Working with SigWizMenu

SigWizMenu is the signature wizard that allows you to make changes to IDS signatures directly on the Sensor. CSPM does not allow you to tune thresholds and other parameters. These changes can also be made via the version 2.2.3 Unix Director. The Signature Wizard is an interim tool for version 2.2.2 Unix Director users until they upgrade to version 2.2.3, as well as for Cisco Secure PM users until these options are included in Cisco Secure PM. If you use Cisco Secure PM, you need the Signature Wizard to configure the version 3.0 features.

Starting SigWizMenu

To start SigWizMenu, follow these steps:

From the console or a Telnet session, log in as netrangr to the sensor you want to start SigWizMenu on. You should verify you are in the /usr/nr/bin directory by using the pwd command. If you are not in that directory, use the cd command to change to the /usr/nr/bin directory. The file is hidden by default, so a plain ls command will not show the executable.

Type .SigWizMenu at the command prompt. Don't forget to put the period in front, and remember that Unix environments are case-sensitive. Press Enter when prompted. You should get a screen that looks like Figure 7.30.


Current Sig Data File '/usr/nr/etc/SigData.conf'

Current Sig User File '/usr/nr/etc/SigUser.conf'

Current Settings File '/usr/nr/etc/SigSettings.conf'


1 - Tune Signature Parameters

2 - Add NEW Custom Signature

3 - Set Custom Signature Severity/Action

4 - Edit Signature Address Mapping

5 - Delete Signature Tunings and Custom Signatures

6 - Additional 3.x Tokens

7 - Display Signatures

8 - Global Settings

x - EXIT



Figure 7.30: The SigWizMenu Menu

Enter the option number you want to work with. From this menu, you can perform tasks that are specific to signature behavior.

Notice the three files referenced at the top of the preceding menu printout:

Current Sig Data File '/usr/nr/etc/SigData.conf'

Current Sig User File '/usr/nr/etc/SigUser.conf'

Current Settings File '/usr/nr/etc/SigSettings.conf'

These files are what the signature wizard uses to create and maintain a current configuration of all the signatures. The SigData.conf file contains the default signatures. When signature update files are applied to a sensor, this file is also updated with current data and is encrypted. The SigUser.conf configuration file is where signature modifications and additions are stored. This file is updated when changes are made in the signature wizard, SigWizMenu. The SigSettings.conf file is also updated and managed through the signature wizard. It has the global Device Management (packetd) tokens.

Tune Signature Parameters

To tune a signature to your specific needs, you would use option 1 from the SigWizMenu. This allows you to change signature parameters directly on the sensor. There may be a chance that you do not want to see every little ICMP Echo Request generate an alarm. By tuning the signature, you can modify it to reduce the number of alarms, or raise thresholds before the signature fires. Tuning improves the sensor's performance and adds credibility to reports by tuning out false positives and false negatives. Cisco provides a list of configurable signature parameters for all versions of the IDS software online at

Follow these steps to tune your signatures:

Select option 1 from the SigWizMenu menu to tune an existing signature.

Enter the signature ID of the signature you would like to tune. The list of available configurable parameters will be displayed (see Figure 7.31). Select the number next to the parameter you want to modify. Notice that the bottom-left corner of the screen displays the current value if there are any. Just above the cursor and the current value, a brief description of the parameter is displayed.

0 – Edit ALL Parameters

1 – AlarmInterval =

2 – AlarmThrottle = FireOnce

3 – ChokeThreshold = 100

4 – FlipAddr = 8

5 – IcmpCode =

6 – IcmpId =

7 – IcmpMaxCode =

8 – IcmpMaxSeq =

9 – IcmpMinCode =

10 – IcmpMinSeq =

11 – IcmpSeq =

12 – IpTOS =

13 – LimitSummary =

14 – MaxInspectLength =

15 – MinHits =

16 – ResetAfterIdle = 15

17 – SigComment =

18 – SigStringInfo =

19 – ThrottleInterval = 30

d – Delete a value

u – UNDO and continue

x – SAVE and continue


Selection> 10

Minimum allowed IcmpSeq. Packets with Seq less than this value will alarm.


- IcmpMinSeq -

[current value]

[new value] >

Figure 7.31: SigWizMenu Signature Parameters

Once you have made all of your modifications, type X to save them and continue. This will take you back to the main menu. If you make a mistake, type U to undo any changes and continue. This will also take you back to the main menu. To delete a value, type D to delete settings for a specified parameter.

Adding a New Custom Signature

Here is where your specific network traffic patterns can be monitored by using custom signatures. Follow these steps to add a custom signature:

Select option 2 from the main menu to add a new custom signature. Several things must take place (see Figure 7.32). You have to select the engine the signature will be used with. A Signature ID must be assigned. If you don't assign it, Cisco will do it for you. Give your signature a name. Configure all of the parameters available to meet your needs. Step 1: Determine what you want the signature to detect.

Add NEW Custom Signature : CSIDS Signature Wizard


1 – Engine Name 'Not Set'

2 – Generate SIGID

3 – Signature ID 'Not Set'

4 – Signature Name 'Not Set'




Selection> 10

Figure 7.32: SigWizMenu Adding a New Custom Signature

Select option 1 to choose the engine name. All of the micro-engines will appear. Select the one that applies to you by entering the corresponding number at the prompt.

Two things can happen on this step. You can either select option 2 and have the signature wizard create a signature ID, or you can select option 3 and create your own. Make your choice.

Select option 4 to give the signature a name.

By selecting option 5, you will insert the new signature into the database. The result is the Adjust Severity and Action menu (see Figure 7.33).

Adjust Severity and Action : CSIDS Signature Wizard


Signature: 21435

Alarm Level: 0 (OFF)

Alarm Action: 0 None


0 – Turn Signature OFF

1 – Engine Name 'Not Set'

2 – Generate SIGID

3 – Signature ID 'Not Set'

4 – Signature Name 'Not Set'



----------x--- DONE



Figure 7.33: The Adjust Severity and Action Menu

Select the Alarm Severity level 1–5 and press Enter. The Adjust Severity and Action menu appears (see Figure 7.34).

Adjust Severity and Action : CSIDS Signature Wizard


Signature: 21436

Alarm Level: 4

Alarm Action: 0 None


0 – Set Action NONE

1 – Set Action Shun

2 – Set Action Log

3 – Set Action Shun & Log

4 – Set Action Reset

5 – Set Action Shun & Reset

6 – Set Action Log & Reset

7 – Set Action Shun & Log & Reset

ENTER – adjust SEverity

----------x--- DONE



Figure 7.34: Adjust Severity and Action

Choose the action you want the signature to perform, then type x to complete the task.

Type x when you are finished. The signature screen with all of the configurable parameters appears. Modify any or all of the parameters you wish. (Refer to Figure 7.35.) Any parameter number that has an asterisk (*) is required and must be set in order to save the settings. Once all of the information is entered, select x to SAVE and continue. The signature is now in the database.

SigName: analysis sweep


0 – Edit ALL Parameters

1 – AlarmInterval =

2 – AlarmThrottle = FireOnce

3 – ChokeThreshold = 100

4 – FlipAddr =

5 – LimitSummary =

6 – MaxInspectLength =

7 – MinHits =

8 – ResetAfterIdle = 15

9 * RpcProgram =

10 – SigComment =

11 – SigName = analysis sweep

12 – SigStringInfo =

13 – ThrottleInterval = 30

14 * Unique =

15 – WantFrag =

d – Delete a value

u – UNDO and continue

x – SAVE and continue



Figure 7.35: The Signature Wizard
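
An added example, not part of the original page or of Cisco's tooling: a Python check that reads a captured copy of the parameter screen in Figure 7.35 and lists the required (asterisked) parameters that are still blank, which is the condition that prevents saving. The row layout is assumed from the figure as printed here, and the function names are hypothetical.

```python
import re

# Sample screen text constructed from the rows of Figure 7.35.
SCREEN = """\
SigName: analysis sweep
0 – Edit ALL Parameters
1 – AlarmInterval =
2 – AlarmThrottle = FireOnce
3 – ChokeThreshold = 100
4 – FlipAddr =
5 – LimitSummary =
6 – MaxInspectLength =
7 – MinHits =
8 – ResetAfterIdle = 15
9 * RpcProgram =
10 – SigComment =
11 – SigName = analysis sweep
12 – SigStringInfo =
13 – ThrottleInterval = 30
14 * Unique =
15 – WantFrag =
d – Delete a value
"""

# Row shape: "<number> <marker> <Name> = <value>"; a "*" marker means required.
LINE = re.compile(r"^\s*(\d+)\s*([*\u2013-])\s*(\w+)\s*=\s*(.*?)\s*$")

def parse_parameters(screen):
    """Return {name: {"index", "required", "value"}} for each 'Name = value' row."""
    params = {}
    for line in screen.splitlines():
        m = LINE.match(line)
        if m:  # menu commands such as "0 – Edit ALL Parameters" do not match
            idx, marker, name, value = m.groups()
            params[name] = {"index": int(idx), "required": marker == "*",
                            "value": value or None}
    return params

def missing_required(params):
    """Names of required (*) parameters that have no value yet."""
    return sorted(n for n, p in params.items() if p["required"] and p["value"] is None)

if __name__ == "__main__":
    p = parse_parameters(SCREEN)
    print("set:", {n: v["value"] for n, v in p.items() if v["value"]})
    print("required but unset:", missing_required(p))
```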

When you have finished making additions and modifications to your signature database, you must activate the signature. To do this, type x to exit the Signature Wizard. Type y to save and activate the changes (see Figure 7.36). The packetd activates the new configuration.

Current Sig User File '/usr/nr/etc/SigUser.conf'

Current Settings File '/usr/nr/etc/SigSettings.conf'


1 – Tune Signature Parameters

2 – Add NEW Custom Signature

3 – Set Custom Signature Severity/Action

4 – Edit Signature Address Mapping

5 – Delete Signature Tunings and Custom Signatures

6 – Additional 3.x Tokens

7 – Display Signatures

8 – Global Settings

x – EXIT


Selection> x

Save changes and Exit?

Activate Changes on Sensor?


s – Exit, Save, Do Not Activate

n – Exit. Do Not Save

Enter – Back to Menu

Selection >

Figure 7.36: Activating the Signature

Note: If you are using Unix Director version 2.2.3 or later, the nrConfigure utility will be able to configure everything that SigWizMenu configures. After upgrading to 2.2.3, you should use nrConfigure instead of SigWizMenu to tune the signatures.