HTTP request; the URI is after the valid HTTP method and before the first <CR><LF> or argument delimiter ( or...

Figure 7-12 IDM HTTP Custom Signature Wizard Screen


Sensor Placement

When you place an IPS sensor in front of a firewall (on the Internet, or external, side of the firewall), you allow the IPS sensor to monitor all incoming and outgoing network traffic. However, when deployed in this manner, the IPS sensor does not detect internal network traffic (such as traffic between two internal hosts). An internal attacker taking advantage of vulnerabilities in internal network services would remain undetected by the external IPS sensor. Placing an IPS sensor (a monitoring...

Using Existing ACLs

In some situations, you may need to configure an IP block on an interface direction on which you already have an ACL. If you simply configure your sensor to generate blocks for an interface direction on the managed device, your existing ACL entries will be lost because the blocking sensor will take control of the interface and apply its own ACL. Therefore, to use blocking on an interface direction that has an existing ACL, you need to define the following extra ACLs When you configure a sensor...

Figure 8-7 Add Event Variable Popup Window


Configuring Inline Software Bypass

When operating in inline mode, your sensor bridges the traffic between two devices or VLANs. Similar to a switch in your network, the sensor transfers traffic from one inline sensor interface to the other (after the packet has been inspected). If the sensor software fails or you update the software on your sensor, you need to decide how the sensor will pass traffic (for the inline processing interfaces) while the sensor is not operating. You can configure the sensor to use one of the following...

Figure 4-8 SSH Known Hosts Configuration Screen


Informational Signature Fidelity

The signature fidelity weights the RR based on how well the signature might perform in the absence of specific knowledge of the target. This value is a numeric value between 0 and 100 (with 100 being the highest fidelity). Signatures that are based on very specific rules will have a higher signature fidelity value than signatures based on more generic rules. For instance, consider the two Cisco IPS 5.0 signatures shown in Table 1-3.

Table 1-3. Sample Signature Fidelity Ratings...

Service Signature Definition

The signature-definition mode is a third-level service mode that enables you to perform various signature-related tasks, such as the following:

- Define fragment reassembly parameters
- Define stream reassembly parameters
- Modify specific signature characteristics

You can recognize this fourth-level mode because the prompt changes to the following. When entering this mode, you must specify the name of the instance configuration. Currently, the only instance allowed is sig0. In the future, however, you...

Atomic ARP Engine Parameters

Atomic ARP provides the ability to support basic Layer 2 Address Resolution Protocol (ARP) signatures (see RFC 826, An Ethernet Address Resolution Protocol). Numerous tools enable an attacker to attack your network at the link layer, including dsniff (http://www.monkey.org/~dugsong/dsniff) and ettercap (http://ettercap.sourceforge.net). The Atomic ARP signature engine enables Cisco IPS to detect the use of these tools on your network. To tune existing Atomic ARP signatures or create custom...

Configuring the Summertime Settings

During the summer months, many regions change time to what is commonly called daylight savings time. Configuring the summertime settings involves setting a start date and an end date as well as defining what day and time the change is to occur. When defining the dates, you can use one of the following formats. With the Recurring format, you specify a date based on the three parameters shown in Table 4-2. Using the Date format, you specify only the month and day (such as October 23).

String Signature Engines

The String signature engines support regex pattern matching and alarm functionality for the following three protocols: ICMP, UDP, and TCP. Each of these engines shares the common engine-specific parameters shown in Table 6-40.

Table 6-40. Common String Engine Parameters

Indicates whether to inspect traffic to the service or from the service
The exact stream offset (in bytes) at which the regex string must report a match
The minimum number of bytes the...

Acknowledgments

First, I want to say that many people helped me during the writing of this book (too many to list here). Everyone I have dealt with has been very supportive and cooperative. There are, however, several people who I think deserve special recognition. I want to thank Jeanne Jackson (the Cisco IPS course developer) and everyone else who contributed to the course's development. The course material provided me with the foundation on which to develop this book. The technical editors, Marcus Sitzman,...

Alarm Summarization

Besides the basic alarm firing options, signatures can also take advantage of the following alarm fixed summarization modes Like Fire Once, these alarm summary modes limit the number of alarms generated and make it difficult for an attacker to consume resources on your sensor. With the summarization modes, however, you will also receive information on the number of times that the activity that matches a signature's characteristics was observed during a user-specified period of time. When you...

Capturing Traffic for Promiscuous Mode

At the network level, your Cisco IPS sensors are the eyes of your intrusion prevention system. But to detect intrusive activity, sensors running in promiscuous mode must be able to view the traffic that is traversing your network. Via its monitoring interface, each promiscuous sensor examines the network traffic that it sees. Unless the monitoring interface is plugged into a hub, you must configure your infrastructure devices to pass specified network traffic to your sensor's monitoring...

Atomic IP Engine Parameters

The Atomic IP engine enables you to create specialized atomic signatures based on any IP protocol. Most of your Atomic IP signatures will fall into one of the following protocol categories:

- ICMP (Internet Control Message Protocol)
- TCP
- UDP (User Datagram Protocol)

The Atomic IP signature engine comprises IP-specific fields and the specific fields for the IP protocol that the signature is based on. Table 6-12 identifies the basic IP fields for the Atomic IP signature engine.

Table 6-12. IP...

Example 14-5 Verifying a Loopback Address Using the show interfaces Command

Router# show interfaces ids-sensor 1/0
IDS-Sensor1/0 is up, line protocol is up
  Hardware is I82559FE, address is 000d.bc3a.d090 (bia 000d.bc3a.d090)
  Interface is unnumbered. Using address of Loopback0 (10.1.1.1)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:17, output 00:00:00, output hang never
  Last clearing of "show interface" counters...

Figure 12-1 IDM Statistics Screen


Atomic IP Payload Parameters

When creating atomic signatures, you can also cause the signature to examine the payload of the packet. The Atomic IP payload parameters are shared by the various types of atomic signatures (including ICMP, TCP, and UDP). Configuring payload inspection involves using the parameters identified in Table 6-16.

Table 6-16. Payload Inspection Fields for Atomic Signatures

(Optional) The exact offset at which the string must occur for a match...

Figure 5-9 Viewing Signatures with flood in the Name


Atomic IP TCP Parameters

Creating TCP atomic signatures involves configuring the parameters identified in Table 6-14. These signatures identify traffic based on various TCP fields, such as source and destination ports, or the contents of the packet's data.

Table 6-14. TCP Fields for Atomic IP Signature Engine

The destination port range to match (each port can be 0-65535, and the two ports of the range are separated by a hyphen)
The source port range to match (each...

Security Monitor Reports

Security Monitor enables you to generate reports based on the audit and alarm information collected by Security Monitor. These reports can be generated immediately, or you can schedule them to be generated later. Although you can create your own custom report templates, Security Monitor provides the following predefined report templates for IDS alarms:

IDS Summary Report: Provides a summary of event information for an organization during a specified time period. It is filterable by Date/Time,...

Defining the Report

When creating an IDS report using Security Monitor, you can either create a custom report template (from scratch or by modifying an existing report template) or use one of the predefined report templates. When modifying an existing report template, you can specify the following filtering parameters (see Figure 10-29) to customize the template to your IPS/IDS reporting requirements:

Date and Time Characteristics

IDSM-2 Traffic Flow

Unlike traffic flow to the network appliance, the traffic flow to the IDSM-2 line card requires a little more explanation (see Figure 13-1). Furthermore, understanding this traffic flow is an important aspect of effectively using your IDSM-2 to capture and analyze network traffic. Although the IDSM-2 receives traffic directly from your switch's backplane, your Catalyst 6500 family switch must be configured to enable traffic to flow to and from the various ports on the IDSM-2 line card. Traffic...

Example 12-4 Viewing the Sensor's Host Statistics Information

Last Change To Host Config (UTC) = 23:01:54 Sun Jan 02 2005
Command Control Port Device = Management0/0
ma0_0     Link encap:Ethernet  HWaddr 00:0F:F7:75:4A:94
          inet addr:10.40.10.100  Bcast:10.40.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75437 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3371163 (3.2 MiB)  TX bytes:84409951 (80.4 MiB)
          Interrupt:16 Base address:0x9c00 Memory...

Monitoring

Besides helping you configure your sensor, IDM also provides the ability to monitor the status and operation of the sensor. The monitoring functionality is divided into the following options (see Figure 3-4):

- Support Information > Diagnostic Report
- Support Information > Statistics
- Support Information > System Information

Stream Reassembly

Normal TCP traffic begins with a three-way handshake and ends with a FIN or an RST packet (a packet with the FIN flag set or a packet with the RST flag set). Many attackers, however, will flood your network with traffic that appears to be valid TCP attack traffic, with the intent to cause your IPS to generate alarms. This attack traffic is not part of valid TCP sessions. By tuning your sensor's TCP stream reassembly options, you can control how your sensor responds to the TCP traffic that...

Service SSH Engine Parameters

The Service SSH signature engine supports signatures that examine SSH traffic. Since everything except the initial setup fields is encrypted in an SSH session, these signatures examine only the setup fields. The major parameters for this engine are listed in Table 6-35.

Table 6-35. Service SSH Engine Parameters

Defines the RSA key length or user length; the signature triggers when this length is exceeded
Identifies whether the length being used is the...

Enabling Signatures

By default, not all signatures are enabled. Some are disabled because they are known to generate false positives unless you configure specific event filters for your network configuration. Occasionally, you may find that a signature that is enabled by default needs to be disabled because it generates false positives in your network configuration. It is a simple task to enable or disable Cisco IPS signatures through the IDM interface. The following are the steps to enable a Cisco IPS signature...

Figure 5-11 Viewing Signatures by Signature Engine

You can view signatures for the following signature engines:

- Service MSRPC
- Service MSSQL
- String ICMP
- String TCP

You select the specific signature engine by using the pull-down menu for the Select Engine field.

Figure 15-2 Basic Network Configuration

Initially, traffic goes from systems on VLAN 1020 directly to the VLAN 1020 interface, allowing the MSFC to route it to the Internet. You cannot connect the sensor's interface to the MSFC since it has only virtual ports, but you can create an artificial VLAN boundary by placing the MSFC on another VLAN (for instance, VLAN 1030) and then using the sensor to bridge traffic from VLAN 1020 to VLAN 1030. The following are the steps required to create this artificial VLAN boundary on your switch Step...

Transfer Encodings Parameters

When defining AIC HTTP signatures by using the Transfer Encodings signature type, you specify a transfer encoding or a list of transfer encodings to search for in the HTTP messages. The parameters for this AIC HTTP signature type are shown in Table 6-9.

Table 6-9. Transfer Encodings Parameters

A specified HTTP transfer encoding method
Type of transfer encoding processing the signature will use
Identifies the extra information to be specified for the...

Configuring Deny Attacker Duration Parameter

When using inline actions, you need to define the length of time that the sensor continues to deny the traffic. This length of time, measured in seconds, is defined by the Deny Attacker Duration parameter. You can also configure the maximum number of attackers that the sensor will deny at one time by using the Maximum Denied Attackers field. To configure both of these parameters, perform the following steps: Step 1. Access IPS Device Manager (IDM) by entering the following URL in your web browser...

TTL Manipulation

When traffic traverses your network, each hop (routing device) decreases a packet's Time to Live (TTL) value. If this value reaches 0 before the packet reaches its destination, the packet is discarded, and an Internet Control Message Protocol (ICMP) error message is sent to the originating host. An attacker can launch an attack that includes bogus packets with smaller TTL values than the packets that make up the real attack. If your network-based sensor sees all of the packets but the target host...
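A small simulation of the evasion described above, added here as an illustration rather than taken from the book: the segment contents, the hop count between sensor and target, and the first-wins reassembly policy are all constructed assumptions. It shows why a sensor that trusts every packet it sees reassembles a different stream than the target, and how discarding packets that cannot survive the remaining hops brings the two views back in line.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment as it passes the sensor (constructed sample data)."""
    seq: int      # starting offset in the TCP stream
    ttl: int      # IP TTL observed at the sensor
    data: bytes


def survives_to_target(seg: Segment, hops_past_sensor: int) -> bool:
    """Each router past the sensor decrements TTL; a packet whose TTL reaches 0
    is discarded (and an ICMP error is returned), so it only reaches the target
    if its TTL is larger than the number of remaining hops."""
    return seg.ttl > hops_past_sensor


def reassemble(segments) -> bytes:
    """Naive reassembly: the first segment seen for an offset wins. That policy
    is what lets low-TTL chaff shadow the real bytes in the sensor's view."""
    stream = {}
    for seg in segments:                       # arrival order is preserved
        for i, byte in enumerate(seg.data):
            stream.setdefault(seg.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def target_view(segments, hops_past_sensor: int) -> bytes:
    """The stream the host actually receives: only surviving packets count."""
    return reassemble([s for s in segments if survives_to_target(s, hops_past_sensor)])


def sensor_view(segments, hops_past_sensor=None) -> bytes:
    """The stream the sensor reassembles. Without a hop count it trusts every
    packet; with one, it ignores packets that can never reach the target."""
    if hops_past_sensor is None:
        return reassemble(segments)
    return target_view(segments, hops_past_sensor)


# Constructed sample: the target is 5 routers past the sensor. The chaff
# segment overlaps the real one at the same offset but carries TTL 3.
HOPS = 5
SEGMENTS = [
    Segment(seq=0,  ttl=64, data=b"GET /cgi-bin/"),
    Segment(seq=13, ttl=3,  data=b"index.html HTTP/1.0"),  # chaff, dropped at hop 3
    Segment(seq=13, ttl=64, data=b"evil.cgi HTTP/1.0"),    # real request
]

if __name__ == "__main__":
    print("naive sensor:", sensor_view(SEGMENTS))
    print("target      :", target_view(SEGMENTS, HOPS))
    print("hop-aware   :", sensor_view(SEGMENTS, HOPS))
```

The sensor only closes the gap when it knows (or can measure) the hop distance to the protected host, which is the basis of TTL-based normalization.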

Service H225 Engine Parameters

To improve signature support for VoIP, Cisco IPS version 5.0 includes an H225 signature engine. Table 6-27 shows the parameters for the H225 signature engine.

Table 6-27. Service H225 Engine Parameters

(Optional) Specifies the index of a specific check in a list of built-in checks that validate H225 messages. (Optional) Minimum number of bytes the regex string must match. The policy that the signature will apply to the specified message types. (Optional) The...

cidWebServer

The cidWebServer application is the sensor's web server interface that facilitates interaction between the sensor and other Cisco IPS components on your network. This web server is capable of both HTTP and HTTPS communication sessions. Instead of simply providing static web pages, however, the web server provides functionality via several servlets. These servlets perform most of the real work accomplished via the cidWebServer application. One of the main functions provided by the web server is...

Msg Body Pattern Parameters

When defining AIC HTTP signatures by using the Msg Body signature type, you specify a list of regex strings to search for in the HTTP messages. The parameters for this AIC HTTP signature type are shown in Table 6-7.

Table 6-7. Msg Body Pattern Parameters

(Optional) Specifies the regular expression that the signature will search for. (Optional) Requires the string matched to be at least the specified minimum number of bytes. (Optional) Indicates the maximum number...

NM-CIDS Login

Like the sensor appliances, the NM-CIDS is configured with a default Administrator account with a username and password of cisco. You can use this account to initially log in to the NM-CIDS. However, the default cisco password is temporary and expires upon initial login. When prompted, you must change the password for this default account to a string that is not a dictionary word and is at least eight alphanumeric characters long. Special characters are not supported. After logging in, you are...

Example 2-3 setup Command Output

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
...
standard-time-zone-name GMT-06:00
exit
summertime-option disabled
ntp-option disabled
physical-interfaces GigabitEthernet0/3
physical-interfaces GigabitEthernet0/2
physical-interfaces GigabitEthernet0/1
no description
admin-state disabled
duplex auto
physical-interfaces GigabitEthernet0/0
service analysis-engine
virtual-sensor vs0
Current...

IDSM-2 Configuration

Since the IDSM-2 has the same code base as the appliance sensor, the initialization steps performed on the appliance sensor also apply to the IDSM-2. The major difference between the appliance sensor and the IDSM-2 is that you need to configure the capture ports on the IDSM-2, and you need to initially access the command-line interface (CLI) through the switch. The IDSM-2 capture ports are internally connected to the switch's backplane; this structure differs from that of the appliance sensor,...

ACLs Versus VACLs

In most situations, you are limited to using either ACLs or VACLs. But if you have an MSFC and a Catalyst 6000 running CatOS, you can choose to use either VACLs or ACLs. Therefore, it is helpful to understand the benefits of each of these access-control mechanisms. VACLs are directionless. You can't specify a direction as you can when defining ACLs. This means that if direction is important to you when blocking the traffic, using an ACL is the only choice. ACLs are applied to the MSFC on the...

Table 9-4 IDM Router Blocking Device Interface Fields

The IP address that the sensor will use to communicate with the blocking device. You select this entry from a pull-down menu that lists the addresses of the router-blocking devices that you have defined. The interface on the blocking device where the blocking sensor will apply the blocking ACL. Determines whether the blocking ACL will be applied on inbound or outbound traffic on the blocking interface. You select either In or Out from the pull-down menu. (Optional) Name of the ACL on the blocking...

Security Monitor Configuration

Before you can use Security Monitor to analyze the events from your IPS devices, you must add the IPS devices to Security Monitor. You can configure the rules that Security Monitor uses to access events from the devices being monitored. For Remote Data Exchange Protocol (RDEP) devices, you can also monitor connection and statistical information. This section will focus on the following Security Monitor configuration operations:

CiscoWorks 2000

CiscoWorks 2000 is the heart of the Cisco family of comprehensive network management tools that allow you to easily access and manage the advanced capabilities of the Cisco Architecture for Voice, Video, and Integrated Data (AVVID). It provides the foundation that Intrusion Detection System Management Center (IDS MC) is built upon. IDS MC is a component of the CiscoWorks VMS bundle. Before you can access the IDS MC application, you must first log in to CiscoWorks 2000. CiscoWorks 2000 also manages...

Software Updates

Cisco is continually enhancing the capabilities of its IPS software. New signatures are being added to address new attacks as they are discovered. These improvements are deployed via the following two types of software releases. The file format of new software releases indicates the type of software update along with its version information. In addition, you have several ways in which you can retrieve and install the updates on your sensors.

TOC

The TOC is a menu of choices that is displayed down the left side of the Security Monitor interface. It represents the list of suboptions that you can select based on the option chosen. In Figure 10-3, you can see that the Admin > System Configuration option provides the following selections: PostOffice Settings, SYSLOG Settings, Automatic Signature Download.

Zip

The rpm.pkg extension contains an executable file that contains either a signature update or a new service pack. The readme or readme.txt extension is a text file that provides you with relevant information about a specific service pack or signature update. Reading this information before you update your sensor is important to maintaining the correct operation of your Cisco IPS since it indicates any problems associated with the new software. The readme files also indicate any hardware...

Q&A

You have two choices for review questions. The questions that follow pose a greater challenge than the exam questions, because they use an open-ended format. By reviewing now with this more difficult question format, you can better exercise your memory and prove your conceptual understanding of this chapter. The answers to these questions are found in the appendix. For more practice with exam-like question formats, use the exam engine on the CD-ROM. 3. If your sensor has only two monitoring...