
IPS

Implementing Cisco
Intrusion Prevention
Systems
Volume 1
Version 6.0

Student Guide

EPWS: 06.08.07

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Students, this letter describes important
course evaluation access information!

Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program,
Cisco Systems is committed to bringing you the highest-quality training in the industry.
Cisco learning products are designed to advance your professional goals and give you
the expertise you need to build and maintain strategic networks.

Cisco relies on customer feedback to guide business decisions; therefore, your valuable
input will help shape future Cisco course curricula, products, and training offerings.
We would appreciate a few minutes of your time to complete a brief Cisco online
course evaluation of your instructor and the course materials in this student kit. On the
final day of class, your instructor will provide you with a URL directing you to a short
post-course evaluation. If there is no Internet access in the classroom, please complete
the evaluation within the next 48 hours or as soon as you can access the web.

On behalf of Cisco, thank you for choosing Cisco Learning Partners for your
Internet technology training.

Sincerely,

Cisco Systems Learning

Table of Contents
Volume 1
Course Introduction 1
Overview 1
Learner Skills and Knowledge 1
Course Goal and Objectives 2
Course Flow 3
Additional References 4
Cisco Glossary of Terms 4
Your Training Curriculum 5
Intrusion Prevention Overview 1-1
Overview 1-1
Module Objectives 1-1
Explaining Intrusion Prevention 1-3
Overview 1-3
Objectives 1-3
Intrusion Detection vs. Intrusion Prevention 1-4
Intrusion Prevention Technologies 1-7
Signature-Based IPS 1-7
Anomaly-Based IPS 1-10
Policy-Based IPS 1-12
Protocol Analysis-Based IPS 1-14
Intrusion Prevention Terminology 1-15
Promiscuous and Inline Modes 1-18
Features of Cisco IPS Sensor Software Version 6.0 1-22
Summary 1-25
Examining Cisco IPS Products 1-27
Overview 1-27
Objectives 1-27
Cisco Network Sensors 1-28
Network IPS 1-44
Host-Based IPS 1-48
Sensor Deployment 1-54
Cisco Self-Defending Network 1-63
Integration Standard 1-63
Collaborative Standard 1-64
Adaptive Standard 1-64
Summary 1-69
Examining Cisco IPS Sensor Software Solutions 1-71
Overview 1-71
Objectives 1-71
Cisco IPS Sensor Software Architecture 1-72
Cisco IPS Element Management Products 1-77
Benefits 1-77
Drawbacks 1-77
Cisco IPS Enterprise Management Products 1-80
Summary 1-84
Examining Evasive Techniques 1-85
Overview 1-85
Objectives 1-85
Evasive Techniques 1-86
String Match Attacks 1-87
Fragmentation Attacks 1-92
Session Attacks 1-97
Insertion Attacks 1-98

Evasion Attacks 1-100
TTL-Based Attacks 1-102
Encryption-Based Attacks 1-103
Resource Exhaustion Attacks 1-104
Summary 1-106
Module Summary 1-107
References 1-107
Installation of a Cisco IPS 4200 Series Sensor 2-1
Overview 2-1
Module Objectives 2-1
Installing a Cisco IPS Sensor Using the CLI 2-3
Overview 2-3
Objectives 2-3
Introducing the CLI 2-4
Initializing the Sensor 2-19
Performing Administrative Tasks 2-25
Additional Administrative Commands 2-29
Summary 2-44
Using the Cisco IDM 2-45
Overview 2-45
Objectives 2-45
Introducing the Cisco IDM 2-46
Getting Started with the Cisco IDM 2-53
How to Configure SSH 2-60
How to Reboot and Shut Down the Sensor 2-63
Summary 2-65
Configuring Basic Sensor Settings 2-67
Overview 2-67
Objectives 2-67
How to Configure Allowed Hosts 2-68
How to Set the Time 2-70
How to Configure Certificates 2-76
How to Configure User Accounts 2-78
Defining Interface Roles 2-83
Command and Control Interface 2-84
Monitoring Interfaces 2-86
TCP Reset Interfaces 2-95
How to Configure the Interfaces 2-96
How to Configure Software and Hardware Bypass Mode 2-106
Viewing Events in the Cisco IDM 2-110
Summary 2-111
Module Summary 2-112
References 2-112
Cisco IPS Signatures 3-1
Overview 3-1
Module Objectives 3-1
Configuring Cisco IPS Signatures and Alerts 3-3
Overview 3-3
Objectives 3-3
Cisco IPS Signatures 3-4
How to Locate Signature Information 3-18
How to Configure Basic Signatures 3-21
Special Considerations for Signature Actions 3-33
Summary 3-35

ii Implementing Cisco Intrusion Prevention Systems (IPS) v6.0 © 2007 Cisco Systems, Inc.
Examining the Signature Engines 3-37
Overview 3-37
Objectives 3-37
Introducing Cisco IPS Signature Engines 3-38
Common Signature Engine Parameters 3-41
ATOMIC Signature Engines 3-53
FLOOD Signature Engines 3-54
SERVICE Signature Engines 3-55
STRING Signature Engines 3-60
SWEEP Signature Engines 3-61
TROJAN Signature Engines 3-64
TRAFFIC Signature Engines 3-65
AIC Signature Engines 3-67
STATE Signature Engine 3-76
META Signature Engine 3-79
NORMALIZER Engine 3-81
Summary 3-84
Customizing Signatures 3-85
Overview 3-85
Objectives 3-85
Tuning Signatures 3-86
Noise Reduction 3-88
False Positive Reduction 3-91
False Negative Reduction 3-95
Focusing Cisco IPS Sensors 3-100
Customizing Built-in Signatures 3-113
How to Create Custom Signatures 3-119
Custom Signature Scenarios 3-120
Summary 3-147
Module Summary 3-148


Course Introduction
Overview
This course delivers the knowledge and skills needed to design, install, configure, and maintain
a Cisco Intrusion Prevention System (IPS) sensor for small, medium, and enterprise networks,
and also procedures for managing IPS alarms.

Learner Skills and Knowledge


This subtopic lists the skills and knowledge that learners must possess to benefit fully from the
course. The subtopic also includes recommended Cisco learning offerings that learners should
first complete to benefit fully from this course.

Learner Skills and Knowledge

• Familiarity with networking and security terms and concepts
• (Securing Cisco Network Devices [SND]) course
• Strong user-level experience with Microsoft Windows operating systems

© 2007 Cisco Systems, Inc. All rights reserved. IPS v6.0—3

Course Goal and Objectives
This topic describes the course goal and objectives.

Course Goal

“To deploy, configure, and administer Cisco IPS sensors to protect network devices and hosts as well
as efficiently manage IPS alarms.”

Upon completing this course, you will be able to meet these objectives:
• Explain how Cisco IPS protects network devices from attacks
• Install and configure the basic settings on a Cisco IPS 4200 Series Sensor
• Use the Cisco IDM to configure built-in signatures to meet the requirements of a given
security policy
• Configure some of the more advanced features of the Cisco IPS product line
• Initialize and install into your environment the rest of the Cisco IPS family of products
• Use the CLI and Cisco IDM to obtain system information, and configure the Cisco IPS
sensor to allow an SNMP NMS to monitor the Cisco IPS sensor

Course Flow
This topic presents the suggested flow of the course materials.

Course Flow

        Day 1                      Day 2                    Day 3                     Day 4
AM      Course Introduction        Module 3: Cisco IPS      Module 4: Advanced        Module 5: Additional
        Module 1: Intrusion        Signatures               Cisco IPS Configuration   Cisco IPS Devices
        Prevention Overview
Lunch
PM      Module 2: Installation     Module 3: Cisco IPS      Module 4: Advanced        Module 6: Cisco IPS
        of a Cisco IPS 4200        Signatures (Cont.)       Cisco IPS Configuration   Sensor Maintenance
        Series Sensor                                       (Cont.)

The schedule reflects the recommended structure for this course. This structure allows enough
time for the instructor to present the course information and for you to work through the lab
activities. The exact timing of the subject materials and labs depends on the pace of your
specific class.

Additional References
This topic presents the Cisco icons and symbols that are used in this course, as well as
information on where to find additional technical references.

Cisco Icons and Symbols

(Figure: the icons used in this course. Cisco IPS Sensor; Cisco Catalyst 6500 Series IDSM-2;
Cisco Adaptive Security Appliance 5500 Series; Multilayer Switch; Cisco IOS Router; Cisco PIX
Firewall; Workgroup Switch; Network Cloud; Secure Endpoint; Laptop; Server (Web, FTP, etc.);
Ethernet Link; Hub; Security Management.)

Cisco Glossary of Terms


For additional information on Cisco terminology, refer to the Cisco Internetworking Terms and
Acronyms glossary of terms at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm.

Your Training Curriculum
This topic presents the training curriculum for this course.

Cisco Career Certifications

(Slide: Cisco Certifications, www.cisco.com/go/certifications)

You are encouraged to join the Cisco Certification Community, a discussion forum open to
anyone holding a valid Cisco Career Certification (such as Cisco CCIE®, CCNA®, CCDA®,
CCNP®, CCDP®, CCIP®, CCVP™, or CCSP®). It provides a gathering place for Cisco certified
professionals to share questions, suggestions, and information about Cisco Career Certification
programs and other certification-related topics. For more information, visit
www.cisco.com/go/certifications.

Cisco Career Certifications: CCSP

(Slide: Expand Your Professional Options and Advance Your Career. Professional-level recognition
in network security: CCNA (Associate), CCSP (Professional), CCIE (Expert).
www.cisco.com/go/certifications)
Module 1

Intrusion Prevention Overview

Overview
This module provides the fundamental knowledge required to understand an intrusion
prevention system (IPS). This module will introduce basic vocabulary and concepts to help lay
a foundation to better understand IPS technologies and the solutions that they provide in the
enterprise.

Module Objectives
Upon completing this module, you will be able to explain how the Cisco Intrusion Prevention
System (IPS) protects network devices from attacks. This ability includes being able to meet
these objectives:
• Define intrusion detection and intrusion prevention along with related terms and concepts
• Describe the Cisco IPS solutions and explain how Cisco IPS protects network devices from
attacks
• Describe the Cisco monitoring solutions and suggest how to utilize them
• Define major evasion techniques in order to justify several IPS features

Lesson 1

Explaining Intrusion Prevention

Overview
In networking today, it is increasingly important to protect company resources. Company
resources must not only be defended passively; the protection must also be constantly monitored
and enhanced with systems that actively inspect the data that passes over allowed and open
connections.

Objectives
Upon completing this lesson, you will be able to define intrusion detection and intrusion
prevention along with related terms and concepts. This ability includes being able to meet these
objectives:
• Explain the difference between intrusion detection and intrusion prevention
• Describe the similarities and differences among the various intrusion detection technologies
• Explain the terminology used in intrusion prevention and detection
• Explain the difference between promiscuous and inline intrusion protection
• Describe the new features included in the Cisco IPS Sensor Software Version 6.0

Intrusion Detection vs. Intrusion Prevention
This topic describes intrusion detection systems (IDSs) and intrusion prevention systems
(IPSs).

Intrusion Detection Systems

An IDS has the capability to detect misuse and abuse of, and unauthorized access to, network
resources.

An IDS has the capability to detect misuse and abuse of, and unauthorized access to, networked
resources. The Cisco intrusion protection product portfolio consists of a variety of devices
called sensors, all of which can monitor traffic from a particular network segment, analyze it,
detect malicious activity, and take a response action if the traffic is deemed malicious.

An IDS is usually a dedicated device that monitors network traffic and detects anomalies based
on certain criteria. These criteria can be a database of signatures, a statistical knowledge of
what represents normal network traffic, or an administrator-specified security policy.

The following are the attacks most commonly detected by a network IDS:
• Network sweeps and scans, which can indicate network reconnaissance.
• Common network anomalies at most Open Systems Interconnection (OSI) layers, including the
following:
– Malformed Address Resolution Protocol (ARP) requests or replies
– Invalid IP datagrams (for example, a “Christmas tree” packet, in which every TCP flag is set)
– Invalid TCP packets (for example, a source or destination port of 0)
– Malformed application-layer protocol units (for example, an HTTP request that does
not begin with GET, POST, HEAD, or another valid HTTP method)
• Flooding denial of service (DoS) attacks, which can come in the form of a very large number of
Internet Control Message Protocol (ICMP) packets or TCP SYN packets. These attacks
consume the resources of a system and can severely degrade performance. A TCP SYN flood
can even force the system to exhaust its memory, because the system must reserve a certain
amount of memory for each half-open connection.
• Application-layer content attacks, which can come in the form of buffer overflow attempts in
URLs or Multipurpose Internet Mail Extensions (MIME)-type headers.
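As an added example that is not part of the original course material, the following Python script applies checks of the kind just listed to a few constructed packet records: a port of 0, a “Christmas tree” flag set, an HTTP request that does not start with a valid method, and a SYN flood counted per destination inside a sliding window. The packet fields, the 100-SYNs-per-second threshold and the addresses are assumptions made for the illustration, not sensor defaults.

```python
# Added illustration (not Cisco code): header-sanity and SYN-flood checks of the
# kind a network IDS applies. All packet records below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass

VALID_HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                      b"OPTIONS", b"TRACE", b"CONNECT"}
ALL_TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


@dataclass
class Packet:
    ts: float                       # arrival time in seconds
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""


def header_anomalies(p: Packet) -> list:
    """Stateless checks on one packet; returns the names of anomalies found."""
    found = []
    if p.proto != "tcp":
        return found
    if p.sport == 0 or p.dport == 0:
        found.append("tcp-port-zero")
    if ALL_TCP_FLAGS <= p.flags:
        found.append("tcp-xmas-tree")           # every flag lit: never legitimate
    elif {"SYN", "FIN"} <= p.flags or {"SYN", "RST"} <= p.flags:
        found.append("tcp-illegal-flag-combo")
    if p.dport == 80 and p.payload:
        method = p.payload.split(b" ", 1)[0]
        if method not in VALID_HTTP_METHODS:
            found.append("http-bad-method")     # request does not open with a valid method
    return found


class SynFloodDetector:
    """Stateful check: too many bare SYNs to one destination inside a sliding window."""

    def __init__(self, window_s: float = 1.0, threshold: int = 100):
        self.window_s = window_s
        self.threshold = threshold
        self._syns = defaultdict(deque)         # dst -> timestamps of recent SYNs

    def observe(self, p: Packet) -> bool:
        if p.proto != "tcp" or p.flags != frozenset({"SYN"}):
            return False
        q = self._syns[p.dst]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window_s:
            q.popleft()                         # expire SYNs older than the window
        return len(q) > self.threshold


def analyze(packets) -> dict:
    """Run all checks over a packet list; returns {anomaly name: count}."""
    counts = defaultdict(int)
    flood = SynFloodDetector()
    for p in packets:
        for name in header_anomalies(p):
            counts[name] += 1
        if flood.observe(p):
            counts["tcp-syn-flood"] += 1
    return dict(counts)


def sample_traffic() -> list:
    """Constructed traffic: one normal request, three malformed packets, one SYN flood."""
    pkts = [
        Packet(0.0, "tcp", "10.0.1.10", "10.0.0.5", 40000, 80,
               frozenset({"PSH", "ACK"}), b"GET /index.html HTTP/1.1\r\n"),
        Packet(0.1, "tcp", "10.0.1.11", "10.0.0.5", 40001, 80, ALL_TCP_FLAGS),
        Packet(0.2, "tcp", "10.0.1.12", "10.0.0.5", 0, 22, frozenset({"SYN"})),
        Packet(0.3, "tcp", "10.0.1.13", "10.0.0.5", 40003, 80,
               frozenset({"PSH", "ACK"}), b"\x90\x90\x90\x90 HTTP/1.1\r\n"),
    ]
    # 150 bare SYNs from many sources inside half a second (constructed flood)
    pkts += [Packet(1.0 + i * 0.003, "tcp", f"198.51.100.{i % 250 + 1}", "10.0.0.5",
                    1024 + i, 80, frozenset({"SYN"})) for i in range(150)]
    return pkts


if __name__ == "__main__":
    print(analyze(sample_traffic()))
```

The stateless checks need no memory, which is why they are cheap enough to run on every packet; the SYN-flood check has to keep per-destination state, and on a real sensor that state is itself a resource an attacker can try to exhaust.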

Intrusion Prevention Systems

An IPS has the capability to detect and prevent misuse and abuse of, and unauthorized access to,
network resources.

An IPS has the capability to detect and prevent misuse and abuse of, and unauthorized access
to, networked resources. All Cisco sensors can perform intrusion prevention.

The Cisco Intrusion Prevention System (IPS) is an inline, network-based solution designed to
accurately identify, classify, and stop malicious traffic, including worms, spyware and adware,
network viruses, and application abuse, before it affects business continuity.

Utilizing Cisco IPS Sensor Software Version 6.0, the Cisco IPS solution combines inline
prevention services with technologies that improve detection accuracy, so that malicious traffic
can be dropped with a low risk of also dropping legitimate traffic.

The Cisco IPS solution also offers comprehensive protection of your network through its
unique ability to collaborate with other network security resources, providing a proactive
(Adaptive Threat Defense [ATD]) approach to protecting your network.

Intrusion Prevention Technologies
This topic describes the various technologies used to detect malicious network activity. Cisco
sensors use a blend of the technologies discussed in this topic.

Signature-Based IPS

(Figure: an attacker sends the HTTP request “GET /cgi-bin/phf?Qname=x%0acat+/etc/shadow” to
the target; the sensor reports a string match on “/cgi-bin/phf” followed by “/etc/shadow”.)

Observe a system, and send an alarm if a known malicious event is detected:
• Requires a database of known malicious patterns
• The database must be continuously updated

Signature-Based IPS
A signature is a set of rules that pertain to typical intrusion activity. Highly skilled network
engineers research known attacks and vulnerabilities and develop signatures to detect these
attacks and vulnerabilities.

A signature-based IPS monitors the network traffic and compares the data in the flow against a
database of known attack signatures.

To detect an attack signature, which is usually a well-known pattern of an attack, a signature-based
IPS looks at the packet headers or data payloads. For example, a signature might be a
sequence or a string of bytes in a certain context. Here are some examples:
• Attacks against a web server are usually in the form of specially crafted URLs. Therefore,
the IPS looks for the signature at the start of the data flow, which begins with an HTTP
request from the client.
• An attack against a Simple Mail Transfer Protocol (SMTP) server can be in the form of a
buffer overflow in the MAIL FROM command of the SMTP session. The IPS looks for the
attack signature in the part of the SMTP session that starts with the MAIL FROM command
and ends at the end of that line.
• An attack on the mail client can be in the form of a buffer overflow in the MIME header of
the message itself. The IPS looks for the sequence of bytes that identifies the start of a new
MIME part in the message, followed by a sequence of bytes that composes a buffer overflow.

These examples illustrate the fact that a signature-based IPS detects only attacks that a vendor
or IPS administrator has entered into a database. Usually a signature-based IPS is unable to
detect undiscovered or unreported attacks. Therefore, all signature-based IPSs place a certain
amount of burden on the administrator, because they will have to regularly update the signature
database. Usually, the manufacturers publish database updates; however, the administrator must
still monitor the updates, be continually aware of the new types of attacks, and confirm that the
latest database can detect these attacks. If not, the administrator must create custom signatures
that will cover these attacks.

The patterns in a network IPS can be based on the following:
• Data matching and stateful (session-aware) data matching, for example, string matching
• Full protocol decodes, where a pattern in the protocol itself is being examined
• Heuristic analysis, where a rough description of the attack is the signature
Signature-Based IPS (Cont.)

Features:
• Is also known as misuse detection or pattern matching; matches patterns of malicious activity
• Has relatively low false positive rate (tuned, good signature design)
• Is simple to customize and extend
Limitations:
• Cannot detect unknown attacks (not always true with good generic signatures)
• Requires constant update to stay current
• Is susceptible to evasion
• Has high false positive rate with bad signatures
• Requires creation of signatures
• Is always reactive

Features
The features of signature-based IPS are as follows:
• After the IPS has been tuned to filter out all events that represent a low threat, and all
events that do not apply to the network topology (for example, signatures for attacks against
web servers that are not used in the monitored network), the IPS notifies the analyst only of the
attacks that are relevant to the monitored network. Therefore, a signature-based IPS, when
tuned, should have a low false positive rate.
• A signature-based IPS usually has a simple way of adding new signatures, which allows the
administrator to keep the database up to date with signatures for the newest attacks without
waiting for the next manufacturer update. Also, the signatures are usually easy enough to
understand that they can be translated from another source and put into the database (for
example, some other IPS, a Computer Emergency Response Team [CERT] advisory, and so
on).

Limitations
The limitations of the signature-based IPS are as follows:
• The IPS cannot detect a new attack for which there is no signature in the database. This
limitation can sometimes be avoided if the signature is generic. For example, most directory
traversal attacks can be detected by checking for the presence of the string “..” in the URL.
However, this signature would also be triggered by legitimate requests that contain “..” in
the URL. A signature that generic therefore trades a false negative for many false positives.
• The administrator must constantly update the signature database so that the IPS can detect
the most recent attacks.
• If the signature is not well-written, evasion is possible. For example, the string “..” can be
URL encoded as “%2E%2E”, or Unicode Transformation Format (UTF) codes can be used
instead of ASCII.
• Bad (vendor or custom) signature design can cause many false positives to fire; therefore,
good signature design, which is not simple, is required.
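The encoding evasion and the “too generic” trade-off above, and the web-server context rule from the examples earlier in this topic, illustrated together as an added Python example that is not part of the original course material. The matcher inspects only the request line that opens an HTTP flow, carries the phf signature from the slide plus a generic “..” signature and a tighter “../” one, and runs every request twice: once on the raw bytes and once after percent-decoding (two rounds, to catch double encoding) and folding overlong UTF-8 sequences. The request lines, signature names and the two-round decode limit are assumptions made for the illustration.

```python
# Added illustration (not Cisco code): a minimal signature matcher for HTTP
# request lines, with and without normalization, so the "%2E%2E" and overlong
# UTF-8 evasions are visible. The sample request lines are constructed.
import re
from urllib.parse import unquote_to_bytes

# Each signature is evaluated only in its context: the request line that opens
# the client side of an HTTP flow.
SIGNATURES = [
    ("phf-shadow", re.compile(rb"/cgi-bin/phf\?.*?/etc/shadow", re.S)),  # slide example
    ("dot-dot-generic", re.compile(rb"\.\.")),      # too generic: fires on benign ".."
    ("dir-traversal", re.compile(rb"\.\./")),       # tighter: needs the separator too
]


def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse two-byte overlong UTF-8 sequences (lead byte C0/C1) to ASCII,
    so %C0%AE becomes '.' just as a lax decoder on the target would read it."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(request_line: bytes, max_rounds: int = 2) -> bytes:
    """Percent-decode until stable (bounded, so %252E double encoding is caught
    but an attacker cannot make the sensor loop), then fold overlong UTF-8."""
    cur = request_line
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur = nxt
    return fold_overlong_utf8(cur)


def match(request_line: bytes, normalized: bool) -> list:
    """Return the names of signatures that fire on one request line."""
    if not request_line.startswith((b"GET ", b"POST ", b"HEAD ")):
        return []                                   # outside the signatures' context
    target = normalize(request_line) if normalized else request_line
    return [name for name, pat in SIGNATURES if pat.search(target)]


# Constructed request lines; the first is the slide's example
REQUESTS = {
    "phf":      b"GET /cgi-bin/phf?Qname=x%0acat+/etc/shadow HTTP/1.0",
    "encoded":  b"GET /%2E%2E/%2E%2E/etc/passwd HTTP/1.0",
    "double":   b"GET /%252E%252E/etc/passwd HTTP/1.0",
    "overlong": b"GET /%C0%AE%C0%AE/etc/passwd HTTP/1.0",
    "benign":   b"GET /docs/v1..v2/diff.html HTTP/1.0",
}


def compare() -> dict:
    """For each request: (signatures firing on raw bytes, signatures firing after normalization)."""
    return {k: (match(v, False), match(v, True)) for k, v in REQUESTS.items()}


if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:9s} raw={raw} normalized={norm}")
```

Run as written, the three encoded traversals fire only after normalization, while the benign “v1..v2” path fires the generic signature in both modes and the tighter one in neither; the decoder, not the pattern, is what defeats the evasion, which is why Cisco sensors put this work in protocol-aware engines rather than in plain string matching.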

Anomaly-Based IPS

(Figure: three alarms. A UDP flood from an attacker: “There is too much UDP traffic in the
mix!” A malformed SNMP GET: “The SNMP message does not conform to the protocol!” An HTTP
request that causes www file access: “The web server is writing to the \WINNT folder!”)

Observe a system and send an alarm if an event outside the known normal behavior is detected:
• Two types: statistical and nonstatistical anomaly detection
• Requires a definition of “normal”

Anomaly-Based IPS
An anomaly-based IPS monitors the network for events and content that represents an anomaly
(that is, a departure from normal behavior). This anomaly can be an unusual increase in a
certain type of traffic, an occurrence of some type of traffic not usually present on a monitored
network, or a malformed message of a known protocol.

Here are the two types of anomaly-based IPS:
• Statistical anomaly detection: This approach learns the profile of the monitored
network (traffic patterns) from the network itself over a period of time. After that period,
this approach detects when the statistical properties of the network traffic deviate enough
from the learned pattern, and triggers an alarm.
• Nonstatistical approach: This approach has a predefined definition of known good
behavior, usually coded in by the vendor, and triggers when an event outside that profile
occurs. The quality of such an IPS depends on the expertise of the vendor and may not suit
the specific network setup of the customer. The following are examples of nonstatistical
anomalies:
– A communication between two devices using the Internetwork Packet Exchange
(IPX) protocol in a network where TCP/IP is the only protocol used
– An occurrence of a routing protocol originating from a user device
– An anomalous packet, such as a Christmas tree packet, or a TCP packet where the
source and destination addresses and ports are equal

Anomaly-Based IPS (Cont.)
Features:
ƒ Is also known as profile-based detection because activity detected
deviates from the profile of normal activity
ƒ There are two types of anomaly-based intrusion prevention:
– Statistical anomaly
– Nonstatistical anomaly
ƒ Can detect unknown attacks
Limitations:
ƒ Output is more vague than other methods
(does not pinpoint the exact nature of attack)
ƒ Statistical anomaly requires the creation of statistical user and network
profiles
ƒ Is prone to a high number of false positives because of the difficulty in
defining “normal” activity


Features
A significant feature of anomaly-based IPS is that it can detect attacks that have not been
discovered or reported anywhere. Anomaly-based IPS is best suited for an environment where
the pattern of traffic is very well-defined (for example, monitoring a single application on a
host or over the network).

Limitations
The biggest challenge with anomaly-based detection is that statistical approaches work best in
larger environments. Historically that has limited the development of anomaly-based solutions.
With the Cisco IPS Sensor Software Version 6.0 anomaly detection feature, no attempt is made
to be a pure anomaly-based system. Instead, it focuses on worm-based attacks. No matter what
the size of the environment, this form of anomaly detection is highly reliable.

Note When an anomaly-based IPS has a larger knowledge base, there are fewer false positives.

Policy-Based IPS

[Figure: an attacker connects via FTP to the web server on a segment where the policy states "Only DECnet traffic is allowed here!"; the sensor raises "Alarm! Someone has connected via FTP to the web server!"]

Observe a system and send an alarm if an event outside the configured policy is detected:
ƒ Requires a policy database

Policy-Based IPS
A policy-based IPS triggers if a violation of a configured policy occurs. Because any deviation
from the policy triggers regardless of whether a signature exists for it, a policy-based IPS is a
very popular method of detection, especially if unknown attacks must be detected.

A policy-based IPS has to have a clear representation of what the security policy is. For
example, an administrator can write a network access policy in terms of permissions (which
networks can communicate with which networks, using which protocols).

Some security policies are hard to incorporate into the IPS. If, for example, browsing of
pornographic, hacker, or “warez” sites is not allowed, the IPS must be able to communicate
with some type of blacklist database to check if a policy violation has occurred. Whether this
communication is possible depends on the implementation of the IPS.

Policy-Based IPS (Cont.)

Features:
ƒ Reliable detection
ƒ Very focused
ƒ Simple and viable creation of custom signatures
ƒ Extremely low amount of false positives
Limitations:
ƒ Requires the operator to design the policy ruleset from scratch


Features
One of the important features of the policy-based IPS is that it is reliable and triggers very few
false positives. These benefits are possible because the administrator enters into the IPS a
security policy that precisely defines what is and what is not allowed.

In most current policy-based IPSs, you define the policy exclusively with a list of custom
signatures that describe what is and what is not allowed in the network. These rules usually
describe everything that is forbidden, together with the exceptions that are allowed (for
example, trigger an alarm for any type of traffic destined to host X, except HTTP). The IPS is
very focused on the environment, because you have told it exactly what to allow and what not
to allow. It does not rely on vendor or generic settings.

Limitations
The deployment of the policy-based IPS can take quite some time, because it requires the
administrator to design the policy ruleset from scratch. With other types of IPS, notably
signature-based IPS, the deployment time may be shorter because the administrator can
immediately connect the device to the network, and the default settings can then be tuned to
match the specifics of the network.

Even though it is usually easy to define in a security policy exactly what to allow, it may not be
easy or even possible to define all potential violations of the security policy and the level of
threat they represent. Because of this, many events may fall into a gray area, where it is
difficult for the IPS to decide what alarm level to trigger when a violation occurs.

Protocol Analysis

Intrusion detection analysis is performed on the protocol specified in the data stream:
ƒ Examines the protocol to determine the validity of the packet
ƒ Checks the content of the payload (pattern matching)
ƒ Performs nonstatistical anomaly detection


Protocol Analysis-Based IPS


Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but
it performs a more in-depth analysis of the protocols specified in the packets. For example, an
attack is launched against a server. The attacker sends an IP packet with a protocol type that,
according to an RFC, should not contain any data in the payload. A protocol analysis-based IPS
is able to detect this type of attack based on the knowledge of the protocol.

Intrusion Prevention Terminology
This topic provides definitions and explanations for commonly used terms associated with
intrusion detection.

Vulnerabilities and Exploits

ƒ A vulnerability is a weakness that compromises either the security or the functionality of a
system, for example:
– Poor passwords
– Improper input handling
– Insecure communications
ƒ An exploit is the mechanism used to leverage a vulnerability, for
example:
– Password guessing tools
– Shell scripts
– Executable code


A vulnerability is a weakness that compromises either the security or the functionality of a
system. Some examples of vulnerabilities are as follows:
„ Poor passwords: Passwords are the first line of defense. Weak or easily guessed
passwords are considered vulnerabilities.
„ Improper input handling: Software that does not properly handle all possible input can
have unexpected results. Often, this leads to either a DoS or access to restricted system
resources.
„ Insecure communication: Data that is transferred in plaintext is susceptible to
interception. System passwords, employee records, and confidential company documents
are some examples of data that is vulnerable to interception.

An exploit is the mechanism used to leverage a vulnerability to compromise the security or
functionality of a system. Some examples of exploits are as follows:
„ Password guessing tools: These tools attempt to “crack” passwords by using knowledge of
the algorithm used to generate the actual password or by attempting to access a system
using permutations and combinations of different character sets. Some popular password
cracking tools are L0phtCrack and John the Ripper.
„ Shell or batch scripts: These scripts are created to automate attacks or perform simple
procedures known to expose the vulnerability.
„ Executable code: Exploits written as executable code require programming knowledge and
access to software tools such as a compiler. Consequently, executable code exploits are
considered to be more advanced forms of exploitation.

False Alarms

ƒ False positive: Normal traffic or a benign action causes the signature to fire.
ƒ False negative: A signature is not fired when offending traffic is
detected. An actual attack is not detected.


The ability of an intrusion detection product to accurately detect an attack or a policy violation
and generate an alarm is critical to its functionality. The two forms of false alarms are false
positives and false negatives.

A false positive is a situation in which normal traffic or a benign action causes the signature to
fire. Consider this scenario: a signature exists that generates alarms if the enable password of
any network device is entered incorrectly. A network administrator attempts to log into a Cisco
router but enters the wrong password. The IPS cannot distinguish between a rogue user and the
network administrator, and it generates an alarm.

A false negative is a situation in which a signature is not fired when offending traffic is
detected. Offending traffic can be as simple as someone sending confidential documents
outside of the corporate network or as complex as an attack against corporate web servers.
False negatives should be considered software bugs and reported in accordance with the
software license agreement.

Note You should only consider a false negative to be a software bug if, in fact, the IPS has a
signature that has been designed to detect the offending traffic.

True Alarms

ƒ True positive: A signature is fired properly when the offending traffic is detected. An
attack is detected as expected.
ƒ True negative: A signature is not fired when nonoffending traffic is
detected. Normal traffic or a benign action does not cause an
alarm.


Like false alarms, there are two forms of true alarms. A true positive is a situation in which a
signature is fired properly when offending traffic is detected and an alarm is generated. For
example, Cisco IPS sensors have signatures that detect Unicode attacks against Microsoft
Internet Information Server (IIS) web servers. If a Unicode attack is launched against Microsoft
IIS web servers, the sensors detect the attack and generate an alarm.

A true negative is a situation in which a signature is not fired when nonoffending traffic is
captured and analyzed. In other words, the sensor does not fire an alarm when it captures and
analyzes “normal” network traffic.
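An added example (not Cisco's code) for the policy-based IPS described earlier and the four alarm outcomes above: a tiny ruleset of the form "alarm on any traffic to host X except HTTP" is run over a constructed capture, and each verdict is scored against a ground-truth label as a true or false positive or negative. The policy, hosts, ports and labels are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    """One captured connection attempt (constructed). 'malicious' is the ground truth
    used only for scoring; the IPS itself never sees it."""
    src: str
    dst: str
    proto: str
    dport: int
    malicious: bool


@dataclass
class Rule:
    """'Everything to <dst> is forbidden except these ports' (or only the listed ports)."""
    name: str
    dst: str                                        # protected host or network
    deny_any: bool = False                          # alarm on any port ...
    deny_ports: set = field(default_factory=set)    # ... or only on these ports
    allow_ports: set = field(default_factory=set)   # exceptions that never alarm

    def matches(self, e: Event) -> bool:
        if ip_address(e.dst) not in ip_network(self.dst):
            return False
        if e.dport in self.allow_ports:
            return False
        return self.deny_any or e.dport in self.deny_ports


# Constructed policy: host X (the web server 10.2.0.10) may only be reached over HTTP,
# and no host in the DMZ accepts FTP.
POLICY = [
    Rule("all-but-http-to-webserver", "10.2.0.10/32", deny_any=True, allow_ports={80}),
    Rule("no-ftp-into-dmz", "10.2.0.0/24", deny_ports={21}),
]


def evaluate(policy, events) -> list:
    """Return [(event, name of the first rule that fired, or None)] in capture order."""
    return [(e, next((r.name for r in policy if r.matches(e)), None)) for e in events]


def classify(results) -> dict:
    """Count true/false positives/negatives by comparing each verdict with the ground truth."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for e, fired in results:
        correct = (fired is not None) == e.malicious
        counts[("T" if correct else "F") + ("P" if fired else "N")] += 1
    return counts


# Constructed capture mirroring the scenarios in the text.
CAPTURE = [
    Event("10.1.0.5", "10.2.0.10", "tcp", 80, malicious=False),   # ordinary browsing
    Event("10.1.0.5", "10.2.0.10", "tcp", 21, malicious=True),    # attacker's FTP to the web server
    Event("10.1.0.9", "10.2.0.10", "tcp", 22, malicious=False),   # admin SSH, indistinguishable from an intruder
    Event("10.1.0.5", "10.2.0.20", "tcp", 21, malicious=True),    # FTP into another DMZ host
    Event("10.1.0.5", "10.2.0.20", "tcp", 80, malicious=True),    # attack carried inside permitted HTTP
    Event("10.1.0.7", "10.3.0.4", "tcp", 443, malicious=False),   # traffic the policy does not cover
]

if __name__ == "__main__":
    results = evaluate(POLICY, CAPTURE)
    for e, fired in results:
        print(f"{e.src} -> {e.dst}:{e.dport}  rule={fired}")
    print(classify(results))
```

The admin's SSH session produces the false positive described in the text, and the attack tunnelled over permitted HTTP is the false negative: a policy-based rule cannot see inside a channel it allows.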

Promiscuous and Inline Modes
This topic explains the differences between promiscuous mode and inline mode.

Promiscuous Mode Protection: IDS

[Figure: a switch feeds copies of traffic to the sensor, which reports to a management system while the target receives the original packets.]
1. A network device sends copies of packets to the sensor for analysis.
2. If the traffic matches a signature, the signature fires.
3. The sensor can send an alarm to a management console and take a response action such as resetting the connection.

By default, the monitoring interface of a Cisco sensor works in promiscuous mode, which
means that it monitors all traffic on the local network via a network device that captures traffic
for the sensor. The network device sends copies of packets to the sensor for analysis. If the
traffic matches a signature, the signature fires. The sensor can send an alarm to the management
console and take a response action such as initiating a block or resetting the connection.
Sensors running in promiscuous mode are IDS sensors.

Inline Mode Protection: IPS

[Figure: the sensor sits in the data forwarding path between the network and the target, with a management system attached.]
The sensor resides in the data forwarding path. If a packet triggers a signature, it can be dropped before it reaches its target. An alert can be sent to the management console.

In contrast to a sensor in promiscuous mode, an inline sensor processes packets as they flow
through the data forwarding path of the network, and can make the decision to forward or drop
packets based on what it detects. An inline sensor is, therefore, an IPS. An inline IPS provides
an added level of protection from Internet worms and from atomic attacks, in which malicious
content is contained in a single packet. With the sensor monitoring all traffic as it moves
through the data forwarding path, a packet that triggers a signature can be dropped before it
reaches its target. The sensor can also send an alert to the management console and take other
response actions.

The Cisco IPS Sensor Software Version 6.0 is a standard image that includes both promiscuous
IDS and inline IPS functionality. You can switch a sensor between inline and promiscuous
mode without causing a reboot or reimage of the sensor. If your sensor has sufficient
monitoring interfaces, you can use inline and promiscuous mode simultaneously.

One method to run the sensor in inline mode is to install it between two network devices as
shown in the figure. The network devices could include routers, switches, or firewalls.

You must configure two monitoring interfaces of the sensor as an inline pair. These inline port
pairs operate in a transparent Layer 2 repeater mode in which packets that enter one interface of
the port pair are transmitted out the other interface of the port pair unless a defined signature
response action drops the packets.

Confidence in IPS

Cisco IPS Sensor Software Version 6.0 contains several features that enable you to use inline
deny actions with confidence. Among these features are:
ƒ Risk rating
ƒ High availability
ƒ Application firewall
ƒ Meta event generator
ƒ Anomaly detection


Cisco IPS Sensor Software Version 6.0 contains several features dedicated to preventing your
inline sensor from denying mission-critical packets or in any way disrupting your network. A
brief overview of these features is as follows:
„ Risk rating: The risk rating feature enables you to make intelligent decisions when
configuring inline drop actions and thereby reduce false alarms. You can use the risk rating
system to control what causes an alarm. The risk rating is made up of several factors:
— Event severity: This is the severity level that you assign to a signature.
— Signature fidelity: This is a rating of confidence in the accuracy of the signature.
The default rating is calculated by the author of the signature.
— Asset value: This is a designation of the criticality of the target system. You can
assign a criticality of no value, low, medium, high, or mission-critical to devices on
your network.
— Attack relevancy: The severity of the attack can be escalated or de-escalated based
on the relevance of the attack.
— Other: Other variables, such as the Promiscuous Delta (PD) or the Watch List
Rating (WLR), are calculated into the risk rating under special circumstances.
„ High availability: High availability can be achieved through numerous mechanisms.
Network collaboration, for example, can provide resiliency and redundancy. Hot Standby
Router Protocol (HSRP) configuration and Cisco EtherChannel load balancing on Cisco
Catalyst switches can divert traffic to a secondary sensor upon the failure of a primary
sensor. Sensor appliances allow network redundancy using Spanning Tree Protocol (STP).
Because inline sensors act as Layer 2 bridges, connecting two or more inline sensors
between the same set of switches allows the switch to determine the correct path for
packets. Cisco IPS Sensor Software Version 6.0 has both a hardware and software bypass
mechanism that enables the sensor to pass packets despite sensor software failure. In
bypass mode, all the IPS processing subsystems are bypassed, and traffic is allowed to flow
between the inline port pairs directly. This feature is useful for troubleshooting and other
maintenance activities and allows the IPS processes and subsystems to be shut down
without impacting network traffic.
„ Application firewall: This feature enhances intrusion protection by detecting and
preventing HTTP and FTP misuse as follows:
— Detects the use of port 80 as a covert channel
— Ensures that HTTP methods are RFC compliant
— Controls permitted traffic via user-defined policies
— Filters traffic based on select MIME types
„ Meta event generator: This feature provides accurate worm mitigation through event
correlation.
„ Anomaly detection: The anomaly detection component of the sensor detects worm-
infected hosts. Cisco IPS Sensor Software Version 6.0 is less dependent on signature
updates for protection against worms such as Code Red and SQL Slammer. The anomaly
detection component lets the sensor learn normal activity and send alerts or take dynamic
response actions for behavior that deviates from what it has learned as normal behavior.
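Added example, not Cisco's code: the risk-rating factors listed above combined into a score and used to pick response actions by sensor mode (inline versus the promiscuous mode described earlier). The page names the factors but not their values, so the numeric scales, the combining formula, the deny threshold and the action names are assumptions for this example.

```python
# Assumed scales for the factors named in the text (not given on this page).
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}        # event severity
ASSET_VALUE = {"no value": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ATTACK_RELEVANCY = {"relevant": 10, "unknown": 0, "not relevant": -10}


def risk_rating(severity, fidelity, asset_value, relevancy="unknown",
                inline=True, promiscuous_delta=0, watch_list=0) -> int:
    """Combine the factors into a 0-100 risk rating.

    Assumed formula: severity * asset value * fidelity / 10000 + relevancy - PD + WLR,
    clamped to 0..100. The promiscuous delta (PD) is subtracted only when the sensor is
    not inline: a promiscuous sensor sees a copy and cannot be sure the packet reached
    its target, so the same event is rated lower. The watch list rating (WLR) is added.
    """
    if not 0 <= fidelity <= 100:
        raise ValueError("signature fidelity rating must be 0..100")
    rr = ATTACK_SEVERITY[severity] * ASSET_VALUE[asset_value] * fidelity / 10000
    rr += ATTACK_RELEVANCY[relevancy]
    if not inline:
        rr -= promiscuous_delta
    rr += watch_list
    return int(max(0, min(100, round(rr))))


def choose_actions(rr, inline, deny_threshold=90) -> list:
    """Assumed override table: always alert; above the threshold an inline sensor drops the
    packet itself, while a promiscuous sensor can only react after the fact by resetting the
    connection and asking a blocking device to block the host."""
    actions = ["produce-alert"]
    if rr >= deny_threshold:
        actions += ["deny-packet-inline"] if inline else ["reset-tcp-connection", "request-block-host"]
    return actions


def decide(severity, fidelity, asset_value, relevancy="unknown", inline=True,
           promiscuous_delta=0, watch_list=0) -> dict:
    rr = risk_rating(severity, fidelity, asset_value, relevancy, inline, promiscuous_delta, watch_list)
    return {"risk_rating": rr, "actions": choose_actions(rr, inline)}


if __name__ == "__main__":
    # One high-severity signature (fidelity 85, PD 30) against targets of different asset
    # value, seen inline and in promiscuous mode (constructed values).
    for asset in ("no value", "medium", "mission-critical"):
        for inline in (True, False):
            d = decide("high", 85, asset, "relevant", inline=inline, promiscuous_delta=30)
            print(f"{asset:17} inline={inline!s:5} RR={d['risk_rating']:3} {d['actions']}")
```

The medium-value target shows the point of the delta: the same event rates 95 inline and is dropped, but 65 in promiscuous mode and only alerts.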

Note Anomaly detection alone cannot stop a single exploit from happening—nor will it stop the
very first infection in the network.

The following is an example of the life cycle of threat mitigation:

1. A new worm is unleashed, using an unpublished vulnerability. It infects one of the hosts on
the monitored network, because a signature for this worm does not exist yet.
2. The anomaly detection engine detects that the infected host is misbehaving and blocks it,
preventing it from further infecting other hosts on the network.
3. A day later, a signature for this worm is released and deployed.
4. A new computer infected with the worm enters the network. It is now immediately blocked
after having sent the first malicious packet, because this packet matches the signature. No
further infections are possible on that network.

Cisco IPS Sensor Software Version 6.0 detects most potential threats with a broad array of
detection methods including stateful pattern recognition, protocol analysis, traffic anomaly
detection, and protocol anomaly detection. This comprehensive attack identification, combined
with the enhanced signature accuracy and high availability provided by new Cisco IPS Sensor
Software Version 6.0 features, makes the inline mode of Cisco IPS a reliable choice. Using an
array of detection algorithms together allows the user to gain the benefits of each method.

Features of Cisco IPS Sensor Software Version 6.0
This topic describes features that have been added since Cisco IPS Sensor Software Version
5.0.

New Features in Cisco IPS Sensor Software Version 5.1

Cisco IPS Sensor Software Version 5.1 added these features:
ƒ Rate-limiting collaboration
ƒ Multiple VLANs on a single interface
ƒ Dedicated antivirus engine
ƒ GRE inspection
ƒ IP-in-IP inspection
ƒ IPv6 inspection
ƒ Enhancements to EtherChannel load balancing
ƒ Multi STRING signature engine


The main new features of Cisco IPS Sensor Software Version 5.1 are as follows:
„ Enhanced collaboration for rate-limiting functionality: Provides bandwidth
preservation capability through collaboration with routers and switches
„ Multi-VLAN single interface inline prevention: Allows services on up to 255 VLANs
across the network using a single interface
„ Dedicated antivirus engine: Provides a dedicated antivirus engine that analyzes traffic to
accurately identify the unique behavior of viruses and stop them from propagating across
the network
„ Generic Routing Encapsulation (GRE) inspection: Allows the sensor to detect and stop
attacks contained in GRE-encapsulated traffic
„ IP-in-IP inspection: Provides inspection capability to Mobile IP traffic, which typically
uses IP-in-IP tunneling to maintain data integrity between endpoints
„ IP version 6 (IPv6) inspection: Provides unparalleled protection from a wide array of
IPv6 attacks through the delivery of a new IPv6 attack mitigation engine
„ Enhancements to EtherChannel load balancing: Provides these enhancements:
— Multigigabit-per-second performance
— Deployment options for redundancy

„ Multi STRING signature engine: Provides inspection of Layer 4 transport protocol, such
as ICMP, TCP, and User Datagram Protocol (UDP), payloads using multiple string
matches for one signature

New Features in Cisco IPS Sensor Software Version 6.0

Cisco IPS Sensor Software Version 6.0 contains several new features:
ƒ Support for virtualization
ƒ New signature engines (SMB, TNS)
ƒ Passive operating system fingerprinting
ƒ Improved risk and threat rating system
ƒ External product interface
ƒ Enhanced password recovery
ƒ Improved Cisco IDM
ƒ Anomaly detection


Cisco IPS Sensor Software Version 6.0 adds many new features, which include the following:
„ Virtualization in Cisco IPS Sensor Software Version 6.0 does not mean support for virtual
machines; it is the policy that is virtualized, across different virtual sensors.
„ The SERVICE Server Message Block (SMB) engine has been enhanced and is now called
the SERVICE SMB Advanced engine. There is a new engine added to examine
Transparent Network Substrate (TNS), an industry standard database network protocol.
„ Passive operating system fingerprinting is a set of features that enables the Cisco IPS to
identify the operating system of the victim of an attack.
„ The risk rating system is associated with alerts, not signatures. It is calculated from several
components, some of which are configured, others calculated, and some are derived from
other risk rating components.
„ The External Product Interface (EPI) allows sensors to subscribe for events from other
devices. Although designed to be generic, at this time, the EPI can process only events
from the CiscoWorks Management Center for Cisco Security Agent.
„ Password recovery no longer requires you to reimage the sensor. It is now possible to
recover the “admin” account without reimaging. The password is reset to “cisco.”
„ The Cisco IPS Device Manager (IDM) now has a new and improved home page with
several new icons for configuring and monitoring sensors.
„ The anomaly detection feature is designed to detect worm-infected hosts. This component
learns normal activity and sends alerts or takes configured actions for behavior that is
significantly different from what it has learned to be normal.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary

ƒ An IDS has the ability to detect misuse and abuse of, and unauthorized
access to, networked resources. An IPS has the ability to detect and
prevent misuse and abuse of, and unauthorized access to, networked
resources.
ƒ Anomaly-based intrusion prevention notes activity that is considered
outside of “normal” activity. Policy-based intrusion prevention defines
intrusions as violations of policy and as malicious behavior. Signature-
based intrusion prevention matches patterns of malicious activity.
ƒ A vulnerability is a weakness that compromises either the security or
functionality of a system, and an exploit is something that is used to take
advantage of a vulnerability.
ƒ If your sensor has sufficient monitoring interfaces, you can use inline and
promiscuous mode simultaneously.
ƒ Both Cisco IPS Sensor Software Version 5.1 and Version 6.0 added
features to increase the effectiveness of the Cisco IPS Sensor Software.

Lesson 2

Examining Cisco IPS Products

Overview
Cisco offers a complete line of intrusion prevention system (IPS) products. This lesson
provides an overview of these products. As well as understanding the capabilities of a Cisco
IPS sensor, it is also important to understand how to best place the sensors to most effectively
protect a network. This lesson discusses sensor placement and what role Cisco IPS sensors play
in the Cisco Self-Defending Network.

Objectives
Upon completing this lesson, you will be able to describe the Cisco Intrusion Prevention
System (IPS) solutions and explain how Cisco IPS protects network devices from attacks. This
ability includes being able to meet these objectives:
„ Explain the various models available in the Cisco family of IPS sensors
„ Describe network IPS and list its features and limitations
„ Describe host IPS and list its features and limitations
„ Explain the considerations necessary for selection, placement, and deployment of a
network IPS
„ Describe the Cisco Self-Defending Network and how the Cisco IPS products fit in to that
structure

Cisco Network Sensors
This topic introduces Cisco network sensors and provides an overview of their features.

Cisco Sensor Family

[Figure: the chart places each sensor by performance (Mbps) and network media: Cisco IDS Network Module (45), Cisco IDS 4215 Sensor (80), Cisco IDS 4240 Sensor (250), Cisco ASA AIP-SSM (450), Cisco IPS 4255 Sensor (600), Cisco Catalyst 6500 Series IDSM-2 (600), Cisco IPS 4260 Sensor (1000). The network media of each sensor are listed in the Cisco Sensor Features table that follows.]

The figure and table provide information about current Cisco sensors that can run Cisco IPS
Sensor Software Version 6.0 or higher. These legacy sensors can also run Cisco IPS Sensor
Software Version 6.0:
„ Cisco Intrusion Detection System (IDS) 4235 Sensor
„ Cisco IDS 4250 XL Sensor

The performance values are approximate and can vary depending on packet size. Refer to the
product release notes and cisco.com for the most current information.

Cisco Sensor Features

Sensor                                                    Performance (Mbps)                   Network media
Cisco IDS Network Module                                  45                                   10/100/1000BASE-TX
Cisco IDS 4215 Sensor                                     80                                   10/100BASE-TX
Cisco Adaptive Security Appliance Advanced Inspection     225 (Cisco ASA AIP-SSM-10)           10/100/1000BASE-TX
  and Prevention Security Services Module                 450 (Cisco ASA AIP-SSM-20)
  (Cisco ASA AIP-SSM)
Cisco IPS 4240 Sensor                                     250                                  10/100/1000BASE-TX, 1000BASE-SX
Cisco IPS 4255 Sensor                                     600                                  10/100/1000BASE-TX, 1000BASE-SX
Cisco Catalyst 6500 Series Intrusion Detection            600                                  Switched 1000BASE-TX
  System Module 2 (IDSM-2)
Cisco IPS 4260 Sensor                                     1000                                 10/100/1000BASE-TX, 1000BASE-SX
Note For the Cisco ASA AIP-SSM, performance values vary considerably depending on which
model of the Cisco ASA 5500 Series Adaptive Security Appliance the Cisco ASA AIP-SSM
is installed in.

Cisco IPS 4200 Series Sensors

• Appliance solution focused on protecting network devices, services, and applications
• Provides sophisticated attack detection:
– Network attacks
– Application attacks
– DoS attacks
– Fragmented attacks
– Whisker attacks
• Intrusion prevention capability

The Cisco IPS 4200 Series Sensors are market-leading dedicated appliances for intrusion
detection and prevention, with the highest performance and lowest false alarm rates of the
industry. The Cisco IPS 4200 Series Sensors are focused on protecting network devices,
services, and applications. They are capable of detecting sophisticated attacks such as the
following:
• Network attacks
• Application attacks
• Denial of service (DoS) attacks
• Fragmented attacks
• Whisker attacks using IDS evasive techniques

Cisco ASA AIP-SSM

• High-performance module designed to provide additional security services to the Cisco ASA 5500 Series Adaptive Security Appliance
• Diskless design for improved reliability
• External 10/100/1000 Ethernet interface for management and software downloads
• Intrusion prevention capability
• Runs the same software image as the sensor appliances

The Cisco ASA AIP-SSM provides the intrusion detection and prevention security feature set for the Cisco ASA 5500 Series Adaptive Security Appliances. It runs the same Cisco IPS Sensor Software Version 6.0 or higher software image as the sensor appliances and, therefore, provides the same security features as the sensor appliances.

The Cisco ASA AIP-SSM is available in two models, the Cisco ASA AIP-SSM-10 and the
Cisco ASA AIP-SSM-20. The Cisco ASA AIP-SSM-20 has a faster processor and more
memory than the Cisco ASA AIP-SSM-10.

Cisco Catalyst 6500 Series IDSM-2

• Switch-integrated intrusion protection module delivering a high-value security service in the core network fabric device
• Supports an unlimited number of VLANs
• Intrusion prevention capability
• Runs the same software image as the sensor appliances

The Cisco Catalyst 6500 Series IDSM-2 provides full-featured intrusion protection in the core
network fabric device. The Cisco Catalyst 6500 Series IDSM-2 is specifically designed to
address switched environments by integrating the IDS functionality directly into the switch.
The Cisco Catalyst 6500 Series IDSM-2 runs the same software image as the sensor appliances
and can be configured to perform intrusion prevention.

Cisco IDS Network Module

• Integrates IDS into the Cisco 2600XM Series Router, the Cisco 2691, 3660, 3725, and 3745 Multiservice Access Routers, and the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers
• Provides full-featured intrusion protection
• Is able to monitor traffic from all router interfaces
• Is able to inspect GRE and IPsec traffic that has been decrypted at the router
• Delivers comprehensive intrusion protection at branch offices, isolating threats from the corporate network
• Runs the same software image as the sensor appliances

The Cisco IDS Network Module can be installed on the following Cisco routers to provide 45
Mbps of full-featured intrusion protection services within the router:
• Cisco 2600XM Series Router
• Cisco 2691 Multiservice Access Router
• Cisco 3660 Multiservice Access Router
• Cisco 3725 Multiservice Access Router
• Cisco 3745 Multiservice Access Router
• Cisco 2811 Integrated Services Router
• Cisco 2821 Integrated Services Router
• Cisco 2851 Integrated Services Router
• Cisco 3825 Integrated Services Router
• Cisco 3845 Integrated Services Router

The Cisco IDS Network Module provides the capability to inspect all traffic traversing the
router and then identify and terminate unauthorized or malicious activity. The Cisco IDS
Network Module leverages the current Cisco IDS sensor technology to expand IDS support into
the branch office router. It requires an encryption feature set of Cisco IOS Release 12.2(15)ZJ
or later for the routers. Through collaboration with IP Security (IPsec), virtual private network
(VPN), and Generic Routing Encapsulation (GRE) traffic, the module allows decryption, tunnel
termination, and traffic inspection at the first point of entry into the network. Only one Cisco
IDS Network Module is supported in a single router; however, it is not restricted to a specific
network module slot within the router.

Note Cisco IDS Network Module does not support inline interface pairs or VLAN pairs, and it does
not support virtualization.

Sensor Appliance Interfaces

[Figure: a sensor placed between an untrusted network (router, switch) and a protected router. The monitoring interface attaches to the switch on the monitored segment; the command and control interface attaches, through a switch on an out-of-band network, to the management system.]

Each sensor appliance has at least two interfaces. One of these interfaces is the designated
command and control interface. This interface has an assigned IP address, which allows it to
communicate with a management workstation and other network devices. The other interface
monitors the desired network segment. The monitoring interface has no IP address and is not
visible on the network.

Some sensors have more than one monitoring interface. These sensors can work in either of these modes:
• Promiscuous mode: Promiscuous mode is illustrated in the figure and is available in all sensors. Sensors running in promiscuous mode are able to detect malicious activity and take a response action.
• Inline mode: Inline mode is available only in sensors running Cisco IPS Sensor Software Version 6.0 or higher that have at least two monitoring interfaces or to which additional interfaces can be added. This includes the Cisco IDS 4215 Sensor, Cisco IDS 4235 Sensor, Cisco IPS 4240 Sensor, Cisco IDS 4250 XL Sensor, Cisco IPS 4255 Sensor, Cisco IPS 4260 Sensor, and the Cisco Catalyst 6500 Series IDSM-2 Module. Sensors running in inline mode are able to prevent malicious activity and take a response action.

Note Cisco IPS Sensor Software Version 6.0 is also supported on the Cisco IDS Network Module;
however, this sensor does not support inline functionality.

In Cisco IPS Sensor Software Version 6.0, the physical interfaces of the sensor are named using
the convention <type><slot>/<port>. The type, slot, and port are defined as follows:
• <type>: This is the name of the interface type. Names are defined as follows:
— For sensing interfaces, <type> is GigabitEthernet or FastEthernet.
— For management interfaces, <type> is Management on the Cisco IPS 4240 Sensor and Cisco IPS 4255 Sensor. It is GigabitEthernet or FastEthernet for all other sensor platforms.
• <slot>: This is the physical expansion slot number in which the interface card is installed. The slot is 0 for all built-in interfaces and 1 or greater for expansion slots. Slots are numbered from right to left or from bottom to top.
• <port>: This is the interface index on the interface card. Port numbers must be unique for all interfaces on a given slot and a given interface type. For example, FastEthernet3/2 and GigabitEthernet3/2 can coexist. The port numbers for a given interface type are numbered in increasing order from right to left, starting with zero.
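The naming rules above can be checked mechanically. The following added example (not Cisco code) parses names of the form <type><slot>/<port>, rejects names that break the convention, flags duplicate port indices, and labels each port of constructed Cisco IDS 4215 and Cisco IPS 4240 inventories copied from the back-panel tables later in this lesson; the platform strings "4215", "4240", and "4255" are the example's own shorthand.

```python
"""Validator for the Cisco IPS Sensor Software 6.0 interface naming convention
<type><slot>/<port>.  Added example, not Cisco code; the sample inventories are
constructed from the back-panel tables in this lesson."""
import re
from dataclasses import dataclass
from typing import Optional

# Interface types named in the text.  Management exists only on the
# Cisco IPS 4240 and 4255 Sensors; every other platform names its command
# and control port GigabitEthernet or FastEthernet, like a sensing port.
KNOWN_TYPES = {"GigabitEthernet", "FastEthernet", "Management"}
MANAGEMENT_TYPE_PLATFORMS = {"4240", "4255"}

# Command and control interface per platform, taken from the back-panel tables.
COMMAND_AND_CONTROL = {
    "4215": "FastEthernet0/0",
    "4240": "Management0/0",
    "4255": "Management0/0",
}

NAME_RE = re.compile(r"^(?P<type>[A-Za-z]+)(?P<slot>\d+)/(?P<port>\d+)$")


@dataclass(frozen=True)
class IfName:
    type: str
    slot: int   # 0 = built-in, 1 or greater = expansion slot
    port: int   # index on the card, counted right to left from zero

    @property
    def builtin(self) -> bool:
        return self.slot == 0


def parse_ifname(name: str, platform: Optional[str] = None) -> IfName:
    """Split 'GigabitEthernet0/1' into its fields and reject names that break
    the convention (bad shape, unknown type, Management on a platform that
    does not have that type)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a <type><slot>/<port> name: {name!r}")
    itype = m.group("type")
    if itype not in KNOWN_TYPES:
        raise ValueError(f"unknown interface type {itype!r} in {name!r}")
    if itype == "Management" and platform and platform not in MANAGEMENT_TYPE_PLATFORMS:
        raise ValueError(f"{name!r}: Management type is not used on the {platform}")
    return IfName(itype, int(m.group("slot")), int(m.group("port")))


def check_inventory(names, platform=None):
    """Return the problems found in a sensor's interface list: malformed names
    and (type, slot, port) collisions.  FastEthernet3/2 and GigabitEthernet3/2
    may coexist because port numbers only have to be unique per type and slot."""
    problems, seen = [], set()
    for n in names:
        try:
            i = parse_ifname(n, platform)
        except ValueError as e:
            problems.append(str(e))
            continue
        key = (i.type, i.slot, i.port)
        if key in seen:
            problems.append(f"duplicate port index: {n}")
        seen.add(key)
    return problems


def role_of(name: str, platform: str) -> str:
    """Classify an interface as 'command-and-control' or 'sensing' on a
    platform whose back-panel table appears in this lesson."""
    parse_ifname(name, platform)          # raises on a malformed name
    if platform not in COMMAND_AND_CONTROL:
        raise ValueError(f"no back-panel table for platform {platform!r}")
    return "command-and-control" if name == COMMAND_AND_CONTROL[platform] else "sensing"


# Constructed inventories, copied from the 4215 and 4240 back-panel tables.
IDS_4215 = ["FastEthernet0/0", "FastEthernet0/1", "FastEthernet1/0",
            "FastEthernet1/1", "FastEthernet1/2", "FastEthernet1/3"]
IPS_4240 = ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2",
            "GigabitEthernet0/3", "Management0/0"]

if __name__ == "__main__":
    for platform, inv in (("4215", IDS_4215), ("4240", IPS_4240)):
        print(platform, "problems:", check_inventory(inv, platform))
        for n in inv:
            print(f"  {n:20} {role_of(n, platform)}")
```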

Cisco IDS 4215 Sensor Front Panel

[Figure: Cisco IDS 4215 Sensor front panel, showing the power LED, the monitoring interface LED, and the command and control interface LED.]

The technical specifications for the Cisco IDS 4215 Sensor are as follows:
• Performance: 65 Mbps
• Monitoring interface: One 10/100BASE-TX
• Command and control interface: One 10/100BASE-TX
• Optional interfaces: Four 10/100BASE-TX Fast Ethernet monitoring interfaces, which allow a total of five monitoring interfaces
• Form factor: 1 rack unit (RU)

The physical dimensions of the Cisco IDS 4215 Sensor are as follows:
• Height: 1.7 in. (4.32 cm)
• Width: 16.8 in. (42.54 cm)
• Depth: 11.8 in. (29.97 cm)
• Weight: 11.5 lb (4.11 kg)

Cisco IDS 4215 Sensor Back Panel

[Figure: Cisco IDS 4215 Sensor back panel, showing the console port, the optional monitoring interfaces, the built-in monitoring interface, and the command and control interface.]

The back of the Cisco IDS 4215 Sensor can have up to six Ethernet interfaces: one command and control interface and five monitoring interfaces. Reading from right to left, the interfaces are as reflected in the table.

Interfaces

Position on Sensor | Label on Sensor | Function            | Name
0                  | Ethernet 1      | Command and control | FastEthernet0/0
1                  | Ethernet 0      | Sensing             | FastEthernet0/1
2                  | None            | Sensing             | FastEthernet1/0
3                  | None            | Sensing             | FastEthernet1/1
4                  | None            | Sensing             | FastEthernet1/2
5                  | None            | Sensing             | FastEthernet1/3

Cisco IPS 4240 Sensor Front Panel

[Figure: Cisco IPS 4240 Sensor front panel, showing the power, status, and flash indicators.]

The technical specifications for the Cisco IPS 4240 Sensor are as follows:
• Performance: 250 Mbps
• Monitoring interfaces: Four 10/100/1000BASE-TX
• Command and control interface: One 10/100BASE-TX
• Diskless architecture: CompactFlash storage
• Form factor: 1 RU

The physical dimensions of the Cisco IPS 4240 Sensor are as follows:
• Height: 1.72 in. (4.3688 cm)
• Width: 17.25 in. (43.815 cm)
• Depth: 14.5 in. (36.83 cm)
• Weight: 20.0 lb (9.07 kg)

Note There is also a variant of the Cisco IPS 4240 Sensor that is based on the Cisco IPS 4240 Sensor but has unique features, including support for DC power and Network Equipment Building System (NEBS) level 3 compliance.

Cisco IPS 4240 Sensor Back Panel

[Figure: Cisco IPS 4240 Sensor back panel, showing the console port, the monitoring interfaces, the command and control interface, the CompactFlash slot, the auxiliary port, and the USB (Universal Serial Bus) ports.]

The back panel of the Cisco IPS 4240 Sensor is made up of the following:
• There is one 10/100BASE-TX command and control interface.
• There are four 10/100/1000BASE-TX monitoring interfaces. Reading from right to left, the interfaces are as reflected in the table.

Interfaces

Position on Sensor | Label on Sensor | Function            | Name
0                  | 0               | Sensing             | GigabitEthernet0/0
1                  | 1               | Sensing             | GigabitEthernet0/1
2                  | 2               | Sensing             | GigabitEthernet0/2
3                  | 3               | Sensing             | GigabitEthernet0/3
4                  | MGMT            | Command and control | Management0/0

Cisco IPS 4255 Sensor Front Panel

[Figure: Cisco IPS 4255 Sensor front panel, showing the power, status, and flash indicators.]

The technical specifications for the Cisco IPS 4255 Sensor are as follows:
• Performance: 500 Mbps
• Monitoring interfaces: Four 10/100/1000BASE-TX
• Command and control interface: One 10/100BASE-TX
• Diskless architecture: CompactFlash storage
• Form factor: 1 RU

The physical dimensions of the Cisco IPS 4255 Sensor are as follows:
• Height: 1.72 in. (4.3688 cm)
• Width: 17.25 in. (43.815 cm)
• Depth: 14.5 in. (36.83 cm)
• Weight: 20.0 lb (9.07 kg)

Cisco IPS 4255 Sensor Back Panel

[Figure: Cisco IPS 4255 Sensor back panel, showing the console port, the monitoring interfaces, the command and control interface, the CompactFlash slot, the auxiliary port, and the USB ports.]

The back panel of the Cisco IPS 4255 Sensor is made up of the following:
• There is one 10/100BASE-TX command and control interface.
• There are four 10/100/1000BASE-TX monitoring interfaces. Reading from right to left, the interfaces are as reflected in the table.

Interfaces

Position on Sensor | Label on Sensor | Function            | Name
0                  | 0               | Sensing             | GigabitEthernet0/0
1                  | 1               | Sensing             | GigabitEthernet0/1
2                  | 2               | Sensing             | GigabitEthernet0/2
3                  | 3               | Sensing             | GigabitEthernet0/3
4                  | MGMT            | Command and control | Management0/0

Cisco IPS 4260 Sensor Front Panel

[Figure: Cisco IPS 4260 Sensor front panel, showing the power, flash, and status indicators.]

The technical specifications for the Cisco IPS 4260 Sensor are as follows:
• Performance: 1 Gbps
• Monitoring interfaces: One 10/100/1000BASE-TX
• Command and control interface: One 10/100/1000BASE-TX
• Optional interfaces: There are two expansion slots, each of which can contain either four 10/100/1000BASE-TX monitoring interfaces or two 1000BASE-SX fiber interfaces. The 2SX fiber card and the 4GE bypass interface card also include a hardware-bypass feature.
• Diskless architecture: CompactFlash storage
• Form factor: 2 RU

The physical dimensions of the Cisco IPS 4260 Sensor are as follows:
• Height: 3.45 in. (8.76 cm)
• Width: 17.14 in. (43.53 cm)
• Depth: 20.0 in. (50.8 cm)
• Weight: 40.0 lb (when loaded)

Cisco IPS 4260 Sensor Back Panel

[Figure: Cisco IPS 4260 Sensor back panel, showing the console port, the command and control interface, the built-in monitoring interface, and the expansion slots for additional monitoring interfaces.]

The back panel of the Cisco IPS 4260 Sensor is made up of the following:
• Two expansion slots, each of which can hold either four 10/100/1000BASE-TX monitoring interfaces or two 1000BASE-SX fiber interfaces, allowing up to nine monitoring interfaces in total
• One 10/100/1000BASE-TX (Mgmt 0/0) command and control interface
• One 10/100/1000BASE-TX (Gig0/1) monitoring interface

Network IPS
This topic describes network IPS and its benefits and limitations.

Network IPS

• Sensors are connected to network segments. A single sensor can monitor many hosts.
• The growth of a network is easily protected. New hosts and devices can be added to the network without additional sensors.
• The sensors are network appliances tuned for intrusion prevention analysis.
– The operating system is “hardened.”
– The hardware is dedicated to intrusion prevention analysis.

A network IPS involves the deployment of monitoring devices, or sensors, throughout the
network to capture and analyze the traffic as it traverses the network. The sensors detect
malicious and unauthorized activity in real time and can take action when required.

Sensors can be deployed at designated points that enable security managers to monitor network
activity while it is occurring, regardless of the location of the target of the attack.

Network IPS gives security managers real-time insight into their networks regardless of
network growth caused by adding either more hosts or new networks. Additional hosts added to
protected networks would be covered without any new sensors. Additional sensors can easily
be deployed to protect the new networks. The following are some of the factors that influence
the addition of sensors:
• Exceeded traffic capacity: For example, the addition of a new gigabit network segment requires a high-capacity sensor.
• Performance capabilities of the sensor: The current sensor may not be able to perform, given the new traffic capacity.
• Network implementation: The security policy or network design may require additional sensors to help enforce security boundaries.

Network IPS sensors are typically tuned for intrusion prevention analysis. The underlying
operating system is “stripped” of unnecessary network services, and essential services are
secured.

The hardware chosen provides the maximum intrusion prevention analysis possible for various
networks. The hardware includes the following three things:
• Network interface card (NIC): Network IPSs must be able to connect into any network. Common network IPS NICs include Ethernet, Fast Ethernet, and Gigabit Ethernet.
• Processor: Intrusion prevention requires CPU power to perform intrusion prevention protocol analysis and pattern matching.
• Memory: Intrusion prevention analysis is memory intensive. Memory directly affects the ability of a network IPS to efficiently and accurately detect an attack.

Network IPS Features and Limitations

Network IPS features:
• Cost-effective (a single sensor covers a lot)
• Attacks should not compromise it
• Provides insight into attacks at lower OSI layers
• Is operating system independent (has a wide variety of detection capabilities)
• Can be invisible
Network IPS limitations:
• Overloaded by network traffic
• Differences between traffic seen by the network IPS and traffic received by the target
• Defied by network encryption

The following are the main features of network IPS:
• A single device can monitor many of the hosts on the network, which decreases the cost of maintenance and deployment.
• A network IPS can detect low-level attacks, because it captures raw data from the network.
• A network IPS can detect attacks on many different types of operating systems, depending on the extent of its database.
• A network IPS can have a special, dedicated interface that monitors only network traffic and is otherwise completely unresponsive to stimuli. Such a device is invisible to the attacker, which by definition is not true of a host IPS, which resides on the server and is visible by default.

The following are the most apparent limitations of network IPS:
• There may be too much traffic on the network for the IPS to process it all in real time and respond to it in a timely manner.
• The network IPS may not interpret the data that it monitors in the same way as the end system. An example of this behavior is the reassembly of overlapping fragmented datagrams. The network IPS may reassemble the datagrams so that later datagrams overwrite the data that is already in the reassembly buffer, while the end system may leave the data that is already in the reassembly buffer unchanged. If the data comes from an attacker, the results may not be the same.
• Network encryption breaks the application layer capability of network IPS, because payloads become hidden (Secure Sockets Layer [SSL], IPsec).
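To make the reassembly difference concrete, the following added example (not part of the Cisco course) models fragments as constructed (offset, bytes) pairs rather than real IP packets and reassembles them under the two policies just described; the conflicting_overlaps check is the kind of signal a sensor can alert on when it cannot know which policy the end system applies.

```python
"""Model of the overlapping-fragment limitation described above.  Added example,
not from the Cisco course: fragments are constructed (offset, bytes) pairs, not
real IP packets, and the two policies are the ones the text describes."""


def reassemble(fragments, policy):
    """Rebuild a datagram from (offset, data) fragments.
    'last':  a later fragment overwrites bytes already in the reassembly buffer.
    'first': bytes already in the buffer are kept; later fragments only fill gaps."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    end = max(buf) + 1 if buf else 0
    if any(pos not in buf for pos in range(end)):
        raise ValueError("hole in datagram: not all fragments have arrived")
    return bytes(buf[pos] for pos in range(end))


def conflicting_overlaps(fragments):
    """Byte positions covered by two fragments that carry different data.
    These are exactly the positions where 'first' and 'last' diverge, so a
    sensor that does not know the end system's policy may analyze a different
    byte stream than the one the host actually receives."""
    seen, conflicts = {}, set()
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def policies_disagree(fragments):
    """True when the two reassembly policies would hand the analysis engine
    different data; a sensor can alert on this condition instead of silently
    trusting one reassembly."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


def is_complete(fragments):
    """True when the fragments cover every byte from offset 0 to the end."""
    try:
        reassemble(fragments, "first")
        return True
    except ValueError:
        return False


# Constructed fragments: the second overlaps bytes 4..7 of the first with
# different data, so the two policies produce different datagrams.
FRAGMENTS = [
    (0, b"ABCDEFGH"),
    (4, b"wxyzIJKL"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:5}: {reassemble(FRAGMENTS, policy)!r}")
    print("conflicting positions:", conflicting_overlaps(FRAGMENTS))
    print("policies disagree:", policies_disagree(FRAGMENTS))
```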

Network IPS Deployment

[Figure: typical network IPS deployment. A sensor monitors the segment between the untrusted network (router) and the corporate network (firewall and switches); a management server resides inside the corporate network.]

The figure illustrates a typical network IPS deployment. The sensor is deployed at a network
entry point and reports to a management and monitoring server located inside the corporate
firewall.

Host-Based IPS
This topic describes host IPS and its benefits and limitations.

Host IPS

• Consists of agent software installed on each host
• Provides individual host detection and protection
• Does not require special hardware

A host IPS audits host log files, host file systems, and resources. An advantage of a host IPS is
that it can monitor operating system processes and protect critical system resources, including
files that may exist only on that specific host.

A simple form of host IPS is enabling system logging on the host. However, it can become
manpower-intensive to recover and analyze these logs. The host IPS software of today requires
agent software to be installed on each host to monitor activity performed on and against the
host. The agent software performs the intrusion detection analysis and protects the host.

The Cisco host IPS, Cisco Security Agent, complements the Cisco network IPS by protecting
the integrity of applications and operating systems. The Cisco Security Agent blocks malicious
activity before damage is done. By using behavior-based technology that focuses on the
behavior of applications, the Cisco Security Agent protects not only against known attacks but
also against new attacks for which there is no known signature.

Cisco Security Agent resides between the applications and the kernel, enabling maximum
application visibility with minimal impact to the stability and performance of the underlying
operating system. The unique architecture of the software intercepts all operating system calls
to file, network, and registry sources, and to dynamic run-time resources such as memory
pages, shared library modules, and Component Object Model (COM) objects. The agent applies
unique intelligence to correlate the behaviors of these system calls, based on rules that define
inappropriate or unacceptable behavior for a specific application or for all applications. This
correlation and subsequent understanding of the behavior of an application is what allows the
software, as directed by the security staff, to prevent new intrusions.

Note Additional training on Cisco Security Agent is available in the Securing Hosts Using Cisco
Security Agent (HIPS) course.

Host IPS Features and Limitations

Host IPS features:
• More focused on a specific system, more scalable
• Knows about the success of an attack
• User identity is known
• Not defied by network encryption
Host IPS limitations:
• No correlation ability if a single agent is deployed
• Every host requires a license
• Platform-dependent (host IPS might not exist for some operating systems)

The following are the main features of host IPSs:
• Host IPS software is written specifically for the host that it resides on, so it can focus only on attacks that affect that system.
• A host IPS can detect a successful attack, and can even take action after that if the system is still stable. For example, in the event of a DoS attack, where the goal of the attacker is to stop a specific service, the host IPS can attempt to restart the service.
• Because it sees the consequences of an attack on the end system, the host IPS can sometimes catch unknown attacks by comparing their behavior to known attacks. An unknown attack produces the same consequences as a known one, so if the trigger is set to alarm on the consequences, the host IPS is more likely to react to an unknown attack, which is usually not the case with network IPS.
• If the attack requires the user to be logged in, such as an exploit that causes a local buffer overflow resulting in root privileges on UNIX systems, the host IPS can log the users that are currently logged in.
• A host IPS can observe the data, or the consequences it has on the system, after the data has been decrypted (SSL, IPsec), which is impossible with network IPS.

The following are the major limitations of host IPS:
• If the attack is damaging enough, it can crash the entire system before the host IPS is able to react. This is especially true with new attacks that exploit errors in the system that have not yet been fixed.
• The host IPS usually does not see low-level network events because they are filtered out by the device drivers and TCP/IP stack. These events include Address Resolution Protocol (ARP)-based attacks, such as ARP spoofing, or invalid IP packets that are rejected by the TCP/IP stack.
• For a single agent, no correlation is possible because there is only one source of information (the agent) and a single target (the host). With network IPS, correlation between attacks is available immediately, because a network IPS sensor usually monitors whole networks.
• If a large number of devices must be monitored, the cost of host IPS agents becomes quite large, and the cost of deployment and maintenance increases. With a large number of hosts, it may become impossible for one person to administer them all.
• Host IPS agents may not be available for all operating systems deployed in the company, or the applications in use on these systems may not allow an upgrade to a version of the operating system required by the host IPS agent.

Host IPS Deployment

[Figure: typical host IPS deployment. Agents run on the web server, DNS server, SMTP server, application server, and user desktops in the corporate network; a firewall separates the untrusted network from the corporate network, and the agents report to a console.]

The figure illustrates a typical host IPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The agents report events to a central console server located inside the corporate firewall.

The Cisco host IPS, Cisco Security Agent, can correlate these events, such as scan activity from
distributed agents, and is, therefore, able to discern that a distributed port scan is taking place.

IPS = Host IPS + Network IPS

IPS is a probabilistic technology:
• The more technologies and different methods of watching that you deploy, the higher the
probability of detection.
• IPS requires correlation.

Network IPS and host IPS are more than complementary:
• One can cancel out the limitations of the other.
• With correlation, they can provide more trustworthy data (e.g., MARS).

Intrusion prevention can be more reliable if you use many different approaches; one type of IPS
may find intrusion attempts that another type of IPS would overlook. However, the amount of
data gathered by many different IPSs may soon outgrow the ability of the administrator to
analyze it all. The tools for such analysis, and the time or resources to create custom tools for
such a task may not be available.

It can be argued that network IPS and host IPS used together are more than a sum of their parts;
the features of one will cancel out the limitations of the other. Also, with proper correlation,
you can obtain more trustworthy data from this combination than by using multiple network
IPS sensors and host IPS agents alone.

Defense in Depth: A Layered Solution

Network-focused technology:
• Hardened network devices
• Strict firewall rules
• Network IPS

Host-focused technology:
• Secured and patched operating system
• Hardened applications
• Host-based IPS agent

No single device or security technology can provide a complete security solution. A defense-in-
depth security solution attempts to protect network resources by providing layers of security.
You can implement intrusion detection at both the host level and the network level.
Implementing both technologies provides a defense-in-depth intrusion detection solution.

Host-focused intrusion technology includes the following:
• Protects applications on the specific host
• Controls access to host resources
• Protects the operating system
• Protects against buffer overflow attacks

Network-focused intrusion technology includes the following:
• Detects and prevents attacks against many applications
• Detects and prevents buffer overflow attacks
• Detects and prevents network reconnaissance and access attacks
• Detects and prevents DoS attacks

Notice the overlap and the differences between the host-focused and network-focused intrusion
prevention technologies. The differences provide protection where the other technology is
lacking, and the overlap provides an additional layer of protection.

Sensor Deployment
This topic discusses the factors to consider when deploying a Cisco IPS solution.

Sensor Deployment: Sensor Selection Factors

• Network media
• Sensor performance
• Network layout and design
• IPS design
• Virtualization

You should consider several factors when selecting sensors for a Cisco IPS solution:
organizational, financial, and technical. For the purposes of this discussion, the focus is on the
technical factors, which are as follows:
• Network media: Sensor selection is affected by the network media and environment.
Cisco IPS sensor NICs range from Ethernet to Gigabit Ethernet.
• Sensor performance: The performance for the sensors is rated by the number of bits per
second (bps) that can be captured and accurately analyzed. Cisco IPS sensor performance
ranges from 65 Mbps to 1000 Mbps.
• Network design: Cisco IPS sensors are suited for networks that have speeds ranging from
10/100BASE-T Ethernet to Gigabit Ethernet. The network design can affect the choice of
sensor.
• IPS design: Sensors used for broad-based analysis usually need more capacity. Sensors
that are to focus on monitoring individual servers, or applications, do not need as much
capacity.
• Virtualization: If the sensor is going to be using multiple virtual sensors, more capacity
will be required.

IDS or IPS

• Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do
not plan to use deny actions.
• Deploy an IPS sensor in areas where you need and plan to use deny actions.

You should consider several factors when deciding whether to deploy a sensor as an IPS or as
an IDS. Although the use of IPS deny actions requires a well-defined security policy and a good
understanding of your overall IPS deployment, IPS is the recommended solution.

There are many benefits and risks of IPS:
• IPS deny actions can stop the trigger packet, packets in a connection, or packets from an
attacker.
• The sensor can use stream normalization techniques to reduce or eliminate many network
evasion techniques.
• IPS actions are effective in stopping worms.
• Sensor errors or failures can affect network traffic.
• Overrunning the capabilities of an inline sensor can affect the network adversely.
• The sensor can affect time-sensitive applications such as VoIP.

There are many benefits and risks of IDS:
• The sensor has no impact on the network.
• Sensor failure cannot affect network functionality.
• Overrunning the sensor with data does not affect network traffic, although it can affect IDS
analysis.
• IDS response actions cannot stop the trigger packet and are not guaranteed to stop a
connection. IDS response actions are typically better at stopping an attacker than a specific
attack.
• IDS sensors are more vulnerable to evasion techniques than IPS sensors are.

Sensor Deployment Considerations

• Number of sensors needed
• Sensor placement
• Management and monitoring options

Deploying a Cisco IDS or IPS solution requires a well-thought-out design. Here are the
important design issues to take into consideration:
• Your network topology: Knowledge of your network topology will help you determine
how many sensors are required, the hardware configuration for each sensor (such as the
size and type of NICs), and how many management workstations are needed. An inline
sensor monitors all traffic between the two devices where it is placed. A promiscuous mode
sensor monitors all traffic across a given network segment. With that in mind, you should
consider all the connections to the network that you want to protect. Before you deploy and
configure your sensors, you should understand the following about your network:
  – The size and complexity of your network
  – Connections between your network and other networks, including the Internet
  – The amount and type of traffic on your network
• Sensor placement: It is recommended that sensors be placed at those network entry and
exit points that provide sufficient intrusion prevention coverage. Determine the type of
location that you have to determine which parts of the network you want to protect. Keep in
mind that each appliance maintains a security policy configured for the network or
networks that it is monitoring. The security policies can be standard across the organization
or unique for each appliance. You may consider changing your network topology to force
traffic across a given protected network segment. There are always operational trade-offs
when going through this process. The result should be an estimate of the number of
appliances required to protect the desired network. You can place an appliance in front of
or behind a firewall. Each position has its benefits and drawbacks.
• Management and monitoring options: Review the management and monitoring options
to select those most appropriate for your network. Keep in mind that the number of sensors
that you deploy is directly correlated to the type of management console that you select.

Deploying IDS and IPS

[Figure: Deploying IDS and IPS. Sensors at the branch and corporate network entry points,
a Cisco Catalyst 6500 Series IDSM2 in the corporate network, the firewall toward the untrusted
network, a management server, and Cisco Security Agent on the web server and DNS server.]

As you examine your network topology to determine how many sensors are required, consider
all connections to the network that you want to protect. Locations that need to be protected
generally fall into these five basic categories:
• Internet protection: A sensor between your perimeter gateway and the Internet
complements the firewall and VPN by monitoring traffic for malicious activity.
• Extranet protection: A sensor between your network and extranet connections, such as
connections with a business partner, monitors traffic where trust is implied but not assured.
• Intranet and internal protection: Sensors on your intranet protect data centers and critical
systems from internal threats.
• Remote-access protection: A sensor on your remote-access network hardens perimeter
control by monitoring remote-access users.
• Server farm protection: Companies are deploying Internet servers on their demilitarized
zone (DMZ) networks. These servers offer Internet services such as web access, Domain
Name System (DNS), FTP, and Simple Mail Transfer Protocol (SMTP). Cisco Security
Agent software is installed on these servers. The CiscoWorks Management Center for
Cisco Security Agent is installed on an internal network.

A complete Cisco IPS solution includes the installation of both a network IPS and a host IPS.
Network IPS sensors are installed at network entry points to provide broader coverage, and host
IPS agents are installed on critical network servers.
• Sensors are deployed at network entry points to protect critical network segments. The
network segments have both internal and external corporate resources. The sensors report
to a central management and monitoring server located inside the corporate firewall.

Network IPS Sensor Placement Considerations

Place network IPS sensors to monitor segments where you need to prevent attacks the most:
• Monitor most sensitive servers
• Monitor most sensitive internal segments (management network)
• Monitor network entry points:
  – Internet firewall, business partner entry, dialup entry
  – Switched network edge (biggest performance issue)
• Monitor exposed hosts most likely to be compromised:
  – Hosts that are likely to be used as a jump-off point
  – Hosts that your reputation depends on

Network IPS sensors should monitor segments where the organization must prevent attacks the
most. These monitoring points usually include the following:
• The most sensitive internal servers: This is where the sensitive data is kept, and many
inside users often have access to these servers. Performance requirements are usually
highest on these segments.
• The most sensitive internal segments: These are the segments used for network
management or security management. Usually, the amount of traffic on these segments is
manageable; therefore, they can usually be monitored with a single sensor per segment,
with host IPS agents on the network management workstations.
• Network entry points: These are the locations in a network where untrusted users could
potentially enter the network. Examples of these entry points include the Internet firewall,
VPN connections, or dialup connections. The switched network edge is also a potential
entry point for local network users who might be untrusted. The switched network should
be one of the main performance considerations for network IPS deployments, because the
amount of traffic at a busy LAN edge is often too high for a single network IPS to handle.
• Exposed hosts most likely to be compromised: For example, exposed servers in the
firewall are likely to be targeted by an attacker because they can be used as a jump-off
point to the rest of the network.

Monitor Sensitive Servers

Performance considerations:
• Use a dedicated sensor per server (if justified)
• Focus monitoring: tailor the sensor to the server (fragmentation, applications running on
the server)
• Use host IPS (not a performance issue)

Example:
• Monitor only HTTP and HTTPS (the only services present)
• Other attacks might be missed, but are not likely to cause damage

When a network IPS is monitoring sensitive internal servers, the performance of the network
IPS is likely to be an issue. The following are guidelines that you should follow when
implementing a network IPS to monitor sensitive internal servers:
• Use a dedicated sensor to monitor an important server. Depending on the requirements of
the organization, the IPS designer may need to load-balance traffic across multiple sensors
or use a single sensor for a couple of internal servers.
• Tailor the sensor to the target that it is watching. Disable nonrelevant signatures to help
improve performance.
• Use host IPS in addition to a network IPS.

For example, if the only available services on a destination server are HTTP and HTTPS, a
network IPS might watch only for those protocols going to that server. Other attacks or
attempts might be missed, but are not likely to cause damage.

Monitor Network Entry Points: Outside

[Figure: sensor on the untrusted side of the firewall, between the untrusted and trusted
networks.]

Outside (untrusted side) network monitoring:
• Broad monitoring for any type of attack
• Detects attacks that the firewall will block (early warning, trends, new risks)
• Sees all traffic destined for your network
• Has higher probability of false positives
• Does not detect internal attacks

Network entry points should be monitored to detect attacks in the flow of traffic from the
untrusted to the trusted side of the network. An example of this kind of protection is on the
Internet firewall. The Internet firewall typically monitors traffic coming from the outside (or
untrusted) interfaces going to the inside (or trusted) interfaces.

You generally use network IPS monitoring on the untrusted (outside) segment to monitor traffic
“in the wild”—that is, catch any attacks and attempts before they hit the firewall. This type of
monitoring is useful to detect new forms of attacks, new trends in attacking, and to provide raw
data, which can be correlated with other sensors. This is probably the only sensor that is not
focused, because it attempts to gather as much information as possible about anything—this is
called broad monitoring. You typically tune this type of sensor to reduce only noise and basic
false positives.

Because the sensor is located in front of the firewall, no attacks are denied, except if there is
heavy filtering on the edge router.

Monitor Network Entry Points: Inside

[Figure: sensor on the trusted side of the firewall, between the untrusted and trusted
networks.]

Inside (trusted side) network monitoring:
• Use broad monitoring to detect any attacks
• Most other signatures still enabled
• Detects attacks that penetrate the firewall
• Detects outgoing attacks, even if blocked by the firewall
• Useful for correlation with outside sensors
• Sees only inbound traffic permitted by firewall
• Has lower probability of false positives
• Requires immediate response to alarms

You generally use network IPS monitoring on the trusted (inside) segment to detect attacks that
might pass from the untrusted to the trusted side. Basic correlation techniques might discover
this automatically, when seeing the same alarm reported by those two sensors.

Usually, this type of sensor is set to perform broad monitoring, because any type of attack must
be detected when leaking through the firewall.

You usually tune this type of sensor to reduce only the basic false positives. The firewall filters
the majority of the noise from the outside. Outbound traffic, which the IPS also usually
watches, might cause false positives, and would be the main reason for you to tune this sensor.
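The two correlations this lesson describes, the host IPS console recognizing a distributed port scan from the probe events of many agents (the Cisco Security Agent example earlier in this lesson) and the outside/inside sensor pair telling firewall-blocked alarms from those that penetrated, as an added Python example; it is not code from the Cisco course or any Cisco product, and the sensor names, signature names, and addresses are constructed.

```python
"""Added example (not Cisco code): two alarm correlations described in the text.

1. Host IPS console: each agent sees only a few port probes, but aggregating
   probe events by source across many agents reveals a distributed port scan.
2. Paired network sensors: an alarm reported by both the outside and inside
   sensor penetrated the firewall; an alarm seen only outside was blocked by
   the firewall (early warning); an alarm seen only inside is internal or
   outbound traffic.
Sensor names, signature names and addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    sensor: str     # "outside", "inside", or a host IPS agent name
    kind: str       # "network" or "host"
    signature: str  # constructed signature name
    src: str
    dst: str


# Constructed sample alarms; addresses come from the RFC 5737 documentation ranges.
ALARMS = [
    # Same exploit attempt seen on both sides of the firewall: it got through.
    Alarm("outside", "network", "http-exploit-attempt", "203.0.113.5", "198.51.100.10"),
    Alarm("inside", "network", "http-exploit-attempt", "203.0.113.5", "198.51.100.10"),
    # Probe seen only by the outside sensor: the firewall dropped it.
    Alarm("outside", "network", "smb-probe", "203.0.113.7", "198.51.100.20"),
    # Seen only inside: an outbound connection from an internal host.
    Alarm("inside", "network", "outbound-irc", "198.51.100.33", "203.0.113.80"),
    # One source touching four different host agents: a distributed scan.
    Alarm("web1", "host", "port-probe", "203.0.113.9", "198.51.100.10"),
    Alarm("dns1", "host", "port-probe", "203.0.113.9", "198.51.100.11"),
    Alarm("smtp1", "host", "port-probe", "203.0.113.9", "198.51.100.12"),
    Alarm("app1", "host", "port-probe", "203.0.113.9", "10.1.1.5"),
    # A single probe against one desktop: no scan pattern.
    Alarm("desktop7", "host", "port-probe", "192.0.2.50", "10.1.2.7"),
]


def correlate_perimeter(alarms):
    """Group network alarms by (signature, src, dst) and classify by the sensors that saw them.

    Returns three sets of keys: penetrated (outside and inside), blocked (outside only),
    inside_only (inside only).
    """
    seen_by = defaultdict(set)
    for a in alarms:
        if a.kind == "network":
            seen_by[(a.signature, a.src, a.dst)].add(a.sensor)
    penetrated = {k for k, s in seen_by.items() if {"outside", "inside"} <= s}
    blocked = {k for k, s in seen_by.items() if s == {"outside"}}
    inside_only = {k for k, s in seen_by.items() if s == {"inside"}}
    return penetrated, blocked, inside_only


def distributed_scans(alarms, min_agents=3):
    """Map each source that probed at least min_agents distinct agents to those agents."""
    agents_by_src = defaultdict(set)
    for a in alarms:
        if a.kind == "host" and a.signature == "port-probe":
            agents_by_src[a.src].add(a.sensor)
    return {src: agents for src, agents in agents_by_src.items() if len(agents) >= min_agents}


if __name__ == "__main__":
    pen, blocked, internal = correlate_perimeter(ALARMS)
    for key in sorted(pen):
        print("PENETRATED (respond immediately):", key)
    for key in sorted(blocked):
        print("blocked at firewall (early warning):", key)
    for key in sorted(internal):
        print("inside only (internal or outbound):", key)
    for src, agents in distributed_scans(ALARMS).items():
        print(f"distributed scan from {src} against {len(agents)} agents: {sorted(agents)}")
```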

IPS Management Design Guidelines
[Figure: IPS management design. Cisco Security Manager, netForensics, Solsoft NP,
Cisco Security MARS, CiscoWorks, HP OpenView, and other network management system
servers sit on an out-of-band (OOB) network, with a separate OOB connection to the IPS
network.]

• Consider placing IPS management in a separate protected network:
  – Private VLANs recommended
• Network management should be separate.
• Security management should be isolated from both the IPS and network management
networks.

It is a good idea to consider a completely separate management network for IPS, separated even
from the classic management LAN or VLAN, and the security servers. The rationale is that the
IPS subnet should be the most isolated subnet, perhaps even physically separate, because it is
the only monitoring mechanism available to detect unauthorized activity in real time.
Therefore, it should be the most trusted subnet in the network, having extremely restricted
connectivity to it and from it.

Note: Using private VLANs (PVLANs) to put all sensors on isolated ports in an out-of-band (OOB)
network is recommended, because the sensors do not need to talk to each other. This isolation
limits the impact of a single compromised sensor and helps prevent other sensors from being
compromised.

Cisco Self-Defending Network
This topic explains the Cisco Self-Defending Network and how the Cisco IPS products fit into
that structure.

Cisco Self-Defending Network

The Cisco Self-Defending Network is a strategic systems approach to security that uses the
network to identify, prevent, and adapt to threats from internal and external sources.
• Integration standard: This involves integration of security throughout the existing
infrastructure: built-in, not added on. Every element in the network acts as a point of defense.
• Collaboration standard: This involves collaboration between network and security
components throughout the network. Security becomes a system involving cooperation
between security-aware endpoints, network elements, and policy enforcement.
• Adaptability standard: This involves adaptability of the network to intelligently evolve
and adapt to emerging threats.

The Cisco Self-Defending Network protects an organization by identifying, preventing, and
adapting to threats from both internal and external sources. With this protection, companies are
better able to take advantage of the intelligence in their network resources, thus improving
business processes and cutting costs.

There are three standard characteristics of the Cisco Self-Defending Network:
• Integration standard
• Collaborative standard
• Adaptive standard

Integration Standard
Every element in the network acts as a point of defense, and all of the elements work together
to provide a secure and adaptive system. Routers, switches, appliances, and endpoints
incorporate security functions, including firewall protection, VPN capabilities, trust and
identity capabilities, and IPSs. In addition, this standard incorporates technologies inherent in
the secure operation of network devices, such as policing the control plane and providing
thresholds for CPU and memory.

Collaborative Standard
Various components of the network work together to provide new means of protection, and
security becomes a system involving cooperation between endpoints, network elements, and
policy enforcement. Network Admission Control (NAC) is an example of this principle,
whereby endpoints are admitted to the network based on their adherence to security policy that
is enforced by network devices such as routers and switches.

Adaptive Standard
Adaptive security allows for automatic deployment of innovative behavioral methods to
recognize new types of threats as they arise. Mutual awareness can exist between security
services and network intelligence, thus increasing security effectiveness and providing a more
proactive response to new types of threats. This mutual awareness effectively mitigates security
risks by broadening threat recognition capabilities and addressing threats at multiple layers of
the network.

Benefits of the Cisco Self-Defending
Network

• Improves flexibility and simplicity in network protection
• Improves IT management and efficiency
• Provides the ability to recognize suspicious activity, identify threats, and respond to
attacks in a coordinated way
• Protects against users with insecure or infected devices
• Improves network uptime by responding to known and unknown threats in real time
• Protects corporate assets and reputation
• Effectively enforces security policies company-wide

The threat control and containment solutions that Cisco offers consist of innovative, advanced
technologies that go beyond simply defending against threats—they proactively and
collaboratively control and contain threats. The following are the benefits of the threat control
and containment solution offered by Cisco:
• Proactive protection against known and unknown threats
• Proactive containment and distributed mitigation of infections and outbreaks
• Manageable patching and updating due to enforced endpoint compliance
• Reduced operational costs

The Cisco confidential communications solution enables your organization to take advantage of
and enjoy the positive business benefits of data, voice, video, and wireless communications,
while ensuring the privacy and integrity of critical business communications over these media.
There are many benefits of the Cisco confidential communications solution:
• Gains in productivity
• Increased flexibility for remote users
• Privacy and confidentiality of critical business communications
• Cost-effective extension of the reach of the network

Agile organizations of today rely on application-to-application transactions for business and
customer-facing transactions. In many cases, the transactional information resides on highly
vulnerable custom or homegrown applications. Benefits of the Cisco secure transactions
solution include the following:
• Legitimacy of application transactions
• Secure transactions between applications
• Application availability
• Customer privacy
• Protection of business assets from exposure
• Reduced litigation risk

The Cisco operational management and policy control solution is a framework of integrated,
collaborative, and adaptive security management tools. Benefits of the Cisco operational
management and policy control solution include the following:
• Increased speed and accuracy of security deployment
• End-to-end visibility of security monitoring
• Rapid response to threats
• Proper workflow management
• Assistance with compliance reporting

Products Associated with the Cisco
Self-Defending Network

• Cisco IPS
• IPsec VPNs
• Antivirus software
• Cisco Security Agent
• Cisco NAC Appliance
• Cisco Security MARS
• CiscoWorks management solution
• Cisco ASA adaptive security appliances (firewalls)

The Cisco Self-Defending Network provides comprehensive network protection using unique
and advanced technologies. The Cisco Self-Defending Network includes the NAC framework
to systematically enforce endpoint policy compliance. The NAC framework encompasses Cisco
switches, routers, access points, VPN appliances, and NAC appliances, which enables
flexibility and consistency throughout the network. Cisco switches and wireless access points,
which are typical network entry points for campus employees, become enforcement points by
enforcing rights based on the state of the attaching device.

The Cisco NAC Appliance (formerly Cisco Clean Access) is a turnkey solution to implement
NAC. The Cisco NAC Appliance is an easily deployed NAC product that allows network
administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote
users and their machines prior to allowing users onto the network. It identifies whether
networked devices such as laptops, desktops, and other corporate assets are compliant with the
security policies of a network, and it repairs any vulnerabilities before permitting access to the
network.

Note To learn more about NAC, visit http://www.cisco.com/go/nac.

Once both the device and the user are admitted onto the network, they must be protected
against outbreaks and theft. For individual protection, Cisco Security Agent deployed on each
desktop and server provides device-specific protection against numerous thefts. Cisco Security
Agent protects the device against worm and virus attacks, day-zero attacks, unauthorized
access, information theft, and some spyware and buffer overflow attacks.

To enable networkwide protection against outbreaks and theft, firewalls, IPSs, Cisco Catalyst
integrated security features within the switch, and router-based security all provide for a
consistent security level in the campus network, allowing an organization to follow a best-
practice security implementation.

Firewalls help to segment the campus, so that if an outbreak does occur, the entire campus is
not affected. The Cisco ASA 5500 Series Adaptive Security Appliances integrate superior
firewall, VPN, IPS, and antivirus capabilities for advanced protection. You can augment this by
using the firewall feature set that integrates into Cisco IOS routers for additional controls in a
highly segmented environment.

IPSs provide more thorough threat detection through deep packet inspection, a process that
looks into the packet itself. For example, if an attack was hidden in a web request, the firewall
might not catch it, but the IPS would recognize it and prevent it from going any further in the
network. IPSs typically reside behind the firewall, so that the firewall stops all of the well-
known attacks, and the IPS inspects the traffic that makes it through the firewall. Intrusion
prevention services are integrated into the Cisco ASA 5500 Series Adaptive Security
Appliances, Cisco Catalyst 6500 Series Switches, and Cisco routers.

To increase the level of security throughout the network infrastructure, several measures can be
taken at the switches and the routers. Through Cisco Catalyst integrated security features,
switches can provide a strong defense against man-in-the-middle attacks, which commonly lead
to theft of information. Security features integrated into the access switch can quickly thwart
malicious activity.

On the router, to protect against outbreaks and theft, the Cisco NetFlow tool feeds into
aggregation and analysis tools, such as the Cisco Security Monitoring, Analysis, and Response
System (MARS). The Cisco AutoSecure feature of routers provides easy lockdown of features
and services that would provide vulnerabilities if left open. Other features protect the router
itself, such as Control Plane Policing (CoPP) and memory rate limiting. These features protect
the router availability when under attack. For more information on these integrated Cisco
Network Foundation Protection (NFP) technologies, visit http://www.cisco.com/go/nfp.

You can implement these services on all Cisco switches and routers throughout the network.
Combined with firewall, intrusion prevention, and host protection, the network provides a
comprehensive defense-in-depth security implementation. A standardized approach with Cisco
products allows for minimal complexity for security management and embedded security
within the network itself, allowing greater transparency for the protection afforded.

Cisco Security MARS is an appliance-based, all-inclusive solution that allows network and
security administrators to monitor, identify, isolate, and counter security threats.

Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN,
and IPS policies on Cisco security appliances, firewalls, routers, and switch modules.

Note For more information on the Cisco Self-Defending Network, visit http://www.cisco.com/go/selfdefend.

Summary
This topic summarizes the key points that were discussed in this lesson.

• Cisco offers a wide variety of IPS appliances and modules.
• Network IPSs provide a broad base of protection for all hosts on selected segments.
• Host IPSs provide individual host protection.
• You should consider these factors when planning an IPS deployment: network media, sensor performance, network design, IPS design, and virtualization.
• The Cisco Self-Defending Network provides the ability to recognize suspicious activity, identify threats, and respond to attacks in a coordinated way.

© 2007 Cisco Systems, Inc. All rights reserved. IPS v6.0—1-36

Lesson 3

Examining Cisco IPS Sensor Software Solutions

Overview
Cisco offers a great variety of software options for intrusion prevention. Choosing the best
option saves time and money, and minimizes the risk of misconfiguration. This lesson
introduces the different software possibilities for Cisco Intrusion Prevention Systems (IPSs)
and discusses the advantages and disadvantages of these various software choices.

Objectives
Upon completing this lesson, you will be able to describe the Cisco monitoring solutions and
suggest how to utilize them. This ability includes being able to meet these objectives:
• Describe the Cisco IPS Sensor Software architecture
• List the Cisco IPS management products for single device management
• List the Cisco IPS management products that you can use for the enterprise

Cisco IPS Sensor Software Architecture
This topic discusses the Cisco IPS Sensor Software architecture.

Software Architecture Overview


Cisco IPS Sensor Software Version 6.0 runs on the Linux operating system. The following are
the primary components of the sensor architecture:
• Event Store: Provides storage for all events
• Secure Shell (SSH) and Telnet: Services SSH and Telnet requirements for the command-line
interface (CLI) application (By default, SSH is enabled and Telnet is disabled.)
• Intrusion Detection Application Programming Interface (IDAPI): Provides the
communication channel between applications

Note Each application has its own configuration file in Extensible Markup Language (XML) format.

• MainApp: Initializes the system, starts and stops the other applications, configures the
operating system, and performs upgrades. It contains the following components:
— ctlTransSource (Control Transaction Server): This component allows sensors to
send control transactions. This is used to enable the master blocking sensor
capability of the Attack Response Controller ([ARC] formerly known as Network
Access Controller [NAC]).
— Event Store: This is an indexed store used to store IPS events (error, status, and
alert system messages) that is accessible through the CLI, Cisco IPS Device
Manager (IDM), Cisco Adaptive Security Device Manager (ASDM), or Remote
Data Exchange Protocol version 2 (RDEP2).
— InterfaceApp: This component handles bypass and physical settings and defines
paired interfaces. Physical settings are speed, duplex, and administrative state.

— LogApp: This component writes all of the application log messages to the log file
and the application error messages to the Event Store.
— ARC: The ARC was formerly known as NAC. The ARC manages remote network
devices (firewalls, routers, and switches) to provide blocking capabilities when an
alert event has occurred. ARC creates and applies access control lists (ACLs) on the
controlled network device or uses the shun command (firewalls).
— NotificationApp: This component sends Simple Network Management Protocol
(SNMP) traps when triggered by alert, status, and error events. NotificationApp uses
the public domain SNMP agent. SNMP GETs provide information about the general
health of the sensor.
— Web Server (HTTP RDEP2 server): This component provides a web interface and
communication with other IPS devices through RDEP2 using several servlets to
provide IPS services.
— AuthenticationApp: This component verifies that users are authorized to perform
CLI, Cisco IDM, Cisco ASDM, or RDEP2 actions.
• SensorApp: SensorApp performs packet capture and analysis. Policy violations are
detected through signatures in the SensorApp, and the information about the violations is
forwarded to the Event Store in the form of an alert. Packets flow through a pipeline of
processors fed by a producer designed to collect packets from the network interfaces on the
sensor. SensorApp supports the following processors:
— Time Processor (TP)
— Deny Filters Processor (DFP)
— Signature Event Action Processor (SEAP)
— Statistics Processor (SP)
— Layer 2 Processor (L2P)
— Database Processor (DBP)
— Fragment Reassembly Processor (FRP)
— Stream Reassembly Processor (SRP)
— Signature Analysis Processor (SAP)
— Slave Dispatch Processor (SDP)

SensorApp also supports the following units:
— Analysis Engine
— Alarm Channel
• Sensor interfaces: Sensor interfaces serve as the traffic inspection points. Sensor
interfaces are also used for TCP resets and IP logging.

TLS and SSL Communications

(Slide diagram: Cisco IDM acts as the HTTPS client and the sensor as the HTTPS server; the session is protected by TLS and SSL.)

• TLS and SSL use a process called handshaking, which involves a number of coordinated exchanges between a client and a server.
• A trusted-host certificate is used by the server to verify the identity of a connecting client.
• A server certificate is used by the server to prove its identity to the client.

The process of negotiating an encrypted session in Transport Layer Security (TLS) is called
handshaking because it involves a number of coordinated exchanges between client and server.
After a client initiates an HTTPS session, the server sends its server certificate to the client. The
client performs a three-part test on this certificate, asking these questions:

Step 1 Is the issuer identified in the certificate trusted? Every web browser is shipped with
a list of trusted third-party certificate authorities (CAs). If the issuer identified in the
certificate is in the list of CAs trusted by your browser, the first test is passed.

Step 2 Is the date on the certificate within the range of dates during which the certificate is
considered valid? Each certificate contains a validity field, which is a pair of dates.
If the date falls within this range, the second test is passed.

Step 3 Does the common name of the subject identified in the certificate match the URL
hostname? The URL hostname is compared with the subject common name. If they
match, the third test is passed.

Note HTTPS is HTTP over SSL or TLS.

You can use the Cisco IDM to configure the sensor to use certificates for secure
communications as follows:
• Generate a server certificate on the sensor for the sensor. The sensor uses its server
certificate to prove its identity to a client. This is the certificate the sensor returns when you
direct your web browser to connect with Cisco IDM.
• Configure a list of trusted hosts. The sensor can use trusted-host certificates to verify the
identity of a connecting client. Creating a list of trusted hosts configures the sensor to
accept the certificates of remote hosts. The trusted hosts list is useful in master blocking
sensor scenarios.
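The three-part certificate test described above, as an added Python example that is not part of the course material: a model of the checks a browser applies to the sensor's server certificate, including the case where the sensor's self-signed certificate fails step 1 until the administrator adds it to the trust list. The certificate fields, trusted-CA list, hostnames and the single-label wildcard rule are constructed assumptions for illustration, not real X.509 parsing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass(frozen=True)
class Certificate:
    """Only the fields the three-part test needs (constructed model, not real X.509 parsing)."""
    issuer: str
    subject_cn: str
    not_before: datetime
    not_after: datetime


# Constructed stand-in for the CA list a browser ships with.
BROWSER_TRUSTED_CAS = frozenset({"Example Root CA", "Example Public CA G2"})


def issuer_is_trusted(cert: Certificate, trusted_cas) -> bool:
    """Step 1: the issuer named in the certificate must be in the trust list."""
    return cert.issuer in trusted_cas


def date_is_valid(cert: Certificate, now: datetime) -> bool:
    """Step 2: 'now' must fall inside the certificate's validity window (inclusive)."""
    return cert.not_before <= now <= cert.not_after


def hostname_matches(subject_cn: str, hostname: str) -> bool:
    """Step 3: the URL hostname must match the subject common name.

    Comparison is case-insensitive because DNS names are. A single leading wildcard
    label (*.example.com) matching exactly one label is an assumption added here;
    the lesson itself only describes the plain comparison.
    """
    cn = subject_cn.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if cn.startswith("*."):
        # "*.example.com" matches "idm.example.com" but not "a.b.example.com" or "example.com"
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return cn == host


def three_part_test(cert: Certificate, url: str, trusted_cas=BROWSER_TRUSTED_CAS, now=None) -> dict:
    """Run the three checks a browser performs on a server certificate and report each result."""
    now = now or datetime.now(timezone.utc)
    hostname = urlparse(url).hostname or ""
    results = {
        "issuer_trusted": issuer_is_trusted(cert, trusted_cas),
        "date_valid": date_is_valid(cert, now),
        "hostname_matches": hostname_matches(cert.subject_cn, hostname),
    }
    results["passed"] = all(results.values())
    return results


# Constructed sample: the certificate the sensor generated for itself. It is self-signed,
# so its issuer is the sensor, not a CA the browser already trusts.
SENSOR_SELF_SIGNED = Certificate(
    issuer="sensor1.example.com",
    subject_cn="sensor1.example.com",
    not_before=datetime(2007, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2008, 1, 1, tzinfo=timezone.utc),
)
CHECK_TIME = datetime(2007, 6, 15, tzinfo=timezone.utc)       # inside the validity window
LATER_CHECK_TIME = datetime(2009, 1, 1, tzinfo=timezone.utc)  # after expiry
# Trust list after the administrator accepts the sensor's certificate.
TRUST_WITH_SENSOR = BROWSER_TRUSTED_CAS | {"sensor1.example.com"}
IDM_URL = "https://sensor1.example.com/cgi-bin/idm"  # constructed URL


if __name__ == "__main__":
    # With the stock browser CA list only step 1 fails; once the sensor cert is trusted all pass.
    print(three_part_test(SENSOR_SELF_SIGNED, IDM_URL, now=CHECK_TIME))
    print(three_part_test(SENSOR_SELF_SIGNED, IDM_URL, TRUST_WITH_SENSOR, CHECK_TIME))
```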

SDEE and RDEP2 over HTTPS

(Slide diagram: Cisco IDM retrieves event XML from the sensor with SDEE over HTTPS and exchanges configuration XML with the sensor using RDEP2 over HTTPS.)

In Cisco IPS Sensor Software Version 6.0, management and monitoring applications use
RDEP2 to interact with the sensor, to send and receive IPS data via HTTPS. Both IPS events
and control transactions are considered IPS data. Control transactions can be diagnostic data
from an application or from session logs, or configuration data sent to or from an application.

Note WebApp provides RDEP2 support, which enables the sensor to report security events,
receive Intrusion Detection Interchange and Operations Messages (IDIOM) transactions,
and serve IP logs.

Cisco IPS Sensor Software Version 5.x and 6.0 communicate events using the Security Device
Event Exchange (SDEE) protocol; however, Cisco IPS Sensor Software Version 5.0 still uses
Remote Data Exchange Protocol (RDEP) for communicating configuration and IP log
information.

Note For retrieving events, the sensor is backward-compatible with RDEP even though the new
standard for retrieval is RDEP2. Cisco recommends that you use RDEP2 to retrieve events
and send configuration changes for Cisco IPS Sensor Software Version 6.0.

SDEE is a standardized IPS communication protocol developed by Cisco for the IDS
Consortium at the International Computer Security Association (ICSA). Cisco IPS Sensor
Software Version 6.0 uses SDEE to deliver a flexible, standardized application programming
interface (API) to the IPS sensor, which facilitates the integration of third-party management
and monitoring solutions with the Cisco IPS solution. This feature gives users a choice of third-
party solutions to monitor events generated by Cisco IPS sensors.

IPS data is represented in XML format as XML documents. The sensor stores user-configurable
parameters in several XML files. RDEP2 can use either HTTP or HTTPS to transmit XML
documents between the sensor and external systems. The industry standard HTTP and HTTPS
provide a standardized interface for the exchange of XML documents. RDEP2 does not specify
the schemas for the XML documents exchanged in RDEP2 messages. The Intrusion Detection
Configuration (IDCONF) data format standard defines the XML messages used for
configuration.

The SDEE standard specifies both the format of events and the protocols for communicating
the events. SDEE supports multiple protocols for communicating events but currently specifies
an HTTP-based protocol that is very similar to RDEP.

SDEE is an enhancement of RDEP. It adds extensibility features that are needed for
communicating events generated by various types of security devices. The Cisco Intrusion
Detection Event Exchange specifies Cisco IPS extensions to SDEE. The extensions add
information to the event format. Therefore, some items in an alert are specified by SDEE, and
some are Cisco Intrusion Detection Event Exchange extensions.

Both SDEE and RDEP2 use a pull communication model for event messages. The pull
communication model allows the management console to pull alerts at its own pace. In Cisco
IPS Sensor Software Version 6.0, alerts remain on the sensor until the 30-MB limit of the Event
Store is met. When that limit is met, alarms are overwritten.
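The pull model and the Event Store limit described above, modelled as an added Python example (not Cisco's code): a bounded store that overwrites the oldest alerts once its byte limit is exceeded, and a console that pulls at its own pace and counts the alerts it lost by pulling too slowly. Sequential integer event IDs, fixed-size alert bodies and the small limits used in the demo are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Event Store ceiling stated in the lesson for Cisco IPS Sensor Software 6.0.
EVENT_STORE_LIMIT_BYTES = 30 * 1024 * 1024


@dataclass(frozen=True)
class Alert:
    event_id: int   # constructed: sequential ids stand in for the sensor's real event identifiers
    body: bytes     # the alert XML as stored


class EventStore:
    """Bounded alert store: when the byte limit is exceeded, the oldest alerts are overwritten."""

    def __init__(self, limit_bytes: int = EVENT_STORE_LIMIT_BYTES):
        self.limit = limit_bytes
        self._alerts = deque()
        self._size = 0
        self._next_id = 1
        self.overwritten = 0  # alerts dropped to make room; lost for good if nobody pulled them

    def add(self, body: bytes) -> int:
        alert = Alert(self._next_id, body)
        self._next_id += 1
        self._alerts.append(alert)
        self._size += len(body)
        while self._size > self.limit and len(self._alerts) > 1:
            old = self._alerts.popleft()
            self._size -= len(old.body)
            self.overwritten += 1
        return alert.event_id

    def oldest_id(self):
        return self._alerts[0].event_id if self._alerts else None

    def pull(self, after_id: int, max_events: int) -> list:
        """Pull model: return up to max_events alerts newer than after_id, oldest first."""
        return [a for a in self._alerts if a.event_id > after_id][:max_events]


class PullingConsole:
    """A management console that pulls at its own pace and notices when it fell behind."""

    def __init__(self, store: EventStore):
        self.store = store
        self.cursor = 0     # highest event_id received so far
        self.received = []
        self.missed = 0     # alerts overwritten before this console ever pulled them

    def poll(self, max_events: int = 100) -> int:
        oldest = self.store.oldest_id()
        if oldest is not None and oldest > self.cursor + 1:
            # Gap between what we last saw and the oldest alert still on the sensor.
            self.missed += oldest - self.cursor - 1
            self.cursor = oldest - 1
        batch = self.store.pull(self.cursor, max_events)
        for alert in batch:
            self.received.append(alert.event_id)
            self.cursor = alert.event_id
        return len(batch)


def simulate(limit_bytes: int, alert_bytes: int, alerts_generated: int,
             poll_every: int, max_events: int = 100):
    """Generate fixed-size alerts, poll every poll_every alerts; return (received, missed, overwritten)."""
    store = EventStore(limit_bytes)
    console = PullingConsole(store)
    for i in range(1, alerts_generated + 1):
        store.add(b"x" * alert_bytes)  # constructed placeholder for an alert document
        if i % poll_every == 0:
            console.poll(max_events)
    console.poll(max_events)  # final drain
    return len(console.received), console.missed, store.overwritten


if __name__ == "__main__":
    # A store holding ten alerts: polling every 5 loses nothing, polling every 20 loses 20 of 50.
    print(simulate(1000, 100, 50, poll_every=5))    # (50, 0, 40)
    print(simulate(1000, 100, 50, poll_every=20))   # (30, 20, 40)
```

The same arithmetic applies at the real 30-MB limit: the console must pull faster than the sensor fills the store, or the gap counter is the only trace of the alerts that were overwritten.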

Cisco IPS Element Management Products
This topic describes the Cisco IPS management products that you can use to manage a single
device.

Element Management

(Slide diagram: the administrator opens separate sessions to each device and enters single commands on each.)

Strengths:
• Easy to deploy
• No additional cost

Weakness:
• No consistent policy across multiple devices

Element management or single device management is the basic way to configure individual
Cisco network devices. The CLI and Cisco IDM are examples of tools that you can use to
perform single device management.

Benefits
The benefit of single device management is that an organization can deploy it at no extra cost,
because all of the necessary functions are included in the network device. Additionally, the
workstation of the administrator needs only standard software such as terminal emulation,
Telnet, SSH, or a Java-capable web browser with SSL support for secure browsing.

Drawbacks
The drawbacks of single device management include the following:
• The provisioning of end-to-end network services is difficult because a global network
policy such as “Clients on network X may access server Y with FTP and HTTP services”
must be broken into small units, one for each device on the path. The result is a certain risk
that all these policies become inconsistent after a while.
• The administrator must translate the per-device “subpolicies” into the specific language and
applicable commands or settings of the device. This configuration means a high effort and
a certain risk of inconsistencies because of different software versions throughout the
network, which might behave differently because of version-specific default values or
different implemented features or both.
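An added Python example (not part of the course) of the two drawbacks above: the lesson's own global policy broken into per-device subpolicies in two different configuration dialects, followed by a drift check that reports which device's running configuration no longer carries its subpolicy. The network, server, device names and running configurations are constructed; the IOS and ASA access-list syntax is real.

```python
import ipaddress

# Constructed global policy in the lesson's wording:
# "Clients on network X may access server Y with FTP and HTTP services".
GLOBAL_POLICY = {
    "name": "clients-to-server-y",
    "src_network": "10.1.0.0/16",   # network X (constructed)
    "dst_host": "192.0.2.10",       # server Y (constructed, documentation address)
    "tcp_ports": {"ftp": 21, "http": 80},
}

# Constructed path: each device needs its own subpolicy, in its own dialect.
PATH = [
    {"name": "access-sw1", "platform": "ios"},
    {"name": "core-rtr1", "platform": "ios"},
    {"name": "dmz-fw1", "platform": "asa"},
]


def render_ios(policy: dict, acl_number: int = 101) -> list:
    """Cisco IOS numbered extended ACL: the source network uses a wildcard mask."""
    net = ipaddress.ip_network(policy["src_network"])
    return [
        f"access-list {acl_number} permit tcp {net.network_address} {net.hostmask} "
        f"host {policy['dst_host']} eq {port}"
        for port in sorted(policy["tcp_ports"].values())
    ]


def render_asa(policy: dict, acl_name: str = "INSIDE_OUT") -> list:
    """Cisco ASA extended ACL: same intent, but a subnet mask instead of a wildcard mask."""
    net = ipaddress.ip_network(policy["src_network"])
    return [
        f"access-list {acl_name} extended permit tcp {net.network_address} {net.netmask} "
        f"host {policy['dst_host']} eq {port}"
        for port in sorted(policy["tcp_ports"].values())
    ]


RENDERERS = {"ios": render_ios, "asa": render_asa}


def subpolicies(policy: dict, path: list) -> dict:
    """Break the global policy into one subpolicy per device, rendered in that device's language."""
    return {dev["name"]: RENDERERS[dev["platform"]](policy) for dev in path}


def find_drift(expected: dict, running: dict) -> dict:
    """Per device, list expected lines that are missing from the running configuration."""
    drift = {}
    for device, lines in expected.items():
        present = set(running.get(device, []))
        missing = [line for line in lines if line not in present]
        if missing:
            drift[device] = missing
    return drift


# Constructed running configurations: the firewall lost its HTTP line after a manual edit.
RUNNING_CONFIGS = {
    "access-sw1": render_ios(GLOBAL_POLICY),
    "core-rtr1": render_ios(GLOBAL_POLICY),
    "dmz-fw1": render_asa(GLOBAL_POLICY)[:1],
}


if __name__ == "__main__":
    expected = subpolicies(GLOBAL_POLICY, PATH)
    for device, lines in expected.items():
        print(device)
        for line in lines:
            print("  " + line)
    print("drift:", find_drift(expected, RUNNING_CONFIGS))
```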

Command-Line Interface

sensorP# configure terminal
sensorP(config)#

CLI:
• Device-specific commands, version-specific commands, feature-specific commands
• Considerable amount of typing
• Best tool for troubleshooting

The CLI, which is the basic way to configure network devices, is also the hardest way to deploy
network policies in a complex environment. The CLI is a very direct way to access devices
without the need for specialized tools or programs, but it has some disadvantages.

Each type of device, such as a switch, router, firewall, or encryption device, has its own
configuration language, and in many cases even version-specific commands and default
settings. In addition to entering the commands, the administrator must have a thorough
knowledge of all the configuration languages, versions, and feature sets.

Cisco IDM

Cisco IDM is a web-based application that allows you to configure, manage, and monitor the sensor.

Cisco IDM is a web-based Java application that enables you to configure and manage your
sensor using a GUI. The web server for Cisco IDM resides on the sensor. You can access it
through Internet Explorer, Netscape, or Mozilla web browsers.

Cisco IDM allows you to perform these actions remotely:
• Restart the sensor
• Power down the sensor
• Configure the sensor
• Monitor the sensor

Cisco IPS Enterprise Management Products
This topic describes the Cisco IPS management products that you can use for the enterprise.

Enterprise Management

(Slide diagram: a single application generates the commands for all devices from one policy.)

Strengths:
• Single administration tool
• Consistent policies

Weaknesses:
• Platform-specific tools
• Not always topology-aware

Enterprise management tools allow you to manage many devices of the same type at the same
time. Their main advantage is that they provide central management with consistent policies
and topology information.

Cisco IPS Event Viewer

Cisco IEV is a desktop application that allows you to monitor up to five sensors simultaneously.

The Cisco IPS Event Viewer (IEV) offers a free monitoring solution for small-scale IPS
deployments. Monitoring individual IPS devices, the Cisco IEV is easy to set up and use, and
provides the user with the following:
• Support for Cisco IPS Sensor Software Version 6 through SDEE compatibility
• Customizable reporting
• Tunable notification actions such as e-mail and paging
• Visibility into applied response actions, virtual sensor ID, daylight saving time (DST),
learned operating system, and threat rating

Cisco Security Manager

Cisco Security Manager:
• Centrally provisions the following devices:
  – Cisco firewalls
  – VPNs
  – IPSs
• Scales to thousands of devices
• Provides automated configuration and deployment

Cisco Security Manager is part of the Cisco Security Management Suite. It delivers
comprehensive policy administration and enforcement for the Cisco Self-Defending Network.
Unlike point security products from multiple vendors, which often do not work together and
can leave vulnerable gaps, the Cisco Security Management Suite provides a comprehensive
solution for provisioning, monitoring, mitigation, and identity to keep networks safer, more
resilient, and easier to operate. The Cisco Security Management Suite also includes Cisco
Security Monitoring, Analysis, and Response System (MARS) for monitoring and mitigation.

Using powerful policy-based management techniques, Cisco Security Manager excels at
efficiently managing networks of all sizes. Its rich client GUI provides superior ease of use.
Cisco Security Manager provides multiple views into the application to accommodate different
tasks and user experience levels.

Cisco Security Manager can be used to centrally provision all aspects of device configurations
and security policies for Cisco firewalls, virtual private networks (VPNs), and IPSs. The
solution is effective for managing even small networks consisting of fewer than 10 devices, but
also scales to efficiently manage large-scale networks composed of thousands of devices.
Scalability is achieved through intelligent policy-based management techniques that can
simplify administration.

Cisco Security MARS

Cisco Security MARS:
• Recognizes and correlates real network attacks and then defines how to stop them
• Reduces false positives
• Simplifies audit compliance

Cisco Security MARS recognizes and correlates real network attacks and then defines how to
stop them. This ability allows you to free more network resources by reducing false positives
and simplifying audit compliance.

Going beyond first- and second-generation security information management systems, Cisco
Security MARS more efficiently aggregates and reduces massive amounts of network and
security data from popular network devices and security countermeasures. By gaining network
intelligence, Cisco Security MARS effectively identifies network and application threats
through sophisticated event correlation and threat validation. Verified attacks are visualized
through an intuitive, drill-down topology map to augment incident identification, investigation,
and workflow. Upon attack discovery, it allows the operator to prevent, contain, or stop an
attack in real time by pushing specific mitigation commands to network enforcement devices.
The system supports customer-centric rule creation, threat notification, incident investigation,
and a host of security posture and trend reports.

Cisco Security MARS provides security monitoring for Cisco devices and devices from other
vendors. It helps with the following:
• Greatly reduce false positives
• Define the most effective mitigation responses
• Provide quick and easy access to audit compliance reports
• Make precise recommendations for removal of threats, including the ability to visualize the
attack path and identify the source of the threat

Each signature now contains a new parameter, Cisco Security MARS category, which contains
the list of the Cisco Security MARS attack categories associated with the signature. This
category is included in the signature alerts. You can modify the Cisco Security MARS category
for custom signatures but not for built-in signatures.

Summary
This topic summarizes the key points that were discussed in this lesson.

• RDEP2 is used for legacy communications between IPS applications. SDEE is a standards-based communications protocol used by the latest Cisco IPS products.
• Element management is used to administer a single Cisco IPS sensor at a time.
• Cisco Security Manager can be used to centrally provision all aspects of device configurations and security policies for Cisco firewalls, VPNs, and IPSs. Cisco Security MARS recognizes and correlates real network attacks and then defines how to stop them.

Lesson 4

Examining Evasive Techniques

Overview
In this lesson, you will become aware of the various methods used by skilled attackers to evade
detection, helping you understand how to prevent the attacks. Awareness of these methods
allows you to more fully appreciate and utilize the anti-evasion technologies built into the
Cisco Intrusion Prevention System (IPS) product.

Objectives
Upon completing this lesson, you will be able to define major evasion techniques in order to
justify several intrusion prevention system (IPS) features. This ability includes being able to
meet these objectives:
• Explain what an evasive technique is and provide examples of evasive techniques
• Explain how attackers use string match attacks to avoid detection by intrusion detection
and intrusion prevention products
• Explain how attackers use fragmentation attacks to avoid detection by intrusion detection
and intrusion prevention products
• Explain how attackers use session attacks to avoid detection by intrusion detection and
intrusion prevention products
• Explain how attackers use insertion attacks to avoid detection by intrusion detection and
intrusion prevention products
• Explain how attackers use evasion attacks to avoid detection by intrusion detection and
intrusion prevention products
• Explain how attackers use TTL-based attacks to avoid detection by intrusion detection and
intrusion prevention products
• Explain how attackers use encryption-based attacks to avoid detection by intrusion
detection and intrusion prevention products
• Explain how attackers use resource exhaustion attacks to avoid detection by intrusion
detection and intrusion prevention products

Evasive Techniques
This topic describes what an evasive technique is and provides examples of common evasive
techniques.

Evasive Techniques

• Attempts to elude intrusion prevention and detection use evasive techniques such as:
  – Obfuscation
  – Fragmentation
  – Encryption
  – Flooding
• There are many hacker tools designed to evade detection. Examples of such script kiddie products are:
  – Snot
  – Stick
  – Fragroute
  – Whisker

The hacker community is aware of the various intrusion detection system (IDS) and IPS
technologies and has identified ways to evade them. Here are common, general, evasive
techniques:
• Flooding
• Fragmentation
• Encryption
• Obfuscation

String Match Attacks
This topic discusses how attackers use string match attacks to avoid detection by intrusion
detection and intrusion prevention products.

String Match Attacks

• Signatures that key on specific strings can be evaded by changing the malicious string in minor ways, such as:
– Obfuscation
– Change of case
• If signatures do not anticipate such modifications, they miss the malicious traffic.


Black hats, security researchers, and IPS developers have continually played a game of back
and forth when it comes to intrusion detection. The black hats are continually developing
methods to evade detection while the vendors continually attempt to counter with patches,
service packs, and new releases.

One common form of attack is the string match attack. By changing strings in minor ways, an
attacker can sometimes easily evade detection. The following are common types of string
match attacks:
• Obfuscation
• Change of case

For more information, refer to IDS Evasion Techniques and Tactics by Kevin Timm at
http://www.securityfocus.com/infocus/1577.

Obfuscation

Disguising an attack by using special characters to conceal it from a sensor is commonly referred to as obfuscation. Various types of obfuscation are:
• Control characters
• Hexadecimal representation
• Unicode representation


In the past, intrusion detection was easily evaded by using special characters to disguise an
attack. The term used to describe this evasive technique is obfuscation. Obfuscation is now
once again becoming popular. Different forms of obfuscation include the following:
• Control characters: These include space, tab, backspace, and delete characters.
• Hexadecimal representation: Each character can be represented in hexadecimal format.
For example, a space is represented by the hexadecimal number 0x20.
• Unicode representation: Unicode provides a unique value for every character, regardless
of platform, program, or language. For example, the slash character (/) is represented by the
value c1.

Control Characters

• Spaces can be changed into other characters to avoid detection:
– One space can become two spaces.
– One space can become one tab or two tabs.
– One space can become a soft carriage return.
• Many applications treat each of these variations the same.


One of the difficulties in writing string signatures is dealing with the different variations into
which the attack can evolve. Control characters, such as spaces or tabs, are interpreted
identically by many applications. This presents the writer of a string match with a challenge: how to
write one signature that addresses the original attack and all reasonably expected mutations of
that same attack without having to write a new signature for every variation.

Change of Encoding

• The slash character (/) can be represented a number of ways by changing the encoding. All of the following represent the same character:
– \
– %5c
– %255c
– %%35c
– %%35%63
– %25%35%63
• It is important that signatures anticipate such modifications of malicious strings.


Unicode was developed to make allowances for languages that are more complex than the 26-
character alphabet of English. Characters in Unicode can be single byte, double byte, triple
byte, or quadruple byte. This flexibility in the standard can be exploited by attackers because
many different strings can be used to represent data.

Note The Unicode value is dependent on the Unicode encoding version used.

For more information, refer to RFC 2279, UTF-8, a Transformation Format of ISO 10646, and
visit http://www.unicode.org.

Change of Case

Phase 1 of attack:
Malicious string is “attack”

Phase 2 of attack:
Malicious string is “AtTaCk”

Phase 3 of attack:
Malicious string is “ATTACK”


Many applications are not case-sensitive. Therefore, the custom signature writer has to be
prepared for the morphing of an attack by a simple change of case. Well-written signatures
anticipate such evolution and are able to detect and prevent future versions of attacks.
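The obfuscation, control-character, change-of-encoding and change-of-case variations described on the preceding pages all defeat a matcher that compares raw bytes. The following is an added example, not code from this course, of a matcher that reduces both the signature and the traffic to one canonical form before comparing them; the decode pass limit, the set of control characters treated as one space, and the folding of \ into / are this example's own assumptions.

```python
"""Canonicalise data before signature matching (added example; not Cisco code).

The course lists three ways a naive string signature is evaded: changing the
encoding of a character (%5c, %255c, %%35c, %%35%63 and %25%35%63 all stand
for one byte), substituting one control character for another, and changing
case. Reducing signature and traffic to a single canonical form before the
comparison sees through all three.
"""
import re
from urllib.parse import unquote

# Bound on repeated decoding: nested encodings such as %25%35%63 need several
# passes, but an unbounded loop would be its own resource-exhaustion problem.
MAX_DECODE_PASSES = 4

# Control characters the course lists as interchangeable in many applications.
# Treating backspace (\x08) and delete (\x7f) as whitespace is a simplification
# made for this example, not the behaviour of any particular application.
_CONTROL_RUN = re.compile(r"[ \t\r\n\x08\x7f]+")

# The slide lists "\" among the encodings of the slash, so both separators are
# folded to one here; this assumes the protected application treats them alike.
SLIDE_ENCODINGS = ["\\", "%5c", "%255c", "%%35c", "%%35%63", "%25%35%63"]


def decode_to_fixed_point(text):
    """URL-decode repeatedly until nothing changes (or the pass limit is hit)."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(text)   # leaves malformed escapes such as %%3 literal
        if decoded == text:
            break
        text = decoded
    return text


def canonicalize(text):
    """One canonical form: fully decoded, one separator, one space, lower case."""
    text = decode_to_fixed_point(text)
    text = text.replace("\\", "/")
    text = _CONTROL_RUN.sub(" ", text)
    return text.lower()


def canonical_forms(variants):
    """Canonical forms of a list of encodings; a single element means they agree."""
    return {canonicalize(v) for v in variants}


def signature_matches(signature, data):
    """Compare signature and data in canonical form rather than as raw bytes."""
    return canonicalize(signature) in canonicalize(data)


def evaded_variants(signature, samples):
    """Samples a raw substring search misses but the canonical match still catches."""
    return [s for s in samples if signature not in s and signature_matches(signature, s)]
```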

Fragmentation Attacks
This topic describes how attackers use fragmentation attacks to avoid detection by intrusion
detection and intrusion prevention products.

Fragmentation

Splitting malicious packets into smaller packets to avoid detection and prevention is known as fragmentation.


Networks are connected using various media types, such as Ethernet, FDDI, Token Ring, and
ATM. Each of these technologies specifies the allowed maximum transmission unit (MTU).
The MTU value is different for each technology. Consequently, fragmentation of these
transmission units (packets, cells) is allowed to accommodate differing MTU sizes.

Fragmentation adds a level of complexity that sensors must address. The sensor now must keep
track of the fragmented packets and perform reassembly. Reassembly is highly processor-
intensive and requires sufficient memory.

In the figure, the attacker is splitting malicious packets into smaller packets that are transmitted
to the target host in an attempt to elude intrusion detection and prevention and make the target
host reassemble the packets.

Fragment Reassembly Timer Too Short

[Figure: sensor fragment reassembly timeout = 15 sec.; victim fragment reassembly timeout = 30 sec. Timeline: at 0 seconds Frag 1 arrives at the sensor and the victim; at 15 seconds the sensor drops Frag 1 while the victim is still waiting; at 25 seconds Frag 2 arrives and only the victim reassembles the attack.]


If the fragment reassembly timer of the sensor is less than the fragment reassembly timer of the
hosts that it is protecting, the sensor is vulnerable to a specific fragment attack.

In the figure, the attacker sends the first fragment and then waits 25 seconds before sending the
second fragment, which completes the packet. After 15 seconds, the sensor drops the first
fragment because of the fragment reassembly timer on the sensor, and misses detecting the
malicious code when the second fragment arrives.

Because the fragment reassembly timer of the victim was 30 seconds, it received both
fragments, reassembled them, and processed them, leaving the victim vulnerable and the IPS
sensor silent.

Fragment Reassembly Timer Too Long

[Figure: sensor fragment reassembly timeout = 60 sec.; victim fragment reassembly timeout = 30 sec. Timeline: at 0 seconds Frag 2 and Frag 4 arrive at the sensor and the victim; at 35 seconds the victim has dropped them while the sensor is still waiting; at 45 seconds Frag 1 and Frag 3 arrive, and the sensor reassembles, processes, and drops the packet; at 65 seconds Frag 2 and Frag 4 arrive again and the victim reassembles the attack.]

A similar problem can occur if the fragment reassembly timer of the IPS sensor is longer than
the fragment reassembly timer of the host that it is protecting.

In the figure, the timer of the sensor is longer than the timer of the protected host. The attacker
sends fragments 2 and 4, with a false payload, from a packet that has been split into four
fragments. Both the sensor and the intended victim buffer these two packets and wait for packets
1 and 3. After 30 seconds, the intended victim drops fragments 2 and 4, but the sensor retains
them in memory. Because the victim has not received fragment 1, it quietly drops fragments 2
and 4 and does not generate an Internet Control Message Protocol (ICMP) error message.

After 45 seconds, the attacker sends fragments 1 and 3, which complete the packet for the IPS
sensor. The intended victim sees these as the first two fragments of a packet, and buffers them.
When the attacker sends fragments 2 and 4 again at the 65-second mark, the sensor sees them
as the beginning of a new series of fragments, and the victim sees them as the conclusion of a
series of fragments which complete a packet. The sensor has been evaded.

Resent Fragments

[Figure: the attacker sends Frag 1, Frag 2, and Frag 3, then Frag 2, Frag 3, and Frag 4. Microsoft Windows XP reassembles Frag 1, Frag 2, Frag 3, and Frag 4 using the first copies of Frag 2 and Frag 3; the UNIX server reassembles using the resent Frag 2 and Frag 3.]


In their paper Active Mapping: Resisting NIDS Evasion Without Altering Traffic, Paxson and
Shankar indicate that different operating systems perform fragmentation reassembly differently.
They conclude that there are five different reassembly approaches.

In the example, the attacker carries out the attack by first breaking the malicious code into four
fragments. Fragments 1, 2, and 3 are sent and accepted by all operating systems.

The attacker then sends fragments 2, 3, and 4. Fragments 2 and 3 are different, but are marked
as if they are the same. The fragment offset, the packet length, and most of the other fields in
the IP header are not changed.

Different operating systems handle this situation differently. The Microsoft Windows operating
system gives preference to the first fragments labeled 2 and 3 and will process them along
with the uncontested fragments 1 and 4.

UNIX servers handle these situations differently. UNIX gives preference to the retransmitted
fragments labeled 2 and 3, and therefore, will process a completely different payload. If an IPS
sensor in the path takes the Microsoft Windows approach to fragment reassembly, it will miss
the attack against devices that use Cisco IOS Software. If the sensor takes the Cisco IOS
Software approach to fragment reassembly, it will miss the attacks against Microsoft Windows
devices.

Overlapping Fragments

Frag 1 – GET script.idd
+ Frag 2 – a.?
= GET script.ida? (buffer overflow)

Attack


In addition to the class of fragmentation attacks that have been discussed, there is a class of
attacks involving overlapping fragments. In this class of attack, the offset values in the IP
header do not match up as they should, and therefore one fragment overlaps another. Once
again, different operating systems handle this situation differently.

In the example, the first fragment is received normally but the offset in the second fragment
overwrites the last byte of the first fragment. Therefore, the intended victim gets the HTTP
string: GET script.ida? (buffer overflow). If the IPS sensor in the path does not reassemble the
overlapping fragments in the same manner that the intended victim does, the IPS sensor will
miss the attack.

Note The Cisco IPS product line is not vulnerable to this attack.
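The timer, resent-fragment and overlapping-fragment scenarios of the preceding pages can all be reproduced with one small reassembly simulator. The one below is an added example, not code from this course or from any Cisco product: the Reassembler class, its "first"/"last" overlap policies, and the fragment payload bytes are constructed for illustration, while the timings and fragment order follow the slides.

```python
"""Fragment reassembly simulator (added example; not code from the Cisco course).

A sensor and an end host reassemble the same IP fragments but with different
reassembly timeouts (too short / too long) and different overlap policies
(first-received bytes win versus a retransmission overwriting them).
"""


class Fragment:
    def __init__(self, offset, data, last=False):
        self.offset = offset   # byte offset within the original datagram
        self.data = data       # fragment payload bytes (constructed)
        self.last = last       # True for the final fragment (MF bit clear)


class Reassembler:
    """One reassembly engine, used for the sensor and for the end host.

    timeout: seconds a partial datagram is held before it is discarded.
    policy:  'first' keeps the bytes that arrived first when fragments overlap
             (the Windows behaviour the course describes); 'last' lets a
             retransmitted fragment overwrite them (the UNIX behaviour).
    """

    def __init__(self, timeout, policy="first"):
        self.timeout = timeout
        self.policy = policy
        self.completed = []     # every datagram this engine handed to processing
        self._reset()

    def _reset(self):
        self._buf = {}          # byte offset -> byte value
        self._started = None    # time the first buffered fragment arrived
        self._total = None      # datagram length, known once the last fragment is seen

    def receive(self, now, frag):
        """Feed one fragment at time `now`; return the datagram if it completes."""
        if self._started is not None and now - self._started >= self.timeout:
            self._reset()       # reassembly timer expired: partial datagram discarded
        if self._started is None:
            self._started = now
        for i, byte in enumerate(frag.data):
            off = frag.offset + i
            if off in self._buf and self.policy == "first":
                continue        # first-received data wins; ignore the overlap
            self._buf[off] = byte
        if frag.last:
            self._total = frag.offset + len(frag.data)
        if self._total is not None and all(o in self._buf for o in range(self._total)):
            datagram = bytes(self._buf[o] for o in range(self._total))
            self.completed.append(datagram)
            self._reset()
            return datagram
        return None


def timer_too_short():
    """Sensor timeout 15 s, victim 30 s; Frag 1 at 0 s, Frag 2 at 25 s."""
    frags = [Fragment(0, b"ATT"), Fragment(3, b"ACK", last=True)]
    sensor, victim = Reassembler(15), Reassembler(30)
    for engine in (sensor, victim):
        engine.receive(0, frags[0])
        engine.receive(25, frags[1])
    return sensor.completed, victim.completed       # ([], [b'ATTACK'])


def timer_too_long():
    """Sensor 60 s, victim 30 s; decoy 2,4 at 0 s, 1,3 at 45 s, real 2,4 at 65 s."""
    real = [Fragment(0, b"AT"), Fragment(2, b"TA"), Fragment(4, b"CK"), Fragment(6, b"!!", last=True)]
    decoy = [Fragment(2, b"xx"), Fragment(6, b"yy", last=True)]
    sensor, victim = Reassembler(60), Reassembler(30)
    for engine in (sensor, victim):
        for t, frag in [(0, decoy[0]), (0, decoy[1]), (45, real[0]), (45, real[2]),
                        (65, real[1]), (65, real[3])]:
            engine.receive(t, frag)
    # The sensor only ever reassembled the harmless decoy; the victim got the real datagram.
    return sensor.completed, victim.completed       # ([b'ATxxCKyy'], [b'ATTACK!!'])


def resent_fragments():
    """Frags 1,2,3, then 2 and 3 resent with different bytes plus frag 4."""
    first = [Fragment(0, b"AT"), Fragment(2, b"TA"), Fragment(4, b"CK")]
    resent = [Fragment(2, b"xx"), Fragment(4, b"yy"), Fragment(6, b"!!", last=True)]
    windows, unix = Reassembler(30, "first"), Reassembler(30, "last")
    for engine in (windows, unix):
        for frag in first + resent:
            engine.receive(0, frag)
    return windows.completed[0], unix.completed[0]  # (b'ATTACK!!', b'ATxxyy!!')


def overlapping_fragments(policy):
    """The second fragment's offset overwrites the last byte of the first."""
    engine = Reassembler(30, policy)
    engine.receive(0, Fragment(0, b"GET script.idd"))
    return engine.receive(0, Fragment(13, b"a?", last=True))
```

A sensor whose timeout or overlap policy differs from the protected host's reaches a different result in every one of these cases, which is why Cisco IPS lets the reassembly behaviour be set to match the operating systems it protects.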

Session Attacks
This topic describes how attackers use session attacks to avoid detection by intrusion detection
and intrusion prevention products.

Session Splicing

• Attackers spread the malicious string across a number of packets, without utilizing IP fragmentation.
• This is usually done slowly, splicing the session into many more packets than would ordinarily be required.
• TCP segment reassembly is helpful in countering session splicing.


Not all attempts at evasion leverage the fragmentation capabilities of the IP protocol.
Sometimes, hackers attempt to evade detection by fragmenting data at the application or
transport layer. An example of this type of fragmentation is session splicing.

An example of session splicing would be an application that sends unusually small datagrams
of one byte. By splintering the malicious code into multiple datagrams, any IPS sensor in the
path would have to be aware of the entire session to recognize the malicious code. The
challenge in defending against this type of attack is similar to defending against fragmentation
attacks at the network layer: the IPS sensor has to be aware of all of the traffic in the session,
buffer it, and then process it as a whole to detect the malicious behavior.

Insertion Attacks
This topic describes how attackers use insertion attacks to avoid detection by intrusion
detection and intrusion prevention products.

Insertion Attack

• The attacker attempts to insert data that is read only by the IPS sensor.
• Malicious data is sent, along with additional, harmless characters.
• The combined data appears to be acceptable because it does not match any of the IPS signatures.
• The harmless characters are then dropped by the end system.
• This leaves only the malicious data to be processed, and evades detection by the IPS sensor.


An IPS sensor can accept a packet that an end system rejects. The sole purpose of this insertion
of data is to evade detection by the IPS system. In general, insertion attacks occur whenever an
IPS sensor is less strict in processing a packet than an end system. An obvious reaction to this
problem might be to make the IPS sensor as strict as possible in processing packets; this
minimizes insertion attacks.

Insertion Attack Example

Attacker sends single-byte packets: AXCTTXAKX
IPS sees: AXCTTXAKX
End system processes: ATTACK


In the figure, the attacker sends each packet with a single byte of data, and the User Datagram
Protocol (UDP) checksum is deliberately wrong on the packets that carry an X. The IPS
allows every packet through, but the end system rejects each X when its UDP checksum fails,
and the malicious string then executes.

Note The Cisco IPS product line is not vulnerable to this attack.

Evasion Attacks
This topic describes how attackers use evasion attacks to avoid detection by intrusion detection
and intrusion prevention products.

Evasion Attack

• An evasion attack is similar to an insertion attack.
• An evasion attack causes the IPS sensor to miss packets that are intended for the end system.
• Similar to the insertion attack, the IPS sensor sees a different data stream than the end system.
• This attack is done to bypass IPS sensors that are too strict about processing.


Similar to an insertion attack, an evasion attack also attempts to have the IPS sensor see
different traffic than the intended victim. However, this time the sensor has to be tricked into
rejecting packets that the victim does not.

If a sensor is vulnerable to an evasion attack, either by configuration or flaw, it can be
devastating to the accuracy of a sensor. Entire sessions can be carried back and forth between
attacker and victim, and the sensor never sees any of it.

Evasion Attack Example

Attacker sends single-byte packets: ATTACK
IPS sees: ATTCK
End system processes: ATTACK


Evasion attacks are designed to get around signature-based solutions in a manner similar to
insertion attacks. The goal of the attacker is to cause the sensor to see a different data stream
than the intended victim, but this time the end system sees more data than the sensor.

In the example, the attacker sends a series of packets designed to have one or more packets
rejected by the sensor, but accepted by the intended victim. If successful, the sensor sees a
different data stream than the end system.

Note The Cisco IPS product line is not vulnerable to this attack.

TTL-Based Attacks
This topic describes how attackers use Time to Live (TTL)-based attacks to avoid detection by
intrusion detection and intrusion prevention products.

TTL-Based Attacks

[Figure: the attacker sends Frag 1, then a Frag 2 with TTL=1; the sensor processes that Frag 2, but the next router drops it, so it is never received by the end system. Frag 3 follows, and the sensor reassembles, processes, and drops the packet. A second Frag 2 then arrives, and the end system reassembles Frag 1, Frag 2, and Frag 3 into the attack.]

If an attacker has knowledge of the topology of the network of an intended victim, the attacker
can cause the IPS sensor to see a different data stream than the end system by manipulating the
TTL field in the IP header.

In the figure, the attacker sends a frame that the attacker does not want the end system to
receive. To accomplish this, the attacker sends a frame with a TTL set to a value that causes the
TTL to be 1 when the sensor receives it. If the TTL is 1 when the sensor receives the frame, the
frame expires on the next router, and the end system never receives it. In this way, the sensor
sees a different data stream than the end system. In our example, the Frag 2 packet with a TTL
of 1 is processed by the IPS sensor and then dropped by the router. Therefore, the receiving end
host does not see the Frag 2 TTL=1 packet and cannot perform packet reassembly until the
second Frag 2 packet arrives.

This strategy can be used in an insertion attack.

Note The Cisco IPS product line is not vulnerable to this attack.

Encryption-Based Attacks
This topic describes how attackers use encryption-based attacks to avoid detection by intrusion
detection and intrusion prevention products.

Encryption

SSL Session

• Launching an attack via an encrypted session can avoid network-based intrusion detection and prevention.
• This type of evasive technique assumes that the attacker has already established a secure session with the target network or host.


Sensors monitor the network and capture the packets as they traverse the network. Network-
based sensors rely on the data being transmitted in plaintext. When packets are encrypted, the
sensor captures the data but is unable to decrypt it and cannot perform meaningful analysis.
This type of evasive technique assumes that the attacker has already established a secure
session with the target network or host. Here are some examples of secure sessions that can be
used:
• Secure Sockets Layer (SSL) connection to a secure website
• Secure Shell (SSH) connection to an SSH server
• Site-to-site IP Security (IPsec) virtual private network (VPN) tunnel
• Client-to-LAN IPsec VPN tunnel

Resource Exhaustion Attacks
This topic describes how attackers use resource exhaustion attacks to avoid detection by
intrusion detection and intrusion prevention products.

Resource Exhaustion Attacks

• The least subtle method of evading detection is DoS.
• An excessive number of alarms can:
– Consume the IPS processor handling alarms
– Consume the IPS memory resources handling alarms
– Prevent the management system from being able to handle the load
– Cause personnel to have too many alarms to investigate sufficiently
• State-aware devices are less vulnerable to DoS attacks.
• UDP and ICMP are not stateful, and therefore are good candidates for this type of attack.


A less subtle method of evading detection is through denial of service (DoS); it does not matter
if the DoS is against the device or the personnel managing the device. Tools such as Stick and
Snot can be used to create a tremendous number of alarms that consume the resources of the
IPS device and prevent attacks from being logged. Sometimes, these attacks can overwhelm the
management system—server, database server, or out-of-band (OOB) network. These attacks
can also be successful if the only thing they overwhelm is the administrative staff that does not
have the time or skill necessary to investigate the numerous false alarms that have been
triggered.

Flooding

Saturating the network with noise traffic while also trying to launch an attack against the target is referred to as flooding.


Intrusion detection and prevention systems rely on their ability to capture packets off the wire
and analyze them as quickly as possible. This ability requires the sensor to have adequate
memory capacity and processor speed. By flooding the network with noise traffic and causing
the sensor to capture unnecessary packets, the attacker can cause an attack to go undetected. If
the attack is detected, the sensor resources may be exhausted and thus unable to respond in a
timely manner. In the figure, the attacker is sending large amounts of traffic, as signified by the
larger pipe. Meanwhile, the actual attack is being sent to the target host, as represented by the
thin pipe that reaches the target host.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary

• Hackers employ a number of evasive techniques to avoid detection.
• String matches are evaded by changing the string in a variety of ways such as encoding changes, obfuscation, and encryption.
• If the fragment reassembly timer of the sensor is either too long or too short, the sensor can be vulnerable to fragmentation attacks.
• Session splicing is an example of a session attack that splinters malicious code into multiple, smaller datagrams to avoid detection.
• Insertion attacks attempt to avoid detection by causing the sensor to see more data than the end system.
• Evasion attacks attempt to avoid detection by slipping packets past the sensor.
• For TTL-based attacks to be effective, the attacker must have knowledge of the network of the intended victims.
• When a sensor captures encrypted data, it cannot perform meaningful analysis.
• Flooding is an effective method to consume system resources and overwhelm personnel with excessive alarms.


Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary

• IDS systems passively observe traffic and alert on malicious traffic, while IPS systems observe the same traffic but have the capability of denying malicious traffic. Both IDS and IPS technologies can take a number of strategies including anomaly-based, policy-based, signature-based, and protocol analysis.
• Cisco offers two types of IPS solutions, network-based and host-based, which are complementary to each other.
• SDEE is a standards-based communications protocol used by the latest IPS products. RDEP2 is used for legacy communications between IPS applications. Element management administers a single IPS sensor at a time, while enterprise management administers multiple IPS sensors simultaneously.
• Attackers employ a variety of strategies to avoid detection including fragmentation, resource exhaustion, encryption, insertion, attacks against sessions, and string matches.


Intrusion prevention system (IPS) solutions are superior to intrusion detection system (IDS)
solutions because of the capability of IPS solutions to deny malicious traffic. IPS solutions can
take a number of approaches, which are different, and not equal. Policy-based solutions are the
most effective when configured correctly. The challenge comes in defining the policy.
Signature-based solutions are the least effective, but the easiest to deploy.

References
For additional information, refer to these resources:
• Cisco Systems, Inc. Network Admission Control Introduction. http://www.cisco.com/go/nac.
• Cisco Systems, Inc. Cisco Network Foundation Protection (NFP). http://www.cisco.com/go/nfp.
• Timm, K. IDS Evasion Techniques and Tactics. http://www.securityfocus.com/infocus/1577.
• RFC 2279, UTF-8, a Transformation Format of ISO 10646.
• Unicode, Inc. Unicode home page. http://www.unicode.org.

Module 2

Installation of a Cisco IPS 4200 Series Sensor

Overview
This module provides an overview of the steps necessary to initialize and prepare an intrusion
prevention system (IPS) sensor to function in a production environment.

Module Objectives
Upon completing this module, you will be able to install and configure the basic settings on a
Cisco IPS 4200 Series Sensor. This ability includes being able to meet these objectives:
„ Install and initialize a Cisco IPS sensor appliance in the network using the CLI
„ Use the Cisco IDM to launch, navigate, manage, and monitor an IPS device
„ Use the Cisco IDM to configure basic sensor settings

Lesson 1

Installing a Cisco IPS Sensor Using the CLI

Overview
This lesson provides an overview of the Cisco Intrusion Prevention System (IPS) sensor
appliances. The lesson explains the parameters necessary to initialize a sensor and perform
basic functions using the command-line interface (CLI).

Objectives
Upon completing this lesson, you will be able to install and initialize a Cisco IPS sensor
appliance in the network using the CLI. This ability includes being able to meet these
objectives:
„ Explain the CLI of the Cisco IPS sensor
„ Gain management access and initialize a sensor
„ Explain some of the administrative tasks that are done from the CLI
„ Explain some of the additional commands that are available from the CLI

Introducing the CLI
This topic introduces the CLI and explains the various CLI modes.

Accessing the CLI

You can access the CLI of a sensor appliance running Cisco IPS Sensor Software Version 6.0 via the following:
• SSH
• Serial interface connection
• Telnet (disabled by default)

The Cisco IPS Sensor Software Version 6.0 includes a full CLI. The IPS CLI resembles the
Cisco IOS Software CLI; however, it has fewer Cisco IOS configuration commands than the
Cisco IOS Software. It also has additional configuration modes and commands.

You can access the CLI of a sensor appliance via Telnet, Secure Shell (SSH), or a serial
interface connection. Enter your username and password at the login prompt. The default
username is “cisco”; and the default password is “cisco.” When you log in for the first time,
you are prompted to change the default password.

Note Telnet access is disabled by default.

The number of concurrent CLI sessions is limited, based on the platform. The Cisco IDS 4215
Sensor is limited to three concurrent CLI sessions. All other platforms allow 10 concurrent
sessions.

The CLI for Cisco IPS Sensor Software Version 6.0 permits multiple users to log in at one
time. You can create and remove users from the local sensor. You can modify only one user
account at a time. Each user is associated with a role that controls what that user can and cannot
modify.

The CLI supports four user roles: administrator, operator, viewer, and service. The privilege
levels for each role are different; therefore, the menus and available commands vary for each
role. More detail about the privileges of each user role is provided in the “Configuring Basic
Sensor Settings” lesson.

CLI Features

The Cisco IPS Sensor Software Version 6.0 CLI includes the following features:
• Help
• Tab completion
• Command abbreviation
• Command history
• User interactive prompts

The Cisco IPS CLI features these components:


• Help: Enter ? after the command to display command help. Help displays only commands available in the current mode.
• Tab completion: If you are unsure of the complete syntax for a command, enter a portion of the command and press Tab to complete the command. If multiple commands match for tab completion, nothing is displayed. The terminal repeats the line you entered. Only commands available in the current mode will display by tab completion.
• Command abbreviation: The CLI recognizes shortened forms of many common commands. You have to enter only enough characters for the sensor to recognize the command as unique. For example, sh ver executes the show version command.
• Command history: Use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N to recall the commands entered in a mode. The recall list does not report Help and tab complete requests.
• User interactive prompts: The CLI displays user interactive prompts when the system displays a question and waits for user input. The default input is displayed within brackets. Press Enter to accept the default input.

The CLI is not case-sensitive, but it does echo the text exactly as you entered it. These steps
provide an example:
Step 1 Enter CONF at the privileged EXEC prompt as follows:
sensorP# CONF
Step 2 Press the Tab key. The sensor displays the following:
sensorP# CONFigure

An interactive prompt, —More—, indicates that the terminal output exceeds the allotted display space. Press the spacebar to display the next page of output, or press Enter to display the output one line at a time. Press Ctrl-C to clear the contents of the current command line and return to a blank command line.

You can usually disable features or functions by using the no form of a command. Use the
command without the keyword no to enable a disabled feature or function. For example, the
command ssh host-key ip_address adds an entry to the known hosts table while the command
no ssh host-key ip_address removes the entry from the known hosts table. Refer to the
individual commands for a complete explanation of the no form of that command.

Configuration commands that specify a default value in the configuration files can have a
default form of the command. The default form of a command returns the command setting to
the default value.

CLI Editing

Command   Description
Ctrl-A    Moves the cursor to beginning of line
Ctrl-B    Moves the cursor back one character
Ctrl-D    Deletes the character at the cursor
Ctrl-E    Moves the cursor to the end of the line
Ctrl-F    Moves the cursor forward one character
Ctrl-L    Clears the screen
Ctrl-V    Inserts a code to indicate to the sensor that the next keystroke is a command entry, not an editing key
Ctrl-W    Deletes the word to the left
Esc-B     Moves the cursor back one word
Esc-D     Deletes from the cursor to the end of the word
Esc-F     Moves the cursor forward one word

The CLI provides many editing capabilities. This table lists the editing keys available at the
CLI of a Cisco IPS.

CLI Editing Keys

Key                    Description
Tab                    Completes a partial command name entry. When you type a unique set of characters and press Tab, the system completes the command name. If you enter a set of characters that could indicate more than one command, the system beeps to indicate an error. Enter a question mark (?) immediately following the partial command (no space) and the system provides a list of commands that begin with that string.
Backspace              Erases the character to the left of the cursor.
Enter                  At the command line, processes a command. At the ---More--- prompt on a terminal screen, scrolls down a line.
Spacebar               Enables you to see more output on the terminal screen. Press the spacebar when you see the line ---More--- on the screen to display the next screen.
Left Arrow             Moves the cursor one character to the left. When you enter a command that extends beyond a single line, you can press the Left Arrow key repeatedly to scroll back toward the system prompt and verify the beginning of the command entry.
Right Arrow            Moves the cursor one character to the right.
Up Arrow or Ctrl-P     Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down Arrow or Ctrl-N   Returns to more recent commands in the history buffer after recalling commands with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.
Ctrl-A                 Moves the cursor to the beginning of the line.
Ctrl-B                 Moves the cursor back one character.
Ctrl-D                 Deletes the character at the cursor.
Ctrl-E                 Moves the cursor to the end of the command line.
Ctrl-F                 Moves the cursor forward one character.
Ctrl-K                 Deletes all characters from the cursor to the end of the command line.
Ctrl-L                 Clears the screen and redisplays the system prompt and command line.
Ctrl-T                 Transposes the character to the left of the cursor with the character located at the cursor.
Ctrl-U                 Deletes all characters from the cursor to the beginning of the command line.
Ctrl-V                 Inserts a code to indicate to the system that the keystroke immediately following should be treated as a command entry, not as an editing key.
Ctrl-W                 Deletes the word to the left of the cursor.
Ctrl-Y                 Recalls the most recent entry in the delete buffer. The delete buffer contains the last 10 items you deleted or cut.
Ctrl-Z                 Ends configuration mode and returns you to the EXEC prompt.
Esc-B                  Moves the cursor back one word.
Esc-C                  Capitalizes the word at the cursor.
Esc-D                  Deletes from the cursor to the end of the word.
Esc-F                  Moves the cursor forward one word.
Esc-L                  Changes the word at the cursor to lowercase.
Esc-U                  Capitalizes from the cursor to the end of the word.

CLI Uses

The CLI can be used to perform the following:
• Sensor initialization tasks
• Configuration tasks
• Administrative tasks
• Troubleshooting

You can use the CLI to perform these tasks:


• Sensor initialization tasks: These include such tasks as assigning the sensor IP address, specifying trusted hosts, and creating user accounts.
• Configuration tasks: These include such tasks as tuning signature engines and defining the ports where web servers are running.
• Administrative tasks: These include such tasks as backing up and restoring the current configuration file.
• Troubleshooting: These include such tasks as verifying statistics and settings.

CLI Modes

Mode                          Description
Privileged EXEC mode          Entered when you log in to the CLI
Global configuration mode     Entered from privileged EXEC mode by typing configure terminal
Service mode                  Entered from global configuration mode by typing service service-name
Multi-instance service mode   Entered from global configuration mode by typing service service-name log-instance-name

The CLI supports the following command modes. Each command mode provides access to a subset of commands:
• Privileged EXEC mode: Privileged EXEC mode is the first level of the CLI. You enter privileged EXEC mode by logging into the CLI. The prompt sensorP# denotes privileged EXEC mode.
• Global configuration mode: Global configuration mode is the second level of the CLI. You enter global configuration mode by first logging into the CLI and then typing configure terminal. The prompt sensor(config)# denotes global configuration mode.
• Service mode: Service mode is a generic command mode used to edit the configuration of a service. A service is a related set of functionality provided by an IPS application. An IPS application may provide more than one service. You can enter service mode from global configuration mode by typing service <serviceName>, where serviceName identifies the actual service that you are trying to access. The prompt sensor(config-ser)# denotes service mode, where ser is the first three characters of the service name.
• Multi-instance service mode: The signature definition service, event action rules service, and anomaly detection service are multi-instance services. Their respective configuration modes are as follows:
  — Signature definition mode
  — Event action rules mode
  — Anomaly detection mode
  You can enter these modes from global configuration mode by typing service service-name log-instance-name. The prompt sensor(config-log)# denotes the multi-instance service mode, where log is the first three characters of the logical instance name. For example, this command enters configuration mode for the logically named configuration, rules0:
  sensorP(config)# service event-action-rules rules0
  sensorP(config-rul)#

Note There are currently only two valid logical instance names: rules0 for event action rules and
sig0 for signature definition.

You can use the exit command to exit any configuration mode or close an active terminal
session and terminate privileged EXEC mode. When you exit a service mode, you are
prompted to apply any modifications you have made within the service mode or any submodes
contained within it. If you answer “yes,” your changes are applied to the service immediately.
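The mode transitions and prompt rules described above, modelled as an added Python example (this is not Cisco code and not the sensor's own implementation). The `edit` pseudo-command, the `answer_apply` argument and the reduced per-mode command sets are assumptions of the model; the service names and the valid logical instance names come from this lesson:

```python
"""Model of the Cisco IPS Sensor Software 6.0 CLI command modes.

Reproduces the documented prompt and mode transitions (privileged EXEC ->
global configuration -> service mode or multi-instance service mode), the
apply-on-exit question, case-insensitive unique-prefix command abbreviation,
and the rule that only rules0 and sig0 are valid logical instance names.
"""

# Services from the "service ?" help output in this lesson.
SERVICES = [
    "analysis-engine", "anomaly-detection", "authentication",
    "event-action-rules", "external-product-interface", "host", "interface",
    "logger", "network-access", "notification", "signature-definition",
    "ssh-known-hosts", "trusted-certificates", "web-server",
]
# Logical instance names the lesson says exist. anomaly-detection is also
# multi-instance, but the lesson names no instance for it, so this model
# leaves it out of the table (assumption of the model).
INSTANCES = {"signature-definition": ["sig0"], "event-action-rules": ["rules0"]}
# Commands the model understands per mode (a subset of the real help output;
# "edit" is a stand-in for any setting change made inside a service).
COMMANDS = {
    "exec": ["configure", "exit"],
    "config": ["service", "exit", "end"],
    "service": ["exit", "edit"],
}


def expand(word, candidates):
    """Case-insensitive unique-prefix expansion, like 'sh ver' -> show version."""
    hits = [c for c in candidates if c.lower().startswith(word.lower())]
    if len(hits) != 1:  # unknown, or ambiguous (e.g. "e" in config mode)
        raise ValueError(f"% Invalid input detected at '{word}'")
    return hits[0]


class SensorCli:
    def __init__(self, hostname="sensorP"):
        self.hostname = hostname
        self.mode = "exec"        # exec | config | service
        self.service = None       # service name while in service mode
        self.instance = None      # logical instance name (multi-instance only)
        self.dirty = False        # unapplied change inside the current service
        self.applied = []         # (service, instance) pairs applied on exit
        self.closed = False       # exit from privileged EXEC ends the session

    @property
    def prompt(self):
        if self.mode == "exec":
            return f"{self.hostname}#"
        if self.mode == "config":
            return f"{self.hostname}(config)#"
        # First three letters of the logical instance name, else of the service.
        return f"{self.hostname}(config-{(self.instance or self.service)[:3]})#"

    def run(self, line, answer_apply="yes"):
        """Execute one command line; returns the prompt that follows it."""
        words = line.split()
        if not words:
            return self.prompt
        cmd, args = expand(words[0], COMMANDS[self.mode]), words[1:]
        if cmd == "configure":
            if len(args) != 1:
                raise ValueError("% Incomplete command: configure terminal")
            expand(args[0], ["terminal"])
            self.mode = "config"
        elif cmd == "service":
            self._enter_service(args)
        elif cmd == "edit":
            self.dirty = True
        elif cmd == "end":
            self.mode = "exec"
        else:  # exit
            self._exit(answer_apply)
        return self.prompt

    def _enter_service(self, args):
        if not args:
            raise ValueError("% Incomplete command: service service-name")
        name = expand(args[0], SERVICES)
        if name in INSTANCES:
            if len(args) != 2:
                raise ValueError(f"% {name} requires a logical instance name")
            self.instance = expand(args[1], INSTANCES[name])
        elif len(args) != 1:
            raise ValueError(f"% {name} is a single-instance service")
        self.service, self.mode = name, "service"

    def _exit(self, answer_apply):
        if self.mode == "service":
            # Leaving a service mode asks whether to apply pending edits.
            if self.dirty and answer_apply == "yes":
                self.applied.append((self.service, self.instance))
            self.service = self.instance = None
            self.dirty = False
            self.mode = "config"
        elif self.mode == "config":
            self.mode = "exec"
        else:
            self.closed = True
```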

Privileged EXEC Mode

The following tasks are performed in privileged EXEC mode:
• Initialize the sensor
• Reboot the sensor
• Enter configuration mode
• Terminate current login session
• Display system settings
• Ping

sensorP#

The first level of the CLI is the privileged EXEC mode. This mode enables you to perform such
tasks as initializing the sensor and displaying system settings. The example shows the
commands available in privileged EXEC mode to a user with administrator privileges:
sensorP# ?
anomaly-detection   Perform an action on the anomaly detection application
clear               Clear system settings or devices
clock               Set system clock settings
configure           Enter configuration mode
copy                Copy iplog, license key, or configuration files
erase               Erase a logical file
exit                Terminate current CLI login session
iplog               Control IP logging on the interface group
iplog-status        Display a list of IP logs currently existing in the system
more                Display a logical file
no                  Remove or disable system settings
packet              Capture traffic on an interface or display a previously captured file or iplog
ping                Send echo messages to destination
reset               Shut down the sensor applications and reboot
setup               Perform basic sensor configuration
show                Display system settings and/or history information
ssh                 Secure Shell settings
terminal            Change terminal configuration parameters
tls                 Configure TLS settings
trace               Display the route an IP packet takes to a destination

Note The CLI supports the administrator, operator, service, and viewer user roles. The privilege
levels for each role are different; therefore, the menus and available commands vary for
each role. All help command output in this topic shows the commands available when you
are logged in as a user with the administrator role.

Global Configuration Mode

The following tasks are performed in global configuration mode:
• Create user accounts
• Configure SSH and TLS settings
• Reimage the application partition
• Upgrade and downgrade system software and signatures
• Enter service configuration mode

sensorP# configure terminal
sensorP(config)#

The second level of the CLI is global configuration mode. This mode enables you to perform
global configuration tasks such as creating user accounts. The example shows the commands
available in global configuration mode:
sensorP(config)# ?
banner      Define a login banner
default     Reset settings back to default
downgrade   Remove the last applied upgrade
end         Exit configuration mode and return to EXEC mode
exit        Exit configuration mode and return to EXEC mode
no          Remove configuration
password    Modify current user password on the local sensor
privilege   Modify user privilege
recover     Reimage the application partition from the recovery partition
service     Enter configuration mode for node services
show        Display system settings and/or history information
ssh         Secure Shell settings
tls         Configure TLS settings
upgrade     Upgrade system software and signatures
username    Add a user to the local sensor

Note The Transport Layer Security (TLS) protocol is closely related to the Secure Sockets Layer
(SSL) protocol.

If you attempt to execute a deprecated or unknown command, an error is generated. The example shows a command error:
sensorP(config)# hostname sensorP
^
% Invalid input detected at ‘^’ marker

Service Mode

• Service mode is a generic command mode.
• It allows you to enter configuration mode for various services.

The service mode is a generic command mode. It enables you to enter configuration mode for
various services. The example shows the services that you can configure via their respective
service modes:
sensorP(config)# service ?
analysis-engine              Enter configuration mode for global analysis engine options
anomaly-detection            Enter configuration mode for anomaly detection
authentication               Enter configuration mode for user authentication options
event-action-rules           Enter configuration mode for the event action rules
external-product-interface   Enter configuration mode for the interfaces to external products
host                         Enter configuration mode for host configuration
interface                    Enter configuration mode for interface configuration
logger                       Enter configuration mode for debug logger
network-access               Enter configuration mode for the network access controller
notification                 Enter configuration mode for the notification application
signature-definition         Enter configuration mode for the signature definition
ssh-known-hosts              Enter configuration mode for configuring SSH known hosts
trusted-certificates         Enter configuration mode for configuring trusted certificates
web-server                   Enter configuration mode for the web server application

Service Signature Definition Mode

The following tasks are performed in service signature definition mode:
• Modify signatures
• Reset signature settings to the defaults

Within the service signature definition mode, you can perform such tasks as modifying
signatures and using the default command to reset signature settings to the default settings. The
example shows the commands available in service signature definition mode:
sensor(config)# service signature-definition sig0
sensor(config-sig)# ?
application-policy    Application policy enforcement parameters
default               Set the value back to the system default setting
exit                  Exit service configuration mode
fragment-reassembly   IP fragment reassembly configuration
ip-log                IP log configuration
no                    Remove an entry or selection setting
show                  Display system settings and history information
signatures            Signature definitions
stream-reassembly     TCP stream assembly configuration
variables             User and system defined variables

Note The description shown for the variables option above is a definition supplied for this guide; that text does not actually display when you ask for online help.

Initializing the Sensor
This topic describes how to initialize the Cisco IPS sensor appliance.

Management Access

You can use these methods to gain management access to a Cisco IPS sensor:
• Console port (cable provided)
• Telnet
• SSH
• HTTPS

The methods that you can use to gain management access to a sensor are as follows:
• Console port: Requires the use of the RS-232 cable provided with the sensor and a terminal emulation program such as HyperTerminal.
• Telnet: Requires an IP address that has been assigned to the command and control interface via the CLI setup command. You must enable this IP address to allow Telnet access. Telnet is disabled by default.
• SSH: Requires an IP address that has been assigned to the command and control interface via the CLI setup command and uses a supported SSH client. The SSH server in the sensor is enabled by default.
• HTTPS: Requires an IP address that has been assigned to the command and control interface via the CLI setup command and uses a supported web browser. HTTPS is enabled by default but can be disabled.

Note You can perform the initial sensor appliance setup only via a console connection. After you
configure network settings, SSH and Telnet are available.

Sensor Initialization Tasks

Perform these tasks to initialize the sensor:
• Assign a name to the sensor
• Assign an IP address and netmask to the command and control interface
• Assign a default gateway
• Enable or disable the Telnet server
• Specify the web server port
• Create network ACLs
• Configure the date and time
• Configure the sensor interfaces
• Configure virtual sensors
• Configure threat prevention

You perform sensor initialization tasks by using an interactive dialog that you initiate with the setup command. The initialization tasks are as follows:
• Assign the sensor a hostname
• Assign an IP address and a subnet mask to the command and control interface
• Assign a default route
• Enable or disable the Telnet server
• Specify the web server port
• Add and remove access control list (ACL) entries that specify which hosts are allowed to connect to the sensor
• Configure the date and time
• Configure the sensor interfaces
• Configure virtual sensors
• Configure threat prevention

Note If you later change the IP address of the sensor, you must generate a self-signed X.509
certificate. HTTPS communications need this certificate.

setup Command


You accomplish most of the initialization tasks by using the setup command of the sensor. It
walks you through the configuration of the hostname, IP address, netmask, gateway, and
communications options. After you enter the setup command, the default settings are
displayed. Press the spacebar to continue.
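As an added example (Python, not Cisco code), a validator for the answers the setup dialog collects, using the formats this lesson documents for the hostname, the X.X.X.X/nn,Y.Y.Y.Y address answer, the web server port and the network ACL entries. The check that the gateway lies inside the sensor's own subnet and the check that the management workstation is covered by the ACL are this example's own additions, and the `managed_from` parameter is an assumption:

```python
"""Checks for the values the sensor setup dialog asks for.

Formats from the lesson: hostname up to 256 characters of letters, digits,
'_' and '-' with no spaces; address answer X.X.X.X/nn,Y.Y.Y.Y (default
10.1.9.201/24,10.1.9.1); web server port 1-65535 (default 443, and the port
must appear in the IDM URL when it is not 443); ACL entries X.X.X.X/nn, with
/32 for a single host. The gateway-in-subnet and lockout checks are added here.
"""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,256}")


def check_hostname(name):
    """Hostname is case-sensitive; only letters, digits, '_' and '-' are accepted."""
    if not HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"invalid hostname {name!r}: letters, digits, '_' and '-' "
                         "only, up to 256 characters, no spaces")
    return name


def parse_ip_netmask_gateway(answer):
    """Parse 'X.X.X.X/nn,Y.Y.Y.Y'; returns (interface, gateway) ipaddress objects.

    Added sanity check: the gateway must be another host on the sensor's subnet,
    otherwise the default route can never be reached.
    """
    try:
        addr_part, gw_part = (p.strip() for p in answer.split(","))
    except ValueError:
        raise ValueError(f"expected X.X.X.X/nn,Y.Y.Y.Y, got {answer!r}") from None
    iface = ipaddress.ip_interface(addr_part)   # address plus /nn prefix
    gateway = ipaddress.ip_address(gw_part)
    if gateway == iface.ip or gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not another host on {iface.network}")
    return iface, gateway


def check_web_port(port):
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"web server port {port} is outside 1-65535")
    return port


def idm_url(sensor_ip, port):
    """IDM URL; the port is only needed in the URL when it is not the default 443."""
    return f"https://{sensor_ip}" if port == 443 else f"https://{sensor_ip}:{port}"


def parse_acl_entry(entry):
    """One Permit entry: a network as X.X.X.X/nn, or a single host as X.X.X.X/32."""
    if "/" not in entry:
        raise ValueError(f"ACL entry {entry!r} must be X.X.X.X/nn (use /32 for one host)")
    return ipaddress.ip_network(entry, strict=False)


def acl_permits(acl, host):
    """True when any ACL network covers the host address."""
    host = ipaddress.ip_address(host)
    return any(host in net for net in acl)


def check_setup(hostname, ip_answer, web_port, acl_entries, managed_from=None):
    """Validate one set of setup answers and return the normalised values.

    managed_from (assumed parameter) is the workstation that will open SSH or
    IDM sessions; refusing an ACL that excludes it avoids locking yourself out.
    """
    iface, gateway = parse_ip_netmask_gateway(ip_answer)
    acl = [parse_acl_entry(e) for e in acl_entries]
    if managed_from is not None and not acl_permits(acl, managed_from):
        raise ValueError(f"ACL {[str(n) for n in acl]} would lock out "
                         f"management host {managed_from}")
    port = check_web_port(web_port)
    return {
        "hostname": check_hostname(hostname),
        "ip": str(iface.ip),
        "netmask": str(iface.netmask),
        "gateway": str(gateway),
        "web_port": port,
        "idm_url": idm_url(iface.ip, port),
        "acl": [str(n) for n in acl],
    }
```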

© 2007 Cisco Systems, Inc. Installation of a Cisco IPS 4200 Series Sensor 2-21
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
setup Command (Cont.)


When you press the spacebar to continue, this question appears:
Continue with configuration dialog? [yes]: yes

Enter yes to continue with the configuration dialog. Enter no to cancel the setup.

The figure shows the configuration dialog presented by the setup command. The configuration
dialog is a series of interactive prompts that enables you to configure these settings:
• Hostname: The hostname is a case-sensitive character string up to 256 characters. Numbers, “_” and “-” are valid, but spaces are not acceptable. The default hostname is “sensor.”

Note The CLI prompt of the current session and other existing sessions do not update with the
new hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.

• IP address/netmask/gateway: The syntax for these values is X.X.X.X/nn,Y.Y.Y.Y, where
X.X.X.X specifies the sensor IP address, nn specifies the number of bits in the netmask, and
Y.Y.Y.Y specifies the default gateway. The default is 10.1.9.201/24,10.1.9.1.
• Telnet server status: You can disable or enable Telnet services. The default is disabled.
• Web server port: The web server port is the TCP port used by the web server (1 to
65535). The default is 443. If you change the web server port, you must specify the port in
the URL address of your browser when you connect to Cisco IPS Device Manager (IDM),
in the format https://sensor_ip_address:port (for example, https://10.1.9.201:1040).

• Network access lists: The network ACL specifies networks that are allowed to access the
sensor. If you answer “yes” when prompted to modify the network ACL, the current ACL
entries are displayed. You are then prompted to delete any existing entries. Enter the
number corresponding to the entry you want to delete. Repeat this step until you have
deleted all of the entries that you want to delete from the ACL. Pressing Enter without
entering a number retrieves the Permit prompt. You can then add entries to the list to
enable other hosts or networks to access the sensor. Enter the IP address and number of bits
in the netmask in the form X.X.X.X/nn to add a network address to the list. To add a single
host address, enter the IP address and use /32 for the netmask. Repeat this step until you
have entered all of the addresses that you want to add to the ACL. Pressing Enter at this
point without entering a number retrieves the prompt to modify the system clock settings.
• System clock settings: Answering “yes” when prompted to modify the system clock
settings enables you to configure Network Time Protocol (NTP), summertime settings, and
the system time zone.

Note You can also use the Cisco IDM to configure the system clock settings and the sensor
interfaces later.

• Virtual sensor configuration: The virtual sensor interactive prompts enable you to
configure promiscuous interfaces and, if your platform supports inline functionality, inline
interface pairs.
• Threat prevention configuration: There is an event action override that denies high-risk
network traffic with a risk rating of 90 to 100. Choosing this option gives you the ability to
disable this feature.

Note A value shown in brackets next to a prompt is the current value.

setup Command (Cont.)


After you respond to the virtual sensor and threat prevention prompts, your configuration is
displayed. After the configuration displays, you are presented with these options:
• [0] Go to the command prompt without saving this config.
• [1] Return back to the setup without saving this config.
• [2] Save this configuration and exit setup.

If you choose [2] to save your configuration, you are prompted to modify the system date and
time. If you answer “yes” when prompted to modify the system date and time, the local date
prompt is displayed. Enter the date in the format YYYY-MM-DD. When presented with the
local time prompt, enter the time in 24-hour format.
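As an added pre-flight check that is not part of the course material, the following Python script validates the values you are about to type into the setup dialog (the hostname rules, the X.X.X.X/nn,Y.Y.Y.Y host-ip form, and network ACL entries in X.X.X.X/nn form) before they are committed to the sensor. The check that the gateway lies on the sensor's own subnet and the /24 warning threshold for ACL entries are choices made here, not rules enforced by the setup command.

```python
import ipaddress
import re

# Hostname rules from the setup dialog: up to 256 characters, letters, digits,
# "_" and "-" allowed, no spaces.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")


def parse_host_ip(value):
    """Parse the sensor host-ip syntax X.X.X.X/nn,Y.Y.Y.Y.

    Returns (interface, gateway) as ipaddress objects, or raises ValueError
    when the string is malformed or the gateway is not on the sensor's own
    subnet (a mismatch there leaves the sensor unreachable for management).
    """
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("expected X.X.X.X/nn,Y.Y.Y.Y, got %r" % value)
    iface = ipaddress.ip_interface(parts[0].strip())   # address plus prefix length
    gateway = ipaddress.ip_address(parts[1].strip())
    if iface.network.prefixlen == 32:
        raise ValueError("netmask /32 leaves no room for a gateway")
    if gateway not in iface.network:
        raise ValueError("gateway %s is not on subnet %s" % (gateway, iface.network))
    if gateway == iface.ip:
        raise ValueError("gateway must differ from the sensor address")
    return iface, gateway


def host_ip_errors(value):
    """Return a list of problems with a host-ip value; an empty list means usable."""
    try:
        parse_host_ip(value)
    except ValueError as exc:
        return [str(exc)]
    return []


def hostname_ok(name):
    """True when the hostname satisfies the setup dialog's rules."""
    return bool(HOSTNAME_RE.match(name))


def check_acl(entries):
    """Classify network ACL entries in the X.X.X.X/nn form used by setup.

    Each result is (level, entry, note). A /32 is a single host; anything
    wider than /24 (a threshold chosen for this check) is flagged for review
    before it is typed into the Permit prompt.
    """
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            # strict=True also rejects host bits set in a network entry,
            # e.g. 10.0.2.5/24, which is usually a mistyped host or mask.
            findings.append(("error", entry, str(exc)))
            continue
        if net.prefixlen == 0:
            findings.append(("warn", entry, "permits every address to reach the sensor"))
        elif net.prefixlen < 24:
            findings.append(("warn", entry, "broad entry (/%d); confirm it is intended" % net.prefixlen))
        elif net.prefixlen == 32:
            findings.append(("ok", entry, "single host"))
        else:
            findings.append(("ok", entry, "network"))
    return findings


def preflight(hostname, host_ip, acl_entries):
    """Run all checks and return a summary a script can act on."""
    acl = check_acl(acl_entries)
    errors = host_ip_errors(host_ip)
    if not hostname_ok(hostname):
        errors.append("hostname %r violates the setup rules" % hostname)
    errors.extend("%s: %s" % (e, note) for lvl, e, note in acl if lvl == "error")
    warnings = ["%s: %s" % (e, note) for lvl, e, note in acl if lvl == "warn"]
    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Values from this lesson's examples plus a constructed over-broad ACL entry.
    print(preflight("sensorP", "10.0.1.4/24,10.0.1.2",
                    ["10.0.1.12/32", "10.0.2.0/24", "0.0.0.0/0"]))
```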

Performing Administrative Tasks
This topic describes the administrative tasks that you can perform by using the CLI.

Diagnosing Network Connectivity

sensorP# ping address [count]

• Diagnoses basic network connectivity

sensorP# ping 172.26.26.50 3

• Diagnoses network connectivity to host 172.26.26.50 by sending
three echo requests


You can use the ping command to diagnose basic network connectivity.

The syntax for the ping command is ping address [count].

ping Parameters

address
    IP address of the system to ping
count
    Number of echo requests to send. If no value is entered, four requests are
    sent. The valid range is 1 to 10,000.

Caution No command interrupt is available for this command. It must run to completion.

This is an example of a successful ping:

sensorP# ping 172.26.26.50 6
PING 172.26.26.50 (172.26.26.50): 56 data bytes
64 bytes from 172.26.26.50: icmp_seq=0 ttl=61 time=0.3 ms
64 bytes from 172.26.26.50: icmp_seq=1 ttl=61 time=0.1 ms
64 bytes from 172.26.26.50: icmp_seq=2 ttl=61 time=0.1 ms
64 bytes from 172.26.26.50: icmp_seq=3 ttl=61 time=0.2 ms

64 bytes from 172.26.26.50: icmp_seq=4 ttl=61 time=0.2 ms
64 bytes from 172.26.26.50: icmp_seq=5 ttl=61 time=0.2 ms
--- 172.26.26.50 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms

This is an example of an unsuccessful ping:

sensorP# ping 172.16.2.2 3
PING 172.16.2.2 (172.16.2.2): 56 data bytes
--- 172.16.2.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Tracing a Route
sensorP# trace address [number_of_hops]

• Displays the route that an IP packet takes to a destination

sensor1# trace 172.26.26.150
traceroute to 172.26.26.150 (172.26.26.150), 4 hops max, 40 byte packets
1 10.0.1.2 (10.0.1.2) 21.693 ms 11.061 ms 9.659 ms
2 172.16.1.1 (172.16.1.1) 13.303 ms 11.943 ms 15.468 ms
3 172.30.1.1 (172.30.1.1) 32.837 ms * 14.304 ms
sensor1#

• Displays the route that an IP packet takes to host 172.26.26.150


You can use the trace command to display the route that an IP packet takes to a destination.

The syntax for the trace command is trace address [number_of_hops].

trace Parameters

address
    Address of the system to which to trace the route
number_of_hops
    Number of hops to take. The default is four. Valid values range from 1 to 100.

Caution There is no command interrupt available for this command. It must run to completion.

Creating a Login Banner
sensorP(config)# banner login

• Creates a banner message to display on the terminal screen at login

sensorP(config)# banner login
Banner[]:Authorized access only^MThis system is the property of Cisco Systems^MDisconnect IMMEDIATELY if you are not an authorized user

Creates the following banner message:

“Authorized access only
This system is the property of Cisco Systems
Disconnect IMMEDIATELY if you are not an authorized user”


You can use the banner login command to create a login banner that is displayed before the
user and password login prompts. The maximum message length is 2500 characters. Use the no
banner login command to remove the banner.

Follow these steps to create a login banner:

Step 1 Log into the CLI using an account with administrator privileges.

Step 2 Enter global configuration mode:
sensorP# configure terminal

Step 3 Create the login banner:
sensorP(config)# banner login
Banner[]:

Step 4 Enter your message:
Banner[]: Authorized access only. This system is the property
of Cisco Systems. Disconnect IMMEDIATELY if you are not an
authorized user.

Note To insert a carriage return in the message, press Ctrl-V and then press Enter. The carriage
return is represented in the message by the characters ^M as you enter the message. The
characters ^M do not appear when the message is displayed at login.

Additional Administrative Commands
This topic describes useful commands for verifying version information, verifying the
configuration, backing up a configuration, and restoring a configuration.

Displaying the Current Version

sensorP# show version

• Displays version information for all installed operating system
packages and signature packages


Use the show version command to display version information for all installed operating
system packages and signature packages. The show version command also displays this
information, which can be useful for troubleshooting:
• Platform
• Serial number
• License information
• Memory usage
• IPS processes running on the system
• Upgrade history
• Recovery partition information

The recovery partition information is available for appliances only. The license information
follows the serial number and can be one of the following:
• No license present
• Expired license: <expiration-date>
• Valid license, expires: <expiration-date>
• Valid demo license, expires: <expiration-date>

Note The expiration date is in the form dd-mmm-yyyy, as in 04-jan-2007.

This is an example of the show version command output:
sensorP# show version
Application Partition:

Cisco Intrusion Prevention System, Version 6.0(0.222)E0.1

Host:
Realm Keys key1.0
Signature Definition:
Signature Update S243.0 2006-08-28
Virus Update V1.2 2005-11-04
OS Version 2.4.30-IDS-smp-bigphys
Platform: IDS-4215
Serial Number: 88807464958
No license present
Sensor up-time is 1:37.
Using 202260480 out of 460161024 bytes of available memory (43% usage)
system is using 17.3M out of 29.0M bytes of available disk space (59% usage)
application-data is using 33.5M out of 166.8M bytes of available disk space (21% usage)
boot is using 35.4M out of 68.6M bytes of available disk space (54% usage)
application-log is using 528.6M out of 2.8G bytes of available disk space (20% usage)

MainApp 2006_Oct_31_15.11 (Release) 2006-10-31T16:01:42-0600 Running
AnalysisEngine 2006_Oct_31_15.11 (Release) 2006-10-31T16:01:42-0600 Running
CLI 2006_Oct_31_15.11 (Release) 2006-10-31T16:01:42-0600

Upgrade History:

IDS-K9-6.0-0.222-E0.1 15:11:00 UTC Tue Oct 31 2006

Recovery Partition Version 1.1 - 6.0(0.222)E0.1

Backing Up and Restoring Configurations

sensor# copy [/erase] source-url destination-url

• Copies configuration files

sensor# copy current-config backup-config

• Creates a backup configuration

sensor# copy /erase backup-config current-config

• Overwrites the current configuration with the backup configuration


You can use the copy command to make a snapshot of a good configuration. This practice
allows you to copy the current configuration to a backup configuration and to restore the
current configuration from a backup.

The syntax for the copy command is as follows:

copy [/erase] source-url destination-url

copy iplog log-id destination-url

copy Parameters

/erase
    (Optional) Erases the destination file before copying. This keyword applies
    only to the current configuration; the backup configuration is always
    overwritten. If this keyword is specified for the destination
    current-config, the source configuration is applied to the system default
    configuration. If it is not specified for the destination current-config,
    the source configuration is merged with the current configuration.
source-url
    The location of the source file to be copied; can be a URL or keyword
destination-url
    The location of the destination file to be copied; can be a URL or keyword
log-id
    The log ID of the file to copy

You can use keywords to designate the file location on the sensor. The keywords listed in the
table are supported.

File Location Keywords

current-config
    The current running configuration. Unlike in Cisco IOS Release 12.0, this
    configuration becomes persistent as the commands are entered. The file
    format is CLI commands.
backup-config
    Storage location for the configuration backup. The file format is CLI
    commands.
iplog
    An IP log contained on the system

You can use the copy command to do the following:

• Transfer a configuration to or from another host system using FTP or Secure Copy Protocol
(SCP).
• Copy IP log files to another host system.

Note See the CLI reference document for the complete copy command specification.

Follow these steps to back up and restore the configuration of the sensor:

Step 1 Enter the command copy current-config backup-config in privileged EXEC mode
to save the current configuration in a backup file.

Step 2 Enter the command more backup-config to verify the backed up configuration file.

Step 3 Choose one of the following to restore a configuration:
• Enter the command copy backup-config current-config to merge the backup
configuration into the current configuration.
• Enter the command copy /erase backup-config current-config to overwrite the
current configuration with the backup configuration.

Displaying the Configuration
sensorP# more keyword | [begin | exclude | include filter]

• Displays the sensor configuration

sensor# more current-config | include access-list
access-list 10.0.1.12/32
access-list 10.0.2.0/24

• Displays only the “access-list” portions of the current configuration


You can use the more command to display the entire sensor configuration. You can also use
the more begin, more exclude, or more include commands to limit the output of the more
command.

The syntax for the more commands is more keyword | [begin | exclude | include filter].

more Parameters

keyword
    The possible values are as follows:
    • current-config: Displays the current running configuration
    • backup-config: Displays the saved backup system configuration
begin
    Causes the output to start with the first line that matches the filter
exclude
    Causes the output to exclude all lines that match the filter
include
    Causes the output to include only lines that match the filter
filter
    A regular expression

The example shows a partial output from the more current-config command when you use the
command with no options:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Wed Dec 13 11:46:29 2006
! ------------------------------
! Version 6.0(0.222)
! Host:
! Realm Keys key1.0

! Signature Definition:
! Signature Update S243.0 2006-08-28
! Virus Update V1.2 2005-11-04
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensorP
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service analysis-engine

exit

Note You can also use the show configuration command to display the configuration.

Displaying Settings
sensorP(config-hos)# show settings [terse] | [begin | exclude | include filter]

• Displays the contents of the configuration contained in the current mode

sensor(config-hos)# show settings terse | begin access-list

• Displays the contents of the configuration contained in the service host mode,
beginning with the regular expression “access-list”


Use the show settings command to display the contents of the configuration contained in the
current mode. This command is available in all of the service modes and is useful for
troubleshooting. For example, it facilitates the troubleshooting of blocking by enabling you to
view all settings for the Attack Response Controller (ARC).

The syntax for the show settings command is show settings [terse] | [begin | exclude | include
filter].

show settings Parameters

terse
    Reduces the amount of detail displayed
begin
    Causes the output to start with the first line that matches the filter
exclude
    Causes the output to exclude all lines that match the filter
include
    Causes the output to include only lines that match the filter
filter
    A regular expression

This is an example of the show settings command used with no options:


sensorP(config-hos)# show settings
network-settings
-----------------------------------------------
host-ip: 10.0.1.4/24,10.0.1.2 default: 10.1.9.201/24,10.1.9.1
host-name: sensorP default: sensor
telnet-option: disabled default: disabled
access-list (min: 0, max: 512, current: 1)

-----------------------------------------------
network-address: 10.0.2.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
time-zone-settings
-----------------------------------------------
offset: 0 minutes default: 0
standard-time-zone-name: UTC default: UTC
-----------------------------------------------
ntp-option
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
summertime-option
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
auto-upgrade-option
-----------------------------------------------
disabled
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
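As an added example that is not part of the course material, this Python script parses show settings output from service host mode into structured values, lists the settings that differ from the sensor defaults, and flags conditions a reviewer would want to know about (Telnet enabled, no login banner, NTP disabled, empty access list). The sample output is constructed from the format shown above, with telnet-option changed to enabled so that the audit has something to report.

```python
import re

# Sample "show settings" output from service host mode, constructed from the
# format shown in this lesson; telnet-option was deliberately set to enabled.
# The real CLI indents nested items, which this parser ignores.
SAMPLE_SETTINGS = """\
network-settings
-----------------------------------------------
host-ip: 10.0.1.4/24,10.0.1.2 default: 10.1.9.201/24,10.1.9.1
host-name: sensorP default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 10.0.2.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
time-zone-settings
-----------------------------------------------
offset: 0 minutes default: 0
standard-time-zone-name: UTC default: UTC
-----------------------------------------------
ntp-option
-----------------------------------------------
disabled
-----------------------------------------------
summertime-option
-----------------------------------------------
disabled
-----------------------------------------------
"""

EXPLICIT_RE = re.compile(r"^([\w-]+): (.*?) default: (.*)$")   # name: value default: x
DEFAULTED_RE = re.compile(r"^([\w-]+):(.*)<defaulted>$")        # name: value <defaulted>


def parse_settings(text):
    """Return (settings, acl).

    settings maps a setting name to {"value", "default", "is_default"}; option
    sub-modes such as ntp-option carry only their enabled/disabled state.
    acl is the list of network-address entries under access-list.
    """
    settings, acl, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                       # blank or separator line
        m = EXPLICIT_RE.match(line)
        if m:
            name, value, default = m.groups()
            # Units are printed with the value but not with the default
            # ("0 minutes" versus "0"), so compare the leading token as well.
            is_default = value == default or value.split(" ", 1)[0] == default
            settings[name] = {"value": value, "default": default, "is_default": is_default}
            continue
        m = DEFAULTED_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            settings[name] = {"value": value, "default": value, "is_default": True}
            continue
        if line.startswith("network-address:"):
            acl.append(line.split(":", 1)[1].strip())
        elif line.startswith("access-list ("):
            section = "access-list"
        elif line in ("enabled", "disabled") and section:
            settings[section] = {"value": line, "default": None, "is_default": None}
        elif ":" not in line:
            section = line                 # a sub-mode heading such as ntp-option
    return settings, acl


def non_default(settings):
    """Names of settings whose value differs from the sensor default."""
    return sorted(n for n, s in settings.items() if s["is_default"] is False)


def audit(settings, acl):
    """Findings a reviewer would want from this output, as plain strings."""
    findings = []
    if settings.get("telnet-option", {}).get("value") == "enabled":
        findings.append("telnet-option is enabled: Telnet carries credentials in clear text; use SSH")
    if settings.get("login-banner-text", {}).get("is_default"):
        findings.append("no login banner configured (see banner login)")
    if settings.get("ntp-option", {}).get("value") == "disabled":
        findings.append("NTP is disabled: event timestamps depend on the local clock")
    if not acl:
        findings.append("access-list is empty: verify which hosts may reach the sensor")
    return findings


if __name__ == "__main__":
    cfg, entries = parse_settings(SAMPLE_SETTINGS)
    print("non-default:", non_default(cfg))
    for finding in audit(cfg, entries):
        print("finding:", finding)
```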

Displaying Events
sensorP# show events [alert | error | hh:mm:ss | log | NAC | past | status]

• Displays the requested events

sensor# show events alert high 10:00 jan 1 2007

• Displays all high-severity alerts since 10:00 a.m., January 1, 2007


Events are the data generated by the sensor applications, such as the alerts produced by the
SensorApp or errors caused by an application. There are currently four types of events:
• evIdsAlert: Intrusion detection alerts
• evError: Application errors
• evStatus: Status changes such as a software upgrade being completed
• evShunRqst: Shun requests

All events are stored in the sensor Event Store. Events remain in the Event Store until they are
overwritten by newer events. It takes 30 MB of newer events to overwrite an existing event.
You can view events from the top-level prompt of the CLI using the show events command.
You can display new events, events from a specific time, and events of a specific severity.

The show events command displays the requested event types beginning at the requested start
time. If no start time is entered, the selected events are displayed beginning at the current time.
If no event types are entered, all events are displayed. Events are displayed as a live feed. You
can cancel the live feed by pressing Ctrl-C.

This command is helpful for troubleshooting event capture issues in which you are not seeing
events in the CiscoWorks Monitoring Center for Security, and you are trying to determine
which events are being generated on the sensor. A user with the administrator privilege can use
the clear events command to remove all events from the Event Store.

The syntax for the show events command is as follows:

show events [ { [alert [informational] [low] [medium] [high] [include-traits traits]
[min-threat-rating min-rr] [max-threat-rating max-rr] [exclude-traits traits] |
error [warning] [error] [fatal] | log | NAC | status } ] [hh:mm:ss month day [year] | past hh:mm:ss]

Note The traits option is useful only if you configure the alert traits attribute for signatures. An
alert trait is a user-defined number for custom categorization of signatures.

show events Parameters

alert [informational] [low] [medium] [high]
    Displays alerts. This command provides notification of some suspicious
    activity that may indicate that an intrusion attack is in progress or has
    been attempted. Alert events are generated by the Analysis Engine whenever
    a signature is triggered by network activity. If no level is selected
    (informational, low, medium, or high), all alert events are displayed.
include-traits
    Displays alerts that have the specified traits
exclude-traits
    Does not display alerts that have the specified traits
traits
    Trait bit position in decimal (0 to 15)
min-threat-rating min-rr
    Displays events with a threat rating above or equal to the min-rr value.
    The valid range is 0 to 100. The default is 100.
max-threat-rating max-rr
    Displays events with a threat rating below or equal to the max-rr value.
    The valid range is 0 to 100. The default is 100.
error [warning] [error] [fatal]
    Displays error events. Error events are generated by services when error
    conditions are encountered. If no level is selected (warning, error, or
    fatal), all error events are displayed.
log
    Displays log events. These events are generated whenever a transaction is
    received and responded to by an application. A log event contains
    information about the request, response, and success or failure of the
    transaction.
NAC
    Displays ARC requests (block requests). Network Access Controller (NAC) is
    the former name of ARC.
status
    Displays status events
hh:mm:ss
    Start time in hours (24-hour format), minutes, and seconds
month
    Start month (by name)
day
    Start day (by date) in the month
year
    Start year (no abbreviation)
past
    Displays events starting at the current time minus hh:mm:ss

The example shows the output from the show events command:
sensorP# show events 10:00:00 jan 5 2007
evIdsAlert: eventId=1104929403483006063 severity=informational vendor=Cisco

originator:
hostId: sensorP
appName: sensorApp
appInstanceId: 374
time: 2005/01/05 17:40:21 2005/01/05 17:40:21 UTC
signature: description=ICMP Echo Req id=2004 version=1.0
subsigId: 0
sigDetails: empty
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 10.0.2.11
target:
addr: locality=OUT 10.0.1.11
riskRatingValue: 23
interface: fe0_1
protocol: icmp

evStatus: eventId=1104929403483006065 vendor=Cisco


originator:
hostId: sensorP
appName: mainApp
appInstanceId: 274
time: 2005/01/05 18:11:49 2005/01/05 18:11:49 UTC
controlTransaction: command=getVersion successful=true
description: Control transaction response.
requestor:
user: cisco
application:
hostId: UNKNOWN
appName: -cidcli
appInstanceId: 381
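As an added example that is not part of the course material, this Python script parses show events output of the form shown above into one record per event and then applies the same selectors the command offers (event type, alert severity, and a start time given as hh:mm:ss month day year). The sample output is constructed from the two records above; the mapping of the NAC keyword to evShunRqst records is an assumption made here.

```python
import re
from datetime import datetime, timezone

# Output of "show events", constructed from the two records shown in this
# lesson. The real CLI indents nested fields; the parser ignores indentation.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1104929403483006063 severity=informational vendor=Cisco
originator:
hostId: sensorP
appName: sensorApp
time: 2005/01/05 17:40:21 2005/01/05 17:40:21 UTC
signature: description=ICMP Echo Req id=2004 version=1.0
subsigId: 0
participants:
attacker:
addr: locality=OUT 10.0.2.11
target:
addr: locality=OUT 10.0.1.11
riskRatingValue: 23
interface: fe0_1
protocol: icmp

evStatus: eventId=1104929403483006065 vendor=Cisco
originator:
hostId: sensorP
appName: mainApp
time: 2005/01/05 18:11:49 2005/01/05 18:11:49 UTC
controlTransaction: command=getVersion successful=true
requestor:
user: cisco
application:
hostId: UNKNOWN
appName: -cidcli
"""

KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # key=value pairs; values may contain spaces
TYPE_BY_KEYWORD = {"alert": "evIdsAlert", "error": "evError", "status": "evStatus",
                   "NAC": "evShunRqst"}         # NAC -> shun requests is an assumption here


def parse_events(text):
    """Turn show events output into a list of flat dicts, one per event."""
    events, side = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, _, rest = line.partition(":")
        head, rest = head.strip(), rest.strip()
        if head.startswith("ev") and rest.startswith("eventId="):
            ev = {"type": head}
            ev.update(KV_RE.findall(rest))
            events.append(ev)
            side = None
            continue
        if not events:
            continue                        # stray text before the first record
        ev = events[-1]
        if head in ("attacker", "target") and not rest:
            side = head                     # the next addr: line belongs to this side
        elif head == "addr" and side:
            ev[side] = rest.split()[-1]     # "locality=OUT 10.0.2.11" -> address
            ev[side + "_locality"] = rest.split()[0].split("=")[1]
        elif head == "time":
            stamp = " ".join(rest.split()[:2])
            ev["time"] = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif head == "signature":
            ev.update(("sig_" + k, v) for k, v in KV_RE.findall(rest))
        elif head == "riskRatingValue":
            ev["riskRating"] = int(rest)
        elif rest:
            ev.setdefault(head, rest)       # first occurrence wins (originator fields)
    return events


def start_time(hhmmss, month, day, year):
    """Build the start time the CLI expresses as 'hh:mm:ss month day year'."""
    return datetime.strptime("%d %s %d %s" % (year, month, day, hhmmss),
                             "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def select_events(events, kind=None, severities=None, since=None):
    """Apply the show events selectors: event type, alert severity, start time."""
    wanted = TYPE_BY_KEYWORD.get(kind) if kind else None
    out = []
    for ev in events:
        if wanted and ev["type"] != wanted:
            continue
        if severities and ev.get("severity") not in severities:
            continue
        if since and (ev.get("time") is None or ev["time"] < since):
            continue
        out.append(ev)
    return out


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    for ev in select_events(recs, kind="alert", since=start_time("10:00:00", "jan", 5, 2005)):
        print(ev["eventId"], ev["severity"], ev["attacker"], "->", ev["target"], ev["sig_description"])
```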

You can use the default command to reset the entire configuration for a service back to factory
defaults.

The syntax for the default command is as follows:

default service { analysis-engine | anomaly-detection | authentication | event-action-rules |
external-product-interface | host | interface | logger | network-access | notification |
signature-definition | ssh-known-hosts | trusted-certificates | web-server }

default service Parameters

analysis-engine
    Configures the global analysis engine parameters. This configuration lets
    you create virtual sensors and assign signature definitions, event action
    rules, and sensing interfaces to virtual sensors.
anomaly-detection
    Configures the anomaly detection settings
authentication
    Configures the order of methods that should be used to authenticate users
event-action-rules
    Configures the parameters for an event action rules configuration. This
    configuration replaces the 4.X alarm channel configuration.
external-product-interface
    Configures the external product interface, which currently supports only
    Cisco Security Agent
host
    Configures the system clock settings, upgrades, and IP access list
interface
    Configures the physical interfaces and inline interface pairs
logger
    Configures debug levels
network-access
    Configures parameters relating to the ARC
notification
    Configures the notification application
signature-definition
    Configures the parameters for a signature definition configuration
ssh-known-hosts
    Configures the known-hosts keys for the system
trusted-certificates
    Configures the list of X.509 certificates for trusted certificate
    authorities
web-server
    Configures parameters relating to the web server, such as the web server
    port

Command and Platform Dependencies

Command                      Invalid Platforms

display-serial               IDSM-2, AIP-SSM-10, AIP-SSM-20, IPS-4215, IPS-4240 DC, IPS-4255

clock set                    IDSM-2, AIP-SSM-10, AIP-SSM-20

show inventory               IDSM-2, AIP-SSM-10, AIP-SSM-20, IPS-4235, IPS-4250 XL

show interfaces management   IDSM-2, AIP-SSM-10, AIP-SSM-20, IPS-4215, IPS-4235, IPS-4250 XL

Use the command display-serial to view messages on a remote console, using the serial port,
during the boot process. The local console is not available as long as this option is enabled.
Unless you set this option when you are connected to the serial port, you do not get any
feedback until Linux has fully booted and enabled support for the serial connection.

Use the clock set command to set the clock of the IPS device. You cannot set the clock of a
Cisco Catalyst 6500 Series Intrusion Detection System Module 2 (IDSM-2), a Cisco ASA
Advanced Inspection and Prevention Security Services Module 10 (AIP-SSM-10), or an
AIP-SSM-20, because these modules acquire their clock settings from the Cisco Catalyst 6500
Series Switch or Cisco adaptive security appliance in which they are installed. Alternatively,
these modules can get their clock settings from an NTP server, but their clocks cannot be set
manually, independent of the parent device.

Use the show inventory command to display Cisco Product Evolution Program information.
This command displays the Unique Device Identifier (UDI) information that consists of
product identifier (PID), version identifier (VID), and serial number (SN) of the sensor.

To display statistics for the management interface, use the show interfaces management
command in privileged EXEC mode. This command works only with platforms that have an
external interface marked as “Management.” For all other platforms, use the show interfaces
command.

New Commands for Cisco IPS Sensor Software Version 6.0

Commands that are new to Cisco IPS Sensor Software Version 6.x:
• anomaly-detection load
• anomaly-detection save
• clear os-identification
• copy ad-knowledge-base
• copy instance
• erase ad-knowledge-base
• list component-configurations
• rename ad-knowledge-base
• show ad-knowledge-base
• show os-identification

All of these new commands relate to the features that were added to the Cisco IPS Sensor
Software Version 6.0—such as anomaly detection, operating system fingerprinting, and virtual
sensor configurations.

Summary
This topic summarizes the key points that were discussed in this lesson.

• Cisco IPS Sensor Software Version 6.0 includes a full CLI, which uses syntax similar to
that of the Cisco IOS Software.
• You can obtain management access to a sensor appliance by attaching a console cable, or
by using Telnet or SSH.
• You can use the ping and trace commands from the CLI to test network connectivity.
• The CLI provides all of the necessary functionality to configure and manage the sensor. It
provides commands to verify the configuration and system information, perform
maintenance on the sensor, and troubleshoot the sensor.

Lesson 2

Using the Cisco IDM

Overview
This lesson will instruct you on how to launch and navigate the Cisco Intrusion Prevention
System (IPS) Device Manager (IDM) and describe its management and monitoring capabilities.
This interface is the primary interface for administration in this course.

Objectives
Upon completing this lesson, you will be able to use the Cisco IDM to launch, navigate,
manage, and monitor a Cisco IPS device. This ability includes being able to meet these
objectives:
• Explain the features, benefits, and system requirements of the Cisco IDM
• Log into and navigate the Cisco IDM
• Configure SSH
• Reboot and shut down a Cisco IPS

Introducing the Cisco IDM
This topic describes the features, benefits, and system requirements of the Cisco IDM.

Cisco IDM

• Cisco IDM is a web-based application that enables you to configure, manage, and monitor
the sensor.
• The Cisco IDM web server resides on the sensor and can be accessed via your web browser.

Cisco IDM is a web-based Java application that enables you to configure and manage your
sensor. The web server for Cisco IDM resides on the sensor. You can access it through the
Internet Explorer, Netscape, or Mozilla web browsers.

Cisco IDM enables you to perform these actions remotely:

• Restart the sensor
• Power down the sensor
• Configure the sensor

Cisco IDM Features and Benefits

• Web-based embedded architecture
• Task-based GUI
• Configuration and monitoring
• Sensor system administration
• Signature grouping
• Signature customization
• Secure communication (TLS and SSL)

The Cisco IDM GUI was designed to simplify sensor configuration, management, and
monitoring tasks. For example, you can use Cisco IDM to easily sort and view all signatures
currently stored on the sensor. You can sort by attack type, protocol, service, operating system,
action to be performed, engine, signature ID, or signature name.

The Cisco IDM also has a Custom Signature Wizard to assist you in creating new signatures.
The wizard guides you through the parameters that you must select to configure a custom
signature, including selection of the appropriate signature engine.

To provide security, the web server for Cisco IDM uses an encryption protocol known as
Transport Layer Security (TLS), which is closely related to the Secure Sockets Layer (SSL)
protocol. Cisco IDM is enabled by default to use TLS. When you enter a URL into your web
browser that starts with https://<sensor_ip_address>, the web browser responds by using the
TLS protocol to negotiate an encrypted session with the sensor. Although you can disable the
use of TLS, it is highly recommended that you use TLS because it provides security for
communications between the sensor and external systems. A secure TLS session begins with a
client initiating a TCP connection to an HTTPS server on the target host. TCP provides a
reliable stream transport, while TLS provides cipher and secret key negotiation, session privacy
and integrity, server authentication, and optional client authentication.

TLS and SSL Communications

(Figure: Cisco IDM, the HTTPS client, communicates over HTTPS (TLS and SSL) with the HTTPS
server on the sensor.)

• TLS and SSL use a process called handshaking, which involves a number of coordinated
exchanges between a client and a server.
• A trusted host certificate is used by the server to verify the identity of a connecting
client.
• A server certificate is used by the server to prove its identity to the client.

The process of negotiating an encrypted session in TLS is called handshaking because it
involves a number of coordinated exchanges between client and server. After a client initiates
an HTTPS session, the server sends its server certificate to the client. The client performs a
three-part test on this certificate.
1. Is the issuer identified in the certificate trusted? Every web browser is shipped with a list of
trusted third-party certificate authorities (CAs). If the issuer identified in the certificate is in
the list of CAs trusted by your browser, the first test is passed.

2. Is the date on the certificate within the range of dates during which the certificate is
considered valid? Each certificate contains a validity field, which is a pair of dates. If the
date falls within this range, the second test is passed.

3. Does the common name of the subject identified in the certificate match the URL
hostname? The URL hostname is compared with the subject common name. If they match,
the third test is passed.

Note HTTPS is HTTP over SSL or TLS.

You can use the Cisco IDM to configure the sensor to use certificates for secure
communications as follows:

• Generate a server certificate on the sensor for the sensor. The sensor uses its server
certificate to prove its identity to a client. This is the certificate the sensor returns when you
direct your web browser to connect with Cisco IDM.
• Configure a list of trusted hosts. The sensor can use trusted host certificates to verify the
identity of a connecting client. Creating a list of trusted hosts configures the sensor to
accept the certificates of remote hosts. The trusted hosts list is useful in master blocking
sensor scenarios. Master blocking sensors are discussed in the “Configuring Blocking”
lesson in the “Advanced Cisco IPS Configuration” module.

SDEE and RDEP2 over HTTPS

(Figure: event XML flows from the sensor to Cisco IDM over SDEE on HTTPS; configuration
XML flows between Cisco IDM and the sensor over RDEP on HTTPS.)

In Cisco Intrusion Detection System (IDS) Sensor Software Version 4.x, management and
monitoring applications interface with the sensor, using the Remote Data Exchange Protocol
(RDEP) to send and receive IDS data via HTTPS. Both IDS events and control transactions are
considered IDS data. Control transactions can be diagnostic data from an application or session
logs, or configuration data sent to or from an application.

Cisco IPS Sensor Software Version 6.0 communicates events using the Security Device Event
Exchange (SDEE) protocol; however, it still uses RDEP version 2 (RDEP2) for communicating
configuration and IP log information.

SDEE is a standardized IPS communications protocol developed by Cisco for the IDS
Consortium at the International Computer Security Association (ICSA) Labs. Through SDEE,
Cisco IPS Sensor Software Version 6.0 delivers a flexible, standardized application
programming interface (API) to the IPS sensor, facilitating the integration of third-party
management and monitoring solutions with the Cisco IPS solution. This feature gives users a
choice of third-party solutions to monitor events generated by Cisco IPS sensors.

IPS data is represented in Extensible Markup Language (XML) format as XML documents.
The sensor stores user-configurable parameters in several XML files. RDEP2 can use either
HTTP or HTTPS to transmit XML documents between the sensor and external systems. The
industry standards HTTP and HTTPS provide a standardized interface for the exchange of
XML documents. RDEP2 does not specify the schemas for the XML documents exchanged in
RDEP2 messages. The Intrusion Detection Configuration (IDCONF) data format standard
defines the XML messages used for configuration.

The SDEE standard specifies both the format of events and the protocols for communicating
the events. SDEE supports multiple protocols for communicating events but currently specifies
an HTTP-based protocol that is very similar to RDEP.

SDEE is an enhancement of RDEP. It adds extensibility features that are needed for
communicating events generated by various types of security devices. The Cisco Intrusion
Detection Event Exchange specifies Cisco IPS extensions to SDEE. The extensions add
information to the event format. Therefore, some items in an alert are specified by SDEE, and
some are Cisco Intrusion Detection Event Exchange extensions.

Both SDEE and RDEP2 use a pull communication model for event messages. The pull
communication model allows the management console to pull alerts at its own pace. In Cisco
IPS Sensor Software Version 6.0, alerts remain on the sensor until the 30-MB limit is met.
When the limit is met, alarms are overwritten.

The figure illustrates the following:

• Events being pulled from the sensor to the Cisco IDM management console
• Configuration files being transmitted between the sensor and the Cisco IDM management
console

Note For more information on SDEE, go to
http://www.icsalabs.com/icsa/topic.php?tid=b2b4$52d6a7ef-1ea5803f$4c69-ff36f9b5.

Cisco IDM System Requirements

The supported operating systems for Cisco IDM and their corresponding supported browsers
are:
• Microsoft Windows 2000, Microsoft Windows XP
  – Microsoft Internet Explorer 6.0 with Java Plug-in 1.5
  – Netscape 7.1 with Java Plug-in 1.5
• Sun SPARC Solaris 2.8 or 2.9
  – Mozilla 1.7
• Red Hat Linux 9.0 or Red Hat Enterprise Linux WS, version 3 running GNOME or KDE
  – Mozilla 1.7

This table shows the system requirements for Cisco IDM.

Browser Table

Operating System: Microsoft Windows 2000 or Microsoft Windows XP
Browser: Microsoft Internet Explorer 6.0 with Java Plug-in 1.5; Netscape 7.1 with Java
Plug-in 1.5
System Requirements: Pentium III or equivalent running at 450 MHz or higher; 512-MB memory
(minimum); 1024 x 768 resolution and 256 colors (minimum)

Operating System: Sun Scalable Processor Architecture (SPARC) Solaris 2.8 or 2.9
Browser: Mozilla 1.7
System Requirements: 512-MB memory (minimum); 1024 x 768 resolution and 256 colors
(minimum)

Operating System: Red Hat Linux 9.0 or Red Hat Enterprise Linux WS, version 3 running
GNOME or K Desktop Environment (KDE)
Browser: Mozilla 1.7
System Requirements: 512-MB memory (minimum); 1024 x 768 resolution and 256 colors
(minimum)

Cisco IDM runs in Java Plug-in, which by default allocates 64 MB of memory to Cisco IDM.
To ensure adequate memory for Cisco IDM, change the memory settings of Java Plug-in to 256
MB before using Cisco IDM. For detailed instructions on changing the Java Plug-in memory
size, refer to
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618948.html#wp1048697.

Note The list of supported web browsers and operating systems does not imply that other
browsers and operating systems will not work. Check Cisco.com for the latest list of
supported operating systems and browsers.

Getting Started with the Cisco IDM
This topic explains how to log into and navigate the Cisco IDM.

Logging into the Cisco IDM


Complete these steps to log into the Cisco IDM:

Step 1 Open a web browser and enter the sensor IP address. The default address is
10.1.9.201; you change this address to reflect your network environment when you
initialize the sensor.
https://<sensor_ip_address>

When you direct your browser to Cisco IDM, the sensor presents you with its server certificate
to prove its identity. The browser's certificate check fails because the sensor issues its own
server certificate: the sensor acts as its own CA, and that CA is not in the list of CAs trusted
by your browser. When you receive the Security Alert message from your browser, you have
three options:
• Click No to disconnect from the site immediately.
• Click Yes to accept the certificate for the remainder of the web browsing session.
• Click View Certificate to view the certificate and add the issuer identified in the certificate
to the list of trusted CAs of the web browser, trusting the sensor server certificate until it
expires.

The most convenient option is to permanently trust the issuer. However, before you add the
issuer, use out-of-band (OOB) methods to examine the fingerprint of the certificate. This step
prevents you from being victimized by an attacker posing as a sensor. Confirm that the
fingerprint of the certificate appearing in your web browser is the same as the one on your
sensor. You can view the certificate fingerprint of the sensor by using the show tls fingerprint
command in the command-line interface (CLI) privileged EXEC mode. See Installing and
Using the Cisco Intrusion Prevention System Device Manager Version 6.0 at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html
for instructions on validating the certificate fingerprint for your web browser.

Step 2 Type your username and password at the prompt. The default username and
password are both “cisco.” You are prompted to change the password during sensor
initialization.
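The out-of-band fingerprint check described in the steps above, carried out from a script rather than a browser, as an added example that is not part of the course material or the sensor software. The script retrieves the sensor's self-signed certificate without trusting it, computes the MD5 and SHA-1 fingerprints in the same colon-separated hex form that show tls fingerprint prints on the console, refuses to continue unless the SHA-1 matches the value read from the sensor, and only then opens a TLS session whose trust store contains that one certificate. The host name sensor, port 443, and the EXPECTED_SHA1 placeholder are assumptions that you replace with your own sensor's values.

```python
"""Pin the self-signed Cisco IDM server certificate of a sensor by fingerprint.

Added example; not part of the Cisco course material or the sensor software.
The host name "sensor", port 443 and EXPECTED_SHA1 are placeholders that you
replace with your sensor's address and the SHA1 line printed by
`show tls fingerprint` on its console.
"""
import hashlib
import socket
import ssl

# Placeholder (assumption): paste the SHA1 line from `show tls fingerprint` here.
EXPECTED_SHA1 = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"


def fingerprint(der: bytes) -> dict:
    """MD5 and SHA-1 fingerprints of a DER certificate, in the colon-separated
    uppercase hex form used on the sensor console."""
    def colon_hex(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)

    return {"md5": colon_hex(hashlib.md5(der).digest()),
            "sha1": colon_hex(hashlib.sha1(der).digest())}


def normalize(fp: str) -> str:
    """Drop colons, spaces and case so a fingerprint copied from the console
    compares equal to one the browser or this script computed."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def verify_pinned(der: bytes, expected_sha1: str) -> bool:
    """True only when the certificate's SHA-1 equals the out-of-band value."""
    return normalize(fingerprint(der)["sha1"]) == normalize(expected_sha1)


def fetch_cert_pem(host: str, port: int = 443) -> str:
    """Retrieve the server certificate without validating it. This is the
    untrusted step; nothing is trusted until verify_pinned() passes."""
    return ssl.get_server_certificate((host, port))


def pinned_context(pem: str) -> ssl.SSLContext:
    """Client context that trusts exactly this certificate and nothing else:
    the system CA bundle is not loaded, so a CA-signed look-alike is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem)
    # The pin replaces the hostname check: the sensor certificate names the
    # sensor hostname, which need not match the IP address you connect to.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_pinned(host: str, expected_sha1: str, port: int = 443) -> str:
    """Fetch, compare, then connect; returns the negotiated TLS version."""
    pem = fetch_cert_pem(host, port)
    if not verify_pinned(ssl.PEM_cert_to_DER_cert(pem), expected_sha1):
        raise ssl.SSLError("fingerprint mismatch: possible impersonated sensor")
    with socket.create_connection((host, port)) as sock:
        with pinned_context(pem).wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Calling connect_pinned("sensor", EXPECTED_SHA1) reproduces the browser workflow without the "Yes" button: a fingerprint that does not match the console value aborts before any credentials are sent. The sensor's certificate is regenerated when its hostname changes, so the pinned value must be re-read from the console after that change, exactly as the browser prompts again.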

Trusting the Sensor


If you accept the certificate for the remainder of the web browsing session and log in, you are
presented with another security warning window, informing you that the sensor asserts that the
content is safe. Click Yes to continue, click No to abort the session, or click Always to always
trust the sensor. If you choose Always, this warning is not presented the next time that you log
into the Cisco IDM on this sensor.

Trusting Cisco


If you click Yes to continue, you are presented with another security warning window
informing you that Cisco asserts that the content is safe. Click Yes to continue, click No to
abort the session, or click Always to always trust Cisco. If you choose Always, this warning
does not appear the next time that you log into the Cisco IDM on this sensor.

If you change the hostname of the sensor, a new certificate is generated the next time that the
sensor is rebooted. The next time that your web browser connects to Cisco IDM, you will
receive the security warning dialog boxes and you will need to perform the certificate
fingerprint validation for Internet Explorer, Netscape, and Mozilla.

Cisco IDM User Interface

(Figure: the Cisco IDM window with the Back, Forward, Refresh, and Help buttons called out.)

The Cisco IDM user interface consists of File and Help menus, Configuration and Monitoring
buttons, whose menus open in the left-hand table of contents (TOC) pane, and the
Configuration panel on the right-hand side of the page. These four right-hand buttons appear
next to the Configuration and Monitoring buttons:
• Back: Takes you back to the page you previously viewed
• Forward: Returns you to the page that you were viewing when you clicked the Back
button
• Refresh: Loads the current configuration from the sensor
• Help: Opens online help in a new window

To configure the sensor, click Configuration and use the TOC in the left-hand pane to choose
the component that you want to configure. To monitor the sensor, click Monitoring and use the
TOC in the left-hand pane to choose the component that you want to monitor.

New configurations do not take effect until you click Apply on the panel you are configuring.
Click Reset to discard current changes and return settings to their previous state for that panel.

Online Cisco IDM Help


The Cisco IDM provides online documentation to assist in the configuration of the sensor. To
access online help, choose Help from the Cisco IDM toolbar. The Cisco IDM help content
displays in a new window.

Configuring Network Settings

(Figure: the Network panel with the Hostname, IP Address, Network Mask, Network Default
Route, Remote Access, and Web Server Settings fields and the Reset button called out.)

You must initialize the sensor by using the CLI setup command before you can use
Configuration > Sensor Setup in the Cisco IDM to further configure the sensor. After you
initialize the sensor, you will be able to communicate with the Cisco IDM, and the network and
communication parameter values will appear on the Network panel. If you must change these
parameters, you can do so from the Network panel, which you can access as follows: choose
Configuration > Sensor Setup > Network. The following fields and check boxes are available
on the Network panel.
• Hostname: This is the name of the sensor. The hostname can be a string of one to 64
characters that matches the pattern ^[A-Za-z0-9_/-]+$. The default is “sensor.” You receive
an error message if the name contains a space or exceeds 64 alphanumeric characters.
• IP Address: This is the IP address of the sensor. The default is 10.1.9.201.
• Network Mask: This is the mask corresponding to the IP address. The default is
255.255.255.0.
• Default Route: This is the default gateway address. The default is 10.1.9.1.
• Enable TLS/SSL: This enables TLS and SSL in the web server. The default is enabled.
• Web Server Port: This is the TCP port used by the web server. The default is 443 for
HTTPS. You receive an error message if you enter a value out of the range of 1 to 65535.
• Enable Telnet: This enables or disables Telnet for remote access. Telnet is not a secure
access service and, therefore, is disabled by default. However, Secure Shell (SSH) is
always running on the sensor and is a secure service.

If you want to undo your changes, click Reset. This action refreshes the panel by replacing any
edits that you made with the previous value. Click Apply to apply your changes and save the
revised configuration.

Note Changing the network settings can disrupt your connection to the sensor and force you to
reconnect.

How to Configure SSH
This topic explains SSH communications and how to configure them.

SSH Communications

• The client key (SSH authorized key) enables the client to connect without password
authentication.
• The server key (SSH host key) is used by the sensor to prove its identity to the client.

(Figure: an SSH client connecting over SSH to the SSH server that fronts the sensor CLI.)

SSH is one method that you can use to connect to the CLI in the sensor. SSH provides strong
authentication and secure communications over channels that are not secure. SSH provides
protection from the following:
• IP spoofing
• IP source routing
• Domain Name System (DNS) spoofing
• Interception of plaintext passwords and other data by intermediate hosts
• Listening to authentication data and spoofed server connections

Note SSH never sends passwords in plaintext.

Here are ways that you can configure the sensor to use SSH-secured communications:
• Define SSH authorized keys: SSH can authenticate users by using passwords or Rivest,
Shamir, and Adleman (RSA) public keys. You can use the Cisco IDM to define the public
keys that clients use to log into the sensor with RSA authentication. These are the public
keys of SSH clients permitted access to the sensor.

• Generate an SSH host key for the sensor: The sensor uses its SSH host key to prove its
identity to connecting SSH clients. When connecting to the sensor, the SSH client uses the
host key of the sensor to ensure that it is connecting to the sensor rather than to a device
impersonating the sensor to capture your password when you log in. The sensor generates
an SSH host key the first time that it starts up. You might want to generate a new key if
the existing private key may have been exposed. Note that regenerating the host key does
not restrict which clients can connect (use the authorized keys and the host IP access list
for that); it only causes every client that cached the old key to report a mismatch until its
known hosts table is updated.
• Define SSH known host keys: The sensor uses SSH known host keys when using SSH to
log into a blocking device. Blocking is discussed in the “Configuring Blocking” lesson in
the “Advanced Cisco IPS Configuration” module.

Sensor SSH Host Key

(Figure: the Sensor Key panel showing the sensor key and the Generate Key button.)

To display the SSH host key of the sensor, choose Configuration > Sensor Setup > SSH >
Sensor Key. The Sensor Key panel displays the sensor SSH host key. To generate a new sensor
SSH host key, complete these steps:
Step 1 Click Generate Key. A dialog box appears with this warning:
Generating a new SSH host key requires you to update the known
hosts tables on remote systems with the new key so that future
connections succeed. Do you want to continue?

Caution The new key replaces the existing key, which requires you to update the known hosts tables
on remote systems with the new host key so that future connections succeed. You can
update the known hosts tables on remote systems from the Known Host Keys panel.

Step 2 Click OK to continue. A new host key is generated, and the old host key is deleted.
You are prompted to reboot the sensor.

Step 3 Reboot the sensor.
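What the Caution above asks of the remote systems, and why the host key matters in the SSH communications discussion earlier in this topic, as an added example that is not part of the course material or the sensor software. The script encodes sample ssh-rsa public keys in the SSH wire format, computes their fingerprints, checks a presented host key against an OpenSSH-style known_hosts table, and distinguishes the three outcomes an administrator must tell apart: first contact (unknown), the normal case (match), and the case that both a regenerated sensor host key and an impersonating device produce (mismatch). It then shows the known-hosts update that follows once the new fingerprint has been verified out of band. The host names sensor and 10.1.9.201, the key material, and the known_hosts lines are constructed for the example.

```python
"""Check an SSH host key against a known_hosts table and update it after a
key change. Added example, not part of the Cisco course or sensor software.
The key material, host names and known_hosts lines are constructed here.
"""
import base64
import hashlib
import struct


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Encode an RSA public key in the SSH wire format (RFC 4253 string and
    mpint fields). Used only to construct sample keys for this example."""
    def string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    def mpint(x: int) -> bytes:  # minimal big-endian, leading 0x00 if high bit set
        return string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

    return string(b"ssh-rsa") + mpint(e) + mpint(n)


def parse_blob(blob: bytes):
    """Decode (key_type, e, n) from an ssh-rsa wire blob."""
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        fields.append(blob[off:off + length])
        off += length
    ktype, e, n = fields
    return ktype.decode(), int.from_bytes(e, "big"), int.from_bytes(n, "big")


def fingerprints(blob: bytes) -> dict:
    """MD5 colon form and OpenSSH SHA256 base64 form of a key blob; compare
    one of them with the value shown on the sensor before trusting the key."""
    md5 = hashlib.md5(blob).digest()
    sha = hashlib.sha256(blob).digest()
    return {"md5": ":".join(f"{b:02x}" for b in md5),
            "sha256": "SHA256:" + base64.b64encode(sha).decode().rstrip("=")}


def _entries(known_hosts: str):
    """Yield (hosts, key_type, key_b64) for each plain entry; hashed (|1|...)
    host names are out of scope for this example."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.lstrip().startswith("#"):
            yield parts[0].split(","), parts[1], parts[2]


def check_known_host(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """'match', 'mismatch' or 'unknown'. A mismatch is exactly what clients see
    after the sensor host key is regenerated, and also what a device
    impersonating the sensor produces; the two are told apart out of band."""
    seen = False
    for hosts, ktype, kb64 in _entries(known_hosts):
        if host in hosts and ktype == key_type:
            seen = True
            if kb64 == key_b64:
                return "match"
    return "mismatch" if seen else "unknown"


def update_known_host(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Replace the stored key for host once the new fingerprint has been verified
    out of band; aliases on the stale line (for example the IP address) are kept."""
    kept, aliases = [], host
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host in parts[0].split(",") and parts[1] == key_type:
            aliases = parts[0]  # drop the stale entry, remember its alias list
            continue
        kept.append(line)
    kept.append(f"{aliases} {key_type} {key_b64}")
    return "\n".join(kept) + "\n"


# Constructed sample data: the sensor's old and regenerated host keys (not real keys).
OLD_SENSOR_KEY = base64.b64encode(ssh_rsa_blob(65537, int("D1C3" * 16, 16))).decode()
NEW_SENSOR_KEY = base64.b64encode(ssh_rsa_blob(65537, int("A5A5" * 16, 16))).decode()
KNOWN_HOSTS = ("# constructed known_hosts table on an administrator workstation\n"
               f"sensor,10.1.9.201 ssh-rsa {OLD_SENSOR_KEY}\n")
```

After Generate Key and the reboot, check_known_host(KNOWN_HOSTS, "sensor", "ssh-rsa", NEW_SENSOR_KEY) returns "mismatch" on every workstation that still holds the old entry, which is the same result an impersonating device would produce; only after the new fingerprint is confirmed on the sensor itself is update_known_host used to replace the entry. The sensor's own known-hosts table for blocking devices follows the same logic in the other direction.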

How to Reboot and Shut Down the Sensor
This topic explains how to use the Cisco IDM to reboot and shut down the sensor.

Rebooting the Sensor

[Figure: Reboot Sensor panel with the Reboot Sensor button]

Complete these steps to reboot the sensor:

Step 1 Choose Configuration > Reboot. The Reboot Sensor panel is displayed.

Step 2 Click Reboot Sensor. The Reboot Sensor dialog box is displayed.

Step 3 Click OK to shut down and restart the sensor. The sensor applications shut down,
and the sensor reboots. After the reboot, you must log back in.

There is a 30-second delay during which users who are logged into the CLI are notified that the
sensor applications are going to shut down.

Shutting Down the Sensor

[Figure: Shut Down Sensor panel with the Shut Down Sensor button]

Shutting down the sensor shuts down the IPS applications and puts the sensor in a state in
which it is safe to power it off. Complete these steps to shut down the sensor:

Step 1 Choose Configuration > Shut Down Sensor. The Shut Down Sensor panel is
displayed.

Step 2 Click Shut Down Sensor. The Shut Down Sensor dialog box appears.

Step 3 Click OK. When you click OK, the sensor applications shut down, and any open
connections to the sensor are closed.

There is a 30-second delay during which users who are logged into the CLI are notified that the
sensor applications are going to shut down.

Summary
This topic summarizes the key points that were discussed in this lesson.

• The Cisco IDM is a web-based Java application that enables you to configure and
manage your sensor.
• You can access the web server for the Cisco IDM via Internet Explorer, Netscape, or
Mozilla web browsers.
• You can use the Cisco IDM to configure and manage both TLS certificates and SSH keys.
SSH can be used to securely connect to the sensor CLI.
• You can use the Cisco IDM to reboot the sensor.

Lesson 3

Configuring Basic Sensor Settings
Overview
This lesson will instruct you in completing the basic setup of a Cisco Intrusion Prevention
System (IPS) sensor using the Cisco IPS Device Manager (IDM). At the conclusion of this
lesson, a very basic configuration will be in place, and the sensor will be generating alarms.

Objectives
Upon completing this lesson, you will be able to use the Cisco IDM to configure basic sensor
settings. This ability includes being able to meet these objectives:
• Configure hosts that are authorized to administer the sensor
• Configure the time settings of a Cisco IPS sensor
• Configure certificates of a Cisco IPS sensor
• Configure user accounts
• Describe the different roles that a sensor interface can play
• Configure the interfaces of a Cisco IPS sensor in promiscuous and inline mode
• Describe and configure software and hardware bypass
• Explain how to view events from the Cisco IDM

How to Configure Allowed Hosts
This topic explains how to add, edit, and delete allowed hosts.

Configuring Allowed Hosts

[Figure: Configuration > Sensor Setup > Allowed Hosts panel with the Add button]

The setup command interactive dialog prompts you to permit hosts or networks to access the
sensor. If you do not permit hosts or networks, no hosts are able to communicate with your
sensor. In Cisco IPS Sensor Software Version 6.0, all inbound packets on the command and
control interface are denied except for the following:
• Packets originating from addresses on the access list
• Packets originating from a Network Time Protocol (NTP) server
• Packets on established connections

After using the setup command to initialize the sensor and permit a management host to access
it, you can use the Cisco IDM to permit additional hosts or networks to access the sensor. This
process creates an access list and is referred to as creating allowed hosts.

Complete these steps to specify hosts and networks that have permission to access your sensor:
Step 1 Click Configuration and choose Sensor Setup > Allowed Hosts. The Allowed
Hosts panel is displayed.

Step 2 Click Add to add a host or network to the list. The Add Allowed Host window
opens. You can add up to 512 allowed hosts.

[Figure: Configuring Allowed Hosts (Cont.): Add Allowed Host window]
Step 3 Enter the IP address of the host or network in the IP Address field. You receive an
error message if the IP address is already included as part of an existing list entry.

Step 4 If you are adding a host as an allowed host, choose 255.255.255.255 from the
Network Mask drop-down menu. If you are adding a network, choose the mask that
corresponds to the network IP address from the Network Mask drop-down menu.
You receive an error message if the network mask does not match the IP address.
Step 5 Click OK. The new host or network appears in the allowed hosts list on the Allowed
Hosts panel.
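The checks the Cisco IDM performs in Steps 3 and 4 (the mask must fit the address, and the entry must not already be covered by the list) together with the 512-entry limit, as an added Python example that is not part of the guide or of the Cisco IPS software. The existing list it validates against is constructed, and it relies only on the standard-library ipaddress module.

```python
import ipaddress
from typing import List, Optional, Tuple

# Cisco IPS 6.0 caps the allowed-hosts list at 512 entries (stated in the guide).
MAX_ALLOWED_HOSTS = 512

# Constructed sample of an existing allowed-hosts list (IP address, network mask),
# not taken from the guide: one management subnet and one single management host.
EXISTING_ALLOWED_HOSTS: List[Tuple[str, str]] = [
    ("10.1.1.0", "255.255.255.0"),
    ("192.168.50.7", "255.255.255.255"),
]


def validate_allowed_host(ip: str, mask: str,
                          existing: List[Tuple[str, str]] = EXISTING_ALLOWED_HOSTS) -> Optional[str]:
    """Return an error message mirroring the IDM checks in Steps 3 and 4, or None
    when the entry is acceptable.

    Checks, in order:
      1. the address must parse as an IPv4 address;
      2. the mask must fit the address: a host uses 255.255.255.255, a network
         must have no host bits set under its mask ("network mask does not match
         the IP address");
      3. the entry must not already be covered by an existing list entry.
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return f"invalid IP address: {ip!r}"

    try:
        # strict=True rejects host bits set under the mask, e.g. 10.1.2.5/255.255.255.0;
        # a non-contiguous mask such as 255.0.255.0 raises NetmaskValueError (a ValueError).
        net = ipaddress.IPv4Network((addr, mask), strict=True)
    except ValueError:
        return f"network mask {mask} does not match IP address {ip}"

    for e_ip, e_mask in existing:
        e_net = ipaddress.IPv4Network((e_ip, e_mask), strict=False)
        if net.subnet_of(e_net):
            return (f"{ip}/{mask} is already included in existing entry "
                    f"{e_net.with_netmask}")
    return None


def add_allowed_host(existing: List[Tuple[str, str]], ip: str, mask: str) -> Optional[str]:
    """Validate and append an entry; return the error message, or None on success."""
    if len(existing) >= MAX_ALLOWED_HOSTS:
        return f"allowed hosts list is full ({MAX_ALLOWED_HOSTS} entries)"
    error = validate_allowed_host(ip, mask, existing)
    if error is None:
        existing.append((ip, mask))
    return error


if __name__ == "__main__":
    hosts = list(EXISTING_ALLOWED_HOSTS)
    for candidate in [("10.1.2.0", "255.255.255.0"),      # new network: accepted
                      ("10.1.2.5", "255.255.255.0"),      # host bits set: rejected
                      ("10.1.1.99", "255.255.255.255"),   # inside 10.1.1.0/24: rejected
                      ("300.1.1.1", "255.255.255.255")]:  # not an address: rejected
        print(candidate, "->", add_allowed_host(hosts, *candidate) or "added")
```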

How to Set the Time
This topic explains how to set the time for sensor appliances.

Time Considerations

• The sensor must have a reliable time source so that events display correct time
stamps. Otherwise, you cannot correctly analyze the logs after an attack.
• For sensor appliances, you can set the time in two ways:
– Manually
– By using NTP (recommended)
• For the Cisco Catalyst 6500 Series IDSM-2, the time setting must be configured from a
parent device or NTP. Manually setting the time is not allowed.
• For AIP-SSM-10 and AIP-SSM-20, the time setting must be provided by the Cisco ASA
adaptive security appliance or NTP. Manually setting the time is not allowed.

The sensor requires a reliable time source. All events must have the correct Coordinated
Universal Time (UTC) and local time stamp. Otherwise, you cannot correctly analyze the logs
after an attack. For sensor appliances, there are two ways to set the time:
• Use the clock set command from the Cisco IDM command-line interface (CLI) to
manually set the time
• Use NTP

It is recommended that you configure your sensor to get its time from an NTP time
synchronization source. If you use NTP, you will need the NTP server IP address, the NTP key
ID, and the NTP key value. You can set up NTP on the appliance during initialization, or you
can configure NTP on the Time panel in the Cisco IDM.

Note The Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2 (IDSM-2)
and the Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security
Services Module 10 and 20 (Cisco ASA AIP-SSM-10 and Cisco ASA AIP-SSM-20) must
obtain their time from the switch or firewall in which they are installed, or from an NTP
server.

The sensor does not allow you to save a bad NTP configuration because the ntpdate utility of
the sensor tests the NTP authentication keys when you attempt to apply an NTP configuration.
If the ntpdate utility produces an error, MainApp reruns ntpdate with a debug option.
MainApp then parses the debug output and returns a meaningful error such as one of the
following:
• Authentication failed—invalid NTP key value or ID
• Cannot connect to NTP server or NTP server is not running
• Sensor command and control interface is not activated

After configuring NTP, you can use the show statistics host command to confirm your NTP
configuration and see if the sensor is synchronized with the NTP server. It can take a few
minutes for the sensor to synchronize with the NTP server. The example shows output of the
show statistics host command:
sensor# show statistics host
. . .
NTP Statistics
remote refid st t when poll reach delay offset jitter
11.22.33.44 CHU_AUDIO(1) 8 u 36 64 1 0.536 0.069 0.001
LOCAL(0) 73.78.73.84 5 l 35 64 1 0.000 0.000 0.001
ind assID status conf reach auth condition last_event cnt
1 10372 f014 yes yes ok reject reachable 1
2 10373 9014 yes yes none reject reachable 1
status = Not Synchronized

After a few minutes, the output should show the status synchronized as seen in the following
output:
sensor# show statistics host
...
NTP Statistics
remote refid st t when poll reach delay offset jitter
11.22.33.44 CHU_AUDIO(1) 8 u 22 64 377 0.518 7.975 33.465
LOCAL(0) 73.78.73.84 5 l 22 64 377 0.000 0.000 0.001
ind assID status conf reach auth condition last_event cnt
1 10372 f624 yes yes ok sys.peer reachable 2
2 10373 9024 yes yes none reject reachable 2
status = Synchronized

The show clock command displays the system clock. The system clock indicates whether the
time is authoritative or believed to be accurate. If the system clock has been set by NTP, the
time is believed to be accurate. In the following output, the asterisk indicates that the time is not
authoritative:
sensor# show clock
*12:19:22 CST Sat Dec 04 2004
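As an added example that is not part of the guide, a Python parser for the two show statistics host outputs above: it reports whether the sensor is synchronized, which association is the sys.peer, whether that peer authenticated with the NTP key, and its reach register, and it also reads the show clock asterisk. The sample strings are the guide's own outputs; the assumption that association row N describes peer row N is marked in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Column headers exactly as "show statistics host" prints them in the guide.
PEER_HEADER = ("remote", "refid", "st", "t", "when", "poll",
               "reach", "delay", "offset", "jitter")
ASSOC_HEADER = ("ind", "assID", "status", "conf", "reach", "auth",
                "condition", "last_event", "cnt")

# Sample outputs reproduced from the guide: before and after synchronization.
NOT_SYNCED_OUTPUT = """\
sensor# show statistics host
. . .
NTP Statistics
remote refid st t when poll reach delay offset jitter
11.22.33.44 CHU_AUDIO(1) 8 u 36 64 1 0.536 0.069 0.001
LOCAL(0) 73.78.73.84 5 l 35 64 1 0.000 0.000 0.001
ind assID status conf reach auth condition last_event cnt
1 10372 f014 yes yes ok reject reachable 1
2 10373 9014 yes yes none reject reachable 1
status = Not Synchronized
"""
SYNCED_OUTPUT = """\
sensor# show statistics host
...
NTP Statistics
remote refid st t when poll reach delay offset jitter
11.22.33.44 CHU_AUDIO(1) 8 u 22 64 377 0.518 7.975 33.465
LOCAL(0) 73.78.73.84 5 l 22 64 377 0.000 0.000 0.001
ind assID status conf reach auth condition last_event cnt
1 10372 f624 yes yes ok sys.peer reachable 2
2 10373 9024 yes yes none reject reachable 2
status = Synchronized
"""


@dataclass
class NtpHealth:
    synchronized: bool
    sys_peer: Optional[str] = None       # "remote" of the peer the clock follows
    sys_peer_auth: Optional[str] = None  # "ok" when the NTP key authenticated it
    sys_peer_reach: int = 0              # reach register, 0..255 (0o377 = last 8 polls answered)
    problems: List[str] = field(default_factory=list)


def parse_ntp_statistics(output: str):
    """Split the NTP Statistics section into peer rows, association rows and the status."""
    peers: List[Dict[str, str]] = []
    assocs: List[Dict[str, str]] = []
    status: Optional[str] = None
    section = None
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tuple(tokens) == PEER_HEADER:
            section = "peers"
        elif tuple(tokens) == ASSOC_HEADER:
            section = "assocs"
        elif tokens[0] == "status" and len(tokens) >= 3 and tokens[1] == "=":
            status, section = " ".join(tokens[2:]), None
        elif section == "peers" and len(tokens) == len(PEER_HEADER):
            peers.append(dict(zip(PEER_HEADER, tokens)))
        elif section == "assocs" and len(tokens) == len(ASSOC_HEADER):
            assocs.append(dict(zip(ASSOC_HEADER, tokens)))
    return peers, assocs, status


def ntp_health(output: str) -> NtpHealth:
    """Read the output the way an administrator would: status line, which association
    is sys.peer, whether that peer authenticated, and whether recent polls succeeded."""
    peers, assocs, status = parse_ntp_statistics(output)
    health = NtpHealth(synchronized=(status == "Synchronized"))
    if not health.synchronized:
        health.problems.append(f"status = {status}")
    for assoc in assocs:
        if assoc["condition"] != "sys.peer":
            continue
        # Assumption: association row N ("ind") describes peer row N of the table above it.
        idx = int(assoc["ind"]) - 1
        if 0 <= idx < len(peers):
            health.sys_peer = peers[idx]["remote"]
            health.sys_peer_reach = int(peers[idx]["reach"], 8)  # reach is printed in octal
        health.sys_peer_auth = assoc["auth"]
    if health.synchronized and health.sys_peer is None:
        health.problems.append("synchronized but no association is sys.peer")
    if health.sys_peer and health.sys_peer_auth != "ok":
        health.problems.append(f"sys.peer {health.sys_peer} not authenticated (auth={health.sys_peer_auth})")
    if health.sys_peer and health.sys_peer_reach != 0o377:
        health.problems.append(f"sys.peer {health.sys_peer} missed recent polls (reach={health.sys_peer_reach:o})")
    return health


def clock_is_authoritative(show_clock_output: str) -> bool:
    """A leading asterisk on the time line of "show clock" means the time is not authoritative."""
    for line in show_clock_output.splitlines():
        line = line.strip()
        if not line or line.endswith("show clock"):  # skip blank lines and the echoed command
            continue
        return not line.startswith("*")
    raise ValueError("no clock line found in output")
```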

Configuring Time Settings

[Figure: Time panel with the Time, Standard Time Zone, NTP Server, and Summertime sections, and the Apply, Reset, and Apply Time to Sensor buttons]

You can use the Time panel to configure the date, time, time zone, and summertime—or
daylight saving time (DST)—settings. You can also use the Time panel to specify whether the
sensor uses an NTP server for its time source. Complete these steps to configure time on the
sensor:

Step 1 Click Configuration and choose Sensor Setup > Time. The Time panel is
displayed.
Step 2 Under Time, use the Date drop-down menus to choose the current month, day, and
year. Date indicates the current date on the sensor. The default is January 1, 1970.
You receive an error message if the day value is out of range for the month.

Note The Date and Time fields are disabled if the sensor does not support these fields, or if you
have configured NTP settings on the sensor.

Step 3 Under Time, enter the current time in the Time fields in the format hh:mm:ss. Time
indicates the current time on the sensor. The default is 00:00:00. You receive an
error message if the hours, minutes, or seconds are out of range.

Caution If you accidentally specify the incorrect time, stored events will have the wrong time stamp.

Step 4 Under Standard Time Zone, complete these substeps:


1. Choose a time zone from the Zone Name drop-down menu or create one of your
own. This time zone displays when summertime hours are not in effect. The
default is UTC. You receive an error message if the name exceeds 2047
alphanumeric characters or contains <, &, ", or '.

2. In the UTC Offset field, enter the offset from UTC in minutes. The default is 0.
If you choose a predefined time zone name, this field is automatically populated.

Step 5 If you want to configure the sensor to use an NTP server as its time source, complete
these substeps by entering the required information under NTP Server:
1. Enter the IP address of the NTP server in the IP Address field.

2. Enter the key of the NTP server in the Key field.

3. Enter the key ID of the NTP server in the Key ID field. This is a value from 1 to
65535, used to authenticate with the NTP server. You receive an error message
if the key ID is out of range.

Note If you define an NTP server, an NTP server sets the time on the sensor. The CLI clock set
command will produce an error, but time zone and DST parameters are valid.

Step 6 If you want to configure summertime settings, check the Enable Summertime
check box and then click Configure Summertime. By default, the Enable
Summertime check box is not checked and the Configure Summertime button is
disabled.

Configuring Time Settings (Cont.)

[Figure: Configure Summertime window with the Summer Zone Name, Offset, Start Time, End Time, and Summertime Duration fields]

If you choose Enable Summertime and then click Configure Summertime in the Time panel,
the Configure Summertime window opens. To continue configuring summertime settings,
complete these steps:
Step 7 Choose a Summer Zone Name from the drop-down menu, or enter one that you have
created. This name displays when DST is in effect. You receive an error message if
the name exceeds 2047 alphanumeric characters or contains <, &, ", or '. The default
Summer Zone Name is UTC.

Step 8 In the Offset field, enter the number of minutes to add during summertime. The
default is 0. If you choose a predefined summer zone name, this field is
automatically populated.

Step 9 In the Start Time field, enter the time at which you want to begin applying
summertime settings. The value is hh:mm. You receive an error message if the hours
or minutes are out of range.

Step 10 In the End Time field, enter the time at which you want to stop using summertime
settings. The value is hh:mm. You receive an error message if the hours or minutes
are out of range.

Step 11 Complete these substeps by using the Summertime Duration radio buttons and
drop-down menus:
1. Choose one of these radio buttons:
• Recurring: Summertime settings occur on specified days each year.
• Date: Summertime settings start and end on specific dates.
2. Use the Start and End drop-down menus to choose the start and end days. If you
chose the Recurring radio button, the default is the first Sunday in April and the
last Sunday in October. If you chose the Date radio button, the default is January
1 for the start and end time.

Step 12 Click OK. The Time panel becomes active.

Note If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits you made with the previously configured value.

Step 13 Click Apply to save your settings. This action applies changes to all fields on the
Time panel except the date and time. If you changed the time and date settings, you
must also click Apply Time to Sensor to save the time and date settings on the
sensor.

If you set the time incorrectly when you first configure the options in the time page, your stored
events will have the incorrect time because they are stamped with the time that the event was
created. The Event Store time stamp is always based on UTC. If, during the original sensor
setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do
correct the error, the corrected time will be set backward. New events could have times older
than old events.

For example, if, during the initial setup, you configure the sensor as central time with
summertime enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 Central
Daylight Time (CDT) and has an offset from UTC of minus 5 hours (01:04:37 UTC) the next
day. A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You
then change the time to 9:00 a.m., and now the clock shows 09:01:33 CDT. Because the offset
from UTC has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates
the time-stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive
of the older events by using the clear events command from the CLI.
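The scenario above worked through as an added Python example that is not part of the guide: it converts the guide's local CDT clock readings into the UTC stamps the Event Store would record and flags the point at which a newer event is stamped earlier than an older one. The calendar dates are assumptions, since the guide gives only clock times.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Central Daylight Time as used in the guide's scenario: UTC minus 5 hours.
CDT = timezone(timedelta(hours=-5), "CDT")
UTC = timezone.utc


def event_store_stamp(local_time: datetime) -> datetime:
    """The Event Store always stamps events in UTC, whatever the local clock shows."""
    return local_time.astimezone(UTC)


def find_backward_jumps(events: List[Tuple[str, datetime]]) -> List[Tuple[int, timedelta]]:
    """Given events in the order they were created, return (index, gap) for every event
    whose UTC stamp is earlier than the stamp of the event created just before it."""
    jumps: List[Tuple[int, timedelta]] = []
    stamps = [event_store_stamp(local) for _, local in events]
    for i in range(1, len(stamps)):
        if stamps[i] < stamps[i - 1]:
            jumps.append((i, stamps[i - 1] - stamps[i]))
    return jumps


# Constructed timeline replaying the guide's numbers; the calendar dates are assumptions.
# The clock was set to 8:04 p.m. when the real local time was 8:04 a.m., and corrected a week later.
SCENARIO_EVENTS: List[Tuple[str, datetime]] = [
    ("initial setup, clock reads 20:04:37 CDT", datetime(2007, 6, 4, 20, 4, 37, tzinfo=CDT)),
    ("last event before the fix, clock reads 21:00:23 CDT", datetime(2007, 6, 11, 21, 0, 23, tzinfo=CDT)),
    ("first event after the fix, clock reads 09:01:33 CDT", datetime(2007, 6, 11, 9, 1, 33, tzinfo=CDT)),
]

if __name__ == "__main__":
    for label, local in SCENARIO_EVENTS:
        print(f"{label:52s} -> Event Store stamp {event_store_stamp(local):%Y-%m-%d %H:%M:%S} UTC")
    for index, gap in find_backward_jumps(SCENARIO_EVENTS):
        print(f"event {index} is stamped {gap} earlier than event {index - 1}: "
              "the older events must be cleared (clear events) before the store is trustworthy")
```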

How to Configure Certificates
This topic explains how to display and generate a server certificate and how to configure
trusted hosts.

Server Certificate

[Figure: Certificates > Server Certificate panel with the Generate Certificate button]

The sensor generates a server certificate when it first starts. The Server Certificate panel in
Cisco IDM displays the self-signed X.509 certificate. You can generate a new self-signed
X.509 server certificate from this panel. To display the server certificate of the sensor, click
Configuration and choose Sensor Setup > Certificates > Server Certificate. The server
certificate displays in the Server Certificate panel.

To generate a new certificate, complete these steps:

Step 1 Click the Generate Certificate button within the Server Certificate panel. A dialog
box containing this warning is displayed:
Generating a new server certificate requires you to verify the
new fingerprint the next time you connect or when you add the
sensor as a trusted host. Do you want to continue?

Caution Write down the new fingerprint. You will need it later to verify what displays in your web
browser when you connect, or when you are adding the sensor as a trusted host.

Step 2 Click OK to continue. A new server certificate is generated, and the old server
certificate is deleted.

Note The IP address of the sensor is included in its server certificate. If you change the IP
address of the sensor, you must generate a new server certificate.

Trusted Hosts

[Figure: Trusted Hosts panel with the Add button]

The Trusted Hosts panel lists all of the trusted host certificates. You can add entries to the list,
or delete them, but you cannot edit them.

Complete these steps to add trusted hosts:


Step 1 Click Configuration and choose Sensor Setup > Certificates > Trusted Hosts.
The Trusted Hosts panel is displayed.

Step 2 Click Add to add a trusted host to the list. The Add Trusted Host window opens.

Step 3 Enter the IP address of the trusted host you are adding in the IP Address field.

Step 4 (Optional) Use the Port field to specify the port number where the trusted host
certificate can be obtained.
Step 5 Click OK. The Cisco IDM retrieves the certificate from the host whose IP address
you entered. The new trusted host appears in the trusted hosts list within the Trusted
Hosts panel.
Verify that the fingerprint is correct by comparing the displayed values with values you obtain
via a secure connection to the trusted host. If you find any discrepancies in the values, delete
the trusted host immediately.

How to Configure User Accounts
This topic explains user accounts and how to configure them.

User Accounts

• Users access a sensor by logging into a user account.
• Multiple user accounts can be created on a sensor.
• Each user account is associated with a role that determines the privileges of the user.
• The following roles can be assigned to an account:
– Administrator
– Operator
– Viewer
– Service

You must log into a user account to access a sensor. You can create and remove users from the
sensor. Each user is associated with a role that controls what that user can and cannot modify
on the sensor. You can assign these roles to an account:
• Administrator: This user role has the highest level of privileges. Users with the
administrator role have unrestricted view access and can perform these functions:
— Adding and deleting users and modifying passwords
— Assigning physical monitoring interfaces to a virtual sensor
— Generating new SSH host keys and server certificates
— Tuning signatures
— Managing blocking devices
— Modifying sensor address configuration
— Enabling and disabling physical interfaces
— Modifying the list of hosts allowed to connect to the sensor
• Operator: This user role has the second highest level of privileges. Users with the operator
role can view all configuration and events and perform these functions:
— Tuning signatures
— Managing blocking devices
— Changing their own user passwords

• Viewer: This user role has the lowest level of privileges. Users with the viewer role can
view configuration and events; however, they cannot modify any configuration data except
their own passwords.
• Service: This is a special role that allows the user to log into a native operating system
shell.

Note The Cisco IDM permits only one user to log in at a time.

The Service Account

• The service account is a special account that enables root access.
• The Cisco IPS sensor allows only one service account.
• It is not created by default.
• It should be created for troubleshooting.

Caution! Do not make modifications to the sensor through the service account except
under the direction of the TAC.

The service role is a special one that allows the Cisco Technical Assistance Center (TAC) to
log into a native operating system shell for troubleshooting purposes. The service role is
intended to support troubleshooting only and is not intended to support configuration.

The sensor allows only one user account to have the service role. By default, the service
account does not exist on a sensor; you must create it, and you should create it for the TAC to
use during troubleshooting. Only a user with administrator privileges can create and edit the
service account.

The user with the service role cannot log into the Cisco IDM and does not have direct access to
the CLI. At the CLI login prompt, the user with the service role is logged directly into a bash
shell. Root access to the sensor is possible only if you log into the service account and use the
su command to access the root account. When the password of the service account is set or
reset, the password of the root account is automatically set to the same password. This enables
the service account user to use the su command to access the root using the same password.
When the service account is removed, the password of the root account is locked.

Do not make modifications to the sensor through the service account except under the direction
of the TAC. Modifications to the sensor via the service account are considered unauthorized
modifications, are not supported, and require the sensor to be reimaged to guarantee proper
operation.

Creating User Accounts

[Figure: Users panel with the Add button]

Complete these steps to create a user account:

Step 1 Click Configuration and choose Sensor Setup > Users. The Users panel is
displayed.
Step 2 Click Add. The Add User window opens.

Step 3 Enter a username in the Username field. A valid username is a string of one to 64
characters long. It must begin with an alphanumeric character. The remainder of the
string can be any character except a space.

Step 4 Choose one of these options from the User Role drop-down menu:
• Administrator
• Operator
• Viewer
• Service

Step 5 Enter the password for the user in the Password field. A valid password is 6 to 32
characters long. All characters except a space and a question mark (?) are allowed.

Step 6 Enter the password again in the Confirm Password field.

Step 7 Click OK. The Users panel becomes active.

Creating User Accounts (Cont.)

[Figure: Users panel showing the Role and Status columns and the Edit, Delete, Apply, and Reset buttons]

When you click OK in the Add User window, the new user account is displayed in the Users
panel. The Role column displays the role of the user, and the Status column displays the
account status, such as active, expired, or locked.
Step 8 Click Apply to apply your changes and save the revised configuration.

To delete an existing account from the user list, choose the account and click Delete. To edit an
existing user account, choose the account from the users list and click Edit. The Edit User
dialog box appears, enabling you to change the user role and password. To change the
password, you must first choose Change the Password to access the sensor, which is available
only in the Edit User window.

Note If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits that you made with the previously configured value.

Defining Interface Roles
This topic describes the different roles in which a sensor interface can function.

Sensor Interface Overview

• There is only one command and control interface per Cisco IPS sensor.
• Interfaces are named according to their maximum speed and location.
• You can configure up to nine monitoring interfaces, depending on the type of sensor.
• Multiple monitoring interfaces allow the following:
– Simultaneous protection of multiple network subnets
– Inline sensing mode
• Interfaces can function in one of three roles:
– Command and control
– Monitoring
– Alternate TCP reset

Each sensor has only one command and control interface, but you can configure up to nine
monitoring interfaces, depending on the type of sensor that you have. Multiple interfaces enable
simultaneous protection of multiple network subnets.

By default, all monitoring interfaces are disabled. You must enable the monitoring interfaces
for the sensor to monitor your networks. You do not need to enable all interfaces. Enable only
those interfaces that you want to use. In addition to enabling the interfaces, you must assign
them to the default virtual sensor.

Command and Control Interface

ƒ The command and control interface has an IP address.
ƒ This interface is permanently enabled and used for configuring the sensor.
ƒ The command and control interface is permanently mapped to a physical interface, which
differs depending on the sensor model.
ƒ The command and control interface cannot be used as a monitoring or alternate TCP reset
interface.

Command and Control Interface


The command and control interface has an IP address, and you use it to configure the sensor.
This interface receives security and status events from the sensor and queries the sensor for
statistics.

The command and control interface is permanently enabled, and is permanently mapped to a
specific physical interface. To which interface it permanently maps depends on the specific
model of the Cisco IPS sensor. You cannot use the command and control interface as a
monitoring interface or an alternate TCP reset interface.

This table shows which physical interface a command and control interface is mapped to, based
on the Cisco IPS sensor model.

Command and Control Interface Mapped to Physical Interface

Cisco Sensor                        Command and Control Interface
Cisco IDS 4215 Sensor               FastEthernet0/0
Cisco IDS 4235 Sensor               GigabitEthernet0/1
Cisco IDS 4250 XL Sensor            GigabitEthernet0/1
Cisco IPS 4240 Sensor               Management0/0
Cisco IPS 4255 Sensor               Management0/0
Cisco IPS 4260 Sensor               Management0/0
Cisco ASA AIP-SSM-10                GigabitEthernet0/0
Cisco ASA AIP-SSM-20                GigabitEthernet0/0
Cisco Catalyst 6500 Series IDSM-2   GigabitEthernet0/2
Monitoring Interfaces

ƒ Monitoring interfaces are used by the sensor to analyze traffic for security violations.
ƒ Monitoring interfaces can operate in one of four modes:
– Promiscuous mode
– Inline interface mode
– Inline VLAN pair mode
– VLAN group mode

Monitoring Interfaces
The sensor uses monitoring interfaces to analyze traffic for security violations. A sensor has
one or more monitoring interfaces depending on the sensor. Monitoring interfaces can operate
individually in promiscuous mode, or you can pair them to create inline interfaces for inline
monitoring mode.

Note On appliances, all monitoring interfaces are disabled by default. You must enable them to
use them. On modules, the monitoring interfaces are permanently enabled.

Some appliances support optional Peripheral Component Interconnect (PCI) interface cards that
add monitoring interfaces to the sensor. You must insert or remove these optional cards while
the sensor is powered off. The sensor detects the addition or removal of a supported interface
card.

If you remove an optional PCI card, some of the interface configuration, such as speed, duplex,
description string, enabled or disabled state of the interface, and any inline interface pairings, is
deleted. These settings are restored to their default settings when the card is reinstalled.
However, the assignment of promiscuous and inline interfaces to the Analysis Engine is not
deleted from the Analysis Engine configuration. Instead, this configuration is ignored until
those cards are reinserted and you re-create the inline interface pairs.

Promiscuous Mode

[Figure: Promiscuous Mode. Copies of the packets are delivered to the monitoring interfaces of a
Cisco IPS 4215 Sensor; the original packets never pass through the sensor. The command and
control interface is separate from the monitoring interfaces.]

You can allow the monitoring interfaces to operate in promiscuous mode, as shown in the
figure, or you can pair the monitoring interfaces into logical interfaces called “inline pairs” for
inline sensor operation. When operating in promiscuous mode, monitoring interfaces do not
have IP addresses assigned to them and are therefore invisible to attackers. This behavior
enables the sensor to monitor the data stream without letting attackers know that they are being
watched.

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of
the monitored traffic rather than the actual forwarded packet. The advantage of operating in
promiscuous mode is that the sensor does not affect the packet flow. There are no performance
or reliability issues with the forwarded traffic. The disadvantage of operating in promiscuous
mode, however, is that the sensor cannot stop malicious traffic from reaching its intended
target. The response actions implemented by promiscuous sensors are post-event responses and
sometimes require assistance from other networking devices, such as routers and firewalls, to
respond to an attack. A sensor operating in promiscuous mode cannot prevent attacks but can
react to them.

If your sensor has three or more monitoring interfaces, you can also combine inline and
promiscuous mode. With four or more interfaces, you can have two separate inline feeds. The
combinations are flexible. The only rule is that inline mode requires a pair of interfaces.

If the same traffic enters the sensor on multiple interfaces, you may have trouble. The sensor
may generate duplicate alerts for non-TCP traffic. For TCP traffic, you can receive many 13xx
alerts or TCP stream collisions resulting in no alert.

Inline Interface Mode

[Figure: Inline Interface Mode. Packets enter one monitoring interface of a Cisco 4200 Series
Sensor and leave through the paired monitoring interface, so all traffic passes through the
sensor. The command and control interface is separate from the inline pair.]

Operating a sensor in inline mode puts the sensor directly into the traffic flow and enables it to
prevent attacks by dropping malicious traffic before it reaches the intended target. With the
sensor operating in inline mode, as shown in the figure, all packets entering or leaving the
network must pass through the sensor.

You can install the sensor inline between two network devices, as shown in the figure. The
network devices could include routers, switches, or firewalls. If you install the sensor between
two switches, you might want to check to see if spanning tree is running and which, if any,
ports it is blocking. When you install the sensor between two switches that are connected by a
crossover cable, the switch ports that connect the two switches remain in a forwarding state
until the sensor starts up inline. When the sensor goes inline, spanning tree blocks the direct
cable crossover and sends packets through the sensor.

For a sensor to operate in inline mode, you must configure two monitoring interfaces as a pair.
The inline port pair operates in a transparent Layer 2 repeater mode in which packets entering
one interface of the port pair are transmitted out the other interface of the port pair, unless a
defined signature action results in a packet being dropped. The inline interfaces are transparent
and do not have IP addresses.

Note The Cisco ASA AIP-SSM does not need an inline pair for monitoring. You need only to add
the physical interface to the virtual sensor.

An inline sensor not only processes information on Layer 3 and Layer 4 but also analyzes the
contents and payload of the packets for more sophisticated, embedded Layer 3 to Layer 7
attacks. This deeper analysis enables the system to identify and prevent attacks that would
normally pass through a traditional firewall device.
The following are the only restrictions on interfaces in an inline pair:
„ The command and control interface cannot be part of an inline pair.
„ An interface cannot be paired with itself.
„ An interface can belong to only one pair.

This table shows the interfaces listed by Cisco IPS sensor model that can be part of an inline
pair.

Inline Interface Support

Cisco Sensor            Added PCI Card   Interfaces Supporting Inline               Interfaces Not Supporting Inline
Cisco IPS 4215 Sensor   None             -                                          All
Cisco IPS 4215 Sensor   4FE              FastEthernet0/1, FastEthernet1/0,          FastEthernet0/0
                                         FastEthernet1/1, FastEthernet1/2,
                                         FastEthernet1/3
Cisco IPS 4240 Sensor   -                GigabitEthernet0/0, GigabitEthernet0/1,    Management0/0
                                         GigabitEthernet0/2, GigabitEthernet0/3
Cisco IPS 4255 Sensor   -                GigabitEthernet0/0, GigabitEthernet0/1,    Management0/0
                                         GigabitEthernet0/2, GigabitEthernet0/3
Cisco IPS 4260 Sensor   None             -                                          All
Cisco IPS 4260 Sensor   TX (GE)          GigabitEthernet1/0, GigabitEthernet1/1,    GigabitEthernet0/0,
                                         GigabitEthernet1/2, GigabitEthernet1/3     GigabitEthernet0/1
Cisco IPS 4260 Sensor   TX + TX          GigabitEthernet1/0, GigabitEthernet1/1,    GigabitEthernet0/0,
                                         GigabitEthernet1/2, GigabitEthernet1/3,    GigabitEthernet0/1
                                         GigabitEthernet2/0, GigabitEthernet2/1,
                                         GigabitEthernet2/2, GigabitEthernet2/3
Cisco IPS 4260 Sensor   SX               GigabitEthernet1/0, GigabitEthernet1/1     GigabitEthernet0/0,
                                                                                    GigabitEthernet0/1
Cisco IPS 4260 Sensor   SX + SX          GigabitEthernet1/0, GigabitEthernet1/1,    GigabitEthernet0/0,
                                         GigabitEthernet2/0, GigabitEthernet2/1     GigabitEthernet0/1
Inline VLAN Pair Mode

ƒ Known as “inline-on-a-stick”
ƒ Supported on all Cisco sensor products except the AIP-SSM-10 and AIP-SSM-20
ƒ Functions as an 802.1Q trunk, bridging traffic between VLANs
ƒ Supports up to 255 VLAN pairs per interface

[Figure: an IPS appliance interface Gig 0/2 carries an 802.1Q trunk with VLAN 10 (host
10.0.10.12) and VLAN 11 (host 10.0.10.112); the sensor bridges traffic between the two VLANs.]

You can associate VLANs in pairs on a physical interface. This configuration is known as
“inline-on-a-stick.” Packets received on one of the paired VLANs are analyzed and then
forwarded to the other VLAN in the pair. Inline VLAN pairs are supported on all sensors that
are compatible with Cisco IPS Sensor Software Version 6.0 except AIP-SSM-10 and AIP-
SSM-20.

Inline VLAN pair mode is an active monitoring mode where a monitoring interface acts as an
IEEE 802.1Q trunk port, and the sensor performs VLAN bridging between pairs of VLANs on
the trunk. The sensor inspects the traffic that it receives on each VLAN in each pair, and can
either forward the packets on the other VLAN in the pair, or drop the packet if an intrusion
attempt is detected.

You can configure a Cisco IPS sensor to simultaneously bridge up to 255 VLAN pairs on each
monitoring interface. The sensor replaces the VLAN ID field in the 802.1Q header of each
received packet with the ID of the egress VLAN to which the sensor forwards the packet. The
sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs.

Note Inline VLAN pairs are supported on Cisco IPS Sensor Software Version 5.1 or higher.

VLAN Group Mode

ƒ You can divide each physical interface into VLAN group subinterfaces.
ƒ A VLAN group consists of a group of VLANs on interfaces.
ƒ Each VLAN group subinterface is identified using a number between 1 and 255.
ƒ VLANs can only belong to one subinterface.
ƒ An unassigned VLAN group is maintained that contains all VLANs not specifically assigned
to another VLAN group.
ƒ Interfaces that are part of inline VLAN pairs cannot be used for VLAN groups.

You can divide each physical interface or inline interface into VLAN group subinterfaces,
where each subinterface consists of a group of VLANs on that interface. The Analysis Engine
supports multiple virtual sensors, each of which can monitor one or more of these
subinterfaces. This feature lets you apply multiple policies to the same sensor. The advantage
of this feature is that it allows you to use a sensor with only a few interfaces as if it had many
interfaces.

Note You cannot divide physical interfaces that are in inline VLAN pairs (on-a-stick mode) into
VLAN groups.

VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No
VLAN can be a member of more than one VLAN group subinterface. Each VLAN group
subinterface is identified by a number between 1 and 255.

Subinterface 0 is a reserved subinterface number used to represent the entire nonvirtualized
physical or logical interface. You cannot create, delete, or modify subinterface 0, and no
statistics are reported for it. An unassigned VLAN group is maintained that contains all VLANs
that are not specifically assigned to another VLAN group. You cannot directly specify the
VLANs that are in the unassigned group. When a VLAN is added to or deleted from another
VLAN group subinterface, the unassigned group is updated.

Packets in the native VLAN of an 802.1Q trunk do not normally have 802.1Q encapsulation
headers to identify the VLAN number to which the packets belong. A default VLAN variable is
associated with each physical interface, and you should set this variable to the VLAN number
of the native VLAN or to 0. The value 0 indicates that the native VLAN is either unknown or
that you do not care if it is specified. If the default VLAN setting is 0, the following occurs:
„ Any alerts triggered by packets without 802.1Q encapsulation have a VLAN value of 0
reported in the alert.

„ Non-802.1Q-encapsulated traffic is associated with the unassigned VLAN group, and it is
not possible to assign the native VLAN to any other VLAN group.

Note You can configure a port on a switch as either an access port or a trunk port. On an access
port, all traffic is in a single VLAN called the access VLAN. On a trunk port, multiple VLANs
can be carried over the port, and each packet has a special header attached called the
802.1Q header that contains the VLAN ID (VID). This header is commonly referred to as the
VLAN tag. However, an 802.1Q trunk port has a special VLAN called the native VLAN.
Packets in the native VLAN do not have the 802.1Q headers attached. The Cisco Catalyst
6500 Series IDSM-2 can read the 802.1Q headers for all nonnative traffic to determine the
VID for that packet. However, the Cisco Catalyst 6500 Series IDSM-2 does not know which
VLAN is configured as the native VLAN for the port, so it does not know in which VLAN the
native packets are. Therefore, you must tell the Cisco Catalyst 6500 Series IDSM-2 which
VLAN is the native VLAN for that port. Then the Cisco Catalyst 6500 Series IDSM-2 treats
any untagged packets as if they were tagged with the native VID.

VLAN Group Mode (Cont.)

[Figure: an inline interface pair between two switches carries VLANs 10, 11, 12 and 20, 21, 22.
The VLANs are split into vlan-group x (VLANs 10, 11, 12, subinterface x), assigned to virtual
sensor VS1, and vlan-group y (VLANs 20, 21, 22, subinterface y), assigned to virtual sensor VS2.]

Because a VLAN group of an inline pair does not translate the VID, as is the case with the
inline-on-a-stick, an inline paired interface must exist between two switches to use VLAN
groups on a logical interface.

In the example, the two ports on the Cisco IPS sensor are configured as trunk ports so they can
carry multiple VLANs. In this configuration, the sensor bridges multiple VLANs between the
two switches. Because multiple VLANs are carried over the inline interface pair, the VLANs
can be divided into groups (VLAN groups), and each group can be assigned to a virtual sensor.
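The following Python model, added here as an example and not code from the Cisco course or the IPS software, works through the two 802.1Q behaviours described above: inline VLAN pair mode (the VID is rewritten to the egress VLAN of the pair, frames on unpaired VLANs are dropped, at most 255 pairs per interface) and VLAN group mode (VLAN-to-subinterface lookup with the unassigned group, subinterface numbers 1 to 255, and the default VLAN rule for untagged native-VLAN frames). The frames, VLAN numbers, and the allow/deny callback that stands in for signature inspection are all constructed for the example.

```python
"""Model of 802.1Q handling in inline VLAN pair mode and VLAN group mode.
Added example with constructed frames and tables; not the sensor's own code."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
MAX_VLAN_PAIRS = 255      # inline VLAN pairs allowed per monitoring interface
MAX_SUBINTERFACE = 255    # VLAN group subinterfaces are numbered 1..255; 0 is reserved


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tci: Optional[int]    # 802.1Q tag control information; None when untagged
    rest: bytes           # inner EtherType plus payload, left untouched

    @property
    def vlan(self) -> Optional[int]:
        return None if self.tci is None else self.tci & 0x0FFF


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame into addresses, optional 802.1Q tag and the rest."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        return Frame(dst, src, tci, raw[16:])
    return Frame(dst, src, None, raw[12:])


def build_frame(frame: Frame, vlan: Optional[int] = None) -> bytes:
    """Serialize a frame; if vlan is given, rewrite only the 12-bit VID and keep
    the priority and DEI bits of the original tag."""
    if frame.tci is None:
        return frame.dst + frame.src + frame.rest
    tci = frame.tci if vlan is None else (frame.tci & 0xF000) | (vlan & 0x0FFF)
    return frame.dst + frame.src + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame.rest


def make_vlan_pairs(pairs: Iterable[Tuple[int, int]]) -> Dict[int, int]:
    """Bidirectional VLAN-pair table for one interface: a VLAN may sit in only
    one pair, cannot be paired with itself, and at most 255 pairs are allowed."""
    table: Dict[int, int] = {}
    for a, b in pairs:
        if a == b or a in table or b in table:
            raise ValueError(f"VLAN pair {a}/{b} reuses a VLAN or pairs a VLAN with itself")
        table[a], table[b] = b, a
    if len(table) // 2 > MAX_VLAN_PAIRS:
        raise ValueError("more than 255 inline VLAN pairs on one interface")
    return table


def inline_vlan_pair_forward(raw: bytes, pairs: Dict[int, int],
                             allow: Callable[[bytes], bool]) -> Optional[bytes]:
    """Inline-on-a-stick: return the frame to send back out the trunk with the
    egress VID of its pair, or None when the sensor drops it (untagged frame,
    VLAN not in any pair, or a signature action that drops the packet)."""
    frame = parse_frame(raw)
    if frame.vlan is None or frame.vlan not in pairs:
        return None
    if not allow(frame.rest):        # stands in for signature inspection
        return None
    return build_frame(frame, pairs[frame.vlan])


def make_vlan_groups(spec: Dict[int, Iterable[int]]) -> Dict[int, int]:
    """VLAN -> subinterface map enforcing the VLAN group rules: subinterface
    numbers 1..255 only, and no VLAN in more than one group. VLANs absent from
    the map form the unassigned group, which is never specified directly."""
    owner: Dict[int, int] = {}
    for subif, vlans in spec.items():
        if not 1 <= subif <= MAX_SUBINTERFACE:
            raise ValueError(f"subinterface {subif} is outside 1..255 (0 is reserved)")
        for v in vlans:
            if v in owner:
                raise ValueError(f"VLAN {v} is already in subinterface {owner[v]}")
            owner[v] = subif
    return owner


def vlan_group_lookup(raw: bytes, owner: Dict[int, int],
                      default_vlan: int) -> Tuple[Optional[int], int]:
    """Return (subinterface, VLAN reported in an alert); None is the unassigned
    group. An untagged native-VLAN frame takes the interface's default VLAN;
    with default VLAN 0 it reports VLAN 0 and can only be in the unassigned group."""
    frame = parse_frame(raw)
    vlan = frame.vlan if frame.vlan is not None else default_vlan
    if vlan == 0:
        return None, 0
    return owner.get(vlan), vlan


# Constructed sample frames: dummy MACs, IPv4 EtherType, a few zero payload bytes.
def tagged(vlan: int, pcp: int = 3) -> bytes:
    tag = struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan)
    return b"\xaa" * 6 + b"\xbb" * 6 + tag + b"\x08\x00" + b"\x00" * 4


def untagged() -> bytes:
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"\x00" * 4
```

With `make_vlan_pairs([(10, 11)])`, a frame received on VLAN 10 leaves on VLAN 11 with its priority bits intact, while a frame on VLAN 12 returns `None` because that VLAN is in no pair.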

Alternate TCP Reset Interfaces

ƒ The command and control interface cannot serve as the alternate TCP reset interface for a
monitoring interface.
ƒ You can assign the same physical interface as an alternate TCP reset interface for multiple
monitoring interfaces.
ƒ A physical interface can serve as both a monitoring interface and an alternate TCP reset
interface.
ƒ Because Cisco Intrusion Detection System Network Module and Cisco ASA AIP-SSM only
have one monitoring interface, you cannot configure a TCP reset interface on these products.
ƒ Because of hardware limitations on the Cisco Catalyst switch, both of the Cisco Catalyst
6500 Series IDSM-2 monitoring interfaces are permanently configured to use System0/1 as
the TCP reset interface.

TCP Reset Interfaces


You can configure sensors to send TCP reset packets to try to reset a network connection
between an attacker host and its intended target host. In some installations when the interface is
operating in promiscuous mode, the sensor may not be able to send the TCP reset packets over
the same monitoring interface on which the attack was detected. In such cases, you can
associate the monitoring interface with an alternate TCP reset interface, and any TCP resets that
would otherwise be sent on the monitoring interface when it is operating in promiscuous mode
are instead sent out on the associated alternate TCP reset interface.

If a monitoring interface is associated with an alternate TCP reset interface, that association
applies when the sensor is configured for promiscuous mode but is ignored when the
monitoring interface is configured for inline mode. With the exception of the Cisco Catalyst
6500 Series IDSM-2, any monitoring interface can serve as the alternate TCP reset interface for
another monitoring interface. The alternate TCP reset interface on the Cisco Catalyst 6500
Series IDSM-2 is fixed because of hardware limitations.

How to Configure the Interfaces
This topic explains how to set up the sensor interfaces.

Enabling the Interfaces

[Figure: the Interfaces panel, with the Interfaces list and the Select All, Edit, Enable, Disable,
Apply, and Reset buttons.]

Complete these steps to enable monitoring interfaces:

Step 1 Click Configuration and choose Interface Configuration > Interfaces. The
Interfaces panel displays a list of the existing physical interfaces on your sensor and
their associated settings. The sensor automatically detects the interfaces and
populates the interfaces list on the Interfaces panel.
Step 2 Choose the interface and click Enable.

Step 3 If you plan to have your sensor do inline monitoring, enable at least two interfaces.

Note If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits that you made with the previously configured value.

Step 4 Click Apply to apply your changes and save the revised configuration.

You can use the Select All button to select all of the interfaces simultaneously. To disable an
interface, click the Disable button. To edit values associated with the interface, choose the
interface and click Edit. The Edit Interface window opens.

Editing the Interfaces

[Figure: the Edit Interface window, showing the Enabled, Duplex, and Speed settings, the Use
Alternate TCP Reset Interface check box, and the Select Interface drop-down menu.]

If you choose an interface from the Interfaces panel and click Edit, the Edit Interface window
opens. The name of the interface is displayed to the right of the Interface Name label. From the
Edit Interface window, you can change these values associated with the selected interface:
„ Description: This is a description of the interface. Enter a description of the interface in the
Description field.
„ Enabled: This is the state of the interface. Click the Yes radio button to enable the
interface or click the No radio button to disable it.
„ Duplex: This is the duplex setting of the interface. Use the Duplex drop-down menu to
choose one of these options:
— Auto: Sets the interface to autonegotiate duplex
— Full: Sets the interface to full duplex
— Half: Sets the interface to half duplex
„ Speed: This is the speed setting of the interface. Use the Speed drop-down menu to choose
one of these options:
— Auto: Sets the interface to autonegotiate speed
— 10 MB: Sets the interface to 10 MB (for TX interfaces only)
— 100 MB: Sets the interface to 100 MB (for TX interfaces only)
— 1000: Sets the interface to 1 GB (for gigabit interfaces only)
„ Default VLAN: Set this variable to the VLAN number of the native VLAN or to 0. If the
default VLAN setting is 0, the following occurs:
— Any alerts triggered by packets without 802.1Q encapsulation have a VLAN value
of 0 reported in the alert.
— Non-802.1Q encapsulated traffic is associated with the unassigned VLAN group,
and it is not possible to assign the native VLAN to any other VLAN group.

„ Use Alternate TCP Reset Interface: This is an option to have the sensor send TCP resets
on an alternate interface when this interface is used for promiscuous monitoring and the
reset action is triggered by the firing of a signature. Check the check box to enable this
option.
„ Select Interface: This is the interface to be used as the alternate TCP reset interface. Use
the drop-down menu to choose an interface. On all platforms other than the Cisco Catalyst
6500 Series IDSM-2, you can choose any interface, except the interface that you are editing
or the command and control interface, as the alternate TCP reset interface.

The Edit Interface window also displays the media type of the selected interface. The media
type will be any of these:
„ TX: Copper media
„ SX: Fiber media
„ XL: Network accelerator card
„ Backplane interface: An internal interface that connects a monitoring module to the
backplane of the parent chassis

When you click OK in the Edit Interface window, the Interfaces panel becomes active and
displays your changes.

Assigning Promiscuous Interfaces to the Virtual Sensor

[Figure: the Analysis Engine > Virtual Sensor panel, with the Edit button.]

Current Cisco IPS sensors are able to receive data inputs from one or many monitored data
streams. For example, a single sensor with multiple monitoring interfaces can monitor traffic
from in front of the firewall, from behind the firewall, or from both locations concurrently. A
single sensor policy or configuration is applied to all of the monitored data streams.

With Cisco IPS Sensor Software Version 6.0, you can apply policies that are appropriate to,
and tuned to, each of the monitored segments. You can do this using virtual sensors. Virtual
sensors can monitor multiple segments and apply a different policy or configuration for each
virtual sensor within a single physical sensor. For the sensor to monitor your network, you must
enable the interfaces and you must assign the interfaces to the appropriate virtual sensor.

Note A virtual sensor is defined as a logical grouping of monitoring interfaces and the
configuration policy for the signature engines and alarm filters that apply to them.

You can assign interfaces to a virtual sensor, and you can change the description of a virtual
sensor, but you cannot change the name of vs0. Complete these steps to assign an interface to a
virtual sensor:

Step 1 Click Configuration and choose Analysis Engine > Virtual Sensor. The Virtual
Sensor panel is displayed.

Step 2 Click Edit. The Edit Virtual Sensor window opens.

Assigning Promiscuous Interfaces to the Virtual Sensor (Cont.)

[Figure: the Edit Virtual Sensor window, showing the Available Interfaces (or Pairs) and
Assigned Interfaces (or Pairs) lists and the Remove button.]

Step 3 The available interfaces or interface pairs that you can assign to the virtual sensor
are displayed. Choose the interface from the Details list.

Step 4 Click Assign. If you want to remove an interface or interface pair from this list, click
Remove.

Step 5 (Optional) Enter a new description for the default virtual sensor in the Description
field.
Step 6 Click OK. The Edit Virtual Sensor window closes, and the Virtual Sensor panel
displays the interface or interface pair that you added.

Step 7 Click Apply in the Virtual Sensor panel to apply your changes.

Creating Interface Pairs

[Figure: the Interface Pairs panel, with the Add button.]

To use your sensor for inline intrusion prevention, you must configure an interface pair.
Configure an interface pair by completing these steps:

Step 1 Click Configuration and choose Interface Configuration > Interface Pairs. The
Interface Pairs panel is displayed.

Step 2 Click Add. The Add Interface Pair window opens.

Creating Interface Pairs (Cont.)

[Figure: the Add Interface Pair window, with the Interface Pair Name field, the Select Two
Interfaces list, and the Description field.]

Step 3 Enter a name in the Interface Pair Name field.

Step 4 From the Select Two Interfaces list, choose the first interface and then hold down
the Shift key while you choose the second interface.
Step 5 (Optional) Add a description of the interface pair in the Description field.

Step 6 Click OK.

Assigning Interface Pairs to the Virtual Sensor

[Slide 2-28: Analysis Engine > Virtual Sensor panel (callouts: Analysis Engine, Virtual Sensor)]

You assign interface pairs to the virtual sensor. Complete these steps to assign an interface pair
to the virtual sensor:

Step 1 Click Configuration and choose Analysis Engine > Virtual Sensor. The Virtual
Sensor panel is displayed.

Step 2 Click Edit. The Edit Virtual Sensor window opens.

Assigning Interface Pairs to the Virtual Sensor (Cont.)

[Slide 2-29: Edit Virtual Sensor window (callouts: Assigned Interfaces (or Pairs), Available Interfaces (or Pairs), Remove)]

Step 3 Choose the interface pair from the Details list, which displays the available
interfaces or interface pairs that you can assign to the virtual sensor.

Step 4 Click Assign. If you want to remove an interface or interface pair from this list, click
Remove.

Step 5 (Optional) Enter a new description for the default virtual sensor in the Description
field.
Step 6 Click OK. The Edit Virtual Sensor window closes, and the Virtual Sensor panel
displays the interface or interface pair that you added.

Note If you want to undo your changes, click Reset.

Step 7 Click Apply to apply your changes and save the revised configuration.

Note To delete an interface pair, select it and click Delete.

You can use the Select All button to select all of the interfaces simultaneously. To edit an
interface pair, select it and click Edit. The Edit Interface Pair window opens. This window
enables you to change the name, choose a new interface pair, or edit the description.

Configuring Traffic Flow Notification

[Slide 2-30: Interface Configuration > Traffic Flow Notifications panel (callouts: Missed Packets Threshold, Notification Interval, Interface Idle Threshold, Apply, Reset)]

You can configure the sensor to monitor the flow of packets across an interface and send a
notification if that flow changes (starts or stops) during a specified interval. You can configure
the missed packet threshold within a specific notification interval and the interface idle delay
before a status event is reported. Complete these steps to configure traffic flow notification:

Step 1 Click Configuration and choose Interface Configuration > Traffic Flow
Notifications. The Traffic Flow Notifications panel is displayed.
Step 2 In the Missed Packets Threshold field, enter the percent of packets that must be
missed during a specified time before a notification is sent.

Step 3 In the Notification Interval field, enter the number of seconds during which you
want the sensor to check for the percentage of missed packets.

Step 4 In the Interface Idle Threshold field, enter the number of seconds that an interface
must be idle and not receiving packets before a notification is sent.

Note If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits that you made with the previously configured value.

Step 5 Click Apply to apply your changes and save the revised configuration.

How to Configure Software and Hardware Bypass Mode
This topic explains software and hardware bypass mode and how to configure it.

Software Bypass

The software bypass feature ensures that packets continue to flow through the sensor if the
sensor is stalled or if an application crashes. Some major characteristics of software bypass
are:
• It applies only to inline paired interfaces.
• It causes traffic inspection to cease without impacting network traffic.
• It can be used for the following purposes:
  – Troubleshooting
  – To ensure that traffic continues to flow during sensor upgrades
  – As a failover mechanism
• It can be configured to automatically start and stop.

Cisco IPS Sensor Software Version 6.0 contains a software bypass mechanism. Bypass enables
you to put the sensor in a mode that ensures that packets continue to flow through the sensor
even if the sensor software fails. When bypass is enabled, all processing subsystems are
bypassed and traffic is allowed to flow between the inline port pairs directly. Traffic inspection
ceases, but your network traffic is not impacted. You can configure your sensor to
automatically enable the bypass mechanism when it detects a software failure.

Note If the sensor application stalls or crashes, bypass takes effect: traffic inspection ceases, but
network traffic is not impacted.

In addition to serving as a soft failover mechanism, bypass is useful for troubleshooting and
ensuring that traffic continues to flow during sensor upgrades. As long as the sensor is powered
up and the Linux operating system is functioning, the bypass mechanism works.

Note Bypass mode is meant to be used only with inline paired interfaces. For sensors running in
promiscuous mode, bypass mode should be set to Off.

Configuring Software Bypass Modes

[Slide 2-32: Interface Configuration > Bypass panel (callouts: Bypass, Bypass Mode, Apply, Reset)]

Complete these steps to configure software bypass:

Step 1 Click Configuration and choose Interface Configuration > Bypass. The Bypass
panel is displayed.
Step 2 Choose one of these modes from the Bypass Mode drop-down menu:
• Auto (bypass inspection when the Analysis Engine is stopped): Traffic flows
  through the sensor for inspection unless the sensor is down. If the sensor is down,
  traffic bypasses the sensor and is saved until the sensor is running again. The
  sensor then inspects the traffic. Auto mode, which is the default setting, is useful
  to ensure that traffic is still flowing while the sensor is being upgraded.
• Off (always inspect inline traffic): This mode disables bypass mode. Traffic
  always flows through the sensor for inspection. If the sensor is down, traffic stops
  flowing.
• On (never inspect inline traffic): This mode causes traffic to bypass inspection.
  When you choose the On mode, the sensor acts like a bridge. The On mode is
  useful in situations in which you are experiencing network difficulties, and you
  are unsure if the sensor or another device is causing the problem. You can put the
  sensor into On mode, perform network troubleshooting, and then change the
  bypass mode to Auto or Off so that the sensor begins inspecting packets again. If
  your network difficulty disappears when the sensor is in bypass On mode, check
  your sensor configuration.

Caution Security risks accompany use of the On mode. When the bypass mode is On, traffic is never
inspected; therefore, the sensor cannot prevent malicious attacks.

Step 3 Click Apply to apply your changes and save the revised configuration.

The sensor reports changes to the software bypass feature and these interface configuration
events as status events:
• Link up or down
• Traffic start or stop
• Missed packet percentage threshold exceeded
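As an added example (not part of the course material and not Cisco's software), the following Python model shows how the three Traffic Flow Notifications fields translate into the traffic start/stop and missed-packet status events listed above. The per-second interface counters, the interface name, and the exact event semantics (idle threshold raises "traffic stop", the next packet raises "traffic start", missed percentage is evaluated once per notification interval) are constructed assumptions.

```python
"""Model of Cisco IPS traffic-flow status events (added example, not Cisco code).

The three tunables are the fields from the Traffic Flow Notifications panel.
Per-second interface counters are constructed inline; the sensor's real
counters and event formats are not reproduced here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrafficFlowConfig:
    missed_packets_threshold: int  # Missed Packets Threshold (percent)
    notification_interval: int     # Notification Interval (seconds)
    interface_idle_threshold: int  # Interface Idle Threshold (seconds)


@dataclass(frozen=True)
class InterfaceSample:
    """Constructed counters for one interface during one second."""
    second: int
    received: int  # packets handed to the inspection path
    missed: int    # packets seen on the wire but not inspected


@dataclass(frozen=True)
class StatusEvent:
    second: int
    interface: str
    kind: str
    missed_percent: Optional[float] = None


def evaluate_traffic_flow(config: TrafficFlowConfig,
                          samples: List[InterfaceSample],
                          interface: str = "GigabitEthernet0/1") -> List[StatusEvent]:
    """Return the status events the model raises, in time order.

    Model assumptions: samples are contiguous one-second buckets; reaching the
    idle threshold raises "traffic stop" and the next packet after a stop
    raises "traffic start"; the missed-packet percentage is computed at the
    end of each notification interval over that interval only.
    """
    events: List[StatusEvent] = []
    idle_seconds = 0
    traffic_stopped = False
    interval_received = interval_missed = interval_seconds = 0

    for s in samples:
        # Idle detection: count consecutive seconds with nothing on the wire.
        if s.received + s.missed == 0:
            idle_seconds += 1
            if idle_seconds == config.interface_idle_threshold and not traffic_stopped:
                events.append(StatusEvent(s.second, interface, "traffic stop"))
                traffic_stopped = True
        else:
            idle_seconds = 0
            if traffic_stopped:
                events.append(StatusEvent(s.second, interface, "traffic start"))
                traffic_stopped = False

        # Missed-packet check: evaluated at the end of each notification interval.
        interval_received += s.received
        interval_missed += s.missed
        interval_seconds += 1
        if interval_seconds == config.notification_interval:
            seen = interval_received + interval_missed
            percent = 100.0 * interval_missed / seen if seen else 0.0
            if percent >= config.missed_packets_threshold:
                events.append(StatusEvent(
                    s.second, interface,
                    "missed packet percentage threshold exceeded", percent))
            interval_received = interval_missed = interval_seconds = 0
    return events


# Constructed scenario: 5 busy seconds, 4 idle seconds, then traffic resumes
# with a high miss rate (as during a brief stall of the inspection path).
CONFIG = TrafficFlowConfig(missed_packets_threshold=5,
                           notification_interval=5,
                           interface_idle_threshold=3)
SAMPLES = [
    InterfaceSample(0, 100, 0),
    InterfaceSample(1, 100, 0),
    InterfaceSample(2, 100, 10),   # 1.96 % missed over seconds 0-4: below threshold
    InterfaceSample(3, 100, 0),
    InterfaceSample(4, 100, 0),
    InterfaceSample(5, 0, 0),
    InterfaceSample(6, 0, 0),
    InterfaceSample(7, 0, 0),      # third idle second: "traffic stop"
    InterfaceSample(8, 0, 0),
    InterfaceSample(9, 50, 10),    # "traffic start", then 16.7 % missed over 5-9
]

if __name__ == "__main__":
    for event in evaluate_traffic_flow(CONFIG, SAMPLES):
        print(event)
```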

Hardware Bypass

• The Cisco IPS 4260 Sensor supports a 4-port Gigabit Ethernet card with hardware bypass.
• Hardware bypass is only supported between ports 0 and 1 and between ports 2 and 3.
• Ports 0 and 1 and ports 2 and 3 must be configured as inline pairs.
• Hardware bypass complements software bypass.

The following configuration restrictions apply to hardware bypass:

• The 4-port Gigabit Ethernet bypass card is supported only on the Cisco IPS 4260 Sensor.
• This 4-port Gigabit Ethernet bypass card supports hardware bypass only between ports 0
  and 1 and between ports 2 and 3.
• Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline
  VLAN pairs.
• Fail-open hardware bypass is available on an inline interface if all of the following
  conditions are met:
  – Both of the physical interfaces support hardware bypass.
  – Both of the physical interfaces are on the same interface card.
  – The two physical interfaces are associated in hardware as a bypass pair.
  – The speed and duplex settings are identical on the physical interfaces.
  – Both of the interfaces are administratively enabled.
• Autonegotiation must be set on the medium dependent interface crossover (MDIX) switch
  ports connected to a Cisco IPS 4260 Sensor.

You must configure both the sensor ports and the switch ports for autonegotiation of speed and
duplex settings for hardware bypass to work. The switch ports must support MDIX, which
automatically reverses the transmit and receive lines if necessary to correct any cabling
problems. The sensor is only guaranteed to operate correctly with the switch if both of them are
configured for identical speed and duplex.

Note To test failover, set the bypass mode to On or Auto, create one or more inline interfaces,
power down the sensor, and verify that traffic still flows through the inline path.

Viewing Events in the Cisco IDM
This topic describes how to view the events triggered by signatures that are enabled.

[Slide 2-34: Viewing Events in the Cisco IDM (Monitoring > Events pane)]

Follow these steps to use Cisco IDM to view events generated by the sensor:
Step 1 Click the Monitoring button.

Step 2 Choose Events in the left-hand column.

Step 3 Complete the filter choices in the Events pane. You can choose to view events based
on things such as event severity, types of events, number of events per page, and
time consideration.

Step 4 Click the View button.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary

• Users access a sensor by logging into user accounts that you create on the sensor. User
  accounts have roles that determine the privilege of the user on the sensor.
• You can manually configure the time on the sensor, or you can configure the sensor to use
  an NTP server.
• The sensor generates a server certificate when it is first started. You can use the Cisco IDM
  to add trusted hosts.
• Use the service account only under the direction of the Cisco TAC for troubleshooting.
• All sensors have only one command and control interface. Several sensor models can have
  multiple monitoring interfaces.
• For a sensor to operate in inline mode, you must configure two monitoring interfaces as a
  pair.
• The software bypass feature ensures that packets continue to flow through the sensor even
  if the Analysis Engine ceases to function.
• To more effectively view events generated by the sensor, you can filter the events by
  severity, type, and time range.

Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary

• You can access the CLI by attaching a console cable, or through a Telnet or SSH session
  across the network. The sensor is bootstrapped using the setup command.
• Cisco IDM is a web-based Java application that enables you to configure and manage your
  sensor. Cisco IDM can be accessed via Internet Explorer, Netscape, or Mozilla.
• You can use the Cisco IDM to configure the time settings, certificates, user accounts, and
  interfaces of a Cisco IPS sensor.

A network sensor can be configured using the command-line interface (CLI) and the Cisco
Intrusion Prevention System (IPS) Device Manager (IDM). It is usually best to do most of the
configuration using the Cisco IDM. The CLI is best utilized for running setup, maintenance,
and troubleshooting.

References
For additional information, refer to these resources:
• ICSA Labs. http://www.icsalabs.com/icsa/topic.php?tid=b2b4$52d6a7ef-1ea5803f$4c69-ff36f9b5.
• Cisco Systems, Inc. Installing and Using Cisco Intrusion Prevention System Device Manager 6.0: Getting Started.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618948.html#wp1048697.
• Cisco Systems, Inc. Installing and Using Cisco Intrusion Prevention System Device Manager 6.0.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html.

Module 3

Cisco IPS Signatures

Overview
This module introduces how to locate and configure the built-in signatures in the Cisco
Intrusion Prevention System (IPS) sensor products. You will also learn how to find individual
signatures, and classes of signatures, and then enable or disable them. In addition, you will
learn how to configure the actions that you want the sensor to take upon the firing of the
signature.

Module Objectives
Upon completing this module, you will be able to use the Cisco IPS Device Manager (IDM) to
configure built-in signatures to meet the requirements of a given security policy. This ability
includes being able to meet these objectives:
• Use the Cisco IDM to locate and configure built-in signatures and view events
• Describe the functions of signature engines and their parameters
• Use the Cisco IDM to tune and customize signatures to meet the requirements of a given
  security policy

Lesson 1

Configuring Cisco IPS Signatures and Alerts

Overview
This lesson introduces the location and configuration of the built-in signatures in the Cisco
Intrusion Prevention System (IPS) sensor products. You will be able to find individual
signatures and classes of signatures, and then enable or disable them. You will also learn how
to configure the actions that you would like the sensor to take.

Objectives
Upon completing this lesson, you will be able to use the Cisco IPS Device Manager (IDM) to
configure built-in signatures to meet the requirements of a given security policy. This ability
includes being able to meet these objectives:
• Describe the different types, features, and actions of signatures
• Locate information about specific signatures and describe the Cisco Intrusion Prevention
  Alert Center
• Enable, disable, and assign actions to signatures
• Configure additional settings for denying and blocking actions

Cisco IPS Signatures
This topic highlights the features and capabilities of Cisco IPS signatures.

Signature Types

A Cisco IPS signature is a set of rules that your sensor uses to detect typical intrusive
activity. The sensor supports three types of signatures:
• Default signatures: Known attack signatures that are included in the sensor software
• Tuned signatures: Built-in signatures that you modify
• Custom signatures: New signatures that you create

A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as
denial of service (DoS) attacks. As sensors scan network packets, they use signatures to detect
known attacks and respond with actions that you define. The sensor compares its signatures
with network activity. When a match is found, the sensor can generate an alert event and store
it in the Event Store. The alert events, as well as other events, can be retrieved from the Event
Store by web-based clients.

Note By default, the sensor generates an alert when a signature matches network traffic. You can
disable alert generation for any signature.

A signature must be enabled to monitor network traffic. The most critical signatures are
enabled by default.

Cisco IPS Sensor Software Version 6.0 contains more than 1500 built-in default signatures.
You cannot rename or delete signatures from the list of built-in signatures, but you can retire
signatures that are old or no longer applicable from the sensing engine. Retiring signatures
conserves sensor memory and enhances performance. If you retire a signature, that signature is
removed from the engine but remains in the signature configuration list. You can later activate
retired signatures, but doing so requires the sensor to rebuild its configurations. This rebuild
can be time consuming and can cause a delay in the processing of traffic.

You can also modify built-in signatures by adjusting their parameters. These modified built-in
signatures are called tuned signatures. In addition, you can create signatures, which are called
custom signatures. Custom signature IDs begin at 60,000.

Some signatures have subsignatures, meaning that the signature is divided into subcategories.
When you configure a subsignature, changes made to the parameters of one subsignature apply
only to that subsignature. For example, if you edit signature 3050 subsignature 1, the change
applies only to subsignature 1 and not to signature 3050 subsignature 2, signature 3050
subsignature 3, and signature 3050 subsignature 4.

Note The current list of signatures can be found at
http://tools.cisco.com/MySDN/Intelligence/allSignatures.x. (This requires a Cisco.com login.)

Signature Features

• Response actions
• Alert summarization
• Threshold configuration
• Anti-evasive techniques
• Fidelity ratings
• Application firewall
• SNMP support
• IPv6 support
• A blend of detection technologies
• Regular expression string pattern matching

The Cisco IPS signatures have the following features and capabilities:
• Response actions: These enable the sensor to take an action when the signature is
  triggered.
• Alert summarization: This enables the sensor to group various alerts into a single alert,
  thereby decreasing the number of alerts that the sensor sends to the Event Store when a
  signature is triggered.
• Threshold configuration: This enables a signature to be tuned to perform optimally in a
  network.
• Anti-evasive techniques: These enable a signature to defeat evasive techniques used by an
  attacker.
• Fidelity rating: This is a numerical rating of how prone the signature is to false alarms.
• Application firewall: This provides Layer 4 to Layer 7 packet inspection to prevent
  malicious attacks related to HTTP and FTP.
• Simple Network Management Protocol (SNMP) support: This enables the sensor to
  send SNMP traps triggered by IPS alert, status, or error events.
• IP version 6 (IPv6) support: This enables signatures to analyze IP version 4 (IPv4)
  encapsulated in IPv6 to the same extent as IPv4 traffic is analyzed.

Note Cisco IPS Sensor Software Version 6.0 allows IPv6 traffic to pass unobstructed with no
analysis.

• Use of a blend of the following technologies:
  – Simple pattern matching: This looks for a character string in a single packet. For
    example, the signature might look for the string “badger.”
  – Stateful pattern matching: This enables string reconstruction. For example, a
    Telnet session in which “bad” and “ger” were sent in two separate packets would
    match the string “badger.”
  – Heuristic analysis: This uses some form of algorithmic logic to determine if an alert
    should be generated. Heuristic analysis usually involves some form of statistical
    analysis. It is typically used to detect reconnaissance attempts, such as slow scans
    that attempt to evade sensor detection. A good example of a signature based on
    heuristic analysis is one used to detect a port sweep. The signature looks for the
    presence of a threshold number of unique ports being accessed on a particular
    machine. You can further restrict the signature to look only for a certain type of
    packet or a certain source address. Signatures of this type require some threshold
    manipulations to make them conform to the utilization patterns on the network that
    they are monitoring.
  – Protocol decode analysis: This looks for deviations from a standard protocol, as
    defined by the RFC.
  – Anomaly analysis: This looks for network traffic that deviates from the traffic that
    it normally detects on the network. The biggest problem with this methodology is
    defining “normal” traffic. There are several types of anomaly analysis. Cisco
    signatures use the following:
    • Protocol anomalies: An example of a protocol anomaly would be an
      unexpected value in a field of a protocol. This method is closely related to the
      protocol decode method. In some instances, the lines blur between
      methodologies.
    • Statistical anomalies: An example of a statistical anomaly would be a
      significant difference in the current rate of traffic arrival as compared to a
      historical reference. This methodology detects traffic floods, such as User
      Datagram Protocol (UDP), TCP, or Internet Control Message Protocol (ICMP)
      floods.
• Regular expression string pattern matching: This capability enables the creation of
  string patterns using regular expressions. These string patterns are used by the pattern
  matching technologies.
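As an added example (not from the course and not Cisco's signature engine), this Python sketch of a heuristic port-sweep signature counts the unique destination ports one source touches on one host within a sliding window, with the optional packet-type and source-address restrictions described above. The flow records, addresses, threshold and window values are constructed; the slow sweep shows why the text says such thresholds need tuning to the monitored network.

```python
"""Heuristic port-sweep signature model (added example, not Cisco code).

Fires when one source touches at least `unique_ports` distinct destination
ports on one destination host within a sliding window. The optional protocol
and source restrictions mirror the tuning described in the text. All flow
records below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    ts: float        # seconds
    src: str
    dst: str
    dst_port: int
    proto: str       # "tcp" or "udp"


@dataclass(frozen=True)
class SweepAlert:
    ts: float
    src: str
    dst: str
    unique_ports: int


class PortSweepDetector:
    def __init__(self, unique_ports: int = 15, window_seconds: float = 60.0,
                 proto: Optional[str] = None, src: Optional[str] = None):
        self.threshold = unique_ports
        self.window = window_seconds
        self.proto = proto   # restrict to a certain type of packet
        self.src = src       # restrict to a certain source address
        # (src, dst) -> recent (timestamp, destination port) observations
        self._seen: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)

    def observe(self, rec: FlowRecord) -> Optional[SweepAlert]:
        """Feed one record; return an alert when the threshold is crossed."""
        if self.proto is not None and rec.proto != self.proto:
            return None
        if self.src is not None and rec.src != self.src:
            return None
        key = (rec.src, rec.dst)
        hits = self._seen[key]
        hits.append((rec.ts, rec.dst_port))
        # Drop observations that fell out of the sliding window.
        while hits and rec.ts - hits[0][0] > self.window:
            hits.popleft()
        ports = {port for _, port in hits}
        if len(ports) >= self.threshold:
            hits.clear()   # one alert per sweep; counting restarts afterwards
            return SweepAlert(rec.ts, rec.src, rec.dst, len(ports))
        return None


def run_detector(detector: PortSweepDetector,
                 records: List[FlowRecord]) -> List[SweepAlert]:
    """Replay records in time order and collect the alerts raised."""
    alerts = []
    for rec in sorted(records, key=lambda r: r.ts):
        alert = detector.observe(rec)
        if alert:
            alerts.append(alert)
    return alerts


def build_flows(step_seconds: float) -> List[FlowRecord]:
    """Constructed traffic: a legitimate client on ports 80/443 plus one host
    probing ports 1-20 on the same target, one port every step_seconds."""
    flows = []
    for i in range(20):
        t = i * step_seconds
        flows.append(FlowRecord(t, "10.0.0.5", "10.0.0.20", i + 1, "tcp"))
        flows.append(FlowRecord(t + 0.5, "10.0.0.7", "10.0.0.20",
                                80 if i % 2 else 443, "tcp"))
    return flows


FAST_SWEEP = build_flows(step_seconds=1.0)    # 20 ports in 20 s: detected
SLOW_SWEEP = build_flows(step_seconds=90.0)   # one port per 90 s: outside a 60 s window

if __name__ == "__main__":
    print(run_detector(PortSweepDetector(), FAST_SWEEP))
    print(run_detector(PortSweepDetector(), SLOW_SWEEP))
```

Raising the window or lowering the unique-port threshold is the "threshold manipulation" the text refers to; the legitimate client never fires because it only ever uses two ports.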

Signature Actions

Cisco IPS signatures can take one or all of the following actions when triggered:
• Drop malicious packets, including the trigger packet, before they reach their targets (for
  inline sensors only)
• Produce an alert or an alert that includes an encoded dump of the trigger packet
• Log IP packets that contain the attacker address, the victim address, or both
• Initiate the blocking of a connection or a specific host address
• Send a request to the notification application component of the sensor to perform SNMP
  notification
• Terminate the TCP session between the source of an attack and the target host

You can configure the sensor to respond to malicious activity by configuring a signature to take
a response action when it matches network traffic.

Some of the actions that a sensor can take when a signature is triggered are specific to inline
IPS. The capability to drop packets as a response action is the essence of an inline solution. For
a sensor operating in inline mode, you can configure deny actions that drop packets, including
the packet that triggers the signature, before they reach their intended target. You can configure
signatures to take the following actions, whether your sensor is running in inline mode,
promiscuous mode, or both:
„ Produce an alert or an alert that includes an encoded dump of the trigger packet
„ Log IP packets that contain the attacker address, the victim address, or both
„ Initiate the blocking of a connection or a specific host address
„ Send a request to the notification application component of the sensor to perform SNMP
notification
„ Terminate the TCP session between the source of an attack and the target host

The notification application is a sensor service that enables the sensor to send notification of
sensor alerts and system errors to an SNMP network management system (NMS). These SNMP
notifications are called traps. In addition to enabling the sending of traps, the notification
application enables an NMS to obtain basic health information from the sensor. SNMP is used
by many network administrators to monitor and configure network devices. The SNMP support
available in Cisco IPS Sensor Software Version 6.0 and higher enables these administrators to
consolidate data into a single console.

The notification application runs as a thread within MainApp and uses the Net-SNMP agent, a
public domain SNMP agent, to collect and store information about the sensor, translate the
information into a form that is compatible with SNMP, and deliver it to an NMS via SNMP.
Although the Net-SNMP agent currently supports SNMP version 3 (SNMPv3), the notification
application currently does not.

Regular Expressions Syntax

Features of the regular expressions syntax:
• Enables you to configure the sensor to detect textual patterns in the traffic it analyzes
• Allows you to describe simple and complex textual patterns
• Consists of special characters such as the following:
  – ()
  – |
  – [abc]

Regular expressions constitute a powerful and flexible notational language that allows you to
describe text. In the context of pattern matching, regular expressions allow a succinct
description of almost any arbitrary pattern.

Regular expressions are used for string matching. Regular expressions are strings that contain a
mix of plaintext and special characters to indicate what kind of matching to do. For example, if
you want the sensor to look for a numeric digit, use the regular expression [0-9]. The brackets
indicate that the character being compared should match any one of the characters enclosed
within the brackets. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9.
Therefore, this regular expression matches any digit from 0 to 9.
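The stateful reassembly described under the detection technologies (“bad” and “ger” arriving in separate packets) and the regular expression matching described here, as one added Python example that is not part of the course or of Cisco's engine. Python's re module is a superset of the Cisco IPS syntax; the patterns used (badger, \*, [0-9]) lie within the documented subset, and the session segments are constructed and assumed to be in-order TCP segments of one session.

```python
"""Simple versus stateful pattern matching (added example, not Cisco code).

Python's `re` module is a superset of the Cisco IPS regular expression
syntax; the patterns used here (badger, [0-9], \\*) are all within the subset
the text documents. Packet payloads are constructed inline and assumed to be
in-order TCP segments of one session.
"""
import re
from typing import List


def simple_match(pattern: bytes, packets: List[bytes]) -> List[int]:
    """Simple pattern matching: each packet is inspected on its own.
    Returns the indices of packets whose payload contains the pattern."""
    rx = re.compile(pattern)
    return [i for i, payload in enumerate(packets) if rx.search(payload)]


class StatefulMatcher:
    """Stateful pattern matching: reassemble the byte stream so a string
    split across segments ('bad' + 'ger') still matches 'badger'."""

    def __init__(self, pattern: bytes, max_match_len: int = 64):
        self.rx = re.compile(pattern)
        self._buf = b""
        # Keep only enough trailing bytes for a match to straddle a boundary;
        # a match longer than max_match_len that spans segments is missed.
        self._keep = max(max_match_len - 1, 0)

    def feed(self, segment: bytes) -> bool:
        """Return True when the pattern completes in the stream so far."""
        self._buf += segment
        m = self.rx.search(self._buf)
        if m:
            self._buf = self._buf[m.end():]   # continue scanning after the match
            return True
        self._buf = self._buf[-self._keep:] if self._keep else b""
        return False


def stream_matches(pattern: bytes, packets: List[bytes]) -> List[int]:
    """Indices of the segments at which a stateful match completes."""
    matcher = StatefulMatcher(pattern)
    return [i for i, seg in enumerate(packets) if matcher.feed(seg)]


# Constructed Telnet-style session: the string "badger" is split over two
# segments, then a literal "*" and a digit arrive in later segments.
SESSION = [b"login: ", b"bad", b"ger", b"\r\n", b"echo *", b" 7\r\n"]

if __name__ == "__main__":
    for pat in (rb"badger", rb"\*", rb"[0-9]"):
        print(pat, "simple:", simple_match(pat, SESSION),
              "stateful:", stream_matches(pat, SESSION))
```

Only the stateful matcher reports "badger" for this session, which is the evasion that per-packet matching misses; patterns confined to one segment are found by both.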

Regular Expression Metacharacters

Symbol   Meaning
?        Repeat 0 or 1 times
*        Repeat 0 or more times
+        Repeat 1 or more times
{x}      Repeat exactly x times
.        Any one character except \n or \t
[abc]    Any character listed
[^abc]   Any character not listed
[a-z]    Any character listed inclusively in range
()       Used to limit the scope of other metacharacters
^        The position at the start of the line
\char    Literal character match, including metacharacters
char     Matches character literally, not including metacharacters
|        OR of two regular expressions
\n       Line feed
\t       Tab

To have the sensor search for a specific special character, you must use a backslash before the
special character. For example, the single-character regular expression \* matches a single
asterisk.

The regular expressions defined in this section are similar to a subset of the Portable Operating
System Interface (POSIX) extended regular expression definitions. In particular, [..], [==], and
[::] expressions are not supported. Escaped expressions representing single characters are
supported. The following table lists the Cisco IPS regular expressions syntax.

Regular Expression Syntax

Character Description

^ This is the beginning of the string. The expression ^A will match an "A" only at
the beginning of the string.

^ This is immediately following the left bracket ([) and excludes the remaining
characters within brackets from matching the target string. The expression [^0-9]
indicates that the target character should not be a digit.

$ This matches the end of the string. The expression abc$ matches the substring
abc only if it is at the end of the string.

| This allows the expression on either side to match the target string. The
expression a|b matches "a" as well as "b."

. This matches any character.

* This indicates that the character to the left of the asterisk in the expression
should match zero or more times.

+ This is similar to the asterisk (*) but there must be at least one match of the
character to the left of the plus sign (+) in the expression.

? This matches the character to its left zero or one time.

() This affects the order of pattern evaluation and serves as a tagged expression
that can be used when replacing the matched substring with another expression.

[] This encloses a set of characters and indicates that any of the enclosed
characters can match the target character.

\ This allows for specifying a character that would otherwise be interpreted as
special.

\xHH represents the character whose value is the same as the value
represented by (HH) hexadecimal digits [0-9A-Fa-f]. The value must not be zero.

BEL is the same as \x07; BS is \x08; FF is \x0C; LF is \x0A; CR is \x0D; TAB is
\x09; and VT is \x0B.

For any other character `c', `\c' is the same as `c' except that it is never
interpreted as special.

The following provides examples of the special characters:

• a* matches any number of occurrences of the letter “a,” including none.
• a+ requires that at least one letter “a” be in the string to be matched.
• ba?b matches the string bb or bab.
• \** matches any number of asterisks (*).

To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.

(ab)* matches any number of the multiple-character string ab.

([A-Za-z][0-9])+ matches one or more instances of alphanumeric pairs but not none. An empty
string is not a match. The order for matches using multipliers (*, +, or ?) is to put the longest
construct first. Nested constructs are matched from outside to inside. Concatenated constructs
are matched beginning at the left side of the construct. Thus, the regular expression matches
A9b3 but not 9Ab3 because the letters are specified before the numbers.

You can also use parentheses around a single- or multiple-character pattern to instruct the
software to remember a pattern for use elsewhere in the regular expression. To create a regular
expression that recalls a previous pattern, you use parentheses to indicate memory of a specific
pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit
specifies the occurrence of a parenthesis in the regular expression pattern. If you have more
than one remembered pattern in your regular expression, then \1 indicates the first remembered
pattern, and \2 indicates the second remembered pattern, and so on.

The regular expression a(.)bc(.)\1\2 uses parentheses for recall. It matches an “a” followed by
any character, followed by “bc” followed by any character, followed by the first any character
again, followed by the second any character again. For example, the regular expression can
match aZbcTZT. The software remembers that the first character is “Z” and the second
character is “T” and then uses “Z” and “T” again later in the regular expression.

Examples of Regular Expression Patterns

To Match                            Regular Expression
Hacker or hacker                    [Hh]acker
Either hot or cold                  hot|cold
Hacker using any case               [hH][aA][cC][kK][eE][rR]
Either hot or cold using any case   [hH][oO][tT]|[cC][oO][lL][dD]

The following table shows examples of regular expression patterns:

Regular Expression Pattern Examples

To Match Regular Expression

Hacker Hacker

Hacker or hacker [Hh]acker

Variations of bananas, banananas, banananananas Ba(na)+s

Either hot or cold hot|cold

Either moon or soon (m|s)oon
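The following Python script is an added example; it is not part of the course material and is not the sensor's matching engine. It uses Python's re module as a stand-in for the sensor's string matcher (like the Cisco subset described above, Python's re supports backreferences and \xHH escapes but not the POSIX [..], [==] and [::] expressions) to verify the patterns from the tables and examples above against constructed sample strings, and to flag a candidate pattern that falls outside the subset before it is pasted into a signature. The pattern list, the sample strings and the check function are all constructed for this example.

```python
import re

# Constructed test corpus: patterns from the course tables and examples,
# each paired with one text that should match and one that should not.
PAGE_EXAMPLES = [
    (r"[Hh]acker",                "the hacker logged in", "HACKER"),
    (r"hot|cold",                 "it is cold",           "warm"),
    (r"[hH][aA][cC][kK][eE][rR]", "HACKER",               "hacked"),
    (r"Ba(na)+s",                 "Banananas",            "Bas"),
    (r"(m|s)oon",                 "soon",                 "noon"),
    (r"a(.)bc(.)\1\2",            "aZbcTZT",              "aZbcTTZ"),
]

_POSIX_CLASS = re.compile(r"\[([.=:]).*?\1\]")   # [.x.], [=x=], [:name:]
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def check_ips_regex(pattern):
    """Return the reasons `pattern` falls outside the subset described
    in the lesson (an empty list means it is acceptable)."""
    problems = []
    if _POSIX_CLASS.search(pattern):
        problems.append("[..], [==] and [::] bracket expressions are not supported")
    i = 0
    while i < len(pattern):
        if pattern[i] != "\\":
            i += 1
            continue
        if pattern[i + 1:i + 2] == "x":          # \xHH escape
            hh = pattern[i + 2:i + 4]
            if not _HEX_PAIR.fullmatch(hh):
                problems.append(r"\x must be followed by exactly two hex digits")
            elif int(hh, 16) == 0:
                problems.append(r"\x00 is not allowed: the value must not be zero")
            i += 4
        else:                                     # \c: next character taken literally
            i += 2
    try:
        re.compile(pattern)
    except re.error as exc:
        problems.append(f"does not compile: {exc}")
    return problems


def matches(pattern, text):
    """Substring match, the way a string engine scans a payload."""
    return re.search(pattern, text) is not None


def matches_whole(pattern, text):
    """Whole-string match, used for the ([A-Za-z][0-9])+ discussion above."""
    return re.fullmatch(pattern, text) is not None


def run_page_examples():
    """True when every course example behaves as the text says."""
    return all(matches(p, yes) and not matches(p, no) for p, yes, no in PAGE_EXAMPLES)


if __name__ == "__main__":
    print("course examples agree:", run_page_examples())
    for candidate in ("[[:digit:]]", r"\x00", r"\x4", "[0-9"):
        print(candidate, "->", check_ips_regex(candidate))
```

One caveat when using Python to prototype a pattern: Python's alternation is leftmost-first, whereas POSIX-style engines prefer the longest alternative, so following the lesson's advice to put the longest construct first keeps a pattern's behaviour the same under both. Whole-string matching is used only for the ([A-Za-z][0-9])+ case, where the text's "matches A9b3 but not 9Ab3" is a statement about the whole string; a substring search would still find the pair b3 inside 9Ab3.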

Signature Engines

• A signature engine is a component of the sensor that supports a category of signatures.
• Each Cisco IPS signature is controlled by a signature engine designed to inspect a
  specific type of traffic.
• Each engine has a set of legal parameters that have allowable ranges or sets of values.
• Configurable engine parameters enable you to tune signatures to work optimally in your
  network and to create new signatures unique to your network environment.

A signature engine is a component of the sensor that supports a category of signatures. Each
Cisco IPS signature is created and controlled by a signature engine specifically designed for the
type of traffic being monitored. For example, the string TCP engine searches TCP packets for
string patterns. It controls such signatures as the following:
• Signature 3118, rwhoisd format string, which triggers upon detecting an soa command sent
  to a rwhois server with a large argument
• Signature 3138, Bagle.C virus email attachment, which fires when a pattern matching the C
  variant of the Bagle virus in an e-mail attachment is detected

An engine is composed of a parser and an inspector. Each engine has a set of legal parameters
that have allowable ranges or sets of values. These configurable engine parameters enable you
to tune signatures to work optimally in your network and to create new signatures unique to
your network environment.

Alerts

• By default, the sensor generates an alert when an enabled signature is triggered.
• The default setting that generates an alert can be disabled.
• Alerts are stored in the Event Store of the sensor.
• External monitoring applications can pull alerts from the sensor via SDEE.
• Monitoring applications can collect alerts on an as-needed basis.
• Multiple hosts can collect alerts simultaneously.
• Alerts can have any one of the following severity levels:
  – Informational
  – Low
  – Medium
  – High
• The severity level of the alert is derived from the severity level of the signature
  causing the alert.

By default, the sensor generates an alert when an enabled signature is triggered. Generating an
alert, however, is a configurable signature action that can be disabled. Alerts are stored in the
sensor Event Store. The Cisco IDM can pull alerts from the sensor via the Security Device
Event Exchange (SDEE). This capability allows a host or hosts to collect alerts on an as-needed
basis.

SDEE specifies two types of event requests for external monitoring applications such as Cisco
IDM interfacing with the sensor:
• Query: Retrieve events that are in the Event Store at the time the query request is issued
• Subscription: Establish a live feed

Note Multiple hosts can perform queries and subscribe to the live event feed simultaneously.

Every alert has a severity level that is derived from the severity level of the signature causing
the alert. Therefore, an alert, like a signature, can have one of the following severity levels:
• Informational
• Low
• Medium
• High

Alert Format


At times, you may need to look at an alert via the command-line interface (CLI) show events
command. In the output of this command, you can distinguish an alert from other types of
events by its first field, evIdsAlert. The format of an alert as it appears in the CLI conforms to
the Cisco Intrusion Detection Event Exchange standards. SDEE is a general-purpose standard
for the messaging of security events. SDEE, along with the Cisco Intrusion Detection Event
Exchange, specifies the format of event messages.

Note The Cisco Intrusion Detection Event Exchange extends the SDEE and adds IPS-specific
elements that are used in Cisco IPS Sensor Software Version 6.0 alerts.

The following is an example of a Cisco IPS Sensor Software Version 6.0 alert from signature
2004, ICMP Echo Req:

evIdsAlert: eventId=1104949863483006238 severity=informational vendor=Cisco
originator:
hostId: sensor1
appName: sensorApp
appInstanceId: 375
time: 2006/12/27 14:15:38 2006/12/27 06:15:38 GMT-08:00
signature: description=ICMP Echo Req id=2004 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0

participants:
attacker:
addr: locality=OUT 10.0.1.12
target:
addr: locality=OUT 172.26.26.50
os: idSource=unknown relevance=relevant type=unknown
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 35
threatRatingValue: 35
interface fe0/1
protocol icmp

The information in Cisco IPS alerts is labeled intuitively. For example, the signature:
description and eventID fields obviously contain the name and identification number of the
signature. The following list provides additional details and information on some of the less
intuitive fields, listed as they will appear on your screen:
• vendor: This is always Cisco for Cisco products. This field is included in SDEE format
  because vendors other than Cisco use SDEE.
• originator: This contains the following subfields that provide information on the originator
  of the alert:
  – hostId: Name of the sensor that originated the alert
  – appName: Name of the application that originated the alert
  – appInstanceId: Numerical value that uniquely identifies this instance of the
    application that originated the alert
• marsCategory: This is the category of event to be used by Cisco Security Monitoring,
  Analysis, and Response System (MARS).
• interfaceGroup: This is the name of the interface group that received the traffic.
• vlan: This is the VLAN number associated with packets involved in the activity that
  triggered the alert. If this field is omitted or the value is 0, no VLAN information is
  available.
• participants: This contains the following subfields providing information about hosts that
  participated in the attack, either as attackers or targets:
  – attacker: Host or hosts involved in attacking each of the target hosts
    • addr: locality: This is the IP address of the attacker and where this address is
      located. The locality subfield is a string that indicates the relative location of the
      attacker address within the network topology. It indicates, for example, whether
      the host is within the protected network, the demilitarized zone (DMZ), or the
      external (unprotected) network. The locality subfield displays a single locality
      per address. If the address matches many localities, the most specific match is
      displayed. For example, if the address matches both IN and DMZ1, DMZ1 is
      displayed.

Note Locality names such as IN and DMZ1 come from event variables that you define. You can
create event variables and then use those variables in event action filters. Event variables
enable you to use the same value within multiple filters.

  – target: Host or hosts that are the target of an attack by each of the attackers
    • addr: locality: This is the IP address of the target host and where this address is
      located. The locality subfield is a string that indicates the relative location of the
      target address within the network topology. It indicates, for example, whether
      the host is within the protected network, the DMZ, or the external (unprotected)
      network. The locality subfield displays a single locality per address. If the
      address matches many localities, the most specific match is displayed. For
      example, if the address matches both IN and DMZ1, DMZ1 is displayed.
    • os: This is the operating system of the target host.

Note Base 64 is a method of encoding arbitrary data as plain ASCII text.

• riskRatingValue: This is the value that represents the calculated risk associated with the
  detected activity. The risk value is calculated using multiple factors and has a range
  between 0 and 100 (inclusive), where 0 represents the lowest risk and 100 the greatest risk.
• threatRatingValue: This is the value that represents the calculated threat associated with
  the detected activity. The threat value is calculated using multiple factors and has a range
  between 0 and 100 (inclusive), where 0 represents the lowest threat and 100 the greatest
  threat.
• interface: This provides traffic source information. The Interface field holds a simple value
  such as fe1_0.
• protocol: This is the network protocol wherein the malicious content was discovered.
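As an added example (not course material, and not Cisco's SDEE or IDM code), the following Python script parses show events text such as the signature 2004 alert above into a nested structure and pulls out the fields an analyst triages on first. The sample alert is the lesson's own, re-indented by hand because the nesting depth is lost in the printed text; that indentation, and the rule used to separate a line's own trailing value (the 35 of riskRatingValue, the address of addr) from its key=value attributes, are assumptions of this example rather than a documented grammar.

```python
import re

# Constructed sample: the lesson's signature 2004 alert, with indentation
# restored by hand (the nesting depth is an assumption of this example).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1104949863483006238 severity=informational vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 375
  time: 2006/12/27 14:15:38 2006/12/27 06:15:38 GMT-08:00
  signature: description=ICMP Echo Req id=2004 version=S1
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.1.12
    target:
      addr: locality=OUT 172.26.26.50
      os: idSource=unknown relevance=relevant type=unknown
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 35
  threatRatingValue: 35
  interface fe0/1
  protocol icmp
"""

# key=value pairs; a value runs until the next " key=" or end of line,
# so multi-word values such as description=ICMP Echo Req survive intact.
_ATTR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Heuristic (assumed): a bare IPv4 address or integer at the end of the
# last attribute is the line's own value, not part of that attribute.
_TRAILING = re.compile(r"^(.*\S)\s+(\d{1,3}(?:\.\d{1,3}){3}|\d+)$")


def _split_body(body):
    """Return (attrs, value) for the text that follows 'key:'."""
    body = body.strip()
    if "=" not in body:
        return {}, body
    attrs = dict(_ATTR.findall(body))
    value = ""
    if attrs:
        last_key = list(attrs)[-1]
        m = _TRAILING.match(attrs[last_key])
        if m:
            attrs[last_key], value = m.group(1), m.group(2)
    return attrs, value


def parse_alert(text):
    """Parse indented 'key: body' (or 'key body') lines into nested nodes.
    Each node is {'attrs': {...}, 'value': str, 'children': {...}}.
    Repeated keys at one level (several attackers) overwrite each other;
    a production parser would keep a list."""
    root = {"attrs": {}, "value": "", "children": {}}
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if ":" in line.split()[0]:
            key, _, body = line.partition(":")
        else:                       # 'interface fe0/1', 'protocol icmp' have no colon
            key, _, body = line.partition(" ")
        node = {"attrs": {}, "value": "", "children": {}}
        node["attrs"], node["value"] = _split_body(body)
        while stack[-1][0] >= indent:   # climb back to this line's parent
            stack.pop()
        stack[-1][1]["children"][key] = node
        stack.append((indent, node))
    return root


def summarize(text):
    """Pull the fields an analyst looks at first out of one alert."""
    alert = parse_alert(text)["children"]["evIdsAlert"]
    kids = alert["children"]
    sig = kids["signature"]
    parts = kids["participants"]["children"]
    return {
        "event_id": alert["attrs"]["eventId"],
        "severity": alert["attrs"]["severity"],
        "sensor": kids["originator"]["children"]["hostId"]["value"],
        "sig_id": int(sig["attrs"]["id"]),
        "subsig_id": int(sig["children"]["subsigId"]["value"]),
        "description": sig["attrs"]["description"],
        "attacker": parts["attacker"]["children"]["addr"]["value"],
        "attacker_locality": parts["attacker"]["children"]["addr"]["attrs"]["locality"],
        "target": parts["target"]["children"]["addr"]["value"],
        "risk_rating": int(kids["riskRatingValue"]["value"]),
        "threat_rating": int(kids["threatRatingValue"]["value"]),
        "vlan": int(kids["vlan"]["value"]),
        "interface": kids["interface"]["value"],
        "protocol": kids["protocol"]["value"],
    }


if __name__ == "__main__":
    for field, val in summarize(SAMPLE_ALERT).items():
        print(f"{field:18} {val}")
```

The summary is what a monitoring script would hand to a SIEM or use to decide which alerts to look at first: a risk rating of 35 on an informational ICMP echo request from an OUT locality is routine, and the same structure lets you filter on sig_id, locality or risk_rating before anyone reads the raw text.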

How to Locate Signature Information
This topic explains how to locate information about specific signatures and describes the Cisco
Intrusion Prevention Alert Center.

The Cisco Security Center

(Figure: the Cisco Security Center page, with its Active Threats, Intel Reports, and Search IPS Signatures areas called out.)

Up-to-the-minute signature and attack information is available at the Cisco Security Center,
which provides information on emerging threats and quick access to the latest signatures. The
Intelligence Reports section of the Cisco Security Center contains information about new
malicious Internet activity. It provides the names of the most recent threats along with the date,
severity level, and status of each threat, and a link to other sources of information about the
various threats.

Note The Cisco Security Center can be found at http://www.cisco.com/security.

Signature Details

(Figure: a Signature Details page, with the Signature Name, Signature ID, Release Version, Release Date, Description, Alarm Severity, Benign Triggers, Related Threats, and Software Download Center areas called out.)

The figure shows an example of the Signature Details page that displays when you click the
name of a related signature from the Cisco Security Center page. A typical page contains the
following information fields about a signature:
• Signature Name: The name of the signature
• Signature ID: A unique identification number for the signature
• Alarm Severity: The default alarm severity level assigned to the signature
• Release Version: The signature update in which the signature was released
• Release Date: The date on which the signature update was released
• Signature Description: A concise description of the signature
• Benign Triggers: An explanation of any false positives that may appear to be exploits, but
  are actually normal network activity
• Related Security Reports: Links to intelligence reports that offer additional insight
  regarding the vulnerability and its consequences

Note A valid Cisco.com account is required to view the threat details.

Vulnerability Alert Details


If you click on the name of one of the latest or active threats listed in the Example Recent
IntelliShield Alerts section of the Cisco Security Center main page, you are taken to a page that
provides more information about the threat:
• The date the threat was discovered
• A concise description
• The damage that the threat can impose
• A description of what can be done to protect systems from the threat
• A list of operating systems that can be affected by the threat and links to patches for each
  operating system
• A list of software that can be affected by the threat

How to Configure Basic Signatures
This topic explains how to enable, disable, retire, activate, and assign actions to signatures.

Signature Configuration Tasks

Basic signature configuration includes the following:

• Enabling or disabling the signature
• Assigning the signature action

By default, the Cisco IPS signatures are configured to meet the needs of most average
deployments. The most critical signatures are enabled to provide you immediately with a
certain level of security. Depending on your security policy and the location of your sensor or
sensors, you can choose to enable specific signatures that are disabled by default, tune certain
signatures, or even create custom signatures. Before modifying any signature settings or
creating new signatures, study the built-in signatures and their default settings and consider the
following:
• Network protocols: Consider the network protocol of the traffic to be examined. For
  example, if you are concerned with Enhanced Interior Gateway Routing Protocol (EIGRP)
  packets, you might want to examine the configurable parameters of signatures that examine
  IP packets and are triggered by the contents of a single packet.
• Target address: Consider the target of any anticipated attack. For example, if you are
  concerned with an excessive number of packets being sent to a specific network, you might
  want to examine the configurable parameters of signatures that detect an excessive volume
  of packets sent to a network.
• Target port: Consider the anticipated target ports of the attack. For example, if you are
  concerned with connections to a specific UDP port or a range of UDP ports, you might
  want to examine the configurable parameters of signatures that detect those connections.
• Type of attack: Consider any anticipated type of attack. For example, if you anticipate
  DoS attacks, you might want to examine the signatures that are commonly used to detect
  DoS attacks. If you anticipate reconnaissance attacks, you might want to examine the
  signatures that are commonly used to detect network reconnaissance attacks.
• Payload inspection: Consider the need to inspect the payload of a packet for a string
  pattern. For example, if you must detect a string pattern in a TCP packet, you might want to
  examine the configurable parameters of signatures that are designed to detect a string
  pattern in a TCP packet.

After determining the needs of your specific deployment and familiarizing yourself with the
built-in signatures and their default settings, you can begin to modify signature settings as
needed. All signatures have the following two basic configurable parameters:
• Enable: Enables or disables the signature
• Action: Assigns the action to take if the signature is triggered

Note You must be an administrator or operator to add, clone, enable, disable, edit, or delete
signatures.

Accessing the Signature Configuration Page

(Figure: Cisco IDM with the Configuration button, the Signature Definitions item, the Signature Configuration tab, and the Select By drop-down menu called out.)

You can access signatures of interest in a variety of ways from the Cisco IDM. To begin, click
Configuration, choose Signature Definitions, and then click the Signature Configuration
tab to access the Signature Configuration panel. By default, the Signature Configuration panel
displays signatures listed by signature ID number. You can use the Select By drop-down menu
to display signatures in different ways, such as the types of attack they detect, or the services
that they inspect. When you change your selection in the Select By drop-down menu, the Select
Criteria drop-down menu changes to correspond to your selection.

For example, if you are searching for a UDP flood signature, choose DoS from the Select By
drop-down menu. The Select Criteria drop-down menu becomes a Select Type drop-down
menu. You can then choose UDP Floods from the Select Type drop-down menu. The Signature
Configuration panel refreshes and displays only those signatures that match your sorting
criteria.

Cisco IPS Sensor Software Version 6.x greatly increases the choices available in searching for
signatures. From the Select By drop-down menu, you can choose one of the following:
• Active Signatures: Displays all individual signatures that have not been retired, listed in
  ascending numerical order by signature ID number
• Sig ID: Displays signatures by signature ID number
• Sig Name: Displays signatures by signature name
• Enabled: Displays all signatures that are enabled, or in other words, actively running on
  the sensor
• Severity: Displays signatures based on their severity level
• Fidelity Rating: Allows you to define a fidelity rating range of numbers, and then displays
  only those signatures within that fidelity range
• Base RR: Similar to fidelity rating, allows you to define a range of numbers and then
  displays only those signatures within that range

• Action: Displays signatures grouped by assigned signature actions
• Type: Displays signatures based on type such as tuned, custom, or default
• Engine: Displays signatures grouped by engine
• Adware/Spyware: Displays signatures designed to address adware and spyware issues
• Attack: Displays signatures grouped by attack types
• DDOS: Displays distributed denial of service (DDoS) signatures
• DOS: Displays DoS signatures
• Email: Enables you to display e-mail signatures by protocol such as Internet Message
  Access Protocol (IMAP) or Simple Mail Transfer Protocol (SMTP)
• Instant Messaging: Displays instant messaging (IM) signatures by IM application
• L2/L3/L4 Protocol: Enables you to display signatures grouped by network protocol type
  including Address Resolution Protocol (ARP), IP fragment, IPv6, and others
• Network Services: Displays signatures based on network service protocols such as DHCP
  or Border Gateway Protocol (BGP)
• OS: Enables you to display signatures grouped by operating system type
• Other Services: Displays signatures based on application layer services such as FTP,
  HTTP, NetBIOS/Server Message Block (SMB), and others
• P2P: Displays signatures based on different peer-to-peer file sharing applications
• Reconnaissance: Enables the display of signatures such as ping sweeps and different types
  of port scans
• Releases: Enables you to display signatures grouped by signature update release
• Viruses/Worms/Trojans: Displays signatures based on malware defined as these three
  types
• Web Server: Enables you to display signatures based on specific web servers
• Active & Retired Signatures: Enables you to display all signatures known to the sensor,
  whether active or not

A signature can be in multiple groups. For example, web signatures would be found in the
Other Services group and in the Web Server group. Editing a signature in one group affects it in
all groups. The last edit that you make is the one that is applied.

Locating Signatures by Sig ID

(Figure: the Signature Configuration panel with the Select By drop-down menu, the Enter Sig ID field, and the Find button called out.)

The figure shows the Signature Configuration panel as it appears when Sig ID is chosen from
the Select By drop-down menu. The Select Criteria drop-down menu becomes an Enter Sig ID
field that enables you to enter the signature ID of the signature that you are trying to locate.
When the Enter Sig ID field is displayed, it is accompanied by a Find button. Click Find to
locate the signature of the signature ID that you entered. The following parameters of the
signature are displayed in the Signature Configuration panel:
• SigID: This identifies the number assigned to the signature.
• Subsig ID: This identifies the number assigned to the subsignature. Usually this is 0.
• Name: This identifies the name assigned to the signature.
• Enabled: This identifies whether the signature is enabled. A signature must be enabled for
  the sensor to protect against the traffic specified by the signature.
• Severity: This identifies the severity level that the signature will report: High,
  Informational, Low, and Medium.
• Fidelity Rating: This identifies the weight associated with how well this signature might
  perform in the absence of specific knowledge of the target.
• Base RR: This displays the base risk rating value of each signature. Cisco IDM
  automatically calculates the base risk rating by multiplying the Fidelity Rating and the
  Severity factor and dividing them by 100 (Fidelity Rating x Severity factor / 100).
  – The Severity factor has the following values:
    • Severity factor = 100 if the signature severity level is High.
    • Severity factor = 75 if the signature severity level is Medium.
    • Severity factor = 50 if the signature severity level is Low.
    • Severity factor = 25 if the signature severity level is Informational.
• Action: This identifies the actions that the sensor will take when this signature fires.

• Type: This identifies whether this signature is a default (built-in), tuned, or custom
  signature.
• Engine: This identifies the engine that parses and inspects the traffic specified by this
  signature.
• Retired: This identifies whether the signature is retired.

Caution A retired signature is removed from the signature engine. You can activate a retired
signature to place it back in the signature engine.

Note These parameters are displayed for all signatures that you display in the Signature
Configuration panel, regardless of how you display them.

3-26 Implementing Cisco Intrusion Prevention Systems (IPS) v6.0 © 2007 Cisco Systems, Inc.
Locating Signatures by Service

[Slide: Signature Configuration panel with the Select By and Select Service drop-down menus called out]

The figure shows the Signature Configuration panel when Other Services is selected from the
Select By drop-down menu. The Select Criteria drop-down menu becomes a Select Service
drop-down menu that enables you to choose a network service. In the figure, NETBIOS/SMB
is selected, so the Signature Configuration panel displays a list of signatures that inspect
NetBIOS and SMBs.

Locating Signatures by OS

[Slide: Signature Configuration panel with the Select By and Select OS drop-down menus called out]

Often it is desirable to enable or disable an entire group of signatures based on the operating
system that they protect. Perhaps there are no IBM Advanced Interactive eXecutive (AIX) servers
in your environment and, as a noise reduction strategy, you choose to disable all AIX signatures.
In this case, you would want to locate all AIX signatures and disable them as a group.

Step 1 Click Configuration, choose Signature Definitions, and click the Signature
Configuration tab. The Signature Configuration panel is displayed.
Step 2 In the Select By drop-down box choose OS.

Step 3 From the Select Criteria drop-down box, choose the operating system in which you
are interested.

Enabling and Disabling Signatures

[Slide: Signature Configuration panel with the Select All, Enable, and Disable buttons called out]

Complete the following steps to enable a signature:

Step 1 Click Configuration, choose Signature Definitions, and click the Signature
Configuration tab. The Signature Configuration panel is displayed.
Step 2 Locate the signature that you want to enable.

Step 3 Look at the Enabled column to determine the status of the signature. A signature that
is currently enabled has the value Yes in this column.
Step 4 If the signature is currently disabled, choose the signature and click Enable.

Step 5 Click Apply to apply your changes and save the revised configuration.

To disable a signature that is currently enabled, choose the signature and click Disable. You
can enable or disable all signatures in a group by clicking Select All before clicking the Enable
or Disable button.

Configuring Signature Actions

[Slide: Signature Configuration panel with the Actions, Restore Defaults, and Reset buttons called out]

Complete the following steps to configure signature actions:

Step 1 Click Configuration, choose Signature Definitions, and click the Signature
Configuration tab. The Signature Configuration panel is displayed.
Step 2 Locate the signature or signatures to which you want to assign actions.

Step 3 Choose the signature or signatures.

Step 4 Click Actions. The Assign Actions window opens.

Note The Restore Defaults button returns all parameters for the selected signature to the default
settings. The Reset button refreshes the panel by replacing any edits that you have made
with the previously configured value.

Configuring Signature Actions (Cont.)

[Slide: Assign Actions window with the action list and the Select All and Select None buttons called out]

Step 5 Check the check boxes for the actions that you want to assign to the signature. A
check mark indicates that the action is assigned to the selected signature. No check
mark indicates that the action is not assigned to any of the selected signatures. A
gray check mark indicates that the action is assigned to some of the selected
signatures. You can choose one or more of the following actions from the on-screen
list:
„ Deny Attacker Inline: This action terminates the current packet and future
packets from this attacker address for a specified period of time. The sensor
maintains a list of the attackers currently being denied by the system. You can
remove entries from the list or wait for the timer to expire. The timer is a sliding
timer for each entry. Therefore, if attacker A is currently being denied but issues
another attack, the timer for attacker A is reset, and attacker A remains in the
denied attacker list until the timer expires. If the denied attacker list is at
capacity and cannot add a new entry, the packet is still denied.

Note This action is the most severe of the deny actions. It denies current and future packets from
a single attacker address.

„ Deny Attacker Service Pair Inline: This action terminates the current packet
and future packets from the attacker address victim port pair for a specified
period of time.
„ Deny Attacker Victim Pair Inline: This action terminates the current packet
and future packets from the attacker and victim address pair for a specified
period of time.
„ Deny Connection Inline: This action terminates the current packet and future
packets on this TCP flow.
„ Deny Packet Inline: This action terminates the packet.

Note The deny actions are for inline sensors only.

„ Log Attacker Packets: This action starts IP logging on packets that contain the attacker
address and sends an alert. This action causes an alert to be written to the Event Store, even
if the Produce Alert action is not selected.
„ Log Pair Packets: This action starts IP logging on packets that contain the attacker and
victim address pair. This action causes an alert to be written to the Event Store, even if the
Produce Alert action is not selected.
„ Log Victim Packets: This action starts IP logging on packets that contain the victim
address and sends an alert. This action causes an alert to be written to the Event Store, even
if the Produce Alert action is not selected.
„ Produce Alert: This action writes the event to the Event Store as an alert.
„ Produce Verbose Alert: This action includes an encoded dump of the offending packet in
the alert. This action causes an alert to be written to the Event Store, even if the Produce
Alert action is not selected.
„ Request Block Connection: This action sends a request to a blocking device to block this
connection.
„ Request Block Host: This action sends a request to a blocking device to block this attacker
host.
„ Request SNMP Trap: This action sends a request to the Notification Application
component of the sensor to perform SNMP notification. This action causes an alert to be
written to the Event Store, even if Produce Alert is not selected.
„ Reset TCP Connection: This action sends TCP resets to hijack and terminate the TCP
flow.

The Reset TCP Connection action can be used in conjunction with the deny packet and deny
flow actions. However, deny packet and deny flow actions do not automatically cause TCP
reset actions to occur.

Note If you want to assign all actions to the selected signatures, click Select All. If you want to
remove all actions from the selected signatures, click Select None.

Step 6 Click OK to close the Assign Actions window. The Signature Configuration panel
displays the actions that you selected in the Action column for the signature that you
configured.

Step 7 Click Apply to apply your changes to the sensor and save the revised configuration.

Special Considerations for Signature Actions
This topic provides additional information about the denying and blocking actions.

Configuring General Settings for Signature Actions

[Slide: Configuration > Event Action Rules > General Settings panel with the Deny Attacker Duration, Block Action Duration, and Maximum Denied Attackers fields called out]

From the General Settings panel, you can configure how long you want to deny attackers, the
maximum number of denied attackers, and how long you want blocks to last. To access the
General Settings panel, click Configuration, choose Event Action Rules, and click the
General Settings tab.

When you have completed your configuration, click Apply to apply your changes to the sensor,
or click Reset to replace any edits that you made with the previously configured value.

Managing Denied Attackers

[Slide: Monitoring > Denied Attackers panel with the Clear List, Refresh, and Reset All Hit Counts buttons called out]

The Denied Attackers panel displays the IP addresses of all the attackers that have been denied
and the hit count for each denied attacker. You can reset the hit count for all IP addresses or
clear the list of denied attackers. To access the Denied Attackers panel, click Monitoring and
choose Denied Attackers. Click Refresh to refresh the list and use the following buttons as
needed:
„ Reset All Hit Counts: Clears the hit count for the denied attackers
„ Clear List: Clears the entire list of denied attackers

Note Rebooting the sensor deactivates the denied attacker list.
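The behaviour described for Deny Attacker Inline and the Denied Attackers panel (a sliding timer per attacker that is reset by each new attack, a list capacity beyond which a packet is still dropped but the attacker is not remembered, hit counts that can be reset, and a list that can be cleared) modelled in Python as an added example. This is not Cisco sensor code: the class, the field names, the deny duration, the capacity and the sample addresses and timings are constructed for the demonstration, and the sensor's real data structures are not shown on this page.

```python
"""Model of the sensor's denied-attacker list as the text describes it.

Added example, not Cisco sensor code. Duration, capacity, addresses and
timestamps below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class DenyEntry:
    expires_at: float      # sliding timer: pushed out again on every new attack
    hit_count: int = 0     # what the Denied Attackers panel shows per address


@dataclass
class DeniedAttackerList:
    deny_attacker_duration: float   # seconds (Deny Attacker Duration, General Settings)
    max_denied_attackers: int       # list capacity (Maximum Denied Attackers)
    entries: dict = field(default_factory=dict)   # attacker address -> DenyEntry

    def _expire(self, now: float) -> None:
        """Drop entries whose sliding timer has run out."""
        for addr in [a for a, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[addr]

    def attack_seen(self, attacker: str, now: float) -> bool:
        """Deny Attacker Inline fired for `attacker` at time `now`.

        Returns True if the attacker is tracked on the list afterwards, False
        if the list was full and the address could not be added. In both cases
        the triggering packet itself is denied."""
        self._expire(now)
        entry = self.entries.get(attacker)
        if entry is None:
            if len(self.entries) >= self.max_denied_attackers:
                return False        # packet dropped, but no entry is created
            entry = self.entries[attacker] = DenyEntry(expires_at=now)
        entry.expires_at = now + self.deny_attacker_duration   # timer is reset
        entry.hit_count += 1
        return True

    def is_denied(self, attacker: str, now: float) -> bool:
        """Would a later packet from `attacker` at time `now` be dropped?"""
        self._expire(now)
        return attacker in self.entries

    def denied_attackers(self, now: float) -> dict:
        """Contents of the Denied Attackers panel: address -> hit count."""
        self._expire(now)
        return {a: e.hit_count for a, e in self.entries.items()}

    def reset_all_hit_counts(self) -> None:
        for e in self.entries.values():
            e.hit_count = 0

    def clear_list(self) -> None:
        self.entries.clear()


def demo() -> dict:
    """Walk through the sliding timer and the list-at-capacity edge case."""
    dl = DeniedAttackerList(deny_attacker_duration=3600, max_denied_attackers=2)
    dl.attack_seen("198.51.100.7", now=0)       # entry expires at t=3600
    dl.attack_seen("203.0.113.9", now=10)       # entry expires at t=3610
    third_listed = dl.attack_seen("192.0.2.33", now=20)   # list full: False
    dl.attack_seen("198.51.100.7", now=3000)    # timer slides out to t=6600
    return {
        "third_listed": third_listed,
        "first_still_denied_at_4000": dl.is_denied("198.51.100.7", 4000),
        "second_still_denied_at_4000": dl.is_denied("203.0.113.9", 4000),
        "panel_at_4000": dl.denied_attackers(4000),
    }
```

Running demo() shows the two points that matter operationally: the first attacker is still denied at t=4000 only because its timer was reset at t=3000, and the third attacker was never listed, so a later packet from it is not dropped even though the packet that fired the signature was. Size Maximum Denied Attackers with that second case in mind.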

Summary
This topic summarizes the key points that were discussed in this lesson.

ƒ A signature is a set of rules that your sensor uses to detect typical intrusive activity.
Cisco IPS Sensor Software Version 6.0 has over 1500 signatures.
ƒ Information about signatures can be found at the Cisco Intrusion Prevention Alert Center.
ƒ Signatures can be configured to drop traffic, log traffic, request blocking by another
network device, terminate the session using TCP resets, send an SNMP trap, or simply record
an alert in the Event Store. You must be an administrator or operator to add, clone, enable,
disable, edit, or delete signatures.
ƒ You can configure how long you want to deny attackers, the maximum number of denied
attackers, and how long you want blocks to last.

Lesson 2

Examining the Signature Engines

Overview
This lesson introduces the engine architecture found in the Cisco Intrusion Prevention System
(IPS) 4200 Series Sensors running Cisco IPS Sensor Software Version 6.0. This lesson will
introduce each category of engine and briefly define each engine.

Objectives
Upon completing this lesson, you will be able to describe the functions of signature engines and
their parameters. This ability includes being able to meet these objectives:
„ Describe the different signature engines used by the sensor
„ Describe the configuration parameters common to all signature engines
„ Describe the ATOMIC signature engines
„ Describe the FLOOD signature engines
„ Describe the SERVICE signature engines, including the new TNS and SMB advanced
signature engines
„ Describe the STRING signature engines
„ Describe the SWEEP signature engines
„ Describe the TROJAN signature engines
„ Describe the TRAFFIC signature engines
„ Describe the AIC signature engines
„ Describe the STATE signature engine
„ Describe the META signature engine
„ Describe the NORMALIZER engine

Introducing Cisco IPS Signature Engines
This topic introduces the signature engines used by sensors.

Signature Engine Overview

Each Cisco IPS signature is created by a signature engine specifically designed for the type of
traffic being monitored. A signature engine is a component of the sensor that supports a
category of signatures. An engine is composed of a parser and an inspector. Each engine has a
set of legal parameters that have allowable ranges or sets of values. Cisco IPS signature engines
enable network security administrators to tune and create signatures unique to their network
environment.

Engine Usage

Here are some of the general categories of Cisco IPS signature engines:
„ ATOMIC: Used to perform per-packet inspection (The ATOMIC engines support
signatures that trigger on the analysis of a single packet.)
„ FLOOD: Used to detect attempts to cause a denial of service (DoS)
„ META: Used to perform event correlation on the sensor
„ NORMALIZER: Used to detect ambiguities and abnormalities in the traffic stream
„ SERVICE: Used when services with Layers 5, 6, and 7 require protocol analysis
„ STATE: Used for state-based and regular expression-based pattern inspection and
alarming functionality for TCP streams

Engine Usage (Cont.)

„ STRING: Used for regular expression-based pattern inspection and alarm functionality for
multiple transport protocols, including TCP, User Datagram Protocol (UDP), and Internet
Control Message Protocol (ICMP)
„ SWEEP: Used to detect network reconnaissance
„ TRAFFIC: Identifies traffic irregularities
„ TROJAN: Used to detect Back Orifice Trojan horse traffic and Tribe Flood Network 2000
(TFN2K) Trojan or distributed denial of service (DDoS) traffic
„ Application Inspection and Control (AIC): Used for deep-packet inspection of FTP and
HTTP traffic

Common Signature Engine Parameters
This topic describes the configuration parameters that are common to all signature engines.

Engine Parameters

Signature engines use their parameters to provide the configuration of signatures. An engine
parameter is a name and value pair. The name is defined by each engine, and the value has
limits that are defined by the engine so that only values falling within a particular range are
valid. The parameter name is constant across all signatures in a particular engine, but the value
can be different for the various signatures in an engine group.

Some parameters are common across all engines, and others are specialized for a specific
engine. The engine-specific parameters apply only to the signatures within a specific engine.
Engine-specific parameters are explained in the next topics of this lesson.

Note Although all signatures have the EventAction parameter, you can select only actions that
make sense for that engine.

Common Parameters

[Slide: Edit Signature window with the common parameters called out: Signature ID, SubSignature ID, Alert Severity, Sig Fidelity Rating, Promiscuous Delta, Sig Description (Signature Name, Alert Notes, User Comments, Alert Traits, Release), Engine, and Event Counter (Event Count, Event Count Key, Specify Alert Interval)]

Signature engines enable you to configure signatures by modifying their parameters. Some
parameters are common across all engines, and others are specialized for a specific engine. The
Cisco IPS Device Manager (IDM) Edit Signatures window displays all the common parameters
and the parameters specific to the engine that controls the selected signature.

This table lists the common signature parameters.

Common Signature Parameters

Each entry gives the parameter, its value or range in parentheses, and its description.

„ Signature ID (1000–59000 for default signatures; 60000–65000 for custom signatures): This
is the numeric value assigned to the signature.
„ SubSignature ID (0–255): This is used with the Signature ID to create a unique numerical
identifier for a signature.
„ Alert Severity (High, Medium, Low, or Informational): This is the severity of the alert
reported in the alarm.
„ Sig Fidelity Rating (0–100): This is a weight associated with how well this signature might
perform in the absence of specific knowledge of the target. The Sig Fidelity Rating is one of
the factors used in calculating the Risk Rating. Each built-in signature has a default value
assigned by the engineer who wrote the signature.

„ Promiscuous Delta (0–30): This is the value used to determine the seriousness of an alert.
This value is deducted from the Risk Rating value when the sensor is in promiscuous mode.
You should not change this parameter. Most of the built-in signatures have a Promiscuous
Delta value of 0; only a few of them have another value. The Promiscuous Delta should be
set to 0 for most custom signatures as well.
„ Sig Description: When expanded, this displays the parameters that help you distinguish this
signature from other signatures.
„ Signature Name (string): This is the alphanumeric name assigned to the signature.
„ Alert Notes (string): This corresponds to sig-string-info in the command-line interface
(CLI). Alert Notes enables you to define extra information to be included in the alarm
message.
„ User Comments (string): This corresponds to sig-comment in the CLI. The User Comments
parameter is not reported in alerts and does not affect processing.
„ Alert Traits (0–65535): Used to further categorize a signature. You can create your own
grouping strategy to augment the traditional fields in the alert. Alert Traits is limited to 16
user-configurable bits, so 0–65535 is the valid range. The bits above 16 are reserved for use
by IPS internals.
„ Release (string): This is the signature release in which this signature became available.
„ Vulnerable OS List: This allows an administrator to configure a list of vulnerable operating
systems.
„ Mars Category: This contains the list of the Cisco Security Monitoring, Analysis, and
Response System (MARS) attack categories associated with the signature.
„ Engine: When expanded, this displays the engine-specific parameters for the signature. The
engine-specific parameters apply only to the signatures within the engine.
„ Event Counter: When expanded, this displays the parameters that determine whether the
signature fires. The Event Counter parameters enable you to configure how the sensor counts
events. For example, you can specify that you only want the signature to fire if the activity
it detects happens five times for the same address set within a specified period of time.
„ Event Count (1–65535): This corresponds to the Cisco Intrusion Detection System (IDS)
Sensor Software Version 4.x MinHits parameter. Event Count prevents the signature from
firing until the specified number of events is seen during the specified alert interval on the
specified Event Count Key. The default value is 1.
„ Event Count Key (Attacker address; Attacker address and victim port; Attacker and victim
addresses; Attacker and victim addresses and ports; Victim address): This is used for
counting multiple firings of the signature. This key influences signature firing by specifying
the address set on which the Event Count parameter is based.
„ Specify Alert Interval (2–1000): This corresponds to the Cisco IPS Sensor Software Version
5.x Alarm Interval parameter. Alert interval is a modifier that adds a sliding window time
limit for the Event Count to be met. This is the number of seconds during which the Event
Count must be met if the signature is to fire.

Common Parameters (Cont.)

[Slide: Edit Signature window with the remaining common parameters called out: Alert Frequency (Summary Mode, Summary Key, Specify Global Summary Threshold, Summary Interval) and Status (Enabled, Retired)]

„ Alert Frequency: When expanded, this displays the parameters for configuring how often the
sensor sends an alert to the Event Store when the signature is firing. The Alert Frequency
parameters enable you to control the number of alarms generated by a specific signature. By
correctly configuring Alert Frequency parameters, you can reduce the ability of an attacker
to consume resources on your sensor by flooding it with attacks. Alarm reduction also
reduces the amount of data that you must analyze.
„ Summary Mode (Fire Once: sends the first alert and then deletes the inspector; Fire All:
sends all alerts; Summarize: sends an interval summary alert; Global Summarize: sends a
global summary alert): This corresponds to the Cisco IPS Sensor Software Version 5.x
AlarmThrottle parameter. The summary mode is a technique used to limit alarm firings. The
remaining configurable Alert Frequency parameters vary depending on the summary mode
that you choose.

„ Summary Key (Attacker address; Attacker address and victim port; Attacker and victim
addresses; Attacker and victim addresses and ports; Victim address): This is the storage type
on which to summarize this signature. The Summary Key identifies the address set to use for
counting events for event summarization. For example, if you want the sensor to count
events based on whether they are from the same attacker, choose Attacker address as the
Summary Key.
„ Summary Threshold (0–65535): This is the number of alerts that must be fired by this
signature before the signature switches to summarization mode.
„ Global Summary Threshold (1–65535, configured when Specify Global Summary Threshold
is Yes): This is the number of events required to automatically change the summary mode to
Global Summarize. When the alert rate exceeds this threshold within the summary interval,
the sensor changes from sending a summary alert to sending a global summary alert. When
the rate during the interval drops below this threshold, the sensor reverts to its configured
summary mode behavior. A global summary counts the signature firings on all of the
attacker IP addresses and ports and all of the victim IP addresses and ports.
„ Summary Interval (1–65535): This defines the period of time, in seconds, used to control
alarm summarization.
„ Status: When expanded, this displays parameters for enabling, disabling, retiring, or
activating the signature.
„ Enabled (Yes: enables the signature; No: disables the signature): This is used to enable or
disable a signature.
„ Retired (Yes: retires the signature; No: activates the signature): This is used to disable aged
signatures.
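The Alert Frequency parameters in the table above (Summary Mode, Summary Key, Summary Threshold, Global Summary Threshold and Summary Interval) modelled in Python as an added example, not Cisco sensor code. The event field names, the choice to track Fire Once per Summary Key, and the sample firings are assumptions made for the demonstration; the sensor's own summarization code is not shown on this page.

```python
"""Interval model of the Alert Frequency parameters: Summary Mode, Summary Key,
Summary Threshold, Global Summary Threshold and Summary Interval.

Added example, not Cisco sensor code. Field names, the per-key treatment of
Fire Once and the sample firings are assumptions made for the demonstration.
"""
from collections import Counter

# Summary Key choices as the Cisco IDM labels them -> alert fields that make
# two firings count as "the same" event for summarization.
SUMMARY_KEY_FIELDS = {
    "Attacker address": ("attacker",),
    "Attacker address and victim port": ("attacker", "victim_port"),
    "Attacker and victim addresses": ("attacker", "victim"),
    "Attacker and victim addresses and ports":
        ("attacker", "attacker_port", "victim", "victim_port"),
    "Victim address": ("victim",),
}


class AlertSummarizer:
    def __init__(self, summary_mode, summary_key="Attacker and victim addresses",
                 summary_threshold=0, summary_interval=30,
                 global_summary_threshold=None):
        self.mode = summary_mode
        self.fields = SUMMARY_KEY_FIELDS[summary_key]
        self.summary_threshold = summary_threshold         # alerts sent before summarizing
        self.summary_interval = summary_interval           # seconds per summary period
        self.global_summary_threshold = global_summary_threshold  # None: no auto-switch
        self.interval_start = None
        self.per_key = Counter()        # firings per Summary Key in the open interval
        self.fired_keys = set()         # Fire Once bookkeeping (assumed per key)

    def _key(self, event):
        return tuple(event[f] for f in self.fields)

    def _close_interval(self, out):
        """End of a summary interval: one summary alert per key, or one global
        summary when the mode is Global Summarize or the interval's firing
        rate exceeded the Global Summary Threshold."""
        total = sum(self.per_key.values())
        held = {k: n - self.summary_threshold
                for k, n in self.per_key.items() if n > self.summary_threshold}
        if held:
            go_global = (self.mode == "Global Summarize" or
                         (self.global_summary_threshold is not None
                          and total > self.global_summary_threshold))
            if go_global:
                out.append({"type": "global summary", "count": sum(held.values())})
            else:
                out.extend({"type": "summary", "key": k, "count": n}
                           for k, n in held.items())
        self.per_key.clear()

    def observe(self, event):
        """Feed one signature firing; returns the alerts written to the Event Store."""
        key = self._key(event)
        if self.mode == "Fire All":
            return [{"type": "alert", "key": key}]
        if self.mode == "Fire Once":
            if key in self.fired_keys:
                return []
            self.fired_keys.add(key)
            return [{"type": "alert", "key": key}]
        out = []
        if self.interval_start is None:
            self.interval_start = event["time"]
        while event["time"] >= self.interval_start + self.summary_interval:
            self._close_interval(out)            # flush periods that have elapsed
            self.interval_start += self.summary_interval
        self.per_key[key] += 1
        if self.per_key[key] <= self.summary_threshold:
            out.append({"type": "alert", "key": key})   # still under the threshold
        return out

    def flush(self):
        """Close the open interval, e.g. at the end of a capture."""
        out = []
        self._close_interval(out)
        return out


def demo():
    """Constructed sample: one attacker trips the signature four times against
    each of three servers, all inside a single 30 s interval."""
    events = [{"time": t, "attacker": "198.51.100.7", "attacker_port": 40000 + t,
               "victim": f"10.0.0.{1 + t % 3}", "victim_port": 80} for t in range(12)]
    runs = {}
    for mode in ("Fire All", "Fire Once", "Summarize", "Global Summarize"):
        s = AlertSummarizer(mode, "Attacker and victim addresses",
                            summary_threshold=2, summary_interval=30,
                            global_summary_threshold=50)
        alerts = [a for e in events for a in s.observe(e)] + s.flush()
        runs[mode] = dict(Counter(a["type"] for a in alerts))
    return runs
```

demo() runs the same twelve firings through all four modes: Fire All writes twelve alerts, Fire Once writes one per attacker/victim pair, Summarize writes the first two per pair and then one summary per pair when the interval closes, and Global Summarize collapses the held firings into a single global summary. Lowering global_summary_threshold below 12 in Summarize mode reproduces the automatic switch that the Global Summary Threshold entry describes.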

Key Terminology

ƒ A = source address
ƒ a = source port
ƒ B = destination address
ƒ b = destination port
ƒ x = does not matter

AxBx = The source and destination addresses matter, but the source and destination ports do
not.

In addition to the common Event Count Key and Summary Key parameters previously
described, Cisco IPS Sensor Software Version 6.0 uses two engine-specific keys. The following
are the four Cisco IPS Sensor Software Version 6.0 key parameters:
„ Event Count Key: This is the key on which multiple firings of the signature are counted.
The Event Count Key should be less specific (more general) than the Storage Key.
„ Summary Key: This is the address set to use for counting events for event summarization.
„ Storage Key: This is the key in which internal state data for the signature itself is stored.
You can configure this parameter for the signatures controlled by the ATOMIC Address
Resolution Protocol (ARP) and SWEEP engines. For example, the Storage Key Axxb could
be used for service sweeps in which an attacker is sweeping port 80 across multiple hosts.
The attacker port and the victim address are not examined, but the victim port is examined.
For most engines, the Storage Key is determined by the engine itself or by the engine and
one or more of the other parameters, such as Protocol.
„ Meta Key: This is the storage type specific to meta signatures.

The Key parameters use A, a, B, and b to designate a source address, source port, destination
address, and destination port, respectively. This terminology uses x as a wildcard. If x occupies
the position of A, a, B, or b in the sequence AaBb, the value of that position is unimportant.
The following are valid values:
• Axxx: Attacker address only
• AxBx: Attacker and victim addresses
• Axxb: Attacker address and victim port
• xxBx: Victim address only
• AaBb: Attacker and victim addresses and ports

Note The bulleted list shows the key terminology as it appears in the CLI and the Cisco IDM,
respectively. The designators A, a, B, b, and x are not used to configure these parameters
from the Cisco IDM.

Summary Modes

You can use the Summary Mode common parameter to control the number of alarms
generated by a specific signature. The Summary Mode parameter can have one of the
following values:
• Fire Once
• Fire All
• Summarize
• Global Summarize


The Summary Mode parameter controls the number of alarms generated by a specific signature.
By correctly configuring this parameter, you can reduce the ability of an attacker to consume
resources on your sensor by flooding it with attacks. Alert reduction also reduces the amount of
data that administrators must analyze. The Summary Mode parameter can have one of the
following values:
• Fire Once: This triggers a single alarm for each unique entry based on the Summary Key
parameter settings.
• Fire All: This triggers an alarm for all activity that matches the signature characteristics.
This is effectively the opposite of the Fire Once option and can generate a considerably
larger number of alarms during an attack.
• Summarize: This consolidates alarms for the address set specified in the Summary Key
parameter. The Summarize mode limits the number of alarms generated and makes it
difficult for an attacker to consume resources on the sensor or overwhelm the administrator
with alerts. This mode also reveals how many times an activity that matches the
characteristics of a signature was observed during a specific period of time. The first
instance of intrusive activity triggers a normal alert. Subsequently, other instances of the
same activity—duplicate alerts—are counted until the end of the summary interval for the
signature. When the length of time specified by the Summary Interval parameter has
elapsed, a summary alarm is sent to the Event Store, indicating the number of alarms that
occurred during the summary interval.
• Global Summarize: This consolidates alarms for all address combinations. The Global
Summarize mode specifies that you want the sensor to send an alert the first time that a
signature fires on an address set and then send only a global summary alert that includes a
summary of all the alerts for all address sets over a given time interval.

Besides the basic alarm firing options, signatures can also take advantage of two alarm
summarization modes. Like Fire Once, the Summarize and Global Summarize modes limit the
number of alarms generated and make it difficult for an attacker to consume resources on the
sensor or overwhelm the administrator with noise.

However, a network security administrator using these alarm summarization modes receives
information on the number of times that the activity that matches the characteristics of a
signature was observed during a specific period of time. When Summarize mode is being used,
the first instance of intrusive activity triggers a normal alarm. Then, other instances are counted
until the end of the summary interval. When the length of time specified elapses, a summary
alarm is sent to the Event Store, indicating the number of alarms that occurred during the
summary interval.

Both alarm summarization modes operate in essentially the same way, except that Global
Summarize mode consolidates the alarms for all address combinations, whereas the Summarize
mode consolidates alarms only for the address set specified in the Summary Key parameter.

Threshold Parameters and Automatic
Alarm Summarization

Automatic alert summarization enables a signature to change alert modes automatically
based on the number of alerts detected within the Summary Interval parameter.

Within one Summary Interval:

Summary Mode    After Summary Threshold    After Global Summary Threshold
Fire All        Summarize                  Global Summarize
Summarize       Global Summarize           Global Summarize


Setting the Summary Threshold and Global Summary Threshold parameters enables a signature
to use variable alert summarization. To take advantage of variable alert summarization, you
must configure the signature to use the Fire All or Summarize mode. When traffic causes the
signature to fire, the Cisco IPS generates the alerts according to the original Summary Mode
setting. If the number of alerts for the signature exceeds the value configured for the Summary
Threshold parameter during a summary interval, the signature automatically switches to the
next-higher alert mode, a mode generating fewer alerts. If the number of alerts for the signature
exceeds the global summary threshold during the same summary interval, the signature
switches to Global Summarize, if not already at this level, because this is the maximum level of
alert consolidation. At the end of the summary interval, the signature reverts to its original
configured summary mode.

For example, if the signature starts with an original summary mode of Fire All, an alert is
generated every time the signature is triggered. If the number of alerts for the signature exceeds
the Summary Threshold parameter setting during a summary interval, the signature
automatically switches to Summarize mode. Finally, if the number of alerts exceeds the Global
Summary Threshold parameter during the same summary interval, the signature automatically
switches to Global Summarize mode. At the end of the summary interval, the signature reverts
to the Fire All mode.

The variable alert mode gives you the flexibility of having signatures fire an alert on every
instance of a signature but reducing the number of alerts generated when that number begins to
significantly affect the resources of the sensor and the ability of the network security
administrator to analyze the alerts being generated. This is an example of variable alert mode:
SIG ID 60000
Summary Mode: Fire All
Summary Threshold: 150
Global Summary Threshold: 300
Summary Interval: 60

Traffic1: 100 alerts in 60 seconds
Result: 100 regular alerts
Traffic2: 160 alerts in 60 seconds
Result: 150 regular alerts and 1 Summary alert with count 160
Traffic3: 320 alerts in 60 seconds
Result: 150 regular alerts and 1 Global Summary alert with count 320

Note The example assumes that all alerts are on the same address set.
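The Summary Key terminology described earlier in this lesson and the variable alert mode example just given, worked through in Python as an added example (not code from the Cisco course or the sensor software); summary_key, SigConfig, simulate_interval and the sample address values are assumptions chosen for illustration, while the thresholds, interval and expected counts are the ones stated above:

```python
# Added example, not code from the Cisco course or the sensor: a model of how a
# signature's Summary Key selects the address set that alerts are counted on,
# and of the variable alert mode (Fire All -> Summarize -> Global Summarize)
# driven by the Summary Threshold and Global Summary Threshold parameters
# within one Summary Interval. Names and data structures are assumptions.
from dataclasses import dataclass
from typing import Dict, Hashable, Iterable, List, Optional, Tuple

# Escalation order: each mode consolidates more alerts than the one before it.
MODES = ("Fire All", "Summarize", "Global Summarize")


def summary_key(spec: str, src_addr: str, src_port: int,
                dst_addr: str, dst_port: int) -> Tuple:
    """Apply a key spec such as 'AxBx' or 'Axxb' to one attacker/victim tuple.

    Positions follow the AaBb convention: A = attacker address, a = attacker
    port, B = victim address, b = victim port, x = does not matter. Fields
    marked x become None so that differing values collapse onto one address set.
    """
    if len(spec) != 4:
        raise ValueError("key spec must be 4 characters, for example 'AxBx'")
    fields = (src_addr, src_port, dst_addr, dst_port)
    key = []
    for ch, want, value in zip(spec, "AaBb", fields):
        if ch == want:
            key.append(value)
        elif ch == "x":
            key.append(None)
        else:
            raise ValueError(f"unexpected {ch!r} in the {want!r} position")
    return tuple(key)


@dataclass(frozen=True)
class SigConfig:
    sig_id: int
    summary_mode: str             # configured mode: "Fire All" or "Summarize"
    summary_threshold: int
    global_summary_threshold: int
    summary_interval: int         # seconds; one call below is one interval


@dataclass
class IntervalResult:
    regular_alerts: int
    summary_alerts: List[Tuple[str, Optional[Hashable], int]]
    final_mode: str               # mode reached before the end-of-interval revert


def simulate_interval(cfg: SigConfig, fires: Iterable[Hashable]) -> IntervalResult:
    """Process the address-set key of every signature fire within one interval."""
    if cfg.summary_mode not in MODES[:2]:
        raise ValueError("variable alert mode requires Fire All or Summarize")
    mode = cfg.summary_mode
    next_higher = MODES[MODES.index(cfg.summary_mode) + 1]
    total = 0
    regular = 0
    per_set: Dict[Hashable, int] = {}
    for key in fires:
        total += 1
        per_set[key] = per_set.get(key, 0) + 1
        # Thresholds are checked before this fire is alerted, so the fire that
        # pushes the count past a threshold is the first one to be consolidated.
        if total > cfg.global_summary_threshold:
            mode = "Global Summarize"
        elif total > cfg.summary_threshold:
            mode = next_higher
        if mode == "Fire All":
            regular += 1          # every fire produces a regular alert
        elif per_set[key] == 1:
            regular += 1          # first fire on an address set still alerts
    summaries: List[Tuple[str, Optional[Hashable], int]] = []
    if mode == "Summarize":
        # One summary alert per address set. Assumed: a set with a single fire
        # was fully reported by its regular alert and gets no summary.
        summaries = [("Summary", k, n) for k, n in per_set.items() if n > 1]
    elif mode == "Global Summarize":
        summaries = [("Global Summary", None, total)]
    # The signature reverts to cfg.summary_mode for the next interval; a caller
    # models that by calling this function again with the same cfg.
    return IntervalResult(regular, summaries, mode)


if __name__ == "__main__":
    sig = SigConfig(60000, "Fire All", 150, 300, 60)   # values from the text
    # Constructed traffic: every fire is on the same victim-address key (xxBx).
    victim = summary_key("xxBx", "10.0.0.5", 40000, "192.0.2.10", 80)
    for n in (100, 160, 320):
        r = simulate_interval(sig, [victim] * n)
        print(f"{n} alerts in {sig.summary_interval} s -> "
              f"{r.regular_alerts} regular, summaries={r.summary_alerts}")
```

Running the three traffic cases reproduces the counts above (100 regular; 150 regular plus one Summary alert with count 160; 150 regular plus one Global Summary alert with count 320).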

ATOMIC Signature Engines
This topic discusses the ATOMIC signature engines and their configuration parameters.

ATOMIC Signature Engines

Engine Name     Engine Description
ATOMIC ARP      Examines ARP packets
ATOMIC IP       Examines ICMP, IP, TCP, and UDP packets
ATOMIC IPv6     Detects IOS vulnerabilities from malformed IPv6 packets


ATOMIC signature engines support signatures that are triggered by the contents of a single
packet. Because the ATOMIC signature engines examine single packets, they do not need to
maintain state. Therefore, they do not store any persistent data across multiple data packets.

The following are ATOMIC signature engines:
• ATOMIC ARP: This engine is used to examine basic Layer 2 packets. This engine can
also be used for more advanced detection of the ARP spoof tools dsniff and ettercap.
• ATOMIC IP: This engine is used to examine IP packets.
• ATOMIC IP version 6 (IPv6): This engine detects Cisco IOS Software vulnerabilities that
are stimulated by malformed IPv6 traffic.

FLOOD Signature Engines
This topic discusses the FLOOD signature engines and their specific configuration parameters.

FLOOD Signature Engines

Engine Name     Engine Description
FLOOD.NET       Looks for an excessive number of packets sent to a network segment
FLOOD.HOST      Looks for an excessive number of ICMP or UDP packets sent to a target host


The FLOOD signature engines detect attacks in which the attacker is directing a flood of traffic
to either a single host or the entire network. The FLOOD engines are commonly used to detect
DoS attacks. The following are the FLOOD signature engines:
• FLOOD.NET: Used to examine an excessive number of packets sent to a network segment
• FLOOD.HOST: Used to examine an excessive number of ICMP or UDP packets sent to a
target host

SERVICE Signature Engines
This topic discusses the SERVICE signature engines and their specific configuration
parameters.

SERVICE Signature Engines

Engine Name       Engine Description
SERVICE DNS       Examines TCP and UDP DNS packets
SERVICE FTP       Examines FTP traffic
SERVICE Generic   Emergency response engine that supplements the string and state engines
SERVICE H225      Examines the call signaling and setup in VoIP traffic
SERVICE HTTP      Examines HTTP traffic for string-based pattern matching
SERVICE IDENT     Examines TCP port 113 traffic
SERVICE MSRPC     Examines Microsoft RPC traffic


The SERVICE signature engines analyze traffic at and above Layer 5 of the Open Systems
Interconnection (OSI) architectural model. This analysis provides protocol decoding for
numerous network protocols such as Domain Name System (DNS), FTP, and HTTP.

The following are SERVICE signature engines:
• SERVICE DNS: Examines TCP and UDP DNS packets
• SERVICE FTP: Examines FTP traffic
• SERVICE Generic: Emergency response engine that supplements the string and state
engines
• SERVICE H225: Examines H.225 call signaling and call setup VoIP traffic
• SERVICE HTTP: Examines HTTP traffic for string-based pattern matching
• SERVICE IDENT: Examines TCP port 113 traffic
• SERVICE MSRPC: Examines Microsoft Remote Procedure Call (RPC) traffic

SERVICE Signature Engines (Cont.)

Engine Name                 Engine Description
SERVICE MSSQL               Examines traffic used by Microsoft SQL
SERVICE NTP                 Examines NTP traffic
SERVICE RPC                 Examines RPC traffic
SERVICE SMB                 Examines SMB traffic
SERVICE SNMP                Examines SNMP traffic
SERVICE SSH                 Examines SSH traffic
SERVICE TNS                 Examines TNS traffic
SERVICE Generic Advanced    Generically analyzes network protocols
SERVICE SMB Advanced        Inspects SMB and Microsoft RPC over SMB traffic


• SERVICE MSSQL: This engine examines traffic used by Microsoft Structured Query
Language (SQL).
• SERVICE NTP: This engine examines Network Time Protocol (NTP) traffic.
• SERVICE RPC: This engine examines remote procedure call (RPC) traffic.
• SERVICE SMB: This engine examines Server Message Block (SMB) traffic.
• SERVICE SNMP: This engine examines Simple Network Management Protocol (SNMP)
traffic.
• SERVICE SSH: This engine examines Secure Shell (SSH) traffic.
• SERVICE TNS: This engine examines Transparent Network Substrate (TNS) traffic. TNS
is an industry-standard database network protocol.
• SERVICE Generic Advanced: This engine examines generic network protocol traffic.
• SERVICE SMB Advanced: This engine examines Microsoft SMB and Microsoft RPC
over SMB traffic.

New Service Engines

• The SERVICE SMB engine has been enhanced and is available as the SERVICE SMB
Advanced engine.
• A new engine has been introduced called SERVICE TNS.
• Writing signatures for these engines requires knowledge of the Microsoft protocols.


Two new engines were added to the Cisco IPS Sensor Software Version 6.0: the SERVICE
SMB Advanced engine and the SERVICE TNS engine. TNS is a protocol used between
database clients and database servers. Both of these engines require an intimate knowledge of
the protocols that they inspect before writing signatures for them.

Both engines support regular expressions.

SERVICE SMB Advanced Engine

• Inspects SMB and Microsoft RPC over SMB traffic
• Includes regular expression support for SMB and RPC over SMB traffic
• Has a state machine for SMB and Microsoft RPC over SMB traffic
• Added NetBIOS computer name and operating system support


The SERVICE SMB Advanced engine processes Microsoft SMB and Microsoft RPC over
SMB packets. The SERVICE SMB Advanced engine uses the same decoding method for
connection-oriented Microsoft RPC as the SERVICE MSRPC engine, with the requirement that
the Microsoft RPC packet must be over the SMB protocol. The SERVICE SMB Advanced
engine supports Microsoft RPC over SMB on TCP ports 139 and 445.

SERVICE TNS Engine

• TNS is an industry-standard database network protocol.
• TNS allows database applications to communicate with other database applications over
networks running different protocols.
• The SERVICE TNS engine has support for regular expression matching.


The SERVICE TNS engine inspects the TNS protocol. TNS provides database applications
with a single common interface to all industry-standard network protocols. With TNS,
applications can connect to other database applications across networks with different
protocols. The default TNS listener port is TCP 1521. TNS also supports the redirecting of
frames, where a client is redirected to another host or to another TCP port or to both. To
support the redirecting of packets, the TNS engine listens on all TCP ports and has a quick TNS
frame header validation routine to ignore non-TNS streams.

STRING Signature Engines
This topic discusses the STRING signature engines and their specific configuration parameters.

String Signature Engines

Engine Name     Engine Description
STRING ICMP     Searches ICMP packets for a string pattern
STRING TCP      Searches TCP packets for a string pattern
STRING UDP      Searches UDP packets for a string pattern
Multi STRING    Uses multiple string matches for one signature


The STRING signature engines support regular expression pattern matching and alarm
functionality for ICMP, UDP, and TCP. STRING signatures match patterns based on a stream
of packets, not a single atomic packet. Because network streams comprise more than one
packet, matches are made in context within the state of the stream. This type of signature
analysis considers the arrival order of packets in a TCP stream and handles pattern matching
across packet boundaries. The following are STRING signature engines:
• STRING ICMP: Searches ICMP packets for a string pattern
• STRING TCP: Searches TCP packets for a string pattern
• STRING UDP: Searches UDP packets for a string pattern
• Multi STRING: Searches multiple string patterns for one signature

SWEEP Signature Engines
This topic discusses the SWEEP signature engines and their specific configuration parameters.

SWEEP Signature Engines

Engine Name        Engine Description
SWEEP              Detects a single source scanning multiple hosts or multiple ports on one host
SWEEP Other TCP    Detects odd sweeps and scans such as Queso sweep


The SWEEP signature engines detect attacks in which one system makes connections to
multiple hosts or multiple ports. The SWEEP engines are commonly used to detect network
reconnaissance. The following are the two SWEEP signature engines:
• SWEEP: Detects host sweeps, port sweeps, and service sweeps
• SWEEP Other TCP: Detects odd sweeps and scans such as Insecure.Com Network
Mapper (Nmap) or Queso sweeps

SWEEP Engine

• The SWEEP engine controls the following types of signatures:
– ICMP
– TCP
– UDP
• Signatures controlled by the SWEEP engine detect the following types of sweeps:
– Host sweeps
– Port sweeps
– Service sweeps


The SWEEP engine controls the following types of signatures:
• ICMP signatures
• TCP signatures
• UDP signatures
These signatures detect the following types of sweeps:
• Host sweep: A single host attempting to connect to multiple hosts
• Port sweep: A single host attempting to connect to multiple ports on one host
• Service sweep: A single host attempting to access a given service on multiple hosts (a
service sweep counts unique target hosts on the same port)
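The three sweep types above, together with the Storage Key Axxb example given earlier for service sweeps, modelled as an added Python example (not code from the Cisco course or the sensor software); storage_key, count_sweeps, the unique_threshold name and the sample connection tuples are constructed assumptions, and only the key specs and the unique-counting rule come from the text:

```python
# Added example, not code from the Cisco course or the sensor: a model of the
# unique counting the SWEEP engine performs for host, port and service sweeps,
# bucketed the way the Storage Key parameter describes (for example Axxb for a
# service sweep). Connection tuples, the threshold name and all addresses are
# constructed for illustration.
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# One observed connection attempt: (A, a, B, b) = attacker address, attacker
# port, victim address, victim port.
Conn = Tuple[str, int, str, int]

# Storage Key for each sweep type, and the field counted uniquely inside it.
SWEEP_TYPES = {
    "host":    {"key": "Axxx", "unique": "B"},  # one attacker, many victim hosts
    "port":    {"key": "AxBx", "unique": "b"},  # one attacker, one victim, many ports
    "service": {"key": "Axxb", "unique": "B"},  # one attacker, one port, many hosts
}
FIELD_INDEX = {"A": 0, "a": 1, "B": 2, "b": 3}


def storage_key(spec: str, conn: Conn) -> Tuple[Optional[object], ...]:
    """Replace the x positions of the AaBb tuple with None."""
    return tuple(v if ch != "x" else None for ch, v in zip(spec, conn))


def count_sweeps(conns: Iterable[Conn], sweep_type: str,
                 unique_threshold: int) -> Dict[Tuple, int]:
    """Return each storage key whose unique count reached the threshold.

    Repeated connections to the same target count once, which is what keeps a
    busy but legitimate client from looking like a sweep.
    """
    spec = SWEEP_TYPES[sweep_type]
    seen: Dict[Tuple, set] = defaultdict(set)
    for conn in conns:
        seen[storage_key(spec["key"], conn)].add(conn[FIELD_INDEX[spec["unique"]]])
    return {k: len(s) for k, s in seen.items() if len(s) >= unique_threshold}


# Constructed sample traffic (not captured data).
SAMPLE: list = []
# 10.0.0.5 tries port 80 on eight different hosts: a service sweep that is
# also a host sweep.
for i in range(1, 9):
    SAMPLE.append(("10.0.0.5", 40000 + i, f"192.0.2.{i}", 80))
# 10.0.0.9 tries six different ports on one host: a port sweep.
for p in (21, 22, 23, 25, 80, 443):
    SAMPLE.append(("10.0.0.9", 51000, "192.0.2.20", p))
# 10.0.0.7 reconnects to the same service repeatedly: unique count stays at 1.
for _ in range(50):
    SAMPLE.append(("10.0.0.7", 52000, "192.0.2.30", 443))


if __name__ == "__main__":
    for kind in ("host", "port", "service"):
        print(kind, count_sweeps(SAMPLE, kind, 5))
```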

SWEEP Other TCP Engine

• The SWEEP Other TCP signature engine supports signatures that fire when a mixture of
TCP packets that have different flags set are detected on the network.
• The SWEEP Other TCP engine does not do unique counting like the SWEEP signature
engine.


The SWEEP Other TCP signature engine supports signatures that trigger when a mixture of
TCP packets, with different flags set, is detected on the network. Examples of this type of
sweep are the Queso or Nmap sweeps that send odd TCP flag combinations and attempt to
fingerprint the operating system of the target machine. This engine does not do unique counting
like the other SWEEP signature engines.

The Nmap OS Fingerprint signature is an example of a SWEEP Other TCP signature. This
signature looks for a unique combination of TCP packets that the Nmap tool uses to fingerprint
a remote operating system. The TCP Flags parameter specifies the TCP flags that the signature
looks for. Each of the TCP flag combinations that you specify must be detected for the
signature to fire. Unlike other TCP-based engines, this engine does not have a mask parameter.
The signature looks for the flags specified in the TCP Flags parameter and ignores any other
TCP flags.
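The TCP Flags matching rule described above (every listed combination must be seen, and without a mask parameter any extra flags in a packet are ignored), as an added Python example that is not code from the Cisco course or the sensor software; the flag combinations, packet sequences and function names are constructed for illustration and are not a real signature's settings:

```python
# Added example, not code from the Cisco course or the sensor: how a
# SWEEP Other TCP style signature evaluates its TCP Flags parameter as the text
# describes it. Every listed flag combination must be observed, and because the
# engine has no mask parameter, other flags set in the same packet are ignored.
# Flag bit values follow the TCP header; the combinations and packets below are
# constructed, not a real signature's settings.
from functools import reduce
from operator import or_
from typing import Iterable, Sequence, Set

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_value(names: Iterable[str]) -> int:
    """Combine flag names into the header bit pattern."""
    return reduce(or_, (TCP_FLAGS[n] for n in names), 0)


def combination_seen(packet_flags: int, required: int) -> bool:
    """True if every required bit is set; extra bits never disqualify a packet."""
    return packet_flags & required == required


def other_tcp_sweep_fires(packet_flags: Iterable[int],
                          combinations: Sequence[Iterable[str]]) -> bool:
    """Fire once each configured combination has been seen.

    The caller feeds the packets of one attacker/victim pair. There is no
    unique counting: order and repeats do not matter, only whether every
    combination appeared at least once.
    """
    remaining: Set[int] = {flags_value(c) for c in combinations}
    for pf in packet_flags:
        remaining = {r for r in remaining if not combination_seen(pf, r)}
        if not remaining:
            return True
    return False


# Constructed TCP Flags parameter: three unusual mixtures the signature must see.
REQUIRED = (("SYN", "FIN"), ("FIN", "PSH", "URG"), ("SYN", "RST"))

# Constructed packet sequences. A normal handshake and data exchange never
# shows the required mixtures; the probe sequence shows all three, one of them
# with an extra ACK bit that the no-mask comparison ignores.
NORMAL_SESSION = [flags_value(f) for f in (("SYN",), ("SYN", "ACK"), ("ACK",),
                                           ("PSH", "ACK"), ("FIN", "ACK"))]
PROBE_SEQUENCE = [flags_value(f) for f in (("SYN", "FIN"),
                                           ("FIN", "PSH", "URG", "ACK"),
                                           ("SYN", "RST"))]

if __name__ == "__main__":
    print("normal session fires:", other_tcp_sweep_fires(NORMAL_SESSION, REQUIRED))
    print("probe sequence fires:", other_tcp_sweep_fires(PROBE_SEQUENCE, REQUIRED))
```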

TROJAN Signature Engines
This topic describes TROJAN signature engines that handle specific rootkits and other Trojan
horse traffic.

TROJAN Signature Engines

Engine Name     Engine Description
TROJAN BO2K     Examines UDP and TCP traffic for nonstandard BackOrifice traffic
TROJAN TFN2K    Examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers
TROJAN UDP      Examines UDP traffic for Trojan attacks


Attackers can place backdoor Trojan programs on systems in your network to enable them to
operate from systems within your network. For example, when you download files from certain
sites on the Internet, you risk downloading files that contain Trojan programs. The Trojan
program can perform a variety of malicious acts, such as erasing your disk or enabling the
attacker to use your computer to commit DDoS attacks. The TROJAN engines detect Trojan
programs on your network.

The following are TROJAN signature engines:
• TROJAN BO2K: Examines UDP and TCP traffic for nonstandard BackOrifice traffic
• TROJAN TFN2K: Examines UDP, TCP, or ICMP traffic for irregular traffic patterns and
corrupted headers
• TROJAN UDP: Examines UDP traffic for Trojan attacks

BackOrifice is the original Microsoft Windows backdoor Trojan attack that runs over UDP.
BackOrifice 2000 (BO2K) soon superseded it. BO2K supports UDP and TCP with basic
(exclusive OR [XOR]) encryption. The TROJAN UDP signature engine handles the UDP
modes of BackOrifice and BO2K. The TROJAN BO2K signature engine handles the TCP
modes.

TRAFFIC Signature Engines
This topic describes TRAFFIC signature engines that handle nonstandard protocol signatures.

TRAFFIC Signature Engines

Engine Name        Engine Description
TRAFFIC ICMP       Examines nonstandard protocols such as Loki
TRAFFIC Anomaly    Examines UDP, TCP, and other traffic for worm-infested traffic


The TRAFFIC ICMP engine analyzes nonstandard protocols, such as TFN2K, Loki, and
DDoS. There are only two signatures that are based on the Loki protocol that have user-
configurable parameters.

TFN2K is the newer version of Tribal Flood Network (TFN). TFN2K is a DDoS agent that is
used to control coordinated attacks by infected computers (zombies) to target a single computer
(or domain) with bogus traffic floods from hundreds or thousands of unknown attacking hosts.
TFN2K sends randomized packet header information, but it has two discriminators that can be
used to define signatures. One is whether the Layer 3 checksum is incorrect, and the other is
whether the hexadecimal character 0x41 (‘A’) is found at the end of the payload. TFN2K can
run on any port and can communicate with ICMP, TCP, UDP, or a combination of these
protocols.

Loki is a type of backdoor Trojan attack. When the computer is infected, the malicious code
creates an ICMP tunnel that can be used to send a small payload in ICMP replies, which can go
straight through a firewall if the firewall is not configured to block ICMP. The Loki signatures
look for an imbalance of ICMP echo requests to ICMP echo replies and simple ICMP code and
payload discriminators.

The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools
used here are TFN and Stacheldraht. They are similar in operation to TFN2K, but rely only on
ICMP and have fixed commands: integers and strings.

The TRAFFIC Anomaly engine is part of the anomaly detection feature that was added to the
Cisco IPS Sensor Software Version 6.0. It contains nine anomaly detection signatures covering
the three protocols TCP, UDP, and other. Each signature has two subsignatures, one for the
scanner and the other for the worm-infected host or a scanner under worm attack. When
anomaly detection discovers an anomaly, it triggers an alert for these signatures. All anomaly
detection signatures are enabled by default, and the alert severity for each one is set to high.

AIC Signature Engines
This topic describes the AIC engines and their engine-specific parameters.

AIC Signature Engines

Engine Name    Engine Description
AIC FTP        Used for FTP-specific policy enforcement
AIC HTTP       Used for HTTP-specific policy enforcement


The AIC engines, AIC HTTP and AIC FTP, provide Layer 4 to Layer 7 packet inspection for
HTTP and FTP. By tuning the built-in AIC engine signatures, you can create granular policies
for HTTP and FTP.

The AIC engines can inspect HTTP traffic when it is received on AIC web ports. If traffic is
web traffic but is not received on a designated AIC web port, the SERVICE HTTP engine is
executed.

You can tune the signatures controlled by these engines; however, it is recommended that you
only enable them, change their severity level, and change the actions that they take when
triggered. The recommended action for the following signatures, which detect the more
dangerous activity, is Reset TCP Connection:
• Signature 12694 (Chunked Transfer Encoding Error): Indicates that an error was found
while decoding the chunked encoding
• Signature 12674 (Alarm on NonHTTP Traffic): Indicates that someone is possibly using
an application other than HTTP on port 80

Enabling Application Policy Enforcement

[Figure: Cisco IDM screen, Signature Definition > sig0 > Miscellaneous tab > Application
Policy Configuration, showing the Enable HTTP, Enable FTP, Max HTTP Requests, and AIC
Web Ports settings]


To use the AIC engines, you must first enable Application Policy enforcement. Application
Policy enforcement is disabled by default for both HTTP and FTP. If you enable Application
Policy enforcement for these protocols, the sensor checks to be sure that the traffic is compliant
with their respective RFCs.

Complete the following steps to enable Application Policy enforcement and configure its global
settings:
Step 1 Click the Configuration button.

Step 2 Expand Signature Definitions under Policies and choose sig0.

Step 3 Click the Miscellaneous tab.

Step 4 Expand the Application Policy option. The Application Policy Configuration
options are displayed.

Step 5 Click the Enable HTTP value and choose Yes from the drop-down menu to enable
Layer 4 to Layer 7 HTTP packet inspection.

Step 6 If you want to change the maximum number of outstanding HTTP requests per
connection, click the Max HTTP Requests value and enter a value from 1 to 16 in
the Max HTTP Requests field.

Step 7 If you want to modify the AIC ports, click the AIC Web Ports value and enter a
port number or range of port numbers. Valid values range from 0 to 65535. The
default port range appears as 80-80,3128-3128,8000-8000,8010-8010,8080-
8080,8888-8888,24326-24326.

Step 8 Click the Enable FTP value and choose Yes from the drop-down menu to enable
Layer 4 to Layer 7 FTP packet inspection.

Step 9 Click Apply to apply your changes to the sensor.

Note The AIC HTTP engine is a superset of the SERVICE HTTP engine. If enabled, the AIC
HTTP engine handles the traditional SERVICE HTTP signatures.

AIC FTP Engine

• Capabilities of the AIC FTP engine:
  – Controls which recognized FTP commands are permitted into the network
  – Controls whether unrecognized FTP commands are permitted into the network
• The AIC FTP engine controls the following types of signatures:
  – Define FTP command: Used to associate an action with a specific FTP command
  – Unrecognized FTP command: Used to have the sensor take an action when it detects an
    FTP command that is not recognized

The AIC FTP engine provides a way to inspect FTP traffic and control the commands being
executed. For example, this engine gives you the ability to choose which FTP commands from
a precompiled list are to be permitted into the network. It also enables you to have the sensor
take an action when it detects an FTP command that it does not recognize.

The AIC FTP engine controls the following types of signatures:
• Unrecognized FTP command: This is used to have the sensor take an action when it
  detects an FTP command that is not recognized. There is only one signature of this type,
  signature 12900. Signature 12900 is disabled by default, and the default actions are
  Produce Alert and Deny Connection Inline.
• Define FTP command: This is used to associate an action with a specific FTP command.
  Each FTP command signature applies to a specific FTP command. These signatures enable
  you to choose which FTP commands are permitted into your network. The default actions
  for the Define FTP command signatures are Produce Alert and Deny Connection Inline.
  However, all FTP command signatures are disabled by default, and all FTP commands
  defined in the RFC are permitted.

Signature 12900, Unrecognized FTP command, is an example of a signature controlled by the
AIC FTP engine. If you enable this signature and accept its default settings, the sensor
generates an alert and drops the connection when it detects an FTP command not specified in
the RFC. You can tune only the status and event action parameters for this signature.

AIC HTTP Engine Capabilities

• Enforces RFC compliance
• Authorizes and enforces HTTP request methods
• Validates response messages
• Enforces MIME types
• Validates transfer encoding types
• Controls content based on message content and type of data being transferred
• Enforces URI length
• Enforces message size according to policy configured and the header
• Enforces tunneling, peer-to-peer, and instant messaging applications

The AIC HTTP engine has these capabilities:
• The AIC HTTP engine enforces RFC compliance.
• The AIC HTTP engine enforces RFC compliance for HTTP methods to prevent attackers
  from manipulating HTTP methods to disguise the insertion of malicious code. You can
  permit or deny specific HTTP methods such as GET or POST methods to granularly
  control HTTP transactions.
• The AIC HTTP engine verifies that the content type passed in a response message is one of
  those listed in the Accept field of the request message. If a violation is detected, the action
  assigned to the signature is taken.
• The AIC HTTP engine provides worm mitigation by enabling you to create policies that
  deny certain Multipurpose Internet Mail Extensions (MIME) types, such as JPEG or
  Moving Picture Experts Group (MPEG) Layer 3 (MP3) files, to enter the network. If a
  worm is associated with that MIME type, it is not allowed into the network. The sensor
  contains a list of predefined MIME types from which you can choose. You can also add
  other MIME types. The AIC HTTP engine also verifies that the content type specified in
  the header is the same as that being passed in the body of the message. For example, if the
  MIME type is JPEG, the sensor can verify that the message body is indeed a JPEG
  message. This ability can help prevent attacks in which malicious code is contained in a
  non-JPEG attachment under a JPEG MIME-type header. If a discrepancy is found, the
  action that you assign to the signature is executed.
• The AIC HTTP engine controls which transfer encoding methods are permitted into the
  network. The acceptable transfer encoding methods are deflate, compress, gzip, identity,
  and chunked.
• The AIC HTTP engine controls content based on message content and type of data being
  transferred.
• The AIC HTTP engine enforces Uniform Resource Identifier (URI) length.

• The AIC HTTP engine enforces message size according to the configured policy and the
  header.
• The AIC HTTP engine provides granular control over HTTP sessions to prevent abuse of
  the HTTP protocol. You can control applications that attempt to tunnel over specified ports,
  such as instant messaging (IM) and tunneling applications such as GoToMyPC. For
  example, users can easily disguise file-sharing applications such as Kazaa by tunneling the
  traffic through port 80. These types of activities can be accurately identified and
  subsequently stopped. Increased understanding of activity targeted at subverting corporate
  security policy eventually results in worm mitigation and bandwidth preservation.

The AIC HTTP engine can inspect HTTP traffic on any port as long as it is specified in AIC
web ports. Inspection and policy checks for peer-to-peer and IM applications are possible as
long as these applications are running over HTTP.

AIC HTTP Signatures

The AIC HTTP engine controls the following types of signatures:
• Define web traffic policy: Used to specify whether traffic that is not compliant to the
  HTTP RFC is allowed into the protected network through web ports
• Content type: Used for policies associated with MIME types
• Message body pattern: Used to define patterns the sensor should look for in an HTTP
  message
• Request methods: Used to define policies associated with HTTP request methods
• Transfer encodings: Used to define policies associated with transfer encoding methods
• Max outstanding requests overrun: Used to have the sensor take an action when the Max
  HTTP requests value is exceeded

The AIC HTTP engine controls these six types of signatures, with the signatures to which they
apply:
• Define web traffic policy: This is used to specify whether traffic not compliant with the
  HTTP RFC is allowed into the protected network through web ports. You can tune the
  Alarm on NonHTTP Traffic signature, which is the only signature of this type. If you
  enable HTTP Application Policy enforcement and this signature is disabled, all non-
  HTTP-compliant traffic is allowed. By default, this signature is disabled. It cannot be added
  or deleted, but the values associated with it can be modified.
• Content type: This is used for policies associated with MIME types. You can create
  custom content type signatures, or you can tune the following built-in content type
  signatures:
  – Content type signatures: These enable you to associate an action with a specific
    MIME type. These signatures can take an action when one of the following events
    occurs:
    • A specific MIME type, such as image or JPEG, is mentioned in a packet header.
    • Content verification fails. For example, the MIME type mentioned in the header is
      not the same as the content of the data being passed in the body. A magic number is
      used for content verification.
    • There is a message-size violation for a specified MIME type. For example, you can
      configure a signature to fire if a JPEG image is larger than 20 KB.
  – Recognized content type signature: This is used to specify MIME types that are
    recognized by the sensor. The recognized content type signature contains a hard-
    coded list of MIME types from which you can choose. By default, all MIME types in
    the list are recognized by the sensor. If the sensor detects a MIME type that is not
    recognized, the action corresponding to this signature is taken. This signature is
    enabled by default.

Note For the recognized content type signature, you can use the Enforce Accept Content Types
parameter to tell the sensor to verify that the content type mentioned in the HTTP response
message is one of the MIME types specified in the Accept field in the corresponding HTTP
request message. This parameter is disabled by default.

• Message body pattern: This is used to define patterns that the sensor should look for in an
  HTTP message. You can create a custom signature of this type or you can modify the
  Yahoo! Messenger signature, which is the only built-in signature of this type. The patterns
  for message body pattern signatures are defined by using regular expressions. By default,
  everything in an HTTP message body is allowed through the sensor. You can use the
  message body pattern signature type to create custom signatures that fire when they detect
  patterns that you specify.
• Request methods: These are used to define policies associated with HTTP request
  methods. You can create custom request method signatures, or you can tune the following
  built-in request method signatures:
  – Define request method signatures: These are used to have a signature take an
    action when it detects a certain request method. The sensor contains a built-in
    signature for each known RFC method.
  – Request method not recognized signature: This is used to specify request methods
    that are recognized by the sensor. The request method not recognized signature
    contains a hard-coded list of request methods from which you can choose. By
    default, all request methods in the list are recognized by the sensor. If the sensor
    detects a request method that is not recognized, the action corresponding to this
    signature is taken. This signature is enabled by default.
• Transfer encodings: These are used to define policies associated with transfer-encoding
  methods. You can create custom transfer encoding signatures, or you can tune the
  following built-in transfer encoding signatures:
  – Define transfer encoding signatures: These are used to have a signature take an
    action when it detects a certain transfer encoding method. The sensor contains built-
    in transfer encoding signatures, each of which is associated with a transfer encoding
    method.
  – Recognized transfer encoding signature: This is used to specify transfer encoding
    methods that are recognized by the sensor. The recognized transfer encoding
    signature contains a hard-coded list of transfer encoding methods from which you
    can choose. By default, all transfer encoding methods in the list are recognized by
    the sensor. If the sensor detects a transfer encoding method that is not recognized,
    the action corresponding to this signature is taken. This signature is enabled by
    default.
  – Chunked transfer encoding error signature: This is used to specify what actions
    are taken when a chunked encoding error is detected.
• Max outstanding requests overrun: This is used to have the sensor take an action when
  the Max HTTP Requests value is exceeded. The max outstanding requests overrun
  signature is the only signature of this type.

Signature 12621, subsignature ID 0 (Content Type Image/gif Header Check) is an example of a
signature controlled by the AIC HTTP engine. This signature is one of several content type
signatures, each of which is associated with a content type such as GIF image, HTML text,
Portable Document Format (PDF) application, or MPEG video. The Content Type Image/gif

Header Check signature is one of three content type image/gif signatures. Like the other content
type signatures, signature 12621 has the following subsignature IDs:
• 0 (for no additional details): Use subsignature 0 to have the sensor look only for the
  specified MIME type in the packet header.
• 1 (for length): Use subsignature 1 to specify a size limitation for the MIME type named in
  the signature. For example, if you want to specify a size limitation for a GIF image, use
  signature 12621, subsignature 1, Content Type Image/gif Invalid Message Length.
• 2 (for content verification): Use subsignature 2 if you want the sensor to take an action
  when it detects a message in which the magic number found in the body does not match the
  content type specified in the header.

The default settings for the following AIC HTTP parameters enable the Content Type
Image/gif Header Check signature to drop the connection and generate an alert when it detects
the GIF MIME type by examining the packet header:
• Event Action: The default setting is Deny Connection Inline and Produce Alert. You can
  choose any Cisco IPS Sensor Software Version 6.0 event action from the menu.
• Signature Type: The default setting is Content Types. You can choose any signature type
  from the drop-down menu. The rest of the parameter options vary depending on the
  signature type that you choose.
• Content Types: The default setting is Define Content Type. This parameter is displayed
  only if you choose Content Types as the Signature Type. You can choose Define
  Recognized Content Types from the drop-down menu or you can accept the default setting.
• Name: The default setting is image/gif. The Name parameter specifies the content type for
  which the signature is defined. It is displayed only if you choose Define Content Type as
  the Content Type.
• Content Type Details: The default setting is No Additional Details, which configures the
  signature to look only for the specified MIME type in the packet header. This parameter is
  displayed only if you choose Define Content Type as the Content Type.
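As an added example that is not Cisco code, the following Python models the three content type subsignatures and the Enforce Accept Content Types check on a constructed HTTP exchange. Signature 12621 and the 20 KB limit are the page's own values; the magic numbers are the standard GIF, JPEG and PDF file signatures, and the recognized-type set is a constructed subset of the sensor's hard-coded list.

```python
# Added example: models the AIC HTTP content type checks (not Cisco code).

# Well-known file signatures ("magic numbers") used for content verification.
MAGIC_NUMBERS = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
}
# Constructed subset standing in for the sensor's hard-coded recognized type list.
RECOGNIZED_CONTENT_TYPES = {"text/html", "text/plain", "image/gif",
                            "image/jpeg", "application/pdf"}

SUBSIG_HEADER, SUBSIG_LENGTH, SUBSIG_VERIFY = 0, 1, 2   # the three subsignature IDs


class ContentTypeSignature:
    """A 'Define Content Type' signature: one MIME name plus its enabled subsignatures."""

    def __init__(self, sig_id, mime, subsigs, max_length=None,
                 actions=("produce-alert", "deny-connection-inline")):
        self.sig_id = sig_id
        self.mime = mime.lower()
        self.subsigs = set(subsigs)
        self.max_length = max_length      # bytes, used by subsignature 1
        self.actions = actions            # default event actions from the guide


def parse_message(raw):
    """Split a raw HTTP message into (start line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(value):
    """'image/gif; charset=x' -> 'image/gif' (parameters such as q= are dropped)."""
    return value.split(";")[0].strip().lower()


def accept_allows(accept_header, mime):
    """True if the request's Accept field admits this response media type."""
    for item in accept_header.split(","):
        pattern = media_type(item)
        if pattern in ("*/*", mime):
            return True
        major, _, sub = pattern.partition("/")
        if sub == "*" and mime.startswith(major + "/"):
            return True
    return False


def inspect_response(request, response, signatures, enforce_accept_content_types=False):
    """Return the (sig_id, subsig, reason) events the content type checks produce."""
    _, req_hdrs, _ = parse_message(request)
    _, resp_hdrs, body = parse_message(response)
    mime = media_type(resp_hdrs.get("content-type", ""))
    events = []
    # Recognized content type signature: unknown MIME types and, when the
    # Enforce Accept Content Types parameter is on, types the request did not accept.
    if mime not in RECOGNIZED_CONTENT_TYPES:
        events.append(("recognized-content-type", None, "unrecognized:" + mime))
    if (enforce_accept_content_types and "accept" in req_hdrs
            and not accept_allows(req_hdrs["accept"], mime)):
        events.append(("recognized-content-type", None, "accept-mismatch"))
    for sig in signatures:
        if sig.mime != mime:
            continue
        if SUBSIG_HEADER in sig.subsigs:          # subsig 0: MIME type seen in header
            events.append((sig.sig_id, SUBSIG_HEADER, "header-check"))
        if (SUBSIG_LENGTH in sig.subsigs and sig.max_length is not None
                and len(body) > sig.max_length):  # subsig 1: message too large
            events.append((sig.sig_id, SUBSIG_LENGTH, "invalid-message-length"))
        magics = MAGIC_NUMBERS.get(mime, ())
        if (SUBSIG_VERIFY in sig.subsigs and magics
                and not body.startswith(magics)): # subsig 2: body magic != header
            events.append((sig.sig_id, SUBSIG_VERIFY, "content-verification-failed"))
    return events


def http_response(content_type, body):
    """Build a constructed HTTP/1.1 200 response carrying the given body."""
    head = ("HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n"
            % (content_type, len(body)))
    return head.encode("latin-1") + body


# Signature 12621 (Content Type Image/gif) with all three subsignatures enabled
# and a 20 KB limit for subsignature 1, as in the guide's example.
SIG_12621 = ContentTypeSignature(12621, "image/gif", (0, 1, 2), max_length=20 * 1024)

# Constructed traffic: the client asked for HTML or JPEG; the server answered with a
# "GIF" whose body actually starts with a JPEG signature and exceeds the size limit.
REQUEST = b"GET /logo HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html, image/jpeg\r\n\r\n"
BAD_RESPONSE = http_response("image/gif", b"\xff\xd8\xff" + b"\x00" * 21000)

REQUEST_GIF = b"GET /logo.gif HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/*\r\n\r\n"
GOOD_RESPONSE = http_response("image/gif", b"GIF89a" + b"\x00" * 100)

if __name__ == "__main__":
    print(inspect_response(REQUEST, BAD_RESPONSE, [SIG_12621], True))
    print(inspect_response(REQUEST_GIF, GOOD_RESPONSE, [SIG_12621], True))
```

Note that subsignature 0 fires on every response of the named type, including the clean GIF, which is why the guide recommends tuning the action rather than leaving the default Deny Connection Inline on a type you expect to see.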

STATE Signature Engine
This topic discusses the STATE signature engine and the specific configuration parameters.

STATE Signature Engine

• Some protocols have different states. State machines provide these states.
• A state machine consists of:
  – Starting state
  – Transition states
  – Ending state
• Supported state machines:
  – Cisco login
  – LPR format
  – SMTP

Some protocols have different states. Searching for specific patterns at these various states
enables you to create robust signatures. State machines provide this capability. A state machine
consists of a starting state and a list of valid state transitions. It stores the state of something
and, at a given time, can operate on input to move from one state to another or cause an action
or output to take place. State machines are used to describe a specific event that causes an
output or alarm.

The STATE engine enables your sensor to perform inspection at the various states of a Cisco
login, a line printer remote (LPR) format string, or the Simple Mail Transfer Protocol (SMTP).
The following are examples of STATE engine parameters:
• State Machine: This enables you to choose one of the following state machines and then
  use the State Name parameter to specify the state required to trigger the signature. The
  State Name parameter specifies the state that the state machine must be in for the signature
  to begin the search.
  – Cisco Login: This causes the signature to check for specific patterns at different
    states in the Cisco login process. If you choose Cisco Login, you can choose one of
    the following state names:
    • Cisco Device
    • Control C
    • Pass Prompt
    • Start

  – LPR Format String: This causes the signature to inspect the LPR protocol. If you
    choose LPR Format String, you can choose one of the following state names:
    • Abort
    • Format Char
    • Start
  – SMTP: This causes the signature to check for specific patterns at different states in
    the SMTP protocol. If you choose SMTP, you can choose one of the following state
    names:
    • SMTP Commands
    • Abort
    • Mail Body
    • Mail Header
    • Start
• Direction: This enables you to specify the direction of the traffic that triggers the signature:
  – From Service: The signature fires on traffic originating from the specified service
    port.
  – To Service: The signature fires on traffic destined for the specified service port.
• Service Ports: This enables you to specify a comma-separated list of ports or port ranges
  where the target service may reside. Valid values range from 0 to 65535.

Note The STATE engine has a hidden configuration file used to define the state transitions. This
enables the IPS engineers to deliver new state definitions in signature updates.

The table lists the Cisco Login transitions.

Cisco Login Transitions

Regular Expression String   Required State   Next State     Direction
UserAccessVerification      Start            CiscoDevice    FromService
CiscoSystemsConsole         Start            CiscoDevice    FromService
password[:]                 CiscoDevice      PassPrompt     FromService
\x03                        PassPrompt       ControlC       ToService
(enable)                    ControlC         EnableBypass   FromService
\x03[\x00-\xFF]             ControlC         PassPrompt     ToService

This table lists the LPR Format transitions.

LPR Format Transitions

Regular Expression String   Required State   Next State   Direction
[1-9]                       Start            Abort        ToService
%                           Start            FormatChar   ToService
[\x0a\x0d]                  FormatChar       Abort        ToService
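As an added example that is not Cisco code, the following Python drives a table-driven state machine with the Cisco Login and LPR Format transition tables above and evaluates STATE-style signatures (State Name, Direction, regular expression) against constructed sessions; the signature IDs 60000 and 60001, the session data, and the stream-position model are hypothetical.

```python
# Added example: a table-driven model of the STATE engine (not Cisco code).
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    regex: str            # Regular Expression String column
    required_state: str   # state the machine must be in
    next_state: str       # state entered on a match
    direction: str        # FromService or ToService


@dataclass(frozen=True)
class StateSignature:
    sig_id: int           # hypothetical IDs below; not real Cisco signature numbers
    state_name: str       # State Name parameter: search only while in this state
    direction: str        # Direction parameter
    regex: str            # pattern searched for once the machine is in state_name


# The two transition tables from the guide, entered verbatim.
CISCO_LOGIN = [
    Transition(r"UserAccessVerification", "Start", "CiscoDevice", "FromService"),
    Transition(r"CiscoSystemsConsole", "Start", "CiscoDevice", "FromService"),
    Transition(r"password[:]", "CiscoDevice", "PassPrompt", "FromService"),
    Transition(r"\x03", "PassPrompt", "ControlC", "ToService"),
    Transition(r"(enable)", "ControlC", "EnableBypass", "FromService"),
    Transition(r"\x03[\x00-\xFF]", "ControlC", "PassPrompt", "ToService"),
]
LPR_FORMAT = [
    Transition(r"[1-9]", "Start", "Abort", "ToService"),
    Transition(r"%", "Start", "FormatChar", "ToService"),
    Transition(r"[\x0a\x0d]", "FormatChar", "Abort", "ToService"),
]


class StateEngine:
    """One STATE engine state machine plus the signatures that search within its states."""

    def __init__(self, transitions, signatures=()):
        self.transitions = [(re.compile(t.regex, re.DOTALL), t) for t in transitions]
        self.signatures = [(re.compile(s.regex, re.DOTALL), s) for s in signatures]
        self.state = "Start"
        self.trace = []     # states entered, in order
        self.alerts = []    # (sig_id, state, matched text)

    def feed(self, direction, data):
        """Consume one chunk of the stream flowing in `direction`; return the new state."""
        pos = 0
        while pos <= len(data):
            # Earliest transition out of the current state for this direction.
            hit = None
            for pat, t in self.transitions:
                if t.required_state == self.state and t.direction == direction:
                    m = pat.search(data, pos)
                    if m and (hit is None or m.start() < hit[0].start()):
                        hit = (m, t)
            limit = hit[0].start() if hit else len(data)
            # A signature searches only while the machine sits in its State Name,
            # so its match must start no later than the next transition.
            for pat, s in self.signatures:
                if s.state_name == self.state and s.direction == direction:
                    m = pat.search(data, pos)
                    if m and m.start() <= limit:
                        self.alerts.append((s.sig_id, self.state, m.group(0)))
            if hit is None:
                break
            self.state = hit[1].next_state
            self.trace.append(self.state)
            pos = hit[0].end() if hit[0].end() > pos else pos + 1  # always make progress
        return self.state


def run_session(transitions, signatures, session):
    """Replay (direction, data) chunks; return (final state, trace, alerts)."""
    engine = StateEngine(transitions, signatures)
    for direction, data in session:
        engine.feed(direction, data)
    return engine.state, engine.trace, engine.alerts


# Hypothetical signatures: 60000 fires when the service shows an enable prompt while
# the machine is in ControlC; 60001 fires on a format specifier inside an LPR request.
SIG_ENABLE_AFTER_CTRL_C = StateSignature(60000, "ControlC", "FromService", r"\(enable\)")
SIG_LPR_FORMAT_SPEC = StateSignature(60001, "FormatChar", "ToService", r"[0-9]*[xns]")

# Constructed sessions. Note that "(enable)" in the table is a regex group, so the
# transition matches the bare word "enable" anywhere in the service's output.
LOGIN_SESSION = [
    ("FromService", "\r\nUserAccessVerification\r\n\r\npassword: "),
    ("ToService", "\x03"),                     # Ctrl-C sent at the password prompt
    ("FromService", "\r\nRouter(enable)"),
]
LPR_SESSION = [("ToService", "%08x%08x\n")]

if __name__ == "__main__":
    print(run_session(CISCO_LOGIN, [SIG_ENABLE_AFTER_CTRL_C], LOGIN_SESSION))
    print(run_session(LPR_FORMAT, [SIG_LPR_FORMAT_SPEC], LPR_SESSION))
```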

This table lists the Service SMTP transitions.

SMTP Transitions

Regular Expression String            Required State   Next State     Direction
[\r\n[250[]                          Start            SmtpCommands   FromService
220[ ][^\r\n[\x7f-\xff]*SNMP         Start            SmtpCommands   FromService
(HE|EH)LO                            Start            SmtpCommands   ToService
[\r\n](235|220.*TLS)                 Start            Abort          FromService
[\r\n](235|220.*TLS)                 SmtpCommands     Abort          FromService
[Dd][Aa][Tt][Aa]|[Bb][Dd][Aa][Tt]    SmtpCommands     MailHeader     ToService
[\r\n]354                            SmtpCommands     MailHeader     FromService
[\r\n][.][\r\n]                      MailHeader       SmtpCommands   ToService
[\r\n][2][0-9][0-9][ ]               MailHeader       SmtpCommands   FromService
([\r][\n]|[\n][\r]){2}               MailHeader       MailBody       ToService
[\r\n][.][\r\n]                      MailBody         SmtpCommands   ToService
[\r\n][2][0-9][0-9][ ]               MailBody         SmtpCommands   FromService

META Signature Engine
This topic discusses the META signature engine and its specific configuration parameters.

The META Event Generator

(Slide: Meta Reset Interval = 3 seconds. Component signatures 5081 (cmd.exe Access),
5124 (IIS CGI Decode), 5114 (IIS Unicode Attack), 3215 (Dot Dot Execute), and 3216
(Dot Dot Crash) combine into the Nimda meta signature: 5081+5124+5114+3215+3216 = Nimda.)

If the five signatures fire within a 3-second interval, the meta signature, Nimda, fires.

The META engine provides event correlation on the sensor. Using the META engine can
dramatically reduce the number of alerts generated by a worm. Multifaceted attacks, such as
Nimda, exploit a number of different vulnerabilities and can trigger several different signatures,
thereby generating many alerts. The META engine enables you to disable the component
signatures of the worm so that they do not generate alerts, and you receive only a single Meta
alert that indicates that the worm is active. Because the correlation is done on the sensor itself
rather than at a management console, the sensor can take action immediately.

The META engine provides a method of combining signatures. For example, you can use it to
combine UDP and TCP port SWEEP signatures. The main difference between the META
engine and other signature engines is its input. Regular engines take packets as input, while the
META engine takes signature events as input.

The META engine contains built-in signatures, but you can also create your own meta
signatures. For example, if you notice before a buffer overflow that you see a number of hosts
that are pinged and a number of ports that are scanned, you can create a signature that fires if it
detects this activity.

The following are examples of META engine parameters:
• Meta Reset Interval: This is the time period in seconds during which the component
  events must occur if this signature is to fire. Valid values range from 0 to 3600.
• Component List: This is the component signatures of this meta signature. For each
  component signature, you can set a component count parameter to specify the number of
  times that the component signature must fire for the meta signature to fire.

• Component List in Order: This enables you to specify whether the component signatures
  must fire in a specific order for the signature to fire.
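As an added example that is not Cisco code, the following Python correlates component signature events into the slide's Nimda meta signature, honoring the Meta Reset Interval, the per-component count, and Component List in Order. The component IDs are those on the slide; the meta signature ID 60100, the attacker/victim keying, and the event list are constructed.

```python
# Added example: event correlation in the style of the META engine (not Cisco code).


class MetaSignature:
    """A META signature: component signatures that must all fire within the Meta
    Reset Interval, each a given number of times, optionally in list order."""

    def __init__(self, sig_id, name, components, meta_reset_interval, in_order=False):
        self.sig_id = sig_id
        self.name = name
        self.components = list(components)       # [(component sig ID, component count), ...]
        self.meta_reset_interval = meta_reset_interval   # seconds, 0 to 3600
        self.in_order = in_order                 # Component List in Order
        self.required = {c for c, _ in self.components}


def correlate(meta, events):
    """Feed component signature events to a meta signature; return the meta alerts.

    events: iterable of (time_seconds, sig_id, attacker, victim). The META engine
    takes signature events, not packets, as input. Correlation is tracked per
    attacker/victim pair (a constructed choice): a pair's window opens on its first
    component event and is restarted once the reset interval elapses without completion.
    """
    windows = {}   # (attacker, victim) -> {"start": t, "counts": {sig_id: n}}
    alerts = []
    for t, sig_id, attacker, victim in sorted(events):
        if sig_id not in meta.required:
            continue                              # not a component of this meta signature
        key = (attacker, victim)
        win = windows.get(key)
        if win is None or t - win["start"] > meta.meta_reset_interval:
            win = windows[key] = {"start": t, "counts": {c: 0 for c in meta.required}}
        if meta.in_order:
            # Only the first still-unsatisfied component may advance the window.
            expected = next(c for c, n in meta.components if win["counts"][c] < n)
            if sig_id != expected:
                continue
        win["counts"][sig_id] += 1
        if all(win["counts"][c] >= n for c, n in meta.components):
            alerts.append((t, meta.sig_id, meta.name, attacker, victim))
            del windows[key]                      # one meta alert replaces the component alerts
    return alerts


# The slide's Nimda meta signature: five components, each once, 3-second reset interval.
# 60100 is a hypothetical meta signature ID; the component IDs are from the slide.
NIMDA = MetaSignature(60100, "Nimda",
                      [(5081, 1), (5124, 1), (5114, 1), (3215, 1), (3216, 1)],
                      meta_reset_interval=3)

# Constructed events (RFC 5737 documentation addresses). Host .10 completes all five
# components within 2.2 s; host .77 pauses more than 3 s, so its window restarts.
EVENTS = [
    (0.0, 5081, "192.0.2.10", "198.51.100.5"),
    (0.4, 5124, "192.0.2.10", "198.51.100.5"),
    (0.9, 5114, "192.0.2.10", "198.51.100.5"),
    (1.5, 3215, "192.0.2.10", "198.51.100.5"),
    (2.2, 3216, "192.0.2.10", "198.51.100.5"),
    (10.0, 5081, "192.0.2.77", "198.51.100.5"),
    (10.5, 5124, "192.0.2.77", "198.51.100.5"),
    (14.0, 5114, "192.0.2.77", "198.51.100.5"),   # > 3 s after 10.0: window restarts
    (14.2, 3215, "192.0.2.77", "198.51.100.5"),
    (14.9, 3216, "192.0.2.77", "198.51.100.5"),
]

if __name__ == "__main__":
    for alert in correlate(NIMDA, EVENTS):
        print(alert)
```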

NORMALIZER Engine
This topic discusses the NORMALIZER signature engine and its specific configuration
parameters.

NORMALIZER Engine

• The NORMALIZER engine detects and corrects ambiguities and abnormalities in traffic as
  packets flow through the data path.
• The traffic that the NORMALIZER engine inspects is guaranteed unambiguous because it is
  normalized before it is inspected.
• The NORMALIZER engine performs such functions as:
  – Properly sequencing packets in a TCP stream
  – Reassembling fragmented IP packets

The NORMALIZER engine detects and corrects ambiguities and abnormalities in traffic as
packets flow through the data path. The result is that the NORMALIZER engine no longer
needs to consider potential ambiguities when analyzing the traffic. The traffic that the
NORMALIZER engine inspects is guaranteed unambiguous because it is normalized before it
is inspected.

Cisco IPS Sensor Software Version 6.0 contains an IP normalizer and a TCP normalizer. The
NORMALIZER engine provides the configuration interface for both normalizers. The TCP
normalizer performs such functions as properly sequencing packets in a TCP stream. The IP
normalizer performs such functions as reassembling fragmented IP packets.

Although you cannot use the NORMALIZER engine to create new signatures, you can tune all
of the signatures in the NORMALIZER engine. You can configure limits on system resource
use for any signature controlled by the engine. For example, you can configure the maximum
number of fragments that the sensor will attempt to track at the same time. The performance
impact of the normalizer functions depends upon the traffic sent to the NORMALIZER engine.
TCP sessions that are already in order take less time and impact performance less than TCP
sessions in which all the packets are out of order.

Note You cannot add custom signatures to the NORMALIZER engine. You can tune the existing
ones.

The NORMALIZER engine enables the sensor to effectively watch traffic and enforce policy
when faced with wildly varying IP fragmentation implementations. Intentional or unintentional
fragmentation of IP datagrams can serve to hide exploits, making them difficult or impossible
to detect. In addition, fragmentation can be used to attempt to circumvent an access control
policy such as those found on a firewall or router. Some of these attacks are described in RFC
1858, Security Considerations for IP Fragment Filtering, and RFC 3128, Protection Against a
Variant of the Tiny Fragment Attack. To further complicate matters, different operating systems
use different methods to queue and dispatch fragmented datagrams. If the sensor attempted to
check for all possible ways that an end host reassembles the datagrams, the overhead of
processing the fragmented traffic could be used as a method for a DoS attack against the sensor.
The NORMALIZER engine handles this problem by reassembling all fragmented datagrams
inline.

As fragmented datagrams enter the data path, the NORMALIZER engine queues and
reassembles them. It then inspects the completed datagrams. The result of this process is that
the sensor no longer needs to consider potential ambiguities in interpreting the datagram. The
datagram that the NORMALIZER engine inspects is guaranteed unambiguous because it is
reassembled before it is inspected. After inspecting the complete datagram, the sensor
refragments packets as necessary for them to continue down the data path.

Note The NORMALIZER engine uses signatures 1200 to 1399.

The Frag Overlap signature is an example of the signatures within the NORMALIZER engine
and how they can be configured. The Frag Overlap signature fires when the fragments queued
for a datagram overlap each other. This signature does not fire when a datagram fragment is an
exact duplicate of another. Exact duplicates are dropped in inline mode regardless of settings.
When the sensor is running in promiscuous mode, the reassembly is done following the method
set in the fragment reassembly mode system settings.

When the sensor is running inline, the Modify Packet Inline action can remove the overlapped
data from all but one fragment so there is no ambiguity about how the endpoint treats the
datagram. The Deny Connection Inline action has no effect on this signature. The Deny Packet
Inline action drops the packet and all associated fragments for the datagram.

The following are examples of NORMALIZER engine parameters:
• Fragment Reassembly Timeout: This is the number of seconds within which all
  fragments for a datagram must arrive. The signature fires if not all fragments for the
  datagram arrive before the fragment reassembly timeout. The timer starts when the first
  packet for the datagram arrives. Valid values range from 0 to 360.
• Max Old ACK: This enables you to specify the maximum number of old
  acknowledgments (ACKs). If the signature detects more than the specified number of old
  ACKs, it assumes that it has detected a session hijack and fires. Valid values range from 0
  to 65535.
• SYN Flood Max Embryonic: The synchronize/start (SYN) Flood Max Embryonic
  parameter enables you to specify a maximum number of embryonic connections. The
  signature fires if it detects more than the specified number of embryonic connections. Valid
  values range from 0 to 2147483647.

Note Signatures in the NORMALIZER engine have an additional action available to them. This
action, Modify Packet Inline, scrubs the packet and corrects irregularities such as bad
checksum, out-of-range values, and other RFC violations.

© 2007 Cisco Systems, Inc. Cisco IPS Signatures 3-83


Summary
This topic summarizes the key points that were discussed in this lesson.

Summary

• A signature engine is a component of the sensor that supports a
category of signatures. The Cisco IPS signature engines enable you
to tune built-in signatures and create new signatures.
• Signature engines use their parameters to provide configuration of
signatures. Some parameters are common across all engines, such
as Signature ID, Alert Severity, and Sig Description. Other
parameters are unique to a specific engine.
• ATOMIC signature engines support signatures that are triggered by
the contents of a single packet.
• FLOOD signature engines detect attacks in which the attacker is
directing a flood of traffic to either a single host or the entire network.
• The Cisco IPS Sensor Software Version 6.0 adds the SERVICE TNS
and SERVICE SMB Advanced engines.
• STRING ICMP, STRING TCP, and STRING UDP are STRING
signature engines.
© 2007 Cisco Systems, Inc. All rights reserved. IPS v6.0—3-32

Summary (Cont.)

• The SWEEP engines are commonly used to detect network
reconnaissance. The SWEEP Other TCP signature engine supports
signatures that trigger when a mixture of TCP packets, with different
flags set, is detected on the network.
• The TROJAN engines detect Trojan programs on your network.
• The TRAFFIC ICMP engine analyzes nonstandard protocols.
• You can tune the built-in AIC engine signatures to create granular
policies for HTTP and FTP.
• State machines allow the Cisco IPS sensor to search for specific
patterns at various states within a protocol.
• The META engine provides event correlation on the sensor and can
dramatically reduce the number of alerts generated by a worm.
• The NORMALIZER engine properly sequences packets in a TCP
stream and reassembles fragmented IP packets.

Lesson 3

Customizing Signatures

Overview
This lesson provides an overview of reducing noise, false positives, and false negatives by
creating custom signatures. Sometimes the strategy is to customize existing signatures; at
other times, it is to create new signatures.

Objectives
Upon completing this lesson, you will be able to use the Cisco Intrusion Prevention System
(IPS) Device Manager (IDM) to tune and customize signatures to meet the requirements of a
given security policy. This ability includes being able to meet these objectives:
• Explain the need to tune signatures
• Tune and create signatures to accomplish noise reduction
• Tune and create signatures to accomplish false positive reduction
• Tune and create signatures to accomplish false negative reduction
• Tune and create signatures to focus a Cisco IPS sensor on the environment
• Describe examples of different signature tuning scenarios
• Design and create custom signatures
• Describe examples of creating custom signatures

Tuning Signatures
This topic introduces signature tuning.

Tuning Signatures

• Why tune signatures in a Cisco IPS sensor?
– To reduce background noise
– To reduce false positives
– To reduce false negatives
– To closely sync to the networks and systems it is watching
(policy-based IPS)
– To increase performance
• Tuning is a complex art, where many compromises need to be
made in terms of performance, visibility, and correctness of the
Cisco IPS sensor output.


Tuning Cisco IPS sensors is important for various reasons. The default settings of the Cisco IPS
sensor could have all of the alerts turned on, which makes the sensor very noisy. Also, the most
“common” signatures for a “general” network setup may be turned on by default, and the
meaning of “common” and “general” depends on the vendor. Signatures that are very important
for one type of organization may not be important to a different type of organization.

You should tune the Cisco IPS sensor for the following reasons:
• Many events may be completely irrelevant to the monitored network. If the Cisco IPS
sensor observes a series of Microsoft Internet Information Server (IIS)-based attacks on a
network of Apache servers, it would probably not interest the organization. This is of
course not true for attacks leaving the network of the organization. Those attacks can
indicate an infection.
• You should tune the Cisco IPS sensor to filter out false positives. An Internet Control
Message Protocol (ICMP) packet usually does not signal an attack. An ICMP echo reply is
usually also quite harmless, unless its destination is a server, or if no ICMP traffic is
allowed to leave the network.
• You should tune the Cisco IPS sensor if you want to reduce false negatives. Some
signatures that are important to the network setup of an organization may be turned off by
default or their threshold set too high.
• It may be important to create custom signatures that fit the network setup. This is especially
true for policy-based and signature-based IPS.
• If the network throughput is very high, and the traffic patterns are very chaotic and noisy,
the Cisco IPS sensor may not be able to handle the load. It may be important to turn off
certain unimportant, but noisy, events to increase the performance of the device.

• You should tune the Cisco IPS sensor to reduce the level of background noise. This reason
is especially important for preventing operator denial of service (DoS) attacks. Receiving a
multitude of alerts may initially be exciting and fun to watch, but it will obscure important
events in a sea of unimportant data, or the operator will grow tired of sifting through
screens and screens of alerts. An organization can exclude many events from their
monitoring policy, because they almost never present a security-significant event.

Noise Reduction
This topic describes noise reduction and how to tune and create signatures to reduce noise.

Noise Reduction

• Default Cisco IPS sensor settings usually result in noisy output:
– Networks are noisy by nature.
– Noise overloads the operator.
• Goal: Reduce noise in the Cisco IPS sensor output, without
causing false negatives in the process
• Strategy: Filter out events that never, or extremely rarely, signal
an attack


If the default setting of the Cisco IPS sensor is to have all of the alerts turned on, this makes the
Cisco IPS sensor very noisy when it is connected to a chaotic and noisy network. One type of a
noisy, chaotic network is a demilitarized zone (DMZ) network, where the firewall does not
filter adequately. Alternatively, if the firewall filters too much, the IPS designer may decide to
connect the Cisco IPS sensor on the outside segment to detect all of the traffic coming from the
Internet service provider (ISP).

A high amount of noise can overload the network administrator, resulting in an administrator
DoS. The goal of the IPS designer is to reduce the number of alerts without filtering out
important events. The designer can achieve this goal by disabling some alerts altogether or by
increasing the threshold for others.

Noise Reduction Examples

The Cisco IPS sensor constantly triggers on NetBIOS
name resolution packets:
• Reason: Windows clients attempt NetBIOS name resolution over
the Internet (benign).
• Action: Ignore such packets, except if they are going to your
non-Windows servers.
The Cisco IPS sensor is set to trigger on echo-reply
packets (extremely noisy):
• Reason: Pings from legitimate inside and outside clients
• Action: Only monitor obviously unexpected events
(echo-replies to servers, nonexistent host, or network devices)


When you observe the Cisco IPS sensor alerts, you may observe many NetBIOS name
resolution alerts. These alerts occur because Microsoft web servers try to resolve a NetBIOS
name of the host that connects to them. NetBIOS name resolution queries for incoming
computer addresses, or a Port Address Translation (PAT) address of the firewall, are in most
cases benign, and are filtered out of the Cisco IPS sensor output as noise when they are directed
at client systems or non-Microsoft Windows servers.

Many IPS systems can be set to trigger alerts on ICMP echo-reply packets. ICMP echo-reply
packets are in many cases part of legitimate traffic, and indicate nothing more than connectivity
troubleshooting by inside and Internet users.

However, you should not turn off ICMP echo-reply alerts for the following devices:
• Servers: Servers are rarely used for troubleshooting, and an echo-reply packet going to a
server might indicate some suspicious activity.
• Nonexistent hosts: IP ranges that are legitimate on a network, but unused, should never
receive echo-reply packets. This would indicate suspicious activity.
• Network devices: Even though network devices do have IP addresses for management
purposes, they do not usually receive ICMP echo requests, especially from the Internet.

If the monitored network is behind a firewall, the firewall can filter out many events that are
considered noisy. When tuning the Cisco IPS sensor for noise reduction, it is important for the
IPS operator to know the configuration of the firewall, or at least the security policy that it
should enforce. Alerts that are considered unimportant and noisy in other environments may
become very important in a filtered environment, where such traffic should not occur at all.
Therefore, do not disable such signatures in controlled and quiet environments.

Noise Reduction Guidelines

Think about the following:
• Unskilled operators will benefit most from noise reduction.
• If you do not display a noisy event, you may still want to log it.
• For every filtered event, build a list of real attacks that will no
longer be seen (and perhaps back it up with another signature).
• Periodically rethink your strategy in light of new risks.
• Try to modify the signature per host.


When configuring the Cisco IPS sensor for noise reduction, remember the following guidelines:
• Noise reduction is very important if the IPS operator is not skilled. Instruct the operator that
the majority of the alerts are important, and further investigation is necessary.
• If possible, when turning off the console display of alerts for noisy events, do not turn off
their detection. When researching an incident later, it is best to have as much information
available as possible.
• If you disable an alert for a signature, ensure that the attacks that may be missed are
identified. For attacks that are important to catch, try to design a custom signature that is
not too noisy.
• Periodically rethink the strategy in light of new attacks that may appear. Also, whenever
possible, take time to go through unfiltered logs to check if the noise that was filtered out is
just noise.
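The following is an added example, not part of this course material and not Cisco sensor code. It puts the noise-reduction rules from the examples and guidelines above into a small alert triage filter: ICMP echo-reply alerts are treated as noise unless the destination is a server, an unused address range, or a network device; NetBIOS name resolution alerts are noise unless they are going to a non-Windows server; and a suppressed alert is logged rather than discarded, so it is still available when an incident is investigated later. The alert line format, the addresses, and the asset inventory are all constructed for the example.

```python
"""Added example (not Cisco code): an asset-aware noise filter for IPS alerts.

Echo-reply alerts are noise unless the destination is a server, an unused
(nonexistent-host) address or a network device; NetBIOS name-query alerts
are noise unless they go to a non-Windows server; suppressed alerts are
logged, not dropped.  Alert format, addresses and inventory are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory of the monitored network (not a real site).
SERVERS = {"10.1.1.10", "10.1.1.11"}
NON_WINDOWS_SERVERS = {"10.1.1.11"}
NETWORK_DEVICES = {"10.1.1.1", "10.1.2.1"}
UNUSED_RANGES = [ipaddress.ip_network("10.1.3.0/24")]

# Constructed alert line format: "<time> sig=<name> src=<ip> dst=<ip>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


@dataclass
class Alert:
    ts: str
    sig: str
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable alert line: {line!r}")
    return Alert(m["ts"], m["sig"], m["src"], m["dst"])


def is_unused(addr: str) -> bool:
    """True when addr falls in a range that is routed but has no hosts."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNUSED_RANGES)


def classify(alert: Alert) -> str:
    """Return 'display' (show to the operator) or 'log' (record only)."""
    if alert.sig == "ICMP_Echo_Reply":
        # Echo replies are usually troubleshooting noise; the exceptions are
        # the three destination classes that should keep alerting.
        if alert.dst in SERVERS or alert.dst in NETWORK_DEVICES or is_unused(alert.dst):
            return "display"
        return "log"
    if alert.sig == "NetBIOS_Name_Query":
        # Benign unless aimed at a server that would never speak NetBIOS.
        return "display" if alert.dst in NON_WINDOWS_SERVERS else "log"
    # Every other signature is outside this noise policy: always display.
    return "display"


def triage(lines: List[str]) -> Dict[str, List[Alert]]:
    """Split alert lines into the operator console feed and the log-only set."""
    out: Dict[str, List[Alert]] = {"display": [], "log": []}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        out[classify(alert)].append(alert)
    return out


# Constructed sample alerts.
SAMPLE_ALERTS = [
    "2007-06-08T10:00:01 sig=ICMP_Echo_Reply src=203.0.113.5 dst=10.1.1.50",  # client: noise
    "2007-06-08T10:00:02 sig=ICMP_Echo_Reply src=203.0.113.5 dst=10.1.1.10",  # server: keep
    "2007-06-08T10:00:03 sig=ICMP_Echo_Reply src=203.0.113.5 dst=10.1.3.77",  # unused range: keep
    "2007-06-08T10:00:04 sig=ICMP_Echo_Reply src=203.0.113.5 dst=10.1.2.1",   # router: keep
    "2007-06-08T10:00:05 sig=NetBIOS_Name_Query src=10.1.1.50 dst=198.51.100.9",  # client: noise
    "2007-06-08T10:00:06 sig=NetBIOS_Name_Query src=198.51.100.9 dst=10.1.1.11",  # non-Windows server: keep
    "2007-06-08T10:00:07 sig=WWW_Directory_Traversal src=198.51.100.9 dst=10.1.1.10",  # not filtered
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for bucket, alerts in result.items():
        print(bucket, [(a.sig, a.dst) for a in alerts])
```

Running the sample sends five alerts to the console and two to the log only. The inventory is what makes the filter safe: the same echo-reply alert is noise for a workstation and significant for a server or an unused range, which is why the page insists that the operator know the environment before filtering.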

False Positive Reduction
This topic describes false positive alerts and how to tune and create signatures to reduce false
positives.

False Positive Reduction

• Noise: This involves events that are almost always benign in any
situation.
• False positives: These are events that are almost always
malicious, but have false triggers.
• Example:
– Distinguishing between a smurf attack and HP OpenView
mapping a network
• More careful filtering (if any) is required so that valuable
information is not lost.


False positive alerts differ from noise in one important detail: they are triggered by symptoms
that indicate attacks. However, sometimes legitimate activity can trigger such symptoms.

The following are examples of false positives:

• A user with malicious intent may perform network mapping, or a network administrator
may have purchased a new management program that maps the network when run for the
first time.
• A specific but otherwise legitimate part of a mail header could be detected as a mail worm.
Such a mail header may also be a part of a nonmalicious mail message.
• Directory traversal attacks on a web server contain the string “..”, but relative links may also
be a part of a legitimate web page. Such a design enables the administrator to move certain
portions of the site to a new root directory without creating broken links.

When filtering out such alerts, be very careful. It may be safer to live with false positives than
to turn off such alerts.

Strategies for False Positive Reduction

There are two main strategies to deal with false
positives:
• Alert and signature filtering, where the resulting alert or
signature is (selectively) disabled
• Signature tuning, where the triggering signature is altered and
tuned to the environment


Two actions are possible when tuning false positive alerts:
• Selectively disable alerts (console output) for false positive signatures, or even entire
signatures.
• Match the signature more precisely to the environment. For example, to detect the dot-dot
(“..”) HTTP attacks, define a STATE.HTTP signature that triggers on directory traversal
attempts, but not on the portion of the site where relative HTML links have caused false
positives to fire.

Tuning Signature Thresholds
and Contents

Tunable thresholds:
• Number or rate of events to form a set:
– Increase the limits if exceeded too often
Tunable content:
• Change the range of allowed parameters
(for example, exclude a destination port)
• Modify string matching—tighten the pattern to lower matches
of legitimate data


Another way to tune alert triggering is to change the thresholds used inside a signature. For
example, if the signature considers five TCP synchronize/start (SYN) packets sent to five hosts
a TCP SYN scan, and these packets coincide with a normal usage pattern in a network, the
operator might want to change the threshold of 5 packets to a higher number, such as 20
packets. In other words, increase limits that are exceeded too soon, so that the Cisco IPS sensor
does not alert on legitimate behavior. However, ensure that a modified signature does not cause
false negatives, and try to tune the signature only for a single host.

Another method of trigger tuning is to tune the content of a signature—that is, the data on
which the signature triggers. For example, a web signature intended to detect access to a certain
file with certain malicious input parameters might simply trigger on matching the filename in an
HTTP session. Such a signature triggers alerts for any access to that file. Because the signature
is built using string matching, tighten the string-matching pattern to include the known
malicious input as a condition for the trigger.
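The following is an added example, not part of the course material and not a Cisco signature definition. It works through the two content-tuning cases described here and in the false positive strategies above: a directory-traversal check that fires on any “..” beside a tightened form that requires an actual traversal sequence in the request path and skips the portion of the site known to use relative links, and a check that fires on any access to a file beside a tightened form that also requires the known malicious input parameter. The script name (report.cgi), the parameter name, the excluded path, and the request lines are constructed for the example.

```python
"""Added example (not Cisco code): loose versus tightened string-matching signatures.

Case 1: directory traversal, any ".." versus a real traversal sequence in
the path outside an area that legitimately uses relative links.
Case 2: a file access signature versus one that also needs the malicious
parameter.  Script name, parameter, paths and requests are constructed.
"""
import re
from typing import Callable, List

# --- case 1: directory traversal --------------------------------------------
LOOSE_TRAVERSAL = re.compile(r"\.\.")
# ".." followed by a path separator, plain or percent-encoded
TIGHT_TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c)", re.IGNORECASE)
# Constructed site portion whose relative links caused the false positives.
RELATIVE_LINK_PREFIXES = ("/docs/",)


def request_uri(request_line: str) -> str:
    """Return the URI of a 'METHOD URI HTTP/x.y' request line."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def loose_traversal(request_line: str) -> bool:
    """Fires on any '..' anywhere in the request line."""
    return LOOSE_TRAVERSAL.search(request_line) is not None


def tight_traversal(request_line: str) -> bool:
    """Fires only on a traversal sequence in the path, outside the excluded area."""
    uri = request_uri(request_line)
    if uri.startswith(RELATIVE_LINK_PREFIXES):
        return False
    return TIGHT_TRAVERSAL.search(uri) is not None


# --- case 2: file access plus malicious parameter ----------------------------
# Constructed script name and parameter; the tightened pattern requires the
# 'template' parameter to carry a traversal sequence.
LOOSE_FILE = re.compile(r"/cgi-bin/report\.cgi")
TIGHT_FILE = re.compile(r"/cgi-bin/report\.cgi\?(?:[^ ]*&)?template=\.\./")


def loose_file(request_line: str) -> bool:
    """Fires on every access to the file, malicious or not."""
    return LOOSE_FILE.search(request_uri(request_line)) is not None


def tight_file(request_line: str) -> bool:
    """Fires only when the file is accessed with the known malicious input."""
    return TIGHT_FILE.search(request_uri(request_line)) is not None


def evaluate(check: Callable[[str], bool], requests: List[str]) -> List[str]:
    """Return the request lines on which the given signature would fire."""
    return [r for r in requests if check(r)]


# Constructed request lines.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /docs/api/../intro.html HTTP/1.1",                # relative link in the docs area
    "GET /images/../../etc/passwd HTTP/1.1",               # traversal attempt
    "GET /cgi-bin/report.cgi?id=42 HTTP/1.1",              # legitimate use of the script
    "GET /cgi-bin/report.cgi?id=42&template=../../etc/passwd HTTP/1.1",  # malicious input
    "GET /search?q=what..is..this HTTP/1.1",               # '..' that is not a traversal
]

if __name__ == "__main__":
    checks = [("loose traversal", loose_traversal), ("tight traversal", tight_traversal),
              ("loose file", loose_file), ("tight file", tight_file)]
    for name, check in checks:
        print(f"{name}: {len(evaluate(check, SAMPLE_REQUESTS))} hits")
```

On the sample requests the loose traversal check fires four times and the tightened one twice; the loose file check fires on both accesses to the script, the tightened one only on the access that carries the malicious parameter. The path exclusion is the part that costs coverage, which is the trade-off the guidelines warn about: an attack aimed at the excluded area is no longer seen, so the exclusion should be as narrow as the site allows.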

False Positive Reduction Guidelines

When tuning a Cisco IPS sensor to reduce false positives,
keep in mind the following:
• Unskilled operators will benefit most from false positive reduction.
• For every filtered event, build a list of real attacks that will no
longer be seen (and perhaps back it up with another signature).
• Perform such tuning periodically—some applications will trigger
false alerts weekly, monthly, etc.
• Try to modify the signature per host.


Consider the following guidelines when reducing the rate of false positives:
• Unskilled or overworked operators gain the most from reducing the amount of unnecessary
alerts.
• If you disable an alert for one signature, ensure that the attacks that may be missed are
identified. For specific attacks that the organization is interested in catching, build custom
signatures.
• Perform tunings periodically—some applications will trigger false alerts weekly, monthly,
and so on.
• Do not forget to re-evaluate the filters periodically—the administrator may need to turn
some alerts back on, when new attacks are invented.
• Always try to apply the modified, more complex signature only to the relevant target (that
is, a host, a subnet, and so on). This preserves the performance of the Cisco IPS sensor,
because only the required hosts have their signatures tuned.

False Negative Reduction
This topic describes false negative alerts and how to tune and create signatures to reduce false
negatives.

False Negative Reduction

• False negatives are alerts that should be triggered, but were not
due to thresholds or bad signatures.
• False negatives are usually detected through a secondary means
(Cisco Security Agent, Cisco Security MARS, server and firewall
logs, etc.).
• Sometimes false negatives are due to evasion.
• Signature tuning is used to reduce them by:
– Altering the numeric thresholds of a signature
– Tuning the content of a signature
• Create a custom signature to identify traffic that was missed.
• Generally, these solutions increase false positives.


False negatives are alerts that should be triggered, but are not. Ideally, there should be no false
negatives. However, tuning may have turned off some alerts, or created thresholds that are too
high for the alert to trigger. If these things are creating false negatives, the IPS designer must
redefine these settings.

To catch false negatives, it is important to periodically check the Cisco IPS sensor logs and
search for all of the events that did not trigger alerts. It is also important to check server logs
for strange events and correlate them with the Cisco IPS sensor logs, to detect false negatives
that were lost due to IPS evasion techniques. Cisco Security Agent can be very useful in
catching false negatives.

You can tune the following to reduce the amount of false negative alerts:
• Alter the numeric threshold of an alert.
• Tune the content of a signature to detect events that were overlooked.

You can also create custom signatures that clearly define the malicious traffic. It is important
that you write any custom signatures to anticipate predictable variations that the attack may
take.

Note All of these actions can also increase the amount of false positive alerts.

Tuning Signature Thresholds

Tunable thresholds:
• Time boundaries when collecting a set of events:
– Useful for detecting slower scans, but limited in range
– Increase time, if enough resources are available
– Monitor resources afterward
• Number or rate of events to form a set:
– Decrease the limits, if they are rarely exceeded
• Try to modify the signature per host


You can do the following to lower the amount of false negatives:
• Increase the time span that a Cisco IPS sensor uses to detect scans and sweeps. This
configuration is useful for detecting slower scans. If you change the settings of the sensor,
be aware that the changes can cause the sensor to consume more resources, and for a longer
time, so it is important to monitor resource utilization afterward.
• If the number of correlated events that must happen is too high, try to lower the limit. For
example, if the Cisco IPS sensor triggers a network sweep for 15 hosts or more, and the
administrator is monitoring a network of 8 hosts, the Cisco IPS sensor will not detect a
network sweep.
• When possible, try to modify the settings on a per-host basis. Always try to apply the
modified, more complex signature only to the relevant target (that is, a host, a subnet, and
so on). This preserves the performance of the Cisco IPS sensor, because only the required
hosts have their signatures tuned.
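The following is an added example, not part of the course material and not the sensor's SWEEP engine. It is a small host-sweep detector whose two tunable thresholds are the ones discussed in this topic and in the false positive thresholds topic: the number of distinct destinations that form a sweep and the time window over which they are collected, plus a scope so the tuned setting applies only to the relevant subnet. The demo reproduces the cases in the text: a 15-host threshold that can never fire on an 8-host network, the same signature with a lowered threshold, a slow scan that only a longer window catches, and a signature scoped to a different subnet. All events, addresses, and thresholds are constructed.

```python
"""Added example (not Cisco code): a host-sweep detector with tunable thresholds.

A sweep fires when one source reaches `unique_hosts` distinct destinations
within `window_seconds`; `target_net` scopes the signature to one subnet.
All events, addresses and thresholds below are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class SynEvent:
    ts: float   # seconds on a constructed clock
    src: str
    dst: str


@dataclass(frozen=True)
class SweepSignature:
    unique_hosts: int               # distinct destinations that form a sweep
    window_seconds: float           # time span over which destinations are collected
    target_net: str = "0.0.0.0/0"   # scope; narrow it to tune per subnet or host


class SweepDetector:
    def __init__(self, sig: SweepSignature) -> None:
        self.sig = sig
        self.net = ipaddress.ip_network(sig.target_net)
        # per source: (timestamp, destination) pairs still inside the window
        self.recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.fired: Set[str] = set()   # one alert per source keeps output readable

    def feed(self, ev: SynEvent) -> bool:
        """Consume one SYN event; return True when the sweep signature fires."""
        if ipaddress.ip_address(ev.dst) not in self.net:
            return False   # outside the signature's scope
        q = self.recent[ev.src]
        q.append((ev.ts, ev.dst))
        while q and ev.ts - q[0][0] > self.sig.window_seconds:
            q.popleft()    # expire destinations older than the window
        distinct = {dst for _, dst in q}
        if len(distinct) >= self.sig.unique_hosts and ev.src not in self.fired:
            self.fired.add(ev.src)
            return True
        return False


def detect(sig: SweepSignature, events: List[SynEvent]) -> List[float]:
    """Run the events through a fresh detector; return the timestamps of alerts."""
    det = SweepDetector(sig)
    return [ev.ts for ev in sorted(events, key=lambda e: e.ts) if det.feed(ev)]


def scan_events(src: str, n_hosts: int, spacing: float,
                net_prefix: str = "10.1.1.") -> List[SynEvent]:
    """Constructed scan: one SYN to each of n_hosts hosts, `spacing` seconds apart."""
    return [SynEvent(i * spacing, src, f"{net_prefix}{i + 1}") for i in range(n_hosts)]


def run_demo() -> Dict[str, List[float]]:
    scanner = "203.0.113.9"
    fast = scan_events(scanner, 8, 5.0)    # 8-host network scanned in 35 s
    slow = scan_events(scanner, 8, 10.0)   # same hosts, 10 s apart
    return {
        "default_15_hosts_30s": detect(SweepSignature(15, 30.0), fast),   # never fires
        "lowered_5_hosts_30s": detect(SweepSignature(5, 30.0), fast),     # fires at 20 s
        "slow_scan_30s_window": detect(SweepSignature(5, 30.0), slow),    # still missed
        "slow_scan_60s_window": detect(SweepSignature(5, 60.0), slow),    # caught at 40 s
        "scoped_other_subnet": detect(SweepSignature(5, 30.0, "10.1.2.0/24"), fast),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {alerts or 'no alert'}")
```

The slow-scan rows show the resource trade-off the slide mentions: the 60-second window catches the scan because it holds twice as many destinations per source in memory, which is why the text says to monitor resource utilization after widening the window.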

Tuning Signature Contents

Tunable content:
• Change the range of allowed parameters
(destination ports, etc.)
• Modify string matching—adding other interpretations may
result in lower performance
• Try to modify the signature per host


To combat false negatives, tune the signature content to describe the attack more generically;
that is, include all of the variations and mutations that the Cisco IPS sensor has missed so far.
This tuning can involve the following:
• Change the range of allowed parameters for a signature—for example, look for a specific
string on more than one destination port in TCP sessions.
• Add other possible representations of the attack data to the pattern, if string matching uses
regular expressions.
• Always try to apply the modified, more complex signature only to the relevant target (that
is, a host, a subnet, and so on). Doing so preserves the performance of the Cisco IPS sensor,
because only the required hosts have their signatures tuned.

Note A very complex regular expression can lower the performance of the Cisco IPS sensor.

Combating Evasion

• Enable all available anti-evasion measures
• Detect conditions that should not occur normally:
– Fragmentation overlaps and fragmentation database timeouts
– TCP stream or sequence overlaps
– Sensor running out of memory
– Unexpected packet drops on the sensor


When server or firewall logs report strange events, but the Cisco IPS sensor logs do not, the
reason is usually IPS evasion. In such an event, it is important to check these things:
• The anti-evasion settings of the sensor
• The resources on the sensor and system logs (It may be possible that some type of DoS
attack on the sensor itself was performed.)
• The network topology and routing configurations, to eliminate possible external causes for
detection failure

Additionally, consider increasing the IP packet and TCP stream reassembly timeouts, if you
suspect continuous evasion.

False Negative Reduction Guidelines

When tuning a Cisco IPS sensor to reduce false
negatives:
• Use Cisco Security MARS, Cisco Security Agent data, or host and
firewall logs to see which signatures did not fire.
• Tune signature thresholds.
• Tune signature content.
• Employ maximum anti-evasion measures and evasion detection.


To detect and tune false negatives, follow these guidelines:
• Periodically check the Cisco Security Agent, firewall, and host logs. Correlate the data with
the Cisco IPS sensor logs to see whether the sensor missed any events. Cisco Security
Monitoring, Analysis, and Response System (MARS) is a useful tool to accomplish this
correlation.

Note Correlation is much more accurate when all system clocks are synchronized. If possible, use
the same, trusted, Network Time Protocol (NTP) source for all of the network devices and
servers.

• Tune signature thresholds for events that the Cisco IPS sensor did not detect. Lower the
restrictions on the signature. For example, specify that fewer packets are required to detect
a sweep, or increase the timeout if resources permit.
• Tune signature content according to the actual events.
• Employ maximum anti-evasion measures. Increase IP packet and TCP stream reassembly
timeouts. Turn on deobfuscation for signatures that require it. While some evasion
techniques might be successful, the IPS analyst must be able to detect evasion attempts to
further investigate such an event. Some Cisco IPS sensor alerts can help indicate evasion
attempts, such as overlapping fragments, fragment timeouts, and dropped packets, or are
even dedicated to catching evasion attempts. Cisco IPS Sensor Software Version 6.0 catches
attempts with special characters, such as a carriage return in the URL.
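The following is an added example, not part of the course material and not Cisco Security MARS logic. It carries out the first guideline above in code: each suspicious event from a secondary source (here constructed firewall deny lines) is matched against the sensor output for an alert with the same source and destination within a tolerance window, and events with no match are reported as candidate false negatives. The tolerance is what clock skew between devices eats into, which is the reason behind the Note on a common NTP source. Both log formats, the addresses, and the timestamps are constructed and are not Cisco formats.

```python
"""Added example (not Cisco code): candidate false negatives by log correlation.

Each firewall deny event is paired with the nearest IPS alert for the same
source/destination within `tolerance_seconds`; unmatched events are the
candidate false negatives.  Log formats, addresses and times are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

FW_RE = re.compile(
    r"^(?P<ts>\S+) fw deny (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IPS_RE = re.compile(
    r"^(?P<ts>\S+) ips alert sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    detail: str   # destination port for firewall events, signature name for alerts


def parse(lines: List[str], pattern, detail_field: str) -> List[Event]:
    """Parse the lines that match `pattern`; unrelated lines (e.g. permits) are skipped."""
    events = []
    for line in lines:
        m = pattern.match(line.strip())
        if m is None:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m[detail_field]))
    return events


def correlate(fw_events: List[Event], ips_events: List[Event],
              tolerance_seconds: float) -> Tuple[List[Tuple[Event, Event]], List[Event]]:
    """Return (matched firewall/alert pairs, firewall events with no alert in tolerance)."""
    matched, unmatched = [], []
    for fw in fw_events:
        candidates = [
            a for a in ips_events
            if a.src == fw.src and a.dst == fw.dst
            and abs((a.ts - fw.ts).total_seconds()) <= tolerance_seconds
        ]
        if candidates:
            best = min(candidates, key=lambda a: abs((a.ts - fw.ts).total_seconds()))
            matched.append((fw, best))
        else:
            unmatched.append(fw)
    return matched, unmatched


def candidate_false_negatives(fw_lines: List[str], ips_lines: List[str],
                              tolerance_seconds: float) -> List[Event]:
    fw = parse(fw_lines, FW_RE, "dport")
    ips = parse(ips_lines, IPS_RE, "sig")
    return correlate(fw, ips, tolerance_seconds)[1]


# Constructed log lines.
FIREWALL_LOG = [
    "2007-06-08T10:00:05 fw deny tcp 203.0.113.7:40001 -> 10.1.1.10:445",
    "2007-06-08T10:00:06 fw deny tcp 203.0.113.7:40002 -> 10.1.1.10:139",
    "2007-06-08T10:03:00 fw permit tcp 198.51.100.8:51000 -> 10.1.1.11:80",
    "2007-06-08T10:05:00 fw deny tcp 198.51.100.3:5555 -> 10.1.1.11:80",
]
IPS_LOG = [
    "2007-06-08T10:00:07 ips alert sig=SMB_Probe src=203.0.113.7 dst=10.1.1.10",
]

if __name__ == "__main__":
    for tol in (5.0, 1.0):
        missed = candidate_false_negatives(FIREWALL_LOG, IPS_LOG, tol)
        print(f"tolerance {tol}s: {len(missed)} candidate false negative(s):",
              [(e.src, e.dst, e.detail) for e in missed])
```

With a 5-second tolerance only the 198.51.100.3 event is unmatched and deserves a look at the sensor's signatures. With a 1-second tolerance a second event also appears unmatched, although the sensor did alert on it two seconds later; that is the effect a few seconds of clock skew has, and why the Note asks for one trusted NTP source before any correlation is trusted.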

Focusing Cisco IPS Sensors
This topic describes what it means to focus a Cisco IPS sensor, and discusses how to focus the
sensor.

Focusing Cisco IPS Sensor to the
Environment

To reliably detect successful attacks, the Cisco IPS
sensor should estimate how the end system will interpret
network traffic:
• Fragment reassembly: Different IP stacks reassemble fragments
in different ways.
• Obfuscation: Different deobfuscation techniques are required for
different applications (IIS).
• Operating system-specific low-level attacks: Certain systems can
be compromised with legitimate traffic (Microsoft TCP URG, HP-UX
unreachables).
• Operating system-specific application attacks: Focus on attacks
that are relevant to the host and might be successful.


It is important for the operator to be familiar with the environment, and to tune the Cisco IPS
sensor to match the behavior of the environment as best as possible.

To be able to focus the Cisco IPS sensor, you must be aware of the following:
• Fragment reassembly: Some TCP/IP stacks, when reassembling fragmented IP packets and
TCP streams, let new data overwrite the data that is already in the buffer. Other TCP/IP
stacks fill in only the blank spaces in the buffer with the new data; in effect, older data
“overwrites” newer data.
• Obfuscation: Different deobfuscation techniques are possible with different applications.
The Cisco IPS sensor should be able to decode any data to detect attacks, such as Unicode
encoding on IIS.
• Operating system-specific low-level attacks: Due to errors in implementation, legitimate
traffic may compromise certain systems. For example:
– Microsoft Windows NT 4.0 used to crash with a Blue Screen of Death (BSOD) upon
receiving a TCP packet with the urgent (URG) bit set in the header.
– An early version of Hewlett-Packard UNIX (HP-UX) would drop all active
connections with a certain host upon receiving an ICMP destination unreachable
packet for that host. Of course, such packets can be spoofed.

Note Ensure that the focus is on the application attacks that are important for the observed
system. Attacks against the Apache web server are meaningless on a system with IIS
installed.
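As an added illustration of the fragment reassembly point (example code, not part of the Cisco course material or of the sensor software), the Python below reassembles a constructed set of overlapping fragments under the two behaviors just described and flags fragment sets whose payload depends on the target stack, which is the evasion that matching the sensor to the host is meant to prevent. The mapping of the two behaviors to the Solaris and NT ReassembleMode values is an interpretation of the guide's wording; the Linux and BSD sequence-order modes are not modeled.

```python
"""Overlapping fragment reassembly under the two stack behaviours the guide
describes.  Added example, not Cisco's code or the sensor's implementation.

Fragments are listed in arrival order.  Following the guide's wording:
  "newest": new data overwrites whatever is already in the buffer
            (time order, always overwrite: read here as the Solaris mode).
  "oldest": new data only fills bytes that are still empty, so earlier
            data wins (reverse time order, always overwrite: read here as
            the NT mode).
The sequence-order variants listed for Linux and BSD are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment inside the datagram
    data: bytes


# Interpretation of the two ReassembleMode values whose behaviour the guide
# spells out in terms of arrival time (an assumption, not a vendor table).
REASSEMBLE_MODE = {"Solaris": "newest", "NT": "oldest"}


def reassemble(fragments, policy):
    """Rebuild the datagram payload from fragments given in arrival order.

    Raises ValueError on an unknown policy or if the fragments leave a hole.
    """
    if policy not in ("newest", "oldest"):
        raise ValueError("unknown policy: %s" % policy)
    total = max(f.offset + len(f.data) for f in fragments)
    buf = [None] * total                      # None marks a still-empty byte
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "newest" or buf[pos] is None:
                buf[pos] = byte
    if any(b is None for b in buf):
        raise ValueError("hole in reassembled datagram")
    return bytes(buf)


def sensor_view(fragments, reassemble_mode):
    """Payload a sensor configured with the given ReassembleMode would inspect."""
    return reassemble(fragments, REASSEMBLE_MODE[reassemble_mode])


def overlaps(fragments):
    """True if any two fragments cover a common byte range."""
    spans = sorted((f.offset, f.offset + len(f.data)) for f in fragments)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def is_ambiguous(fragments):
    """True if the payload depends on the target's reassembly behaviour.

    A sensor whose ReassembleMode does not match the protected host then
    inspects different bytes than the host receives.  Overlapping fragments
    that carry identical bytes in the overlap are not ambiguous.
    """
    return reassemble(fragments, "newest") != reassemble(fragments, "oldest")


# Constructed sample: the second fragment overlaps the tail of the first
# with different bytes, so the two behaviours disagree.
SAMPLE = [Fragment(0, b"HELLO WORLD"), Fragment(6, b"THERE")]

if __name__ == "__main__":
    for mode in REASSEMBLE_MODE:
        print(mode, sensor_view(SAMPLE, mode))   # Solaris b'HELLO THERE', NT b'HELLO WORLD'
    print("ambiguous:", is_ambiguous(SAMPLE))    # True
```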

Focusing Cisco IPS Sensor Guidelines

When you focus a Cisco IPS sensor to an environment:
• Always tune fragmentation settings:
– What if multiple different systems are watched?
– Tune to obtain maximum coverage depending on the policy.
• Turn on deobfuscation for relevant events only (i.e., critical IIS attacks).
• Turn on usually noisy low-level events for specific vulnerable or valuable hosts.


The goal of tuning the Cisco IPS sensor to the environment is to gain maximum coverage while
not overloading the system. In mixed environments, this may mean covering as many hosts as
possible, while risking some IPS evasion for the remaining minority. Because of this, it is
recommended that you do the following:
• Always tune fragmentation settings. This is a systemwide setting and applies to all
monitored traffic. For the reassembly algorithms, use the reassembly setting that covers the
majority of hosts, or at least use the setting that covers the most important systems that the
Cisco IPS sensor is protecting.
• Turn on deobfuscation only for relevant triggers. Turning on deobfuscation for attacks that
can be detected without deobfuscation would needlessly consume valuable system
resources. Deobfuscation inside the HTTP protocol is turned on for all HTTP signatures by
default, and it uses the Microsoft IIS dialect; that is, the Cisco IPS sensor interprets
obfuscated data as Microsoft IIS would.
• Turn on alerts for noisy events only for the most vulnerable or valuable hosts.

Windows Guidelines

The recommended general tuning settings for watching Windows server operating systems are:
• IP reassembly: ReassembleMode = NT
• All IIS signatures enabled
• Enable specific RPC/NBT signatures (NULL access, guest access, password guessing)
• Enable general RPC/NBT signatures depending on role of server (not on a fileserver)
• Deobfuscation on by default using IIS dialect


Use the following settings for a Cisco IPS sensor that is set to monitor mainly Microsoft
Windows systems:
• IP reassembly = NT. Recommended values for the most common operating systems are as
follows:
— Solaris for SunOS and Solaris: Time order, always overwrite previous data
— NT for Windows NT, 2000 and 2003: Reverse time order, always overwrite previous data
— Linux for Linux: Reverse sequence order, pre-order insert
— BSD for FreeBSD or OpenBSD: Reverse sequence order, post-order insert
• Enable all IIS signatures, if running an IIS web server.
• Enable specific Windows/NetBIOS signatures with a higher level of risk:
— Windows Null Account Name
— NetBIOS out-of-band (OOB) Data
— Windows guest login
— Windows Password File Access
— Windows Registry Access
• Enable general Windows/NetBIOS signatures, depending on the role of the server.
Enabling all Server Message Block (SMB) signatures may not be suitable for a file (SMB)
server, where user mistakes are common and some alerts (for example, failed file server
login) would trigger too often to be analyzed by the IPS analyst.
• Deobfuscation inside the HTTP protocol is turned on for all HTTP signatures by default,
and it uses the Microsoft IIS dialect; that is, the Cisco IPS sensor interprets obfuscated
data as Microsoft IIS would.

Solaris Guidelines

Recommended general tuning settings for watching Solaris servers are:
• IP reassembly: ReassembleMode = Solaris
• Enable specific UNIX RPC signatures
• Enable specific r-services signatures
• Watch general r-services (depending on legitimate use of r-services)
• Enable general RPC/NFS signatures depending on role of server (not on a fileserver)


Use the following settings for a Cisco IPS sensor that is set to monitor mostly Solaris systems:
• Set IP reassembly mode = Solaris.
• Enable UNIX Remote Procedure Call (RPC) signatures.
• Enable UNIX remote services (r-services) signatures:
— Enable the rlogin signatures.
— Create policy-based connection signatures for other r-services such as remote shell
(RSH), remote execution (rexec), and so on.
• Enable general RPC/Network File System (NFS) signatures, depending on the role of the
server. (Note that NFS may use User Datagram Protocol (UDP) or TCP. Enabling all NFS
signatures may not be suitable for an NFS server, where user mistakes are common and
some alerts, for example, failed file server logins, would trigger too often to be analyzed by
the IPS analyst.)

Linux Guidelines

Recommended general tuning settings for watching Linux servers are:
• IP reassembly: ReassembleMode = Linux
• Enable specific UNIX RPC signatures
• Enable specific r-services signatures
• Watch general r-services (depending on legitimate use of r-services)
• Enable general RPC/NFS signatures depending on role of server (not on a fileserver)


Use the following settings for a Cisco IPS sensor that is set to monitor mostly Linux systems:
• Set IP reassembly mode = Linux.
• Enable UNIX RPC signatures.
• Enable UNIX r-services signatures:
— Enable the rlogin signatures.
— Create policy-based connection signatures for other r-services such as RSH, rexec,
and so on.
• Enable general RPC/NFS signatures, depending on the role of the server. (Note that NFS
may use UDP or TCP. Enabling all NFS signatures may not be suitable for an NFS server,
where user mistakes are common and some alerts, for example, failed file server logins,
would trigger too often to be analyzed by the IPS analyst.)

Focusing Cisco IPS Sensors to Policy

Taking a policy-based approach:
• Detect unauthorized protocols:
– For example, only IP traffic is allowed, alert on everything else
• Detect unauthorized applications:
– For example, only FTP is allowed, alert on everything else
• Detect unauthorized actions:
– For example, only access to /myapp is allowed, alert on anything else
• In addition, enable almost all signatures (use with caution in controlled, quiet
environments, with no performance issues)


To help focus the Cisco IPS sensor, create policy-based signatures when you are monitoring
controlled environments, such as DMZ networks or dedicated portions of the network. Ensure
that alerts trigger for everything that the security policy does not permit.

The following are examples of creating signatures for unauthorized protocols or types, based on
a network security policy:

• Detect IP protocol in segments where only Systems Network Architecture (SNA) or
Internetwork Packet Exchange (IPX) traffic is permitted.
• Detect the use of ICMP types, such as echo request and echo reply, redirect messages, and
so on.

Note Destination unreachable ICMP packets are part of normal TCP/IP traffic when maximum
transmission unit (MTU) path discovery is used.

• Trigger alerts for all nonpermitted services. For example, if your network allows only FTP,
trigger alerts on every other service.
• Detect unauthorized actions. For example, if you are designing a special dedicated web site
for an internal application, create a custom STATE.HTTP signature that detects Uniform
Resource Identifiers (URIs) that do not match the site.
• If the environment permits it (there is not much traffic or noise on the network), turn on
nearly all of the signatures.

Performance Optimization Guidelines

The Cisco IPS sensor performance can be optimized by:
• Filtering traffic before capture
• Reducing the Cisco IPS sensor's detection capabilities
• Load-balancing to multiple sensors
How to detect performance issues?
• Both the Cisco IPS 4200 Series Sensors and the Cisco Catalyst 6500 Series IDSM-2 have
an alert that will fire when packets are being dropped.


If the Cisco IPS sensor monitors noisy networks that have high volumes of traffic, performance
of the sensor may become an issue, and the sensor may not be able to detect all of the events. In
such conditions, it becomes important to tune the sensor, or to make changes to the
environment to avoid uncontrolled loss of detection capabilities.

Generally, as a designer, you can do the following to increase the performance of a Cisco IPS
sensor:
• Enable additional filtering on the firewall that does not break any legitimate network use.
• Reduce IPS detection capabilities for events that are not important for the current
environment. For example, you can turn off signatures for IIS web servers, if no such
servers are present. By doing this, some visibility may be lost, but the system would gain
an additional performance edge.
• Use multiple sensors so that you can divide the task of monitoring between them.

The sensor itself may detect performance issues, or a network administrator may notice
performance issues on other devices.
• Both the Cisco IPS 4200 Series Sensors and the Cisco Catalyst 6500 Series Intrusion
Detection System Services Module 2 (IDSM-2) trigger alerts when the system drops
packets.
• If the Cisco IPS sensor is connected to a Switched Port Analyzer (SPAN) port of a network
switch, the network switch may report packet loss for this port.

Filter Before Capture

[Figure: Untrusted and Trusted network sides]

Filter traffic before Cisco IPS sensor capture:
• Place the Cisco IPS sensor behind a filtering firewall
• Selective capture (usually based on VACLs)


A correctly configured firewall filters out the majority of noise, letting through only legitimate
traffic, at least up to Open Systems Interconnection (OSI) Layer 4, although some firewalls can
also filter protocol data units for Layer 5 to Layer 7.

By placing the Cisco IPS sensor behind a firewall, the firewall will filter most of the low-level
noise, thus enabling the Cisco IPS sensor to focus on attacks in the traffic that the security
policy explicitly permits.

With the Cisco Catalyst 6500 Series IDSM-2, you can perform selective capture by setting the
appropriate VLAN access control lists (VACLs), which capture only a subset of traffic off the
switch backplane and copy it to the Cisco Catalyst 6500 Series IDSM-2. Therefore, the Cisco
Catalyst 6500 Series IDSM-2 receives only a copy of the packets that are suitable for analysis,
and completely ignores the rest of the traffic. Using SPAN on a switch to monitor only
unidirectional (receive [Rx] or transmit [Tx]) traffic on a port or VLAN achieves a similar, but
less granular, selective capture effect.

Reducing Cisco IPS Sensor Detection Capabilities

[Figure: Web Server (HTTP Signatures Only) and E-Commerce Server; Untrusted and Trusted sides]

Reduce the capabilities of the Cisco IPS sensor detection:
• Disable unneeded signatures
• Simplify signatures (string patterns, numeric thresholds)—may result in false positives


By selectively disabling all unneeded signatures, the Cisco IPS sensor resources are free to
process the remaining events. In some cases, it is advisable to review the string-matching
signatures and create simpler rules. As a result, the rate of false positives may increase, but no
events are lost. You can use other techniques to mitigate the false positives.

Cisco IPS Sensor Load Balancing

[Figure: Web Server; one sensor with Layer 2-Layer 4 Signatures Only and one with Layer 5-Layer 7 Signatures Only; Untrusted and Trusted sides]

Have multiple sensors analyze the same or split traffic:
• Single path, multiple sensors with different configuration


To prevent loss of attack detection, use Cisco IPS sensor load balancing. Place multiple sensors
on the same network segment, and configure them to detect different types of events.
• Configure one of the sensors to detect only low-level attacks, such as network sweeps, port
scans and policy violations, and configure the other sensor to detect application-level
attacks.
• Configure one of the sensors to detect only UNIX-based attacks, and configure the other to
detect Microsoft Windows-based attacks.
• Configure one of the sensors to detect only attacks on web servers, and configure the other
to detect UNIX RPC and NFS attacks.

Cisco IPS Sensor Load Balancing (Cont.)

[Figure: Untrusted and Trusted sides]

Have multiple sensors analyze the same or split traffic:
• Multiple paths, multiple sensors with same configuration
• Use equal-cost routing (if NAT provides a symmetric path)
• Use firewall load balancing (best)


Sometimes it is possible to split the traffic entering the network. This reduces the amount of
traffic that each sensor must monitor. The IPS designer can use the same configuration for all
sensors.
• If multiple servers are present, place them on separate network segments, and use a
separate sensor for each segment.
• Use equal cost routing (ECR) to split the traffic in half. In such cases, use Network Address
Translation (NAT) to enforce the same path for return traffic.
• Use firewall load balancing, as the figure illustrates, with Cisco IPS sensors behind each
firewall. Such a setup is the most transparent and scalable solution, and no NAT
configuration is necessary to achieve symmetric routing.

Cisco IPS Sensor Load Balancing (Cont.)

[Figure: Web Server and E-Commerce Server, each on its own path; Untrusted and Trusted sides]

Have multiple sensors analyze the same or split traffic:
• Each path has its own sensor with a different configuration. This is a more distributed IPS
structure.
• At the extreme, each monitored host has its own sensor.

If possible or required, split the network into more segments and monitor each segment
separately.

Place servers in each network segment, and use Cisco IPS sensors to monitor each segment.
Divide the servers according to their role, and if necessary based on their operating system,
taking into account the fragment reassembly algorithms used for each operating system.
Configure each Cisco IPS sensor specifically for the network segment that it monitors, with the
detection engine and signatures tuned to the maximum. In the extreme, configure each Cisco
IPS sensor to monitor only the traffic from one host.

Unidirectional Capture

Unidirectional (simplex) capture can be used to increase performance:
• Use only if attacks can be identified by a unidirectional stream
• Requires tuning of the Cisco IPS sensor engine (disable TCP handshake tracking, use TCP
loose reassembly)
• Simple to do with the Cisco Catalyst 6500 Series IDSM-2 (only capture traffic to a
destination TCP/UDP port)
Unidirectional captures can also happen by mistake:
• When packets are load-balanced or asymmetrically routed

Unidirectional captures should only be done as a last resort to address performance problems.


Sometimes, an administrator can use unidirectional capture to increase performance by only
analyzing a TCP or UDP stream in one direction (for example, only from the client to the
server), without analyzing return traffic, because only the HTTP requests might contain
malicious data in some environments.

Note Always monitor streams bidirectionally. Only revert to unidirectional monitoring when
performance problems arise.

If unidirectional monitoring is required, ensure that the TCP reassembly engine is tuned.
• TCPThreeWayHandShake: Configure the TCP stream reassembly subsystem to only
watch traffic when it observes the three-way handshake used to establish the TCP
connection. The default value is 0 (off). For simplex operation, the recommended setting is
off, because the Cisco IPS sensor does not see the full TCP handshake.
• TCPStrictReassembly (strict or loose): A setting of “loose” indicates that the Cisco IPS
sensor does not need strict reassembly. Use the setting “loose” in environments where the
Cisco IPS sensor might drop packets or use unidirectional monitoring. A setting of “strict”
means that if the Cisco IPS sensor misses a packet for any reason, it does not process any
packets after that missed packet. The default setting is “strict.”
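The following Python models the two parameters above on constructed captures of one HTTP request; it is an added example, not Cisco's code or the sensor's implementation. It shows why a simplex capture inspects nothing unless handshake tracking is off, and how a missed segment silences a strict stream while a loose stream skips the gap; the segment fields, sequence numbers and class names are assumptions made for the example.

```python
"""Effect of the two TCP reassembly parameters on a simplex or lossy capture.

Added example, not Cisco's code or the sensor's implementation.  It models
the behaviour the text describes:
  require_handshake (TCPThreeWayHandShake): client data is inspected only
      after the sensor has seen SYN, SYN/ACK and ACK for the stream.
  strict (TCPStrictReassembly): in strict mode a missed segment stops
      inspection of everything after it; in loose mode the gap is skipped.
Segments and sequence numbers are constructed in-line.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    direction: str       # "c2s" (client to server) or "s2c"
    seq: int             # sequence number of the SYN or of the first payload byte
    flags: frozenset     # subset of {"SYN", "ACK"}
    payload: bytes = b""


class StreamTracker:
    """Tracks one TCP connection and collects the client bytes the sensor would inspect."""

    def __init__(self, require_handshake=True, strict=True):
        self.require_handshake = require_handshake
        self.strict = strict
        self._steps = set()           # handshake steps observed so far
        self.next_seq = None          # next expected client sequence number
        self.inspected = bytearray()  # client payload handed to the signature engines
        self.stalled = False          # strict mode gave up after a missed segment
        self.skipped_gaps = 0         # gaps skipped in loose mode

    @property
    def handshake_seen(self):
        return {"SYN", "SYN-ACK", "ACK"} <= self._steps

    def _track_handshake(self, seg):
        if seg.direction == "c2s" and "SYN" in seg.flags and "ACK" not in seg.flags:
            self._steps.add("SYN")
            self.next_seq = seg.seq + 1            # SYN consumes one sequence number
        elif seg.direction == "s2c" and {"SYN", "ACK"} <= seg.flags and "SYN" in self._steps:
            self._steps.add("SYN-ACK")
        elif seg.direction == "c2s" and "ACK" in seg.flags and "SYN-ACK" in self._steps:
            self._steps.add("ACK")

    def feed(self, seg):
        """Process one captured segment; returns True if its payload was inspected."""
        self._track_handshake(seg)
        if seg.direction != "c2s" or not seg.payload or self.stalled:
            return False
        if self.require_handshake and not self.handshake_seen:
            return False                           # stream is ignored entirely
        if self.next_seq is None:
            self.next_seq = seg.seq                # picked up mid-stream: accept first data seen
        if seg.seq > self.next_seq:                # a segment was missed (drop, one-way path)
            if self.strict:
                self.stalled = True
                return False
            self.skipped_gaps += 1
            self.next_seq = seg.seq
        elif seg.seq < self.next_seq:              # retransmission: keep only the unseen tail
            already = self.next_seq - seg.seq
            if already >= len(seg.payload):
                return False
            seg = Segment(seg.direction, self.next_seq, seg.flags, seg.payload[already:])
        self.inspected += seg.payload
        self.next_seq = seg.seq + len(seg.payload)
        return True


def inspect_capture(segments, require_handshake, strict):
    """Run a capture through a tracker with the given settings and return the tracker."""
    tracker = StreamTracker(require_handshake, strict)
    for seg in segments:
        tracker.feed(seg)
    return tracker


# Constructed captures of one HTTP request (client ISN 100, server ISN 500).
SYN = Segment("c2s", 100, frozenset({"SYN"}))
SYN_ACK = Segment("s2c", 500, frozenset({"SYN", "ACK"}))
ACK = Segment("c2s", 101, frozenset({"ACK"}))
REQ1 = Segment("c2s", 101, frozenset({"ACK"}), b"GET /a")
REQ2 = Segment("c2s", 107, frozenset({"ACK"}), b" HTTP/1.0\r\n")
REQ3 = Segment("c2s", 118, frozenset({"ACK"}), b"Host: x\r\n")

FULL_CAPTURE = [SYN, SYN_ACK, ACK, REQ1, REQ2, REQ3]
SIMPLEX_CAPTURE = [SYN, ACK, REQ1, REQ2, REQ3]   # only the client-to-server direction copied
LOSSY_CAPTURE = [SYN, SYN_ACK, ACK, REQ1, REQ3]  # REQ2 was dropped before the sensor saw it

if __name__ == "__main__":
    print(bytes(inspect_capture(SIMPLEX_CAPTURE, True, True).inspected))   # b'': no SYN/ACK seen
    print(bytes(inspect_capture(SIMPLEX_CAPTURE, False, True).inspected))  # the whole request
    print(bytes(inspect_capture(LOSSY_CAPTURE, False, True).inspected))    # b'GET /a': strict stalls
    print(bytes(inspect_capture(LOSSY_CAPTURE, False, False).inspected))   # loose skips the gap
```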

With a LAN switch that has capture functionality, such as the Cisco Catalyst 6500 Series
Switches, unidirectional monitoring is very simple to configure—copy only packets going to a
well-known destination port, such as HTTP, to the capture port (Cisco Catalyst 6500 Series
IDSM-2). Do not copy return traffic, packets with a source port of HTTP, or any traffic from
the web server, to the Cisco Catalyst 6500 Series IDSM-2 IPS engine.

Unidirectional capture situations might also arise when asymmetric routing is in place—for
example, with certain load-balancing designs. Always fix the design and only revert to simplex
capture if no other solution is possible. It is always best to see as much traffic as possible to
detect the largest number of anomalies.

Customizing Built-in Signatures
This topic provides different signature tuning scenarios.

Signature Tuning Scenario 1

• A company FTP server stores software that is being beta tested by customers. The
company wants to detect unauthorized login attempts.
• Using the signature search features in the Cisco IDM, the network security administrator
discovers signature 6250, the FTP Authorization Failure signature.
• After examining the parameters for signature 6250, the administrator decides to tune the
signature as follows:
– Change the severity level from informational to high
– Add the Deny Connection Inline action to the default action of Produce Alert


Signature tuning can also help you detect and prevent network activity specific to your current
network environment. The following scenario provides an example.

A company FTP server stores software that is being beta tested by customers. The company
wants to detect unauthorized login attempts. The FTP Authorization Failure signature can be
tuned to detect these attempts and take the following actions:
• Trigger a high-severity alert
• Deny the connection inline

Signature Tuning Scenario 1 (Cont.)

[Screenshot: Edit Signature window with the Alert Severity, Edit and Event Action controls called out]

The Edit Signature window enables you to tune signatures by changing the values of the
signature parameters. A + icon indicates that more parameters are available for the signature.
Click the + icon to expand a section and view the remaining parameters.

A green icon indicates that the parameter is currently using the default value. If you click the
green icon, it becomes a red diamond icon. This activates the Parameter field and enables you
to edit the value. Clicking the red diamond icon restores the default value.

After accessing the Edit Signature window for the FTP Authorization Failure signature, the
network security administrator tunes the signature as follows:

Step 1 Click the green Alert Severity icon.

Step 2 Choose High from the Alert Severity drop-down menu.

Step 3 Expand Engine to show the engine-specific parameters.

Step 4 Click the green Event Action icon.

Step 5 Choose Deny Connection Inline from the Event Action list.

Step 6 Hold down the Ctrl key while choosing Produce Alert from the Event Action list.

Step 7 Click OK. The Edit Signature window closes, displaying the Signature
Configuration panel.

Step 8 Click Apply to save your changes.

Signature Tuning Scenario 2

• You are replacing D-Link devices on your network with Linksys wireless devices, but you
still have some old D-Link systems that have not yet been replaced. Until they are replaced,
you want to make sure that they are not being attacked. You would like to do the following
to protect the D-Link devices and other devices on your network:
– Alert on any attempt to access a D-Link configuration file from any system other than
your management system
– Generate a single alert every 5 minutes when the signature is being triggered by a
single-source IP address
– Use the Deny Packet Inline action to drop traffic from non-D-Link devices
• You discover that signature 4611 detects TFTP requests for D-Link configuration files, but
it does not meet your requirements to do the following:
– Generate a single alert for a single-source IP every 5 minutes
– Drop the TFTP request before it reaches its target


The following scenario provides another example of signature tuning.

You have been using D-Link devices on your network. You are now migrating to Linksys
wireless devices, but you still have some old D-Link systems that have not yet been replaced.
Until they are replaced, you want to ensure their security.

You want to alert on any attempt to access a D-Link configuration file from any system other
than your designated management system. However, you only want to generate a single alert
every 5 minutes when the signature is being triggered by a single-source IP address. You want
to use the Deny Packet Inline action to drop traffic from non-D-Link devices.

Using the search capabilities of the Cisco IDM, you discover signature 4611. It detects TFTP
requests for the D-Link configuration files, but it does not completely meet your requirements
for the following reasons:
• It does not generate a single alert for a single-source IP every 5 minutes.
• It does not use the inline packet drop to stop the TFTP traffic.

Signature Tuning Scenario 2 (Cont.)

[Screenshot: Signature Configuration panel with Select By: Sig ID, Enter Sig ID: 4611, Find, Signature Definition and Edit called out]

You can tune signature 4611 to meet your requirements by completing the following steps:

Step 1 Choose Sig ID from the Select By drop-down menu.

Step 2 Choose the 4611 signature.

Step 3 Click Edit. The Edit Signature window opens.

Signature Tuning Scenario 2 (Cont.)

[Screenshot: Edit Signature window showing the Event Action, Event Counter (Event Count Key, Specify Alert Interval, Alert Interval) and Alert Frequency (Summary Mode) parameters]

Step 4 Expand the Engine icon to show the engine-specific parameters for the STRING
UDP engine.

Step 5 Click the green Event Action icon. It becomes a red diamond.

Step 6 Choose Produce Alert from the Event Action list.

Step 7 Hold down the Ctrl key and choose Deny Packet Inline. After you finish
configuring the signature and apply your configuration, signature 4611 will use the
inline drop action to stop TFTP traffic.

Step 8 Expand Event Counter to show the Event Counter parameters.

Step 9 Complete the following substeps to configure signature 4611 to generate a single
alert for a single-source IP every 5 minutes:
1. Click Event Count Key.
2. Choose Attacker Address from the Event Count Key drop-down menu.
3. Click Specify Alert Interval.
4. Choose Yes from the Specify Alert Interval drop-down menu.
5. Click Alert Interval.
6. Enter 300 in the Alert Interval field.
7. Expand Alert Frequency to show the Alert Frequency parameters.
8. Click Summary Mode.
9. Choose Fire Once from the Summary Mode drop-down menu.

Step 10 Click OK.

For the example, you also must create an event filter that prevents the request from being
dropped when it originates from a legitimate management system. Filters are explained in the
“Advanced Cisco IPS Configuration” module.
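To make the effect of the tuning in Scenario 2 concrete, the following Python is an added example (not Cisco's code or the sensor's implementation) that replays constructed signature hits through a per-attacker, 300-second, fire-once summarizer and then through an event filter that removes only the Deny Packet Inline action for the management system. The addresses, timestamps, file name and class names are constructed for the example.

```python
"""Alert summarization for signature 4611 as tuned in Scenario 2.

Added example, not Cisco's code or the sensor's implementation.  It models
the behaviour the tuning asks for: Event Count Key = attacker address,
Alert Interval = 300 seconds, Summary Mode = Fire Once, so one source that
keeps sending TFTP requests for a configuration file produces one alert per
300-second interval.  The event filter for the management system is
modelled as removing only the Deny Packet Inline action.
Hits, addresses, file name and timestamps are constructed.
"""
from dataclasses import dataclass

DEFAULT_ACTIONS = frozenset({"produce-alert", "deny-packet-inline"})


@dataclass(frozen=True)
class Hit:
    ts: float          # seconds at which the signature matched (constructed clock)
    attacker: str      # source address of the TFTP request
    victim: str        # device that was asked for its configuration file
    filename: str      # requested file name, as seen in the TFTP read request


class FireOnceSummarizer:
    """Fire one alert per key per alert_interval; further hits in that window are only counted."""

    def __init__(self, alert_interval=300, key=lambda hit: hit.attacker):
        self.alert_interval = alert_interval
        self.key = key
        self._window_start = {}   # key -> timestamp of the alert that opened its window
        self.suppressed = {}      # key -> hits swallowed since that alert

    def process(self, hit):
        """Return an alert dict for this hit, or None when it is summarized away."""
        k = self.key(hit)
        start = self._window_start.get(k)
        if start is not None and hit.ts - start < self.alert_interval:
            self.suppressed[k] = self.suppressed.get(k, 0) + 1
            return None
        self._window_start[k] = hit.ts
        self.suppressed[k] = 0
        return {"ts": hit.ts, "attacker": hit.attacker, "victim": hit.victim,
                "filename": hit.filename, "actions": set(DEFAULT_ACTIONS)}


def apply_management_filter(alert, management_hosts):
    """Event filter: keep the alert, but do not drop requests from the management system."""
    if alert["attacker"] in management_hosts:
        alert["actions"].discard("deny-packet-inline")
    return alert


def summarize(hits, alert_interval=300, management_hosts=frozenset()):
    """Run hits (in time order) through the summarizer and the filter; return the alerts."""
    summarizer = FireOnceSummarizer(alert_interval)
    alerts = []
    for hit in sorted(hits, key=lambda h: h.ts):
        alert = summarizer.process(hit)
        if alert is not None:
            alerts.append(apply_management_filter(alert, management_hosts))
    return alerts


# Constructed sample: one host polling repeatedly, one single request, and the
# legitimate management station (addresses from documentation ranges, file
# name is a placeholder).
MANAGEMENT = frozenset({"198.51.100.5"})
SAMPLE_HITS = [
    Hit(0.0, "192.0.2.10", "192.0.2.50", "example-config.cfg"),
    Hit(60.0, "192.0.2.10", "192.0.2.50", "example-config.cfg"),
    Hit(50.0, "198.51.100.5", "192.0.2.50", "example-config.cfg"),
    Hit(100.0, "192.0.2.20", "192.0.2.51", "example-config.cfg"),
    Hit(200.0, "192.0.2.10", "192.0.2.51", "example-config.cfg"),
    Hit(400.0, "192.0.2.10", "192.0.2.50", "example-config.cfg"),
]

if __name__ == "__main__":
    for alert in summarize(SAMPLE_HITS, management_hosts=MANAGEMENT):
        print(alert["ts"], alert["attacker"], sorted(alert["actions"]))
```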

How to Create Custom Signatures
This topic explains how to design and create custom signatures.

Creating Custom Signatures

• Creating a custom signature requires detailed knowledge of the attack for which you create
it.
• Poorly written signatures can generate false positives and false negatives.
• You should test a custom signature carefully before you deploy it.
• The Custom Signature Wizard in the Cisco IDM guides you through the process of creating
custom signatures and enables you to create custom signatures in either of the following
ways:
– Using a signature engine
– Without using a signature engine
• You can also create custom signatures without using the Custom Signature Wizard.

© 2007 Cisco Systems, Inc. All rights reserved. IPS v6.0—3-33

Although the Cisco IDM Custom Signature Wizard is available to help you quickly and easily
create custom signatures, creating effective custom signatures is not a simple task. It requires
detailed knowledge of the attack for which you are creating the signature. In addition, a custom
signature can affect the performance of the sensor, and poorly written signatures can generate
false positives and false negatives. Before deploying a custom signature, you should carefully
test it to ensure that it behaves as expected. You should also analyze its impact on sensor
performance.

To establish a baseline and test the impact of a signature, choose Interface Configuration >
Traffic Flow Notifications to configure the Missed Packets Threshold and Notification
Interval settings. Then allow the sensor to run with the current signature set to see if the sensor
is handling the load. Adjust the values if needed. Then add a single custom signature and
monitor events for any status notifications.

The Custom Signature Wizard guides you through a step-by-step process for creating custom
signatures. It enables you to create custom signatures using either one of the following
methods:
• Specifying a signature engine
• Without specifying a signature engine

Note You can also create custom signatures without using the Custom Signature Wizard.

Custom Signature Scenarios
This topic uses scenarios to explain the creation of custom signatures.

Custom Signature Scenario 1

A network security administrator wants to create a custom signature that is triggered by
SYN packets destined for port 23. The administrator decides to use the ATOMIC IP
engine for the following reasons:
• Atomic signatures can trigger on the contents of a single packet.
• The ATOMIC IP engine allows you to select a Layer 4 protocol.
• You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
• You can use the Destination Port Range parameter to specify the destination port of
interest.


In the first scenario, a network security administrator wants to create a custom signature that is
triggered by SYN packets destined for port 23. The administrator decides to use the Custom
Signature Wizard to create the signature. The administrator decides, for the following reasons,
to use the ATOMIC IP engine to create the signature:
• Atomic signatures can trigger on the contents of a single packet.
• The ATOMIC IP engine allows you to select a Layer 4 protocol.
• You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
• You can use the Destination Port Range parameter to specify the destination port of
interest.

Using the Custom Signature Wizard (slide screenshot; callouts: Configuration, Signature
Definition, Custom Signature Wizard, Start the Wizard)

Complete the following steps to create the signature by specifying a signature engine in the
Custom Signature Wizard:

Step 1 Click Configuration, choose Signature Definitions, and then click the Custom
Signature Wizard tab. The Custom Signature Wizard panel is displayed.

Step 2 Click Start the Wizard. The Welcome panel is displayed.

Specifying a Signature Engine (slide screenshot; callouts: Select Engine, Next)

Step 3 Click the Yes radio button. If you click No, the Wizard leads you through creating a
custom signature without using a signature engine.

Step 4 Choose Atomic IP from the Select Engine drop-down list. You can choose from the
following list of engines:
• Atomic IP
• Service HTTP
• Service MSRPC
• Service RPC
• State SMTP
• String ICMP
• String TCP
• String UDP
• Sweep

Step 5 Click Next. The Signature Identification panel is displayed.

Configuring the Signature Identification Parameters (slide screenshot; callouts:
Signature ID, Signature Name, Next)

Step 6 Accept the default Signature ID number 60000. Valid signature ID values range
from 60000 to 65000.

Step 7 Accept the default SubSignature ID number 0.

Step 8 Enter Syn23 in the Signature Name field.

Step 9 (Optional) In the Alert Notes field, enter text to be associated with the alert if this
signature fires. Alert Notes text is reported to the Event Viewer when an alert is
generated.

Step 10 (Optional) In the User Comments field, enter notes or other comments about this
signature that you want stored with the signature parameters.

Step 11 Click Next. The Engine Specific Parameters panel is displayed.

Configuring the Engine-Specific Parameters (slide screenshot; callouts: Specify Layer 4
Protocol, Layer 4 Protocol, TCP Flags, TCP Mask, Specify Destination Port Range,
Destination Port Range, Next)

Step 12 Expand Specify Layer 4 Protocol.

Step 13 Choose Yes from the Specify Layer 4 Protocol drop-down list.

Step 14 Choose TCP Protocol from the Layer 4 Protocol drop-down list. If you are creating
an ATOMIC IP custom signature, you can choose one of the following from the
Layer 4 Protocol drop-down list:
• ICMP Protocol
• Other IP Protocols
• TCP Protocol
• UDP Protocol

Note After you make your selection, the screen refreshes to present configuration options specific
to that selection.

Step 15 Choose SYN from the TCP Flags drop-down list.

Step 16 Choose Syn and Ack from the TCP Mask drop-down list.

Step 17 Check the Specify Destination Port Range check box.

Step 18 Choose Yes from the Specify Destination Port Range drop-down list.

Step 19 Enter 23 in the Destination Port Range field. Valid values range from 0 to 65535.

Step 20 Click Next. The Alert Response panel is displayed.

Configuring the Alert Response (slide screenshot; callouts: Signature Fidelity Rating,
Severity of the Alert, Next)

Step 21 Accept the default value of 75 for the Signature Fidelity Rating.

Step 22 Choose High from the Severity of the Alert drop-down list.

Step 23 Click Next. The Alert Behavior panel is displayed. From the Alert Behavior panel,
you can accept the default alert behavior by clicking Finish, or you can change it by
clicking Advanced. Clicking Advanced opens the Advanced Alert Behavior Wizard,
with which you can configure alert handling for this signature.

Configuring the Alert Behavior (slide screenshot; callouts: Advanced, Finish)

Step 24 Click Finish to accept the default alert behavior. The Create Custom Signature
window opens, asking you if you want to proceed.

Step 25 Click Yes.
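The matching rule behind Steps 12 to 19, as an added example that is not part of the course material: a small Python model of how an ATOMIC IP signature compares a packet against TCP Flags, TCP Mask and the Destination Port Range. The packet representation, the AtomicIpTcpSignature class and the sample packets are my own constructions, not the sensor's code.

```python
"""Added example (not course material): how the Syn23 ATOMIC IP signature
from Scenario 1 evaluates a single packet.

Assumptions (mine, not from the course): a packet is a dict carrying the
IP protocol number, the TCP flag byte and the destination port, and the
engine's rule is "every bit selected by TCP Mask must equal the matching
bit of TCP Flags", i.e. (flags & mask) == tcp_flags.
"""
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793); the ECN bits CWR/ECE are 0x80/0x40.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class AtomicIpTcpSignature:
    sig_id: int
    name: str
    tcp_flags: int      # "TCP Flags": bits that must be set
    tcp_mask: int       # "TCP Mask": bits that are inspected at all
    dst_port_lo: int    # "Destination Port Range" low end
    dst_port_hi: int    # "Destination Port Range" high end

    def matches(self, pkt: dict) -> bool:
        """True when one packet satisfies every engine-specific parameter."""
        if pkt["proto"] != PROTO_TCP:          # Layer 4 Protocol = TCP
            return False
        if not self.dst_port_lo <= pkt["dport"] <= self.dst_port_hi:
            return False
        # Bits outside the mask (PSH, URG, ECN, ...) are ignored.  Putting
        # ACK in the mask while leaving it out of TCP Flags forces ACK to be
        # clear, so the server's SYN-ACK reply does not fire the signature.
        return (pkt["flags"] & self.tcp_mask) == self.tcp_flags


# Scenario 1 exactly as entered in the wizard: SYN set, ACK checked, port 23.
SYN23 = AtomicIpTcpSignature(60000, "Syn23", tcp_flags=SYN, tcp_mask=SYN | ACK,
                             dst_port_lo=23, dst_port_hi=23)

# Constructed sample packets, not captured traffic.
SAMPLE_PACKETS = [
    {"id": "client SYN to telnet",  "proto": PROTO_TCP, "flags": SYN,        "dport": 23},
    {"id": "server SYN-ACK",        "proto": PROTO_TCP, "flags": SYN | ACK,  "dport": 40123},
    {"id": "SYN-ACK to port 23",    "proto": PROTO_TCP, "flags": SYN | ACK,  "dport": 23},
    {"id": "SYN with ECN bits set", "proto": PROTO_TCP, "flags": SYN | 0xC0, "dport": 23},
    {"id": "SYN to ssh",            "proto": PROTO_TCP, "flags": SYN,        "dport": 22},
    {"id": "UDP datagram to 23",    "proto": PROTO_UDP, "flags": 0,          "dport": 23},
]


def firing_packets(sig: AtomicIpTcpSignature, packets: list) -> list:
    """Return the ids of the packets that would trigger `sig`."""
    return [p["id"] for p in packets if sig.matches(p)]


if __name__ == "__main__":
    for pid in firing_packets(SYN23, SAMPLE_PACKETS):
        print(f"{SYN23.name} fires on: {pid}")
```

Changing the mask to SYN alone makes the SYN-ACK on port 23 fire as well, which is the false positive the SYN-and-ACK mask in Step 16 avoids.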

Custom Signature Scenario 2

A network security administrator wants to create a signature that can detect and drop
traffic containing the word “confidential.” The administrator wants the signature to fire
if the traffic is directed to the following ports:
• FTP: 20 and 21
• Telnet: 23
• SMTP: 25
• HTTP: 80
• POP3: 110


In our second custom signature scenario, the network security administrator wants to create a
signature that can detect the word “confidential” in common electronic communications. The
administrator also wants the sensor to drop any traffic that contains the string “confidential”
and generate an alert. Other than the string for which the signature should search, the
administrator has only the following information:
• The traffic that must be inspected
• The ports used by that traffic

Custom Signature Scenario 2 (Cont.)

The administrator wants to configure the signature to send alerts to the Event Store as
follows:
• Send an alert to the Event Store every time the signature fires.
• This alert should fire when a single victim triggers 3 events in a 60-second period.
• If the alert rate exceeds 20 alerts in 30 seconds, dynamically change its response as
follows:
  – Send a summary alert for firings of the signature on the same victim address
    during the interval.
  – If the alert rate exceeds 25 in the 30-second interval, send a global summary
    alert, which counts the number of times the signature fires for all attacker and
    victim IP addresses and ports.


The administrator wants to configure the signature so that an alert is sent to the Event Store
every time that the signature fires but only up to a specified limit. The administrator wants the
signature to limit the number of alerts by dynamically changing its response as follows when
the alert rate exceeds 20 alerts in 30 seconds:
• Send a summary alert for firings of the signature on the same victim address during the
interval.
• If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which
counts the number of times that the signature fires for all attacker and victim IP addresses
and ports.

Using the Custom Signature Wizard Without Specifying a Signature Engine (slide
screenshot; callouts: No, Next)

You can use the Custom Signature Wizard to create the signature without specifying which
engine to use. To open the Custom Signature Wizard, click Configuration, choose Signature
Definition, and click the Custom Signature Wizard tab. When the Custom Signature Wizard
panel is displayed, click Start the Wizard to begin creating a signature. Proceed to create the
signature by completing the following steps:

Step 1 Click the No radio button to create a custom signature without using a signature
engine.

Step 2 Click Next. The Protocol Type panel is displayed.

Selecting the Protocol Type (slide screenshot; callouts: TCP, Next)

Step 3 From the Protocol Type panel, choose TCP as the protocol to inspect.

Step 4 Click Next. The TCP Traffic Type panel is displayed.

Configuring the TCP Traffic Type (slide screenshot; callouts: Single TCP Connection, Next)

Step 5 Click the Single TCP Connection radio button.

Step 6 Click Next. The Service Type panel is displayed.

Step 7 Choose the OTHER radio button.

Step 8 Click Next. The Signature Identification panel is displayed.

Configuring the Signature Identification (slide screenshot; callouts: Signature ID,
SubSignature ID, Signature Name, Alert Notes, User Comments, Next)

Step 9 Complete the following substeps to configure the signature identification
parameters:
1. Accept the default signature ID number. Valid signature ID values range from
60000 to 65000.
2. Accept the default SubSignature ID number.
3. Enter the name Confidential in the Signature Name field.
4. (Optional) In the Alert Notes field, enter text to be associated with the alert if
this signature fires. The Alert Notes text is reported to the Event Viewer when
an alert is generated.
5. (Optional) In the User Comments field, enter notes or other comments about this
signature that you want stored with the signature parameters.

Step 10 Click Next. The Engine Specific Parameters panel is displayed.

Configuring the Engine-Specific Parameters (slide screenshot; callouts: Event Action,
Regex String, Service Ports, Direction, Next)

Step 11 Complete the following substeps to configure the engine-specific parameters:
1. Click the Event Action icon.
2. Choose Deny Connection Inline from the Event Action list.
3. Hold down the Ctrl key while you choose Produce Alert from the Event
Action list.
4. Enter [cC][oO][nN][fF][iI][dD][eE][nN][tT][iI][aA][lL] in the Regex String
field.
5. Enter 20,21,23,25,80,110 in the Service Ports field.
6. Verify that To Service is displayed in the Direction field.
7. Click Next. The Alert Response panel is displayed.

Configuring the Alert Response (slide screenshot; callouts: Signature Fidelity Rating,
Severity of the Alert, Next)

Step 12 Complete the following substeps to configure the alert response:
1. (Optional) Change the Signature Fidelity Rating.
2. Choose an alert severity from the Severity of the Alert drop-down list.

Step 13 Click Next. The Alert Behavior panel is displayed.

Configuring the Alert Behavior (slide screenshot; callout: Advanced)

Step 14 Click Advanced to change the alert behavior. The Event Count and Interval panel is
displayed.

Configuring the Event Count and Interval (slide screenshot; callouts: Event Count, Event
Count Key, Use Event Interval, Event Interval, Next)

Step 15 Complete the following substeps to configure the Event Count and Interval:
1. Enter 3 in the Event Count field.
2. Choose Victim Address from the Event Count Key drop-down list.
3. Check the Use Event Interval check box.
4. Enter 60 in the Event Interval (seconds) field.
5. Click Next. The Alert Summarization panel is displayed.

Configuring Alert Summarization (slide screenshot; callouts: Alert Every Time the
Signature Fires, Next)

Step 16 Complete the following substeps to configure Alert Summarization:
1. Click the Alert Every Time the Signature Fires radio button.
2. Click Next. The Alert Dynamic Response panel is displayed.

Configuring Alert Dynamic Response (slide screenshot; callouts: Summary Key, Use
Dynamic Summarization, Summary Threshold, Summary Interval (seconds), Specify Global
Summary Threshold, Global Summary Threshold, Finish)

Step 17 Complete the following substeps to configure the Alert Dynamic Response:
1. Choose Victim Address from the Summary Key drop-down list.
2. Check the Use Dynamic Summarization check box.
3. Enter 20 in the Summary Threshold field.
4. Enter 30 in the Summary Interval (seconds) field.
5. Check the Specify Global Summary Threshold check box.
6. Enter 25 in the Global Summary Threshold field.
7. Click Finish. The Alert Behavior panel is displayed.

Step 18 Click Finish to complete the creation of the custom signature. The Create Custom
Signature window opens, asking if you want to proceed.

Step 19 Click Yes.
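The alert behaviour configured in Steps 11 to 17, as an added example that is not from the course: a simplified Python simulation of the regex match on the listed service ports, the per-victim Event Count, and dynamic summarization. The class and function names, the tumbling 30-second summary window and the restart of the event count after each firing are my assumptions, not the sensor's documented internals.

```python
"""Added example (not course material): a simplified simulation of the alert
behaviour configured for the "Confidential" signature in Scenario 2.

What is modelled (from the wording of the steps) and what is assumed (mine):
  - Step 11: regex hit in data flowing To Service on ports 20,21,23,25,80,110;
  - Step 15: Event Count 3, keyed on Victim Address, within 60 s
    (assumed: a sliding window that restarts after each firing);
  - Steps 16-17: alert on every firing, until more than 20 firings for one
    victim in a 30 s window switch that victim to one summary alert, and
    more than 25 firings in total switch to one global summary alert
    (assumed: a tumbling window that opens at the first firing).
"""
import re
from collections import defaultdict, deque

REGEX = re.compile(r"[cC][oO][nN][fF][iI][dD][eE][nN][tT][iI][aA][lL]")
SERVICE_PORTS = {20, 21, 23, 25, 80, 110}
EVENT_COUNT, EVENT_INTERVAL = 3, 60            # Event Count / Event Interval (s)
SUMMARY_THRESHOLD, SUMMARY_INTERVAL = 20, 30   # Summary Threshold / Interval (s)
GLOBAL_THRESHOLD = 25                          # Global Summary Threshold


def segment_matches(dport: int, payload: str) -> bool:
    """Step 11: the Regex String must hit in data sent to a listed service port."""
    return dport in SERVICE_PORTS and REGEX.search(payload) is not None


class ConfidentialSignature:
    """Event-count and dynamic-summarization state for one signature."""

    def __init__(self):
        self.hits = defaultdict(deque)   # victim -> times of regex matches
        self.window_start = None         # start of the current 30 s summary window
        self.fired = defaultdict(int)    # victim -> firings in this window
        self.summarized = set()          # victims switched to summary mode
        self.global_mode = False

    def process(self, t: float, victim: str, dport: int, payload: str) -> list:
        """Feed one TCP segment; return the alerts emitted at this point."""
        out = []
        if self.window_start is not None and t - self.window_start >= SUMMARY_INTERVAL:
            out.extend(self.flush())
        if not segment_matches(dport, payload):
            return out
        recent = self.hits[victim]
        recent.append(t)
        while t - recent[0] > EVENT_INTERVAL:  # drop matches older than 60 s
            recent.popleft()
        if len(recent) >= EVENT_COUNT:
            recent.clear()                     # assumption: count restarts
            out.extend(self._fire(t, victim))
        return out

    def _fire(self, t: float, victim: str) -> list:
        if self.window_start is None:
            self.window_start = t
        self.fired[victim] += 1
        if sum(self.fired.values()) > GLOBAL_THRESHOLD:
            self.global_mode = True
        if self.fired[victim] > SUMMARY_THRESHOLD:
            self.summarized.add(victim)
        if self.global_mode or victim in self.summarized:
            return []                          # held back for the summary alert
        return [f"alert victim={victim}"]

    def flush(self) -> list:
        """Close the summary window: emit summary alerts, reset the counters."""
        out = []
        if self.global_mode:
            out.append(f"global-summary count={sum(self.fired.values())}")
        else:
            for v in sorted(self.summarized):
                out.append(f"summary victim={v} count={self.fired[v]}")
        self.window_start, self.global_mode = None, False
        self.fired.clear()
        self.summarized.clear()
        return out


def run(segments: list) -> list:
    """Replay (time, victim, dport, payload) tuples; return every alert raised."""
    sig = ConfidentialSignature()
    alerts = []
    for seg in segments:
        alerts.extend(sig.process(*seg))
    alerts.extend(sig.flush())
    return alerts


# Constructed segments (not captured traffic); victim 10.1.1.5 matches three
# times within 60 s, so the signature fires once for it.
SAMPLE_SEGMENTS = [
    (0.0, "10.1.1.5", 22, "confidential"),                       # port 22: not inspected
    (1.0, "10.1.1.5", 25, "Subject: CONFIDENTIAL memo"),
    (2.0, "10.1.1.5", 80, "GET /docs/confidential.pdf HTTP/1.1"),
    (3.0, "10.1.1.9", 110, "+OK Confidential"),                  # different victim
    (4.0, "10.1.1.5", 21, "STOR Confidential_Q3.xls"),
]

if __name__ == "__main__":
    print(run(SAMPLE_SEGMENTS))      # ['alert victim=10.1.1.5']
```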

Custom Signature Scenario 3

• A network security administrator wants to create a signature that fires when a Nimda
attack is occurring.
• Nimda triggers the following built-in signatures, which are components of a Nimda
attack:
  – 5081: cmd.exe Access
  – 5124: IIS CGI Decode
  – 5114: IIS Unicode Attack
  – 3215: Dot Dot Execute
  – 3216: Dot Dot Crash
• The administrator wants the sensor to generate an alert for the new signature if the
component signatures are triggered by the same attacker within a 60-second interval.
• To limit the number of alerts that are generated, the administrator wants the sensor to
generate alerts only for the new signature and not for the component signatures.


In our third custom signature scenario, the network security administrator must create a
signature that fires when a Nimda attack is occurring. Nimda triggers the following built-in
signatures, which are components of a Nimda attack:
• 5114: IIS Unicode Attack
• 5081: cmd.exe Access
• 5124: IIS CGI Decode
• 3215: Dot Dot Execute
• 3216: Dot Dot Crash

The administrator wants the sensor to generate an alert for the new signature if the component
signatures are triggered by the same attacker within a 60-second period. The administrator
wants to limit the number of alerts generated by having the sensor generate alerts only for the
new signature and not for the component signatures. The administrator learns that the META
engine can be used to meet this need.

Creating a Custom Signature Without the Signature Wizard (slide screenshot; callouts:
Configuration, Signature Definition, Signature Configuration, Select By, Select Engine, Add)

The network security administrator can create the custom meta signature without using the
Custom Signature Wizard by completing the following steps:

Step 1 Click the Configuration button.

Step 2 Choose Signature Configuration from the Signature Definition menu. The
Signature Configuration panel is displayed.

Step 3 Choose Engine from the Select By drop-down list.

Step 4 Choose Meta from the Select Engine drop-down list.

Step 5 Click Add. The Add Signatures window opens.

Creating a Meta Signature (slide screenshot; callouts: Signature ID, Alert Severity,
Signature Name, Engine, Event Action)

Step 6 Accept the default Signature ID. Valid signature ID values range from 60000 to
65000.

Step 7 Accept the default SubSignature ID.

Step 8 Choose an alert severity from the Alert Severity drop-down list.

Step 9 Enter a numerical value indicating your confidence in the accuracy of the signature
in the Sig Fidelity Rating field. Valid values range from 0 to 100. The default is 75.

Step 10 Click the Sig Description icon.

Step 11 Enter a name for your signature in the Signature Name field.

Step 12 Click the Engine icon.

Step 13 Choose Meta from the Engine drop-down menu.

Step 14 Click the Event Action icon.

Step 15 Choose the actions that you want to assign to the signature from the Event Action
list.

Creating a Meta Signature (Cont.) (slide screenshot; callout: Component List)

Step 16 Click the Component List icon. The Component List window opens.

Listing the Component Signatures (slide screenshot; callouts: Add, Entry Key, Component
Sig ID, Component SubSig ID, OK)

Step 17 Click Add. The Add List Entry window opens.

Step 18 Enter a label for this entry in the Entry Key field.

Step 19 Enter 5114, the signature ID for the first component signature, in the Component Sig
ID field.

Step 20 Enter 1, the SubSig ID for the first component signature, in the Component SubSig
ID field.

Step 21 Click OK. The component signature is displayed in the available entries list of the
Component List window.

Listing the Component Signatures (Cont.) (slide screenshot; callouts: Available Entries,
Selected Entries, Select, OK)

Step 22 Choose the Entry Key name from the Available Entries list.

Step 23 Click Select. The entry key moves to the Selected Entries list.

Step 24 Click Add again and repeat Steps 18 to 23 to add each component signature.

Step 25 Click OK after you have added all component signatures. The Add Signatures
window is displayed.

Configuring the Meta Reset Interval and Meta Key (slide screenshot; callouts: Meta Reset
Interval, Meta Key, OK)

Step 26 Verify that the default for the Meta Reset Interval field is 60.

Step 27 Verify that the default for the Meta Key field is the Attacker Address.

Step 28 Click OK.

Removing “Produce Alert” from Component Signatures (slide screenshot; callouts:
Configuration, Signature Definition, Signature Configuration, Select By, Enter Sig ID,
Actions, Produce Alert)

To keep the sensor from generating alerts for the component signatures, remove the Produce
Alert action from the component signatures.

Caution Removing the Produce Alert action from the component signatures means that the sensor
will never generate alerts when these signatures fire, regardless of whether the meta
signature is triggered.
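The META correlation set up in Steps 16 to 27, together with the effect of removing Produce Alert from the component signatures, as an added example that is not from the course: a Python model keyed on attacker address with a 60-second reset interval. The MetaSignature and replay names, the event format, the SubSig ID 0 for the components other than 5114, and the RFC 5737 sample addresses are my constructions; the real META engine has parameters this model omits.

```python
"""Added example (not course material): a simplified model of the META
signature built in Scenario 3 and of what removing Produce Alert from the
component signatures changes.

Assumptions (mine): component events arrive as dicts with sig_id, subsig_id
and attacker; every component must be seen once, in any order, from the same
Meta Key value inside one Meta Reset Interval.  The real META engine has
further parameters (component counts, ordering) that are not modelled.
"""

# Component list from Steps 17-25: (Component Sig ID, Component SubSig ID).
# 5114/1 is the pair the course enters; SubSig ID 0 for the others is assumed.
COMPONENTS = frozenset({(5114, 1), (5081, 0), (5124, 0), (3215, 0), (3216, 0)})
META_RESET_INTERVAL = 60      # seconds, the default verified in Step 26
META_KEY = "attacker"         # Step 27: correlate on Attacker Address


class MetaSignature:
    """Correlates component-signature events per Meta Key value."""

    def __init__(self, sig_id=60001, components=COMPONENTS,
                 reset_interval=META_RESET_INTERVAL, key=META_KEY):
        self.sig_id = sig_id
        self.components = components
        self.reset_interval = reset_interval
        self.key = key
        self.state = {}           # key value -> (window start, components seen)

    def on_event(self, t: float, ev: dict) -> list:
        """Feed one component-signature event; return meta alerts raised now."""
        k = ev[self.key]
        start, seen = self.state.get(k, (t, set()))
        if t - start > self.reset_interval:
            start, seen = t, set()            # Meta Reset Interval elapsed: forget
        comp = (ev["sig_id"], ev["subsig_id"])
        if comp in self.components:
            seen.add(comp)
        if seen == self.components:
            self.state.pop(k, None)           # every component seen: fire, reset
            return [f"meta {self.sig_id} {self.key}={k}"]
        self.state[k] = (start, seen)
        return []


def replay(events: list, component_produce_alert: bool) -> list:
    """Replay (time, event) pairs through the sensor model; return all alerts.

    component_produce_alert=True: the component signatures still carry the
    Produce Alert action.  False: it has been removed, as the scenario's last
    step does, so only the meta signature can ever alert.
    """
    meta = MetaSignature()
    alerts = []
    for t, ev in events:
        if component_produce_alert:
            alerts.append(f"sig {ev['sig_id']}/{ev['subsig_id']} attacker={ev['attacker']}")
        alerts.extend(meta.on_event(t, ev))
    return alerts


def evt(sig_id: int, subsig_id: int, attacker: str) -> dict:
    return {"sig_id": sig_id, "subsig_id": subsig_id, "attacker": attacker}


# Constructed event stream (RFC 5737 documentation addresses, not real traffic):
# 192.0.2.10 trips all five components within 31 s; 192.0.2.20 trips only three.
NIMDA_LIKE_EVENTS = [
    (0.0, evt(5114, 1, "192.0.2.10")),
    (1.0, evt(5114, 1, "192.0.2.20")),
    (2.0, evt(5081, 0, "192.0.2.20")),
    (3.0, evt(5124, 0, "192.0.2.20")),
    (5.0, evt(5081, 0, "192.0.2.10")),
    (12.0, evt(5124, 0, "192.0.2.10")),
    (20.0, evt(3215, 0, "192.0.2.10")),
    (31.0, evt(3216, 0, "192.0.2.10")),
]

if __name__ == "__main__":
    print(replay(NIMDA_LIKE_EVENTS, component_produce_alert=True))
    print(replay(NIMDA_LIKE_EVENTS, component_produce_alert=False))
```

With Produce Alert removed, an attacker that trips only some components, or spreads them over more than 60 seconds, produces no alert at all, which is the point of the Caution above.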

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary

• You tune a sensor for noise reduction, false positive reduction, and false negative
reduction.
• To reduce the noise that a Cisco IPS sensor generates, filter out events that never, or
only rarely, signal an attack.
• Two main strategies for reducing false positives are alert and signature filtering,
and signature tuning.
• Two common things to tune when trying to reduce false negatives are the numeric
threshold of the alert and the content of the signature.
• To better focus a Cisco IPS sensor, always tune fragmentation settings, turn on
deobfuscation only for relevant events, and turn on alerts for noisy events only for
specific hosts.
• When needed, new signatures can be created using the Cisco IDM Custom
Signature Wizard.
• Signature tuning helps you detect and prevent network activity specific to your
current network environment.
• Creating effective custom signatures requires detailed knowledge of the attack for
which you are creating the signature.


Module Summary
This topic summarizes the key points that were discussed in this module.

Module Summary

• A signature is a set of rules that your sensor uses to detect typical intrusive activity,
such as DoS attacks.
• A signature engine is a component of the sensor that supports a category of
signatures. Each Cisco IPS Signature is created and controlled by a signature engine
specifically designed for the type of traffic being monitored.
• Signatures are tuned for many reasons. Some of the more common ones are:
  – Noise reduction
  – False positive reduction
  – False negative reduction
  – Focusing on the environment
  – Addressing sensor performance issues


The fundamental unit of the Cisco Intrusion Prevention System (IPS) sensor product is the
signature. Signatures are sets of rules that are used to detect malicious traffic. Each signature is
defined and controlled by one of the signature engines. When a signature fires, and it is
configured to create an alert, those alerts are stored in the sensor Event Store.

You need to tune signatures in order to accomplish a number of things:


• Noise reduction
• False positive reduction
• False negative reduction
• Focusing on the environment
• Addressing sensor performance issues

