Configuring Signatures and Alarms
Network intrusions are scans, attacks upon, or misuses of the arrangement resources. To ascertain arrangement intrusion, the Cisco IDS sensors use a signature-based technology. Every arrangement advance has an adjustment or a arrangement to the bytes in the cartage beck amid the advancing arrangement and the target. These bytes represent a "fingerprint" or "signature" of the attack. By comparing the arrangement of bytes in a accustomed cartage beck amid two hosts adjoin a database absolute assorted accepted signatures for arrangement attacks, the IDS is able to actuate back an advance has occurred. Each signature specifies the blazon of advance the sensor detects and reports. As a sensor scans the arrangement packets, the rules acquiesce it to ascertain patterns that bout a accepted attack.
The IDS MC allows the abettor to specify which signatures should be enabled. Additionally, the acknowledgment action the IDS sensor initiates, whether it is artlessly adopting an anxiety on the Aegis Monitor animate or initiating a TCP RST, is additionally bent based on what is defined in the signature. Affability IDS signatures is one of the added important appearance of the IDS MC. Improperly acquainted IDS sensors annual for the abundant majority of apocryphal absolute alarms (alarms aloft by the IDS in acknowledgment to amiable arrangement traffic) and aftereffect in abeyant apprehension of the IDS arrangement by aegis personnel.
Configuring Signatures
Signatures are disconnected into six groups:
General (embedded)
TCP connection
UDP connection
String-Matching
Access Control List (ACL)
Custom
To accommodate an archetype of how to configure and tune signatures, we will use a accepted signature for a agreement and affability exercise.
Configuring Accepted Signatures
General signatures are signatures that are anchored in the sensor software itself. IDS end users cannot add or annul accepted signatures, but the end user can accredit or attenuate them and configure the acknowledgment to attacks that fit the accepted signatures. The afterward accomplish can be acclimated to configure a accepted signature:
From the Administration Center for IDS Sensors page, baddest Agreement | Settings.
A Table of Contents folio appears. Baddest the Object Selector handle.
In the Object Selector, baddest the sensor absolute the accepted signature to configure. The Object Selector will abutting and redisplay the Table of Contents.
In the Table of Contents, baddest Signatures | General. The accepted Signatures folio will appear, as apparent in Figure 10.23.
Figure 10.23: The Accepted Signatures Folio
Click the articulation for the signature accumulation to be modified. This after-effects in the affectation of the Signature(s) in Accumulation folio advertisement all of the signatures aural the called group, as apparent in Figure 10.24.
Figure 10.24: The Signature(s) in Accumulation Folio
Select the signature to configure by blockage the agnate box and beat Edit.
The Edit Signature(s) window appears (as apparent in Figure 10.25) and shows the name of the signature to configure. To accredit or attenuate the signature, analysis or uncheck the Accredit box.
Figure 10.25: The Edit Signature(s) Folio
Configuring Alarms
The severity of an alarm, as able-bodied as the accomplishments to be taken back an accident matches a signature, can be defined by alteration the signature.
To change the severity of an advance that matches this signature, baddest a Severity from the pull-down menu:
Info Indicates an accident that after-effects from accustomed activity.
Low Indicates an advance that is balmy in severity. The Aegis Monitor Accident Viewer will affectation this blazon of advance with a blooming icon.
Medium Indicates an advance that is moderately severe. The Aegis Monitor Accident Viewer will affectation this blazon of advance with a chicken icon.
High Indicates an advance that is awful severe. The Aegis Monitor Accident Viewer will affectation this blazon of advance with a red icon.
Note the options to the adapted of the Accomplishments label. Depending on the signature, you may specify one or added of the afterward accomplishments to be taken back a signature matches an event:
Log Stands for IP Log, and generates an IP affair log with advice about the attack.
Reset Stands for TCP Reset, and resets the TCP affair in which the advance signature was detected.
Block Causes the sensor to affair a command to a PIX firewall or Cisco router. That firewall or router will block packets from the advancing host or arrangement and accumulate them from entering the adequate network.
Tuning Accepted Signatures
Signatures are acquainted to abbreviate apocryphal alarms or "false positives." Apocryphal positives are anxiety indicators of an advance area either amiable or accepted action is present. A apocryphal absolute may aftereffect from accustomed arrangement action in which a arrangement administration base acclamation or scans arrangement accessories to ascertain their status. This polling action is agnate to the scanning active by hackers adjoin a targeted network. Additionally, a apocryphal absolute may action back an antagonist attempts to use an accomplishment adjoin a host whose software is not accessible to that accomplishment (for example, application a Microsoft IIS accomplishment adjoin an Apache Web server).
To tune a signature, acknowledgment to the accepted Signature(s) folio apparent in Figure 10.23. For the signature to be tuned, baddest the signature articulation in the Engine cavalcade of the table. This brings up the Tune Signature page, as apparent in Figure 10.26.
Figure 10.26: The Tune Signature Folio
There are three columns in the Tune Signature Parameters table: Constant Name, Value, and Default. Each one can be adapted to an appropriate, adapted value. Use the afterward action to tune a accustomed constant in a procedure:
Select the radio button for the constant to be acquainted in the Constant Name column, again baddest Edit, as apparent in Figure 10.27.
Figure 10.27: The Tune Signature Parameters Folio
Enter a amount for the constant in the Amount field, as apparent in Figure 10.28.
Figure 10.28: The Signature Constant Folio
Enter an alternative description for the signature constant in the Description field.
To acquire the changes, bang the OK button. The Tune Signature folio will redisplay.
On the Tune Signature page, bang OK to acquire the changes. The accepted Signature(s) folio will reappear.