Understanding Cisco IDS Alarms

It is important to understand the relationship between signatures and alarms. Not every signature is assigned a high or a low severity, and some signatures are not even enabled; a disabled signature never fires and is useless until you enable it. Depending on what you need to see, you may find yourself taking a signature that was disabled, or that was considered informational or low-level, and raising it to high because you have been seeing strange activity or have been tasked with researching an event. Cisco has assigned a default severity to every signature, but the final call on how the alarms should be configured is yours, and that call will change over time. Configuring the sensor alarms once does not mean you are done: signature tuning and alarm tuning are ongoing tasks. Cisco IDS sensor alarms use three severity levels, Low (3), Medium (4), and High (5). Cisco also provides a None (1) and an Informational (2) level.

Alarm Level 5 – High Severity

It only makes sense to cover the highest severity level first, because these alarms are the most important and should concern you more than most of the others. Most signatures that trigger on unauthorized access, on attempts to circumvent Access Control Lists, and on Denial-of-Service attacks are set to high severity by default. Only high-level signatures are mapped to this severity level. Some examples of signatures with high severity levels are

  • 3525-IMAP Authenticate Buffer Overflow

  • 3250-TCP Hijacking

  • 3251-TCP Hijacking Simplex Mode

  • 5036-WWW Windows Password File Access Attempt

Alarm Level 4 – Medium Severity

Medium severity signatures fire on unusual or abnormal activity on the network. If you have legacy systems on your network, they may generate some of these alarms; each one could be a false positive or a legitimate detection, and the problem with legacy systems is that they may have gone unpatched for some time, so do not dismiss the alarm without checking the host. Low and Medium signatures are mapped to this severity level. Some examples of signatures with medium severity levels are

  • 3327-Windows RPC DCOM Overflow

  • 4052-Chargen DoS

  • 5068-WWW formmail.pl Access

  • 5101-WWW CGI Center Auction Weaver Attack

Alarm Level 3 – Low Severity

These pose little threat to the environment. In most cases the traffic they match is benign, so by themselves they are of very little concern; Cisco provides them more as an FYI about the types of traffic traversing your network. This severity level is mapped to the None and Informational signatures. Some examples of these signatures are

  • 3602-Cisco IOS Identity

  • 5082-WWW WEBactive Logfile Access

  • 6053-DNS Request for All Records
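The tuning described above (a signature that starts out disabled or low-level being raised to high while an investigation is under way, or switched off because it only fires on a known legacy host) can be modelled and tested offline. The following is an added example, not code from the page or a Cisco configuration format: the signature IDs and default severities come from the lists above, while the TuningPolicy representation, the 192.0.2.x sample alarm stream and the "page at High or above" threshold are constructed for illustration.

```python
# Added example: modelling Cisco IDS severity tuning. Signature IDs, names and
# default severities are taken from the lists on this page; the override/disable
# representation and the sample alarm stream are constructed for illustration
# and are not the sensor's native configuration or event format.
from dataclasses import dataclass, field

# Severity scale used on this page: None(1), Informational(2), Low(3), Medium(4), High(5)
NONE, INFORMATIONAL, LOW, MEDIUM, HIGH = 1, 2, 3, 4, 5
LEVEL_NAMES = {1: "None", 2: "Informational", 3: "Low", 4: "Medium", 5: "High"}

# Cisco-assigned default severities for the example signatures on this page.
DEFAULT_SEVERITY = {
    3525: HIGH,    # IMAP Authenticate Buffer Overflow
    3250: HIGH,    # TCP Hijacking
    5036: HIGH,    # WWW Windows Password File Access Attempt
    3327: MEDIUM,  # Windows RPC DCOM Overflow
    4052: MEDIUM,  # Chargen DoS
    5068: MEDIUM,  # WWW formmail.pl Access
    3602: LOW,     # Cisco IOS Identity
    6053: LOW,     # DNS Request for All Records
}


@dataclass
class TuningPolicy:
    """Operator tuning layered over Cisco's defaults (constructed model)."""
    severity_override: dict = field(default_factory=dict)  # sig id -> new level
    disabled: set = field(default_factory=set)             # sig ids that never fire
    page_threshold: int = HIGH                             # minimum level to escalate

    def effective_severity(self, sig_id):
        """Level an alarm from sig_id will carry, or None if disabled or unknown."""
        if sig_id in self.disabled:
            return None
        if sig_id in self.severity_override:
            return self.severity_override[sig_id]
        return DEFAULT_SEVERITY.get(sig_id)


def triage(alarms, policy):
    """Split (sig_id, source_ip) alarms into escalate / log-only / dropped lists.

    Dropped alarms come from disabled or unknown signatures: a disabled
    signature produces nothing until it is enabled again.
    """
    result = {"escalate": [], "log": [], "dropped": []}
    for sig_id, src in alarms:
        level = policy.effective_severity(sig_id)
        if level is None:
            result["dropped"].append((sig_id, src))
        elif level >= policy.page_threshold:
            result["escalate"].append((sig_id, src, LEVEL_NAMES[level]))
        else:
            result["log"].append((sig_id, src, LEVEL_NAMES[level]))
    return result


# Constructed sample alarms (signature id, source address).
SAMPLE_ALARMS = [
    (3525, "192.0.2.10"),   # IMAP overflow, High by default
    (6053, "192.0.2.20"),   # DNS all-records request, Low by default
    (6053, "192.0.2.21"),
    (4052, "192.0.2.30"),   # Chargen DoS, Medium by default
    (5068, "192.0.2.40"),   # formmail.pl access, Medium by default
]


def untuned():
    """Cisco defaults only: just the IMAP overflow reaches the analyst."""
    return triage(SAMPLE_ALARMS, TuningPolicy())


def tuned_for_dns_investigation():
    """Tasked with researching DNS probing, the operator raises 6053 to High and
    disables the Chargen signature that only fires on a decommissioned legacy host."""
    policy = TuningPolicy(severity_override={6053: HIGH}, disabled={4052})
    return triage(SAMPLE_ALARMS, policy)


if __name__ == "__main__":
    for label, fn in (("untuned", untuned), ("tuned", tuned_for_dns_investigation)):
        r = fn()
        print(f"{label}: escalate={len(r['escalate'])} log={len(r['log'])} dropped={len(r['dropped'])}")
```

The point of the two policies is the one the section makes: the same five alarms produce one page under Cisco's defaults and three under the investigation policy, and the disabled Chargen signature vanishes entirely, so a policy left in that state after the investigation ends silently loses a medium-severity detection.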

Sensor Status Alarms

Sensor status alarms are used to monitor the health of the sensor daemons. Events such as 998 - Daemon Down and 999 - Daemon Unstartable appear when sensor services fail or cannot be started or restarted. Communication between the sensor and director is also monitored. 993 - Missed Packet Count fires when a threshold for dropped packets is met, which makes it very useful for tuning the sensor. Signatures 994 - Traffic Flow Started and 995 - Traffic Flow Stopped report whether traffic is seen at the sensing interface: 994 fires when traffic is detected, and 995 fires when no traffic has been detected for a certain period of time. The last two, 996 - Route Up and 997 - Route Down, report the state of communication between the sensor and director. The following is a complete list of the status alarms.

  • 993-Missed Packet Count This signature is triggered when the sensor is dropping packets. The percentage dropped can be used to help you tune the traffic level you are sending to the sensor. For example, if the alarms show there is a low count of dropped packets or even zero, the sensor is monitoring the traffic without being overutilized. On the other hand, if 993 alarms show a high count of dropped packets, the sensor may be oversubscribed. Alarm level 1.

  • 994-Traffic Flow Started This signature triggers when traffic to the sensing interface is detected for the first time or resumes after an outage. SubSig 1 fires when initial network activity is detected. SubSig 2 fires when the link (physical) layer becomes active. Alarm level 1.

  • 995-Traffic Flow Stopped Subsignature 1 is triggered when no traffic is detected on the sensing interface. You can tune the timeout for this via the TrafficFlowTimeout parameter. SubSignature 2 is triggered when a physical link is not detected. Alarm level 1.

  • 996-Route Up This signifies that traffic between the sensor and director has started. When the services on the director and/or sensor are started, this alarm will appear in Event Viewer. Alarm level 1.

  • 997-Route Down This signifies that traffic between the sensor and director has stopped. When the services on the director and/or sensor are stopped, this alarm will appear in Event Viewer. Alarm level 1.

  • 998-Daemon Down This is issued when one or more of the IDS sensor services has stopped. Alarm level 1.

  • 999-Daemon Unstartable Issued when one or more of the IDS sensor services cannot be started. Alarm level 1.
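Because every status alarm above carries alarm level 1, a severity filter alone will never surface them; a practitioner wants a separate health check that reads the 993-999 events in order and derives the sensor's current state. The following is an added example and not code from the page or from Cisco: the log line layout (sig=, subsig=, msg=, key=value), the daemon name, the 10% oversubscription threshold and the timestamps are constructed for illustration, while the signature numbers, subsignatures and their meanings follow the list above.

```python
# Added example: deriving sensor health from the 993-999 status alarms listed on
# this page. The line layout (sig=<id> subsig=<n> msg="..." key=value ...) is a
# constructed, simplified format, not the native Cisco sensor event format; the
# daemon name and the 10% threshold are constructed too. Signature numbers and
# meanings follow the page.
import re
from dataclasses import dataclass, field

# Constructed sample stream, oldest first: healthy start, growing packet loss,
# sensing interface goes quiet, a daemon dies and will not restart, then the
# route to the director drops. One ordinary detection (3602) is mixed in.
SAMPLE_LOG = """\
1999-05-01T08:00:01 sig=996 subsig=0 msg="Route Up"
1999-05-01T08:00:02 sig=994 subsig=2 msg="Traffic Flow Started"
1999-05-01T08:00:02 sig=994 subsig=1 msg="Traffic Flow Started"
1999-05-01T08:05:00 sig=993 subsig=0 msg="Missed Packet Count" dropped=2
1999-05-01T08:10:00 sig=993 subsig=0 msg="Missed Packet Count" dropped=0
1999-05-01T08:15:00 sig=993 subsig=0 msg="Missed Packet Count" dropped=37
1999-05-01T08:20:00 sig=993 subsig=0 msg="Missed Packet Count" dropped=41
1999-05-01T08:20:30 sig=3602 subsig=0 msg="Cisco IOS Identity"
1999-05-01T08:21:13 sig=995 subsig=1 msg="Traffic Flow Stopped"
1999-05-01T08:21:40 sig=998 subsig=0 msg="Daemon Down" daemon=packetd
1999-05-01T08:21:45 sig=999 subsig=0 msg="Daemon Unstartable" daemon=packetd
1999-05-01T08:22:00 sig=997 subsig=0 msg="Route Down"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+sig=(?P<sig>\d+)\s+subsig=(?P<subsig>\d+)\s+msg="(?P<msg>[^"]*)"(?P<rest>.*)$'
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_status_events(text):
    """Return the status alarms (993-999) in text as dicts; other signatures are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sig = int(m.group("sig"))
        if not 993 <= sig <= 999:
            continue  # a detection signature, not a sensor status alarm
        ev = {"ts": m.group("ts"), "sig": sig, "subsig": int(m.group("subsig")), "msg": m.group("msg")}
        ev.update(KV_RE.findall(m.group("rest")))  # e.g. dropped=41, daemon=packetd
        events.append(ev)
    return events


@dataclass
class SensorHealth:
    route_up: bool = None          # 996 sets True, 997 sets False
    link_up: bool = None           # 994/995 SubSig 2 (physical layer)
    traffic_flowing: bool = None   # 994/995 SubSig 1 (network activity)
    missed_pct: list = field(default_factory=list)          # successive 993 percentages
    down_daemons: set = field(default_factory=set)          # from 998
    unstartable_daemons: set = field(default_factory=set)   # from 999
    findings: list = field(default_factory=list)            # problems, in log order

    def healthy(self):
        return (self.route_up is True and self.link_up is True and self.traffic_flowing is True
                and not self.down_daemons and not self.unstartable_daemons and not self.findings)


def assess(events, oversubscribed_pct=10):
    """Walk the status alarms in order and derive the sensor's current state."""
    h = SensorHealth()
    for ev in events:
        sig, sub, ts = ev["sig"], ev["subsig"], ev["ts"]
        if sig == 993:
            pct = int(ev.get("dropped", 0))
            h.missed_pct.append(pct)
            if pct >= oversubscribed_pct:
                h.findings.append(f"{ts} 993: {pct}% dropped, sensor may be oversubscribed")
        elif sig == 994:
            if sub == 2:
                h.link_up = True
            else:
                h.traffic_flowing = True
        elif sig == 995:
            if sub == 2:
                h.link_up = False
                h.findings.append(f"{ts} 995/2: no physical link on sensing interface")
            else:
                h.traffic_flowing = False
                h.findings.append(f"{ts} 995/1: no traffic within TrafficFlowTimeout")
        elif sig == 996:
            h.route_up = True
        elif sig == 997:
            h.route_up = False
            h.findings.append(f"{ts} 997: route to director down, alarms are not reaching the director")
        elif sig == 998:
            name = ev.get("daemon", "unknown")
            h.down_daemons.add(name)
            h.findings.append(f"{ts} 998: daemon {name} down")
        elif sig == 999:
            name = ev.get("daemon", "unknown")
            h.unstartable_daemons.add(name)
            h.findings.append(f"{ts} 999: daemon {name} cannot be started")
    return h


def assess_sample():
    return assess(parse_status_events(SAMPLE_LOG))


if __name__ == "__main__":
    health = assess_sample()
    print("healthy" if health.healthy() else "UNHEALTHY")
    for finding in health.findings:
        print(" ", finding)
```

Two details matter in practice. The 993 percentages are kept as a series rather than a single value, because the tuning decision the page describes (is the sensor oversubscribed?) is about the trend, not one sample. And 997 is treated as the most serious finding even though it is alarm level 1: once the route to the director is down, none of the High severity alarms from the previous sections are being seen by anyone.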


Note

Study these Sensor Status Alarms. They are covered on the test.