Creating a Custom Signature
The task of creating custom signatures can be difficult and, at first glance, seem overwhelming, but the following steps will hopefully have you off and running in no time. Even though Cisco supplies us with several hundred signatures, you may have to still create a custom signature because of odd traffic on your network or because of a new security threat. Also, string signatures may come in handy when new vulnerabilities are published on the network without patches and/or tuned signatures to combat them. A good source of signature files to work with as a starting point is the Snort signature file archive. While you can not use the Snort file directly, you can use the offsets and strings contained within the Snort signature file to help build your own Cisco signatures in less time then waiting for the next update from Cisco. In view of how quickly some recent Internet attacks have taken place, this is a good way to provide additional security for your network in a hurry.
Creating Custom Signatures Using IDM
Custom signatures using IDM has the same feel as if you were doing it with the Signature Wizard, discussed later in the chapter. Once you get logged into IDM for the sensor you want to create a custom signature for, follow these steps:
-
From the main screen, go to Configuration | Custom Signatures. Select the engine that your custom signature will apply to, as shown in Figure 7.27.
Figure 7.27: Custom SignaturesNote Notice the Tuned Signatures section in Figure 7.27. Once you have changed any of the preconfigured signatures in a micro-engine, that signature will appear in this section.
-
At the bottom of the screen, click Add. On the Adding screen, start filling in the information and setting the parameters on the page that will be the signature. Refer to Figure 7.28. If you have questions about the type of information to add, move your cursor across the field title to get more information.
-
After you have added all of the required information, click OK. The result is having your signature added to the sensor configuration and listed in the Custom Signatures section of the micro-engine (see Figure 7.29). When you scroll your mouse across the down-arrow icon to the right, you will see what the configuration is without actually having to open the signature for editing.
-
Once you have added all of your custom signatures, you have to apply the changes to the sensor before they will take effect. Click Apply Changes in the upper right-hand corner of the IDM screen. Once the changes have been applied, you can then check your event view to see if the custom signatures are firing alarms.
Creating Custom Signatures Using CSPM
When using CSPM, it can be something of a surprise to you that CSPM can only set a signature's actions and severities. It cannot tune signatures for the IDS sensor appliance. In other words, CSPM can set the severity and the action to associate to the signature but cannot set what triggers that signature. This is where SigWizMenu on the Sensor has to be used to tune the Sensors. SigWizMenu and CSPM can both be used to configure the same Sensor since they affect different parts of the configuration. The parameters that will cause the signature to trigger are set by tuning with the SigWizMenu. The tuning involves changing what it takes for a signature to trigger (such as the number of hosts in a sweep) and does not mean setting actions and severity levels