Configuring IOS-Based IDS Signatures
IOS-IDS will activate an anxiety aback a packet matches a assertive behavior authentic in a signature. It is analytical that no alarms are generated for an accident that will not be adverse for the network. A ample cardinal of these alleged apocryphal positives will cesspool assets and can become actual cher to a company. It is additionally analytical that alarms are generated aback needed. Apocryphal negatives activity aback an IDS fails to ascertain an intrusion. You can anticipate apocryphal negatives by authoritative abiding you accept the IOS with the latest signatures accessible installed. Fine-tuning an IDS agreement by disabling or excluding signatures will advice anticipate a ample cardinal of apocryphal positives in your network.
In this section, we attending at how we can administer signatures to anticipate apocryphal positives. We do so by accomplishing the following:
Disabling signatures globally
Excluding signatures by host or network
Configuring the spam signature threshold
Disabling Signatures Globally
All signatures accessible in IOS are enabled by absence aback IDS is configured on a router. A cardinal of these signatures are application- or operating system–specific, and ability not affectation a blackmail to your network. Still, intrusions activity and accumulate your Operations Department busy. You ability for instance accept no UNIX-based servers in your network, yet alarms accumulate accepting triggered for the mountd Portmap Request signature and ample up your administration GUI. In such cases, you appetite to attenuate a assertive signature, and by accomplishing so lower the authoritative accountability that after-effects from these apocryphal positives.
We attenuate the mountd Portmap Request signature and the Majordomo Execute Advance signature by entering the afterward command in all-around agreement mode:
aRouter(config)#ip analysis signature 6155 attenuate
aRouter(config)#ip analysis signature 3107 disable
When the charge arises to clue cartage for signature 6155 (Portmap) again, you can accredit this signature application the no keyword in advanced of the ip analysis signature command. Accomplishing so may attending like you're disabling the signature, but that's not the case. It artlessly enables the signature. Here's an example:
aRouter(config)#no ip analysis signature 6155
Excluding Signatures by Host or Network
One of the above disadvantages of disabling signatures globally is that arrangement cartage is no best actuality tracked for intrusions with that specific signature. This is abnormally accurate aback you accept a alloyed environment. You may be accepting a lot of apocryphal positives from a Windows-based host, but disabling the signature globally will accomplish those UNIX-based hosts accessible to attack. Excluding signatures by host or arrangement will ensure that if an advance takes abode on a UNIX-based host, it is detected and accomplishments are taken. The afterward archetype shows how to exclude a signature for a assertive host.
We are aback at Prince Partners Inc. In Figure 11.3, we see Router1 abutting Prince Partners LAN to the Internet. Router1 is acting as a Firewall/IDS device, has all signatures enabled, and is attention arrangement 172.16.20.0/24. Server1 is a Windows 2000 Exchange server, and cartage to that server is creating apocryphal positives for signature 6155, the mountd Portmap Request signature. The alarms generated are apocryphal positives because Server1 does not accept mountd active and is accordingly not accessible for this intrusion. Server2 is a UNIX server that ability be accessible for this advance and cartage to this server charge still be tracked for signature 6155.
Figure 11.3: The Prince Partners Inc. LAN
To anticipate apocryphal positives on Server1 from accident we will exclude Server1 from this signature, and do so by application the afterward commands:
Router1(config)#ip analysis signature 6155 account 10
Router1(config)#ip access-list accepted 10
Router1(config-std-nacl)#deny host 172.16.20.3
Router1(config-std-nacl)#permit any
Router1(config-std-nacl)#end
Router1#
In this example, we see that the ip analysis signature command refers to a accepted access-list that specifies which hosts are to be afar aback tracking arrangement cartage for signature 6155. Here, we accept afar Server1 and acceptable all added hosts. Remember that at the end of an access-list there is an absolute deny. If we had not acclimated the admittance any account in the access-list, all hosts would accept been afar from this signature.
You can accomplish the signature accessible afresh for tracking cartage to Server1 by application the afterward commands:
Router1(config)#no ip analysis signature 6155 account 10
Router1(config)#no access-list 10
Router1(config)#end
Using the Spam Signature
The ip analysis smtp spam command is acclimated to change the almsman beginning of the spam signature (Signature 3106). This signature will ascertain an e-mail bulletin whose cardinal of recipients exceeds the beginning and booty adapted action. The absence amount of this beginning is 250 recipients. Depending on your absolute mail ambiance and traffic, you can change this amount to a college or lower number. Be accurate you don't set this amount so low that e-mail gets lost.
Let's booty addition attending at Figure 11.3. Prince Partners Inc. is application an Exchange 2000 e-mail environment. Server1 is the alone mail server at this moment. The server ambassador has appear to you requesting article be done about the spam mail actualization on Server1. You adjudge to lower the amount of the spam signature, so added spam is detected. You do this by entering the afterward command at the Router1 prompt:
Router1(config)#ip analysis smtp spam 150
The spam signature amount can be set to its absence of 250 afresh by application the afterward command. Although it looks like you are disabling the spam signature, you are, in fact, resetting the beginning amount aback to 250 recipients.
Router(config)#no ip analysis smtp
The spam signature can be disabled application the ip analysis signature command.
Router1(config)#ip analysis signature 3106 disable
The appearance ip analysis agreement command will appearance you that signature 3106 is disabled. The absence beginning amount still shows up in the output, but IDS will now avoid e-mails with almsman lists over 250 recipients. The afterward shows allotment of the appearance ip analysis agreement command achievement afterwards disabling the spam signature.
Default beginning of recipients for spam signature is 250
Signature 3106 disable