Implementing Cisco
Intrusion Prevention
Systems
Volume 1
Version 6.0
Student Guide
EPWS: 06.08.07
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN
CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF
THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED
WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR
PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release
content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.
Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program,
Cisco Systems is committed to bringing you the highest-quality training in the industry.
Cisco learning products are designed to advance your professional goals and give you
the expertise you need to build and maintain strategic networks.
Cisco relies on customer feedback to guide business decisions; therefore, your valuable
input will help shape future Cisco course curricula, products, and training offerings.
We would appreciate a few minutes of your time to complete a brief Cisco online
course evaluation of your instructor and the course materials in this student kit. On the
final day of class, your instructor will provide you with a URL directing you to a short
post-course evaluation. If there is no Internet access in the classroom, please complete
the evaluation within the next 48 hours or as soon as you can access the web.
On behalf of Cisco, thank you for choosing Cisco Learning Partners for your
Internet technology training.
Sincerely,
Cisco Systems Learning
Table of Contents
Volume 1

Course Introduction
  Overview
  Learner Skills and Knowledge
  Course Goal and Objectives
  Course Flow
  Additional References
  Cisco Glossary of Terms
  Your Training Curriculum

Module 1: Intrusion Prevention Overview
  Overview
  Module Objectives
  Evasion Attacks
  TTL-Based Attacks
  Encryption-Based Attacks
  Resource Exhaustion Attacks
  Summary
  Module Summary
  References

Module 2: Installation of a Cisco IPS 4200 Series Sensor
  Overview
  Module Objectives

  Overview
  Objectives
  Introducing the CLI
  Initializing the Sensor
  Performing Administrative Tasks
  Additional Administrative Commands
  Summary

  Overview
  Objectives
  Introducing the Cisco IDM
  Getting Started with the Cisco IDM
  How to Configure SSH
  How to Reboot and Shut Down the Sensor
  Summary

  Overview
  Objectives
  How to Configure Allowed Hosts
  How to Set the Time
  How to Configure Certificates
  How to Configure User Accounts
  Defining Interface Roles
  Command and Control Interface
  Monitoring Interfaces
  TCP Reset Interfaces
  How to Configure the Interfaces
  How to Configure Software and Hardware Bypass Mode
  Viewing Events in the Cisco IDM
  Summary
  Module Summary
  References

Module 3: Cisco IPS Signatures
  Overview
  Module Objectives

  Overview
  Objectives
  Cisco IPS Signatures
  How to Locate Signature Information
  How to Configure Basic Signatures
  Special Considerations for Signature Actions
  Summary

  Overview
  Objectives
  Introducing Cisco IPS Signature Engines
  Common Signature Engine Parameters
  ATOMIC Signature Engines
  FLOOD Signature Engines
  SERVICE Signature Engines
  STRING Signature Engines
  SWEEP Signature Engines
  TROJAN Signature Engines
  TRAFFIC Signature Engines
  AIC Signature Engines
  STATE Signature Engine
  META Signature Engine
  NORMALIZER Engine
  Summary

  Customizing Signatures
  Overview
  Objectives
  Tuning Signatures
  Noise Reduction
  False Positive Reduction
  False Negative Reduction
  Focusing Cisco IPS Sensors
  Customizing Built-in Signatures
  How to Create Custom Signatures
  Custom Signature Scenarios
  Summary
  Module Summary
Course Introduction
Overview
This course delivers the knowledge and skills needed to design, install, configure, and maintain
a Cisco Intrusion Prevention System (IPS) sensor for small, medium, and enterprise networks,
and also covers the procedures for managing IPS alarms.
Course Goal
To deploy, configure, and administer Cisco IPS
sensors to protect network devices and hosts as well
as efficiently manage IPS alarms.
Upon completing this course, you will be able to meet these objectives:
- Install and configure the basic settings on a Cisco IPS 4200 Series Sensor
- Use the Cisco IDM to configure built-in signatures to meet the requirements of a given security policy
- Configure some of the more advanced features of the Cisco IPS product line
- Initialize and install into your environment the rest of the Cisco IPS family of products
- Use the CLI and Cisco IDM to obtain system information, and configure the Cisco IPS sensor to allow an SNMP NMS to monitor the Cisco IPS sensor
Course Flow
This topic presents the suggested flow of the course materials.
Course Flow
Day 1
  AM: Course Introduction; Module 1: Intrusion Prevention Overview
  PM: Module 2: Installation of a Cisco IPS 4200 Series Sensor
Day 2
  AM: Module 3: Cisco IPS Signatures
  PM: Module 3: Cisco IPS Signatures (Cont.)
Day 3
  AM: Module 4: Advanced Cisco IPS Configuration
  PM: Module 4: Advanced Cisco IPS Configuration (Cont.)
Day 4
  AM: Module 5: Additional Cisco IPS Devices
  PM: Module 6: Cisco IPS Sensor Maintenance
(Lunch falls between the AM and PM sessions each day.)
The schedule reflects the recommended structure for this course. This structure allows enough
time for the instructor to present the course information and for you to work through the lab
activities. The exact timing of the subject materials and labs depends on the pace of your
specific class.
Additional References
This topic presents the Cisco icons and symbols that are used in this course, as well as
information on where to find additional technical references.
Figure: Cisco icons and symbols used in this course: Multilayer Switch, Cisco IPS Sensor, Cisco PIX Firewall, Laptop, Cisco Catalyst 6500 Series IDSM-2, Server (Web, FTP, etc.), Network Cloud, Workgroup Switch, Hub, Cisco Adaptive Security Appliance 5500 Series, Secure Endpoint, Ethernet Link, Security Management.
2007 Cisco Systems, Inc. All rights reserved.
You are encouraged to join the Cisco Certification Community, a discussion forum open to
anyone holding a valid Cisco Career Certification (such as Cisco CCIE, CCNA, CCDA,
CCNP, CCDP, CCIP, CCVP, or CCSP). It provides a gathering place for Cisco certified
professionals to share questions, suggestions, and information about Cisco Career Certification
programs and other certification-related topics. For more information, visit
www.cisco.com/go/certifications.
Figure: Cisco Career Certification path for Network Security: Associate (CCNA), Professional (CCSP), Expert (CCIE). See www.cisco.com/go/certifications.
Module 1: Intrusion Prevention Overview
Module Objectives
Upon completing this module, you will be able to explain how the Cisco Intrusion Prevention
System (IPS) protects network devices from attacks. This ability includes being able to meet
these objectives:
- Define intrusion detection and intrusion prevention along with related terms and concepts
- Describe the Cisco IPS solutions and explain how Cisco IPS protects network devices from attacks
- Describe the Cisco monitoring solutions and suggest how to utilize them
Lesson 1
Objectives
Upon completing this lesson, you will be able to define intrusion detection and intrusion
prevention along with related terms and concepts. This ability includes being able to meet these
objectives:
- Describe the similarities and differences among the various intrusion detection technologies
- Describe the new features included in the Cisco IPS Sensor Software Version 6.0
An IDS has the capability to detect misuse and abuse of, and unauthorized access to, networked
resources. The Cisco intrusion protection product portfolio consists of a variety of devices
called sensors, all of which can monitor traffic from a particular network segment, analyze it,
detect malicious activity, and take a response action if the traffic is deemed malicious.
An IDS is usually a dedicated device that monitors network traffic and detects anomalies based
on certain criteria. These criteria can be a database of signatures, a statistical knowledge of
what represents normal network traffic, or an administrator-specified security policy.
The following are the attacks most commonly detected by a network IDS:
- Network sweeps and scans, which can indicate network reconnaissance.
- Common network anomalies on most Open Systems Interconnection (OSI) layers, including malformed application-layer protocol units (for example, an HTTP request that does not begin with GET, POST, HEAD, or another valid HTTP method).
- Flooding denial of service (DoS) attacks, which can take the form of a very large number of Internet Control Message Protocol (ICMP) packets or TCP SYN packets. These attacks consume the resources of a system and can severely degrade performance. A TCP SYN flood can even force the system to consume all of its memory, because the system must reserve a certain amount of memory for each connection it sets up.
- Application-layer content attacks, such as buffer overflow attempts in URLs or Multipurpose Internet Mail Extensions (MIME)-type headers.
An IPS has the capability to detect and prevent misuse and abuse of, and unauthorized access
to, networked resources. All Cisco sensors can perform intrusion prevention.
The Cisco Intrusion Prevention System (IPS) is an inline, network-based solution designed to
accurately identify, classify, and stop malicious traffic, including worms, spyware and adware,
network viruses, and application abuse, before it affects business continuity.
Utilizing Cisco IPS Sensor Software Version 6.0, the Cisco IPS solution combines inline
prevention services with technologies intended to improve accuracy, so that the sensor can
block attacks without dropping legitimate traffic.
The Cisco IPS solution also offers comprehensive protection of your network through its
ability to collaborate with other network security resources, providing a proactive
(Adaptive Threat Defense [ATD]) approach to protecting your network.
Figure: Signature-based IPS. The attacker sends the HTTP request GET /cgi-bin/phf?Qname=x%0acat+/etc/shadow to the target; the sensor reports a STRING MATCH because /cgi-bin/phf is followed by /etc/shadow.
Signature-Based IPS
A signature is a set of rules that pertain to typical intrusion activity. Highly skilled network
engineers research known attacks and vulnerabilities and develop signatures to detect these
attacks and vulnerabilities.
A signature-based IPS monitors the network traffic and compares the data in the flow against a
database of known attack signatures.
To detect an attack signature, which is usually a well-known pattern of attack, a signature-based IPS looks at the packet headers or data payloads. For example, a signature might be a
sequence or a string of bytes in a certain context. Here are some examples:
- Attacks against a web server are usually in the form of specially crafted URLs. Therefore, the IPS looks for the signature at the start of the data flow, which begins with an HTTP request from the client.
- An attack against a Simple Mail Transfer Protocol (SMTP) server can be in the form of a buffer overflow in the MAIL FROM command of the SMTP session. The IPS looks for an attack signature in the SMTP session that starts with the MAIL FROM command and includes the signature before the end of the line.
- An attack on the mail client can be in the form of a buffer overflow in the MIME header of the message itself. The IPS looks for the sequence of bytes that identifies the start of a new MIME part in the message and a sequence of bytes that compose a buffer overflow following it.
These examples illustrate the fact that a signature-based IPS detects only attacks that a vendor
or IPS administrator has entered into a database. Usually a signature-based IPS is unable to
detect undiscovered or unreported attacks. Therefore, all signature-based IPSs place a certain
amount of burden on the administrator, because they will have to regularly update the signature
database. Usually, the manufacturers publish database updates; however, the administrator must
still monitor the updates, be continually aware of the new types of attacks, and confirm that the
latest database can detect these attacks. If not, the administrator must create custom signatures
that will cover these attacks.
The patterns in a network IPS can be based on the following:
- Data matching and stateful (session-aware) data matching, for example, string matching
- Full protocol decodes, where a pattern in the protocol itself is examined
Limitations:
- Cannot detect unknown attacks (not always true with good generic signatures)
- Requires constant updates to stay current
- Is susceptible to evasion
- Has a high false positive rate with bad signatures
- Requires creation of signatures
- Is always reactive
Features
The features of signature-based IPS are as follows:
- After the IPS has been tuned to filter out all events that represent a low threat, and all events that do not apply to the network topology (for example, signatures for attacks against web servers that are not used in the monitored network), the IPS notifies the analyst only of the attacks that are relevant to the monitored network. Therefore, a signature-based IPS, when tuned, should have a low false positive rate.
- A signature-based IPS usually has a simple way of adding new signatures, which allows the administrator to keep the database up to date with signatures for the newest attacks without waiting for the next manufacturer update. Also, the signatures are usually easy enough to understand that they can be translated from another source (for example, some other IPS or a Computer Emergency Response Team [CERT] advisory) and put into the database.
Limitations
The limitations of the signature-based IPS are as follows:
- The IPS cannot detect a new attack for which there is no signature in the database. This limitation can sometimes be avoided if the signature is generic. For example, most directory traversal attacks can be detected by checking for the presence of the string ".." in the URL. However, that signature would also be triggered by legitimate requests that contain ".." in the URL; it is too generic and would produce many false positives.
- The administrator must constantly update the signature database so that the IPS can detect the most recent attacks.
- If the signature is not well written, evasion is possible. For example, the string ".." can be URL-encoded as %2E%2E, or represented with non-canonical Unicode Transformation Format (UTF) encodings instead of plain ASCII, and a signature that matches only the literal ASCII form will miss it unless the sensor decodes the request first.
- Bad (vendor or custom) signature design causes many false positives to fire; therefore, good signature design, which is not simple, is required.
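The string matching described in the signature examples above, together with the URL-encoding evasion listed under the limitations, as an added example; this is not code from the original guide or from Cisco's sensor software. It assumes hypothetical signatures (phf-shadow, dotdot-generic, dotdot-cmd-exe) and constructed request lines; only the plain phf request reproduces the slide example. Each signature is run twice, once on the raw request line and once after normalization (repeated URL decoding plus folding of overlong UTF-8), so both the evasion and the false positive of the generic ".." signature are visible.

```python
"""Signature matching with and without traffic normalization (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample HTTP request lines. Only "phf-plain" reproduces the slide's
# example; the others are hypothetical variants built for this demonstration.
SAMPLE_REQUESTS = {
    "benign-index":       b"GET /index.html HTTP/1.0",
    "phf-plain":          b"GET /cgi-bin/phf?Qname=x%0acat+/etc/shadow HTTP/1.0",
    "phf-url-encoded":    b"GET /cgi-bin/phf?Qname=x%0acat+%2fetc%2fshadow HTTP/1.0",
    "traversal-double":   b"GET /scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "traversal-overlong": b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "benign-dotdot":      b"GET /docs/../public/readme.txt HTTP/1.0",
}

# Hypothetical signatures (name, pattern), applied to the HTTP request line, i.e.
# the start of the client's data flow, which is the context the text describes.
SIGNATURES = [
    # Specific: the phf CGI followed by /etc/shadow, as in the slide.
    ("phf-shadow", re.compile(rb"/cgi-bin/phf\?.*?/etc/shadow", re.DOTALL)),
    # Generic: any "../" in the URL. Catches traversal attacks that have no
    # dedicated signature, but also fires on legitimate requests containing "..".
    ("dotdot-generic", re.compile(rb"\.\./")),
    # Narrower: traversal that reaches cmd.exe, so far fewer false positives.
    ("dotdot-cmd-exe", re.compile(rb"\.\./.*?cmd\.exe", re.DOTALL)),
]


def fold_overlong_utf8(data: bytes) -> bytes:
    """Collapse 2-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) to the
    ASCII byte they encode, e.g. C0 AF -> '/'. A strict decoder rejects these,
    but servers that accepted them are exactly what the evasion relied on."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(data[i + 1] & 0x3F)
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(request_line: bytes, max_decode_passes: int = 2) -> bytes:
    """Undo URL encoding repeatedly (to defeat double encoding such as %252e)
    and fold overlong UTF-8 before the signatures see the data."""
    data = request_line
    for _ in range(max_decode_passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return fold_overlong_utf8(data)


def match_signatures(data: bytes) -> list:
    """Names of all signatures whose pattern is found in the data."""
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


def scan(requests: dict) -> dict:
    """For each request, the signatures that fire on the raw bytes (a matcher
    with no normalization) and on the normalized bytes."""
    return {
        label: {"raw": match_signatures(line), "normalized": match_signatures(normalize(line))}
        for label, line in requests.items()
    }


if __name__ == "__main__":
    for label, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{label:20} raw={hits['raw']} normalized={hits['normalized']}")
```

Run as a script, the output shows that the encoded phf and traversal requests are invisible to the raw matcher and caught only after normalization, while the benign "../public/readme.txt" request trips the generic signature in both modes: the false positive the text warns about, which the narrower dotdot-cmd-exe signature avoids.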
Figure: Anomaly-based IPS. Three alarms are shown: "The SNMP message does not conform to the protocol!"; "There is too much UDP traffic in the mix!" (an attacker sends a UDP flood at the target); and "The web server is writing to the \WINNT folder!" (HTTP www file access on the target).
Anomaly-Based IPS
An anomaly-based IPS monitors the network for events and content that represents an anomaly
(that is, a departure from normal behavior). This anomaly can be an unusual increase in a
certain type of traffic, an occurrence of some type of traffic not usually present on a monitored
network, or a malformed message of a known protocol.
Here are the two types of anomaly-based IPS:
- Statistical anomaly detection: This approach learns the profile of the monitored network (traffic patterns) from the network itself over a period of time. After that period, it detects whether the statistical properties of the network traffic deviate enough from the usual pattern and, if so, triggers an alarm.
- Nonstatistical anomaly detection: This approach flags an anomalous packet, such as a Christmas tree packet, or a TCP packet where the source and destination addresses and ports are equal.
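Both kinds of anomaly check, as an added example that is not code from the original guide or from Cisco's anomaly detection feature. The baseline minutes, the two observed minutes and the packets are all constructed; the z-score threshold, the choice of the UDP share as the statistic, and the flag combinations checked are assumptions made for the demonstration.

```python
"""Statistical and nonstatistical anomaly checks over constructed traffic (added example)."""
import statistics

# Constructed baseline: per-minute packet counts by protocol during the learning
# period. The numbers are hypothetical, chosen so UDP is roughly 10% of traffic.
BASELINE_MINUTES = [
    {"tcp": 870, "udp": 100, "icmp": 30},
    {"tcp": 850, "udp": 120, "icmp": 30},
    {"tcp": 880, "udp": 90, "icmp": 30},
    {"tcp": 860, "udp": 110, "icmp": 30},
    {"tcp": 865, "udp": 105, "icmp": 30},
    {"tcp": 875, "udp": 95, "icmp": 30},
    {"tcp": 855, "udp": 115, "icmp": 30},
    {"tcp": 885, "udp": 85, "icmp": 30},
]
# Two constructed minutes observed after learning: one ordinary, one UDP flood.
NORMAL_MINUTE = {"tcp": 862, "udp": 108, "icmp": 30}
FLOOD_MINUTE = {"tcp": 180, "udp": 800, "icmp": 20}

# Constructed packets for the nonstatistical checks (flags as a tuple of names).
SAMPLE_PACKETS = {
    "normal-syn": {"src": "10.0.0.5", "sport": 51000, "dst": "10.0.0.10", "dport": 80, "flags": ("SYN",)},
    "xmas":       {"src": "10.0.0.5", "sport": 51001, "dst": "10.0.0.10", "dport": 80, "flags": ("FIN", "PSH", "URG")},
    "land":       {"src": "10.0.0.10", "sport": 139, "dst": "10.0.0.10", "dport": 139, "flags": ("SYN",)},
    "syn-fin":    {"src": "10.0.0.5", "sport": 51002, "dst": "10.0.0.10", "dport": 22, "flags": ("SYN", "FIN")},
}


def udp_share(minute: dict) -> float:
    """Fraction of the minute's packets that are UDP."""
    return minute.get("udp", 0) / sum(minute.values())


class StatisticalProfile:
    """Learns mean and standard deviation of the UDP share from the baseline,
    then flags minutes more than threshold_sigma standard deviations away.
    This is the 'learn, then compare' behaviour the text describes."""

    def __init__(self, baseline_minutes, threshold_sigma: float = 3.0):
        shares = [udp_share(m) for m in baseline_minutes]
        self.mean = statistics.fmean(shares)
        self.stdev = statistics.stdev(shares) or 1e-9   # guard a flat baseline
        self.threshold_sigma = threshold_sigma

    def zscore(self, minute: dict) -> float:
        return (udp_share(minute) - self.mean) / self.stdev

    def is_anomalous(self, minute: dict) -> bool:
        return abs(self.zscore(minute)) > self.threshold_sigma


XMAS_FLAGS = {"FIN", "PSH", "URG"}


def packet_anomalies(pkt: dict) -> list:
    """Nonstatistical checks: no learning, just packets that cannot occur in a
    legitimate TCP exchange. Returns the names of the checks that fired."""
    findings = []
    flags = set(pkt.get("flags", ()))
    if XMAS_FLAGS <= flags:
        findings.append("christmas-tree-flags")
    if "SYN" in flags and "FIN" in flags:
        findings.append("syn-fin-together")
    if pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        findings.append("land-src-equals-dst")
    return findings


if __name__ == "__main__":
    profile = StatisticalProfile(BASELINE_MINUTES)
    for name, minute in (("normal", NORMAL_MINUTE), ("flood", FLOOD_MINUTE)):
        print(f"{name}: z={profile.zscore(minute):.1f} anomalous={profile.is_anomalous(minute)}")
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name}: {packet_anomalies(pkt)}")
```

The statistical profile only says "UDP share is far outside normal"; it cannot name the attack, which is the vagueness the limitations slide refers to. The packet checks are precise but cover only the malformations someone thought to encode, which is why the two approaches are complementary rather than alternatives.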
Limitations:
- Output is more vague than other methods (does not pinpoint the exact nature of the attack)
- Statistical anomaly detection requires the creation of statistical user and network profiles
- Is prone to a high number of false positives because of the difficulty in defining normal activity
Features
A significant feature of anomaly-based IPS is that it can detect attacks that have not been
discovered or reported anywhere. Anomaly-based IPS is best suited for an environment where
the pattern of traffic is very well-defined (for example, monitoring a single application on a
host or over the network).
Limitations
The biggest challenge with anomaly-based detection is that statistical approaches work best in
larger environments. Historically that has limited the development of anomaly-based solutions.
With the Cisco IPS Sensor Software Version 6.0 anomaly detection feature, no attempt is made
to be a pure anomaly-based system. Instead, it focuses on worm-based attacks. No matter what
the size of the environment, this form of anomaly detection is highly reliable.
Note: When an anomaly-based IPS has a larger knowledge base, there are fewer false positives.
Figure: Policy-based IPS. Two alarms are shown: "Only DECnet traffic is allowed here!" (an attacker sends IP traffic where the policy permits only DECnet) and "Someone has connected via FTP to the web server!" (an attacker opens an FTP connection to the target web server).
Policy-Based IPS
A policy-based IPS triggers if a violation of a configured policy occurs. Therefore, a policy-based IPS provides a very popular method of detection, especially if unknown attacks must be
detected.
A policy-based IPS has to have a clear representation of what the security policy is. For
example, an administrator can write a network access policy in terms of permissions (which
networks can communicate with which networks, using which protocols).
Some security policies are hard to incorporate into the IPS. If, for example, browsing of
pornographic, hacker, or warez sites is not allowed, the IPS must be able to communicate
with some type of blacklist database to check if a policy violation has occurred. Whether this
communication is possible depends on the implementation of the IPS.
Limitations:
- Requires the operator to design the policy ruleset from scratch
Features
One of the important features of the policy-based IPS is that it is reliable and triggers very few
false positives. This is possible because the administrator enters into the IPS a security policy
that precisely defines what is and what is not allowed.
In most current policy-based IPSs, you define the policy exclusively with a list of custom
signatures that describe what is and what is not allowed in the network. These rules usually
describe all that is forbidden, and the exceptions to the allowed events (for example, trigger an
alarm for any type of traffic destined to host X, except HTTP). The IPS is very focused to the
environment, because you have told it exactly what to allow and what not to allow. It does not
rely on vendor or generic settings.
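A ruleset of the "alarm on everything to host X except HTTP" form, as an added example; it is not code from the original guide or from any Cisco product. The policy, the addresses and the flow records are all constructed for the demonstration, and the first-match evaluation order with a default rule is an assumption about how such a policy is written, not a description of the sensor's rule language.

```python
"""Policy-based detection: an explicit allow/alarm ruleset over flow records (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One policy rule. Fields left as None match anything."""
    name: str
    dst_net: str                         # CIDR of the destination the rule covers
    proto: Optional[str] = None          # "tcp", "udp", "icmp" or None for any
    dports: Optional[frozenset] = None   # allowed destination ports, None for any
    action: str = "alarm"                # "allow" or "alarm"

    def matches(self, flow: dict) -> bool:
        if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and flow["proto"] != self.proto:
            return False
        if self.dports is not None and flow.get("dport") not in self.dports:
            return False
        return True


# Hypothetical policy, evaluated top to bottom; the first matching rule decides.
# The pattern is the one the text describes: state the exception (allow) first,
# then alarm on everything else to the same host or network.
POLICY = [
    Rule("allow-http-to-web", "192.0.2.10/32", "tcp", frozenset({80, 443}), "allow"),
    Rule("alarm-other-to-web", "192.0.2.10/32", action="alarm"),
    Rule("allow-dns", "192.0.2.53/32", "udp", frozenset({53}), "allow"),
    Rule("alarm-other-to-servers", "192.0.2.0/24", action="alarm"),
]
# Traffic the policy says nothing about is not alarmed; the operator must add
# rules for it deliberately (this is the "design the ruleset from scratch" cost).
DEFAULT_RULE = Rule("default-allow", "0.0.0.0/0", action="allow")

# Constructed flow records, as a sensor might summarize observed connections.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},   # web, allowed
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 21},   # FTP to web server
    {"src": "10.1.1.5", "dst": "192.0.2.53", "proto": "udp", "dport": 53},       # DNS, allowed
    {"src": "10.1.1.5", "dst": "192.0.2.53", "proto": "tcp", "dport": 22},       # SSH to DNS server
    {"src": "10.1.1.5", "dst": "10.1.1.9", "proto": "tcp", "dport": 445},        # not covered by policy
]


def evaluate(flow: dict) -> Rule:
    """The first rule that matches the flow, or DEFAULT_RULE if none does."""
    for rule in POLICY:
        if rule.matches(flow):
            return rule
    return DEFAULT_RULE


def audit(flows: list) -> list:
    """(rule name, flow) for every flow the policy alarms on."""
    return [(evaluate(f).name, f) for f in flows if evaluate(f).action == "alarm"]


if __name__ == "__main__":
    for name, flow in audit(SAMPLE_FLOWS):
        print(f"ALARM {name}: {flow['src']} -> {flow['dst']} {flow['proto']}/{flow['dport']}")
```

Because the policy describes the environment exactly, the two alarms it raises (FTP to the web server, SSH to the DNS server) need no signature and no baseline, and a legitimate HTTP request cannot produce a false positive. The cost is equally visible: the SMB flow between workstations is silently allowed until someone writes a rule for it.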
Limitations
The deployment of the policy-based IPS can take quite some time, because it requires the
administrator to design the policy ruleset from scratch. With other types of IPS, notably
signature-based IPS, the deployment time may be shorter because the administrator can
immediately connect the device to the network, and the default settings can then be tuned to
match the specifics of the network.
Even though it is usually easy to define in a security policy exactly what to allow, it may not be
easy or even possible to define all potential violations of the security policy and the level of
threat they represent. Because of this, many events may fall into a gray area, where it is
difficult for the IPS to decide what alarm level to trigger when a violation occurs.
Protocol Analysis
Intrusion detection analysis is performed on the protocol specified in the data stream:
- Examines the protocol to determine the validity of the packet
- Checks the content of the payload (pattern matching)
- Performs nonstatistical anomaly detection
- Poor passwords: Passwords are the first line of defense. Weak or easily guessed passwords are considered vulnerabilities.
- Improper input handling: Software that does not properly handle all possible input can have unexpected results. Often, this leads to either a DoS or access to restricted system resources.
- Password guessing tools: These tools attempt to crack passwords by using knowledge of the algorithm used to generate the actual password or by attempting to access a system using permutations and combinations of different character sets. Some popular password cracking tools are L0phtCrack and John the Ripper.
- Shell or batch scripts: These scripts are created to automate attacks or perform simple procedures known to expose the vulnerability.
- Executable code: Exploits written as executable code require programming knowledge and access to software tools such as a compiler. Consequently, executable code exploits are considered to be more advanced forms of exploitation.
False Alarms
- False positive: Normal traffic or a benign action causes the signature to fire.
- False negative: A signature is not fired when offending traffic is detected. An actual attack is not detected.
The ability of an intrusion detection product to accurately detect an attack or a policy violation
and generate an alarm is critical to its functionality. The two forms of false alarms are false
positives and false negatives.
A false positive is a situation in which normal traffic or a benign action causes the signature to
fire. Consider this scenario: a signature exists that generates alarms if the enable password of
any network device is entered incorrectly. A network administrator attempts to log into a Cisco
router but enters the wrong password. The IPS cannot distinguish between a rogue user and the
network administrator, and it generates an alarm.
A false negative is a situation in which a signature is not fired when offending traffic is
detected. Offending traffic can be as simple as someone sending confidential documents
outside of the corporate network or as complex as an attack against corporate web servers.
False negatives should be considered software bugs and reported in accordance with the
software license agreement.
Note: You should only consider a false negative to be a software bug if, in fact, the IPS has a
signature that has been designed to detect the offending traffic.
True Alarms
True positive: A signature is fired properly when the offending
traffic is detected. An attack is detected as expected.
True negative: A signature is not fired when nonoffending traffic is
detected. Normal traffic or a benign action does not cause an
alarm.
Like false alarms, there are two forms of true alarms. A true positive is a situation in which a
signature is fired properly when offending traffic is detected and an alarm is generated. For
example, Cisco IPS sensors have signatures that detect Unicode attacks against Microsoft
Internet Information Server (IIS) web servers. If a Unicode attack is launched against Microsoft
IIS web servers, the sensors detect the attack and generate an alarm.
A true negative is a situation in which a signature is not fired when nonoffending traffic is
captured and analyzed. In other words, the sensor does not fire an alarm when it captures and
analyzes normal network traffic.
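The following Python example is added here and is not part of the Cisco guide. It runs two hypothetical signatures, modelled on the scenarios above (a failed enable password and an IIS Unicode request), over constructed traffic, classifies every outcome as a true or false positive or negative, and then shows how tuning the password signature to ignore the administrator's workstation removes the false positive. All addresses, payloads, signature definitions and helper names are assumptions.

```python
"""Added example (not from the Cisco guide): a toy signature engine run over
constructed events, with every outcome classified as a true/false positive/
negative the way the guide defines those terms. Event fields, signature
definitions and the sample traffic are all hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Event:
    src: str           # source address
    dst: str           # destination address
    service: str       # telnet, http, smtp, ...
    payload: str       # decoded application data (constructed)
    malicious: bool    # ground truth, known only to the evaluator


@dataclass
class Signature:
    sig_id: int
    name: str
    match: Callable[[Event], bool]
    # Tuning knob: source addresses this signature never alarms on.
    exclude_src: Set[str] = field(default_factory=set)

    def fires(self, ev: Event) -> bool:
        return ev.src not in self.exclude_src and self.match(ev)


def _bad_enable_password(ev: Event) -> bool:
    # Models the guide's scenario: a wrong enable password on a Cisco device.
    return ev.service == "telnet" and "% Bad passwords" in ev.payload


def _iis_unicode(ev: Event) -> bool:
    # Models the guide's IIS Unicode directory-traversal example.
    p = ev.payload.lower()
    return ev.service == "http" and ("%c0%af" in p or "%c1%9c" in p)


def signatures(exclude_from_password_sig: Set[str] = frozenset()) -> List[Signature]:
    return [
        Signature(1, "Failed enable password", _bad_enable_password,
                  set(exclude_from_password_sig)),
        Signature(2, "IIS Unicode traversal", _iis_unicode),
    ]


# Constructed traffic. 10.1.1.5 is the administrator's workstation; 192.0.2.77
# is an attacker; 10.1.3.4 leaks a document by e-mail (no signature covers it).
EVENTS = [
    Event("10.1.1.5", "10.1.1.1", "telnet", "enable\r\n% Bad passwords\r\n", False),
    Event("192.0.2.77", "10.1.1.1", "telnet", "enable\r\n% Bad passwords\r\n", True),
    Event("192.0.2.77", "10.1.2.10", "http",
          "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    Event("10.1.2.9", "10.1.2.10", "http", "GET /index.html HTTP/1.0", False),
    Event("10.1.3.4", "198.51.100.9", "smtp", "Subject: CONFIDENTIAL roadmap", True),
]


def classify(fired: bool, malicious: bool) -> str:
    if fired:
        return "TP" if malicious else "FP"
    return "FN" if malicious else "TN"


def evaluate(events: List[Event], sigs: List[Signature]) -> Dict[str, int]:
    """Count true/false positives/negatives over a labelled event set."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for ev in events:
        fired = any(s.fires(ev) for s in sigs)
        counts[classify(fired, ev.malicious)] += 1
    return counts


def baseline() -> Dict[str, int]:
    return evaluate(EVENTS, signatures())


def tuned() -> Dict[str, int]:
    # Suppress the administrator's typo; note this hides an attacker who
    # spoofs or compromises 10.1.1.5, so tune narrowly and document why.
    return evaluate(EVENTS, signatures({"10.1.1.5"}))


if __name__ == "__main__":
    print("baseline", baseline())   # {'TP': 2, 'FP': 1, 'FN': 1, 'TN': 1}
    print("tuned   ", tuned())      # {'TP': 2, 'FP': 0, 'FN': 1, 'TN': 2}
```

Two points the counts make concrete. The leaked document is a false negative only in the loose sense, because no signature covers it; by the guide's definition it is not a software bug. The tuning also trades visibility for quiet: anything sent from 10.1.1.5, including by an attacker who has taken that host over, no longer trips signature 1, so record the reason for an exclusion and keep it as narrow as possible.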
[Figure: promiscuous-mode sensor. A switch copies traffic to the sensor (step 1); if the traffic matches a signature, the signature fires (step 2); the sensor can send an alarm to a management console and take a response action such as resetting the connection (step 3). Elements shown: switch, sensor, management system, target. 2007 Cisco Systems, Inc. All rights reserved.]
By default, the monitoring interface of a Cisco sensor works in promiscuous mode, which
means that it monitors all traffic on the local network via a network device that captures traffic
for the sensor. The network device sends copies of packets to the sensor for analysis. If the
traffic matches a signature, the signature fires. The sensor can send an alarm to the management
console and take a response action such as initiating a block or resetting the connection.
Sensors running in promiscuous mode are IDS sensors.
[Figure: inline-mode sensor placed in the data path in front of the target. If a packet triggers a signature, it can be dropped before it reaches its target, and an alert can be sent to the management console. Elements shown: sensor, management system, target.]
In contrast to a sensor in promiscuous mode, an inline sensor processes packets as they flow
through the data forwarding path of the network, and can make the decision to forward or drop
packets based on what it detects. An inline sensor is, therefore, an IPS. An inline IPS provides
an added level of protection from Internet worms and from atomic attacks, in which malicious
content is contained in a single packet. With the sensor monitoring all traffic as it moves
through the data forwarding path, a packet that triggers a signature can be dropped before it
reaches its target. The sensor can also send an alert to the management console and take other
response actions.
The Cisco IPS Sensor Software Version 6.0 is a standard image that includes both promiscuous
IDS and inline IPS functionality. You can switch a sensor between inline and promiscuous
mode without causing a reboot or reimage of the sensor. If your sensor has sufficient
monitoring interfaces, you can use inline and promiscuous mode simultaneously.
One method to run the sensor in inline mode is to install it between two network devices as
shown in the figure. The network devices could include routers, switches, or firewalls.
You must configure two monitoring interfaces of the sensor as an inline pair. These inline port
pairs operate in a transparent Layer 2 repeater mode in which packets that enter one interface of
the port pair are transmitted out the other interface of the port pair unless a defined signature
response action drops the packets.
Confidence in IPS
Cisco IPS Sensor Software Version 6.0 contains several
features that enable you to use inline deny actions with
confidence. Among these features are:
Risk rating
High availability
Application firewall
Meta event generator
Anomaly detection
Cisco IPS Sensor Software Version 6.0 contains several features dedicated to preventing your
inline sensor from denying mission-critical packets or in any way disrupting your network. A
brief overview of these features is as follows:
Risk rating: The risk rating feature enables you to make intelligent decisions when
configuring inline drop actions and thereby reduce false alarms. You can use the risk rating
system to control what causes an alarm. The risk rating is made up of several factors:
Event severity: This is the severity level that you assign to a signature.
Asset value: This is a designation of the criticality of the target system. You can
assign a criticality of no value, low, medium, high, or mission-critical to devices on
your network.
Attack relevancy: The severity of the attack can be escalated or de-escalated based
on the relevance of the attack.
Other: Other variables, such as the Promiscuous Delta (PD) or the Watch List
Rating (WLR), are calculated into the risk rating under special circumstances.
maintenance activities and allows the IPS processes and subsystems to be shut down
without impacting network traffic.
Meta event generator: This feature provides accurate worm mitigation through event
correlation.
Anomaly detection: The anomaly detection component of the sensor detects worm-infected
hosts, so Cisco IPS Sensor Software Version 6.0 is less dependent on signature updates for
protection against worms such as Code Red and SQL Slammer. The anomaly detection
component lets the sensor learn normal activity and send alerts or take dynamic response
actions for behavior that deviates from what it has learned as normal.
Note: Anomaly detection alone cannot stop a single exploit from happening, nor will it stop the
very first infection in the network.
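The following Python example is added here and is not from the Cisco guide. It calculates a risk rating from the components listed above and uses the result to decide whether an inline interface pair repeats a packet out the other interface or drops it before it reaches the target. The formula shape RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR and the numeric scales are those documented by Cisco for IPS 6.0; they are assumptions here, since this page names only the components. The deny threshold of 90, the interface names, the signature fidelity values and the sample alerts are likewise hypothetical.

```python
"""Added example (not from the Cisco guide): build a risk rating from the
components the guide lists and let an inline interface pair forward or drop on
it. The formula shape and the numeric scales are the ones Cisco documents for
IPS 6.0 and are assumptions here; the guide itself only names the components.
Interface names, thresholds and sample alerts are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Event severity assigned to the signature (attack severity rating, ASR).
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Asset value of the target (target value rating, TVR).
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack relevancy (ARR): escalate or de-escalate by whether the target is vulnerable.
ATTACK_RELEVANCE = {"relevant": 10, "unknown": 0, "not-relevant": -10}


@dataclass
class Alert:
    sig_id: int
    severity: str
    fidelity: int               # signature fidelity rating (SFR), 0..100
    target_value: str
    relevance: str
    promiscuous_delta: int = 0  # PD, subtracted only in promiscuous mode
    watch_list_rating: int = 0  # WLR, supplied by an external watch list


def risk_rating(a: Alert, inline: bool) -> int:
    """RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100."""
    base = ATTACK_SEVERITY[a.severity] * TARGET_VALUE[a.target_value] * a.fidelity / 10000
    pd = 0 if inline else a.promiscuous_delta
    rr = base + ATTACK_RELEVANCE[a.relevance] - pd + a.watch_list_rating
    return int(max(0, min(100, round(rr))))


# One inline pair: frames entering one interface are repeated out the other.
INLINE_PAIR = {"GigabitEthernet0/0": "GigabitEthernet0/1",
               "GigabitEthernet0/1": "GigabitEthernet0/0"}


def inline_pair_action(ingress: str, alert: Optional[Alert],
                       deny_threshold: int = 90) -> Tuple[str, Optional[str]]:
    """Return (action, egress). A packet that triggered no signature, or one
    whose risk rating is below the deny threshold, leaves on the paired
    interface; at or above the threshold it is dropped before reaching the target."""
    egress = INLINE_PAIR[ingress]
    if alert is None:
        return ("forward", egress)
    rr = risk_rating(alert, inline=True)
    if rr >= deny_threshold:
        return ("deny-packet-inline", None)
    return ("forward", egress)


# Constructed alerts: the same hypothetical custom signature (IDs from 60000
# are the custom range) firing against different targets.
SIG = dict(sig_id=60001, severity="medium", fidelity=80)
CRITICAL_WINDOWS = Alert(**SIG, target_value="high", relevance="relevant")
LAB_LINUX = Alert(**SIG, target_value="high", relevance="not-relevant")
ORDINARY_HOST = Alert(**SIG, target_value="medium", relevance="relevant")
PROMISC_VIEW = Alert(**SIG, target_value="high", relevance="relevant", promiscuous_delta=30)


if __name__ == "__main__":
    for name, a in [("critical Windows server", CRITICAL_WINDOWS),
                    ("lab Linux host", LAB_LINUX),
                    ("ordinary host", ORDINARY_HOST)]:
        print(name, risk_rating(a, inline=True), inline_pair_action("GigabitEthernet0/0", a))
    print("promiscuous view", risk_rating(PROMISC_VIEW, inline=False))
```

The same signature firing with the same fidelity lands on different sides of the deny threshold depending only on asset value and attack relevancy, which is the point of the feature: the drop action can be reserved for alerts that are both probable and aimed at something that matters, while everything else still alarms. In promiscuous mode the PD is subtracted, so the same alert reports a lower rating than it would inline.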
The main new features of Cisco IPS Sensor Software Version 5.1 are as follows:
Dedicated antivirus engine: Provides a dedicated antivirus engine that analyzes traffic to
accurately identify the unique behavior of viruses and stop them from propagating across
the network
Generic Routing Encapsulation (GRE) inspection: Allows the sensor to detect and stop
attacks contained in GRE-encapsulated traffic
Multigigabit-per-second performance
Multi STRING signature engine: Provides inspection of Layer 4 protocol payloads (ICMP,
TCP, and User Datagram Protocol [UDP]) using multiple string matches in one signature
Cisco IPS Sensor Software Version 6.0 adds many new features, which include the following:
Virtualization in Cisco IPS Sensor Software Version 6.0 does not refer to virtual machines.
It is policy virtualization: different policies are applied on different virtual sensors within
one physical sensor.
The SERVICE Server Message Block (SMB) engine has been enhanced and is now called
the SERVICE SMB Advanced engine. There is a new engine added to examine
Transparent Network Substrate (TNS), an industry standard database network protocol.
Passive operating system fingerprinting is a set of features that enables the Cisco IPS to
identify the operating system of the victim of an attack.
The risk rating system is associated with alerts, not signatures. It is calculated from several
components, some of which are configured, others calculated, and some are derived from
other risk rating components.
The External Product Interface (EPI) allows sensors to subscribe for events from other
devices. Although designed to be generic, at this time, the EPI can process only events
from the CiscoWorks Management Center for Cisco Security Agent.
Password recovery no longer requires you to reimage the sensor. It is now possible to
recover the admin account without reimaging. The password is reset to cisco.
The Cisco IPS Device Manager (IDM) now has a new and improved home page with
several new icons for configuring and monitoring sensors.
The anomaly detection feature is designed to detect worm-infected hosts. This component
learns normal activity and sends alerts or takes configured actions for behavior that is
significantly different from what it has learned to be normal.
Summary
This topic summarizes the key points that were discussed in this lesson.
An IDS has the ability to detect misuse and abuse of, and unauthorized
access to, networked resources. An IPS has the ability to detect and
prevent misuse and abuse of, and unauthorized access to, networked
resources.
Anomaly-based intrusion prevention notes activity that is considered
outside of normal activity. Policy-based intrusion prevention defines
intrusions as violations of policy and as malicious behavior. Signature-based intrusion prevention matches patterns of malicious activity.
A vulnerability is a weakness that compromises either the security or
functionality of a system, and an exploit is something that is used to take
advantage of a vulnerability.
If your sensor has sufficient monitoring interfaces, you can use inline and
promiscuous mode simultaneously.
Both Cisco IPS Sensor Software Version 5.1 and Version 6.0 added
features to increase the effectiveness of the Cisco IPS Sensor Software.
Lesson 2
Objectives
Upon completing this lesson, you will be able to describe the Cisco Intrusion Prevention
System (IPS) solutions and explain how Cisco IPS protects network devices from attacks. This
ability includes being able to meet these objectives:
Explain the various models available in the Cisco family of IPS sensors
Describe the Cisco Self-Defending Network and how the Cisco IPS products fit in to that
structure
[Figure: approximate sensor performance in Mbps by platform: Cisco IDS Network Module 45, Cisco IDS 4215 Sensor 80, Cisco IPS 4240 Sensor 250, Cisco ASA AIP-SSM 450, Cisco Catalyst 6500 Series IDSM-2 600, with the network media of each platform as listed in the table.]
The figure and table provide information about current Cisco sensors that can run Cisco IPS
Sensor Software Version 6.0 or higher. These legacy sensors can also run Cisco IPS Sensor
Software Version 6.0:
The performance values are approximate and can vary depending on packet size. Refer to the
product release notes and cisco.com for the most current information.
Sensor                                                     Performance (Mbps)            Network media
Cisco IDS Network Module                                   45                            10/100/1000BASE-TX
Cisco IDS 4215 Sensor                                      80                            10/100BASE-TX
Cisco ASA Advanced Inspection and Prevention Security      225 (Cisco ASA AIP-SSM-10)    10/100/1000BASE-TX
Services Module (Cisco ASA AIP-SSM)                        450 (Cisco ASA AIP-SSM-20)
Cisco IPS 4240 Sensor                                      250                           10/100/1000BASE-TX
Cisco IPS 4255 Sensor                                      600                           10/100/1000BASE-TX
Cisco Catalyst 6500 Series Intrusion Detection System      600                           Switched 1000
Module 2 (IDSM-2)
Cisco IPS 4260 Sensor                                      1000                          10/100/1000BASE-TX, 1000BASE-SX

Note: For the Cisco ASA AIP-SSM, performance values vary considerably depending on which
model of the Cisco ASA 5500 Series Adaptive Security Appliance the Cisco ASA AIP-SSM
is installed in.
The Cisco IPS 4200 Series Sensors are market-leading dedicated appliances for intrusion
detection and prevention, with the highest performance and lowest false alarm rates in the
industry. The Cisco IPS 4200 Series Sensors are focused on protecting network devices,
services, and applications. They are capable of detecting sophisticated attacks such as the
following:
Network attacks
Application attacks
Fragmented attacks
The Cisco ASA AIP-SSM provides the intrusion detection and prevention security feature set
for the Cisco ASA 5500 Series Adaptive Security Appliances. It runs the same Cisco IPS
Sensor Software Version 6.0 or higher software image as the sensor appliances and, therefore,
provides the same security features as the sensor appliance.
The Cisco ASA AIP-SSM is available in two models, the Cisco ASA AIP-SSM-10 and the
Cisco ASA AIP-SSM-20. The Cisco ASA AIP-SSM-20 has a faster processor and more
memory than the Cisco ASA AIP-SSM-10.
The Cisco Catalyst 6500 Series IDSM-2 provides full-featured intrusion protection in the core
network fabric device. The Cisco Catalyst 6500 Series IDSM-2 is specifically designed to
address switched environments by integrating the IDS functionality directly into the switch.
The Cisco Catalyst 6500 Series IDSM-2 runs the same software image as the sensor appliances
and can be configured to perform intrusion prevention.
The Cisco IDS Network Module can be installed on the following Cisco routers to provide 45
Mbps of full-featured intrusion protection services within the router:
The Cisco IDS Network Module provides the capability to inspect all traffic traversing the
router and then identify and terminate unauthorized or malicious activity. The Cisco IDS
Network Module leverages the current Cisco IDS sensor technology to expand IDS support into
the branch office router. It requires an encryption feature set of Cisco IOS Release 12.2(15)ZJ
or later on the router. Because the router terminates IP Security (IPsec) virtual private
network (VPN) and Generic Routing Encapsulation (GRE) tunnels before handing traffic to the
module, the module can inspect decrypted, detunneled traffic at the first point of entry into
the network. Only one Cisco
IDS Network Module is supported in a single router; however, it is not restricted to a specific
network module slot within the router.
Note
Cisco IDS Network Module does not support inline interface pairs or VLAN pairs, and it does
not support virtualization.
[Figure: sensor interfaces. The monitoring interface connects to a switch on the monitored segment between two routers; the command and control interface connects to an out-of-band network that reaches the management system.]
Each sensor appliance has at least two interfaces. One of these interfaces is the designated
command and control interface. This interface has an assigned IP address, which allows it to
communicate with a management workstation and other network devices. The other interface
monitors the desired network segment. The monitoring interface has no IP address and is not
visible on the network.
Some sensors have more than one monitoring interface. These sensors can work in either of
these modes:
Promiscuous mode: Promiscuous mode is illustrated in the figure and is available in all
sensors. Sensors running in promiscuous mode are able to detect malicious activity and
take a response action.
Inline mode: Inline mode is available only in sensors running Cisco IPS Sensor Software
Version 6.0 or higher that have at least two monitoring interfaces or to which additional
interfaces can be added. This includes the Cisco IDS 4215 Sensor, Cisco IPS 4235, Cisco
IPS 4240 Sensor, Cisco IDS 4250 XL Sensor, Cisco IPS 4255 Sensor, and Cisco IPS 4260
Sensor, and the Cisco Catalyst 6500 Series IDSM-2 Module. Sensors running in inline
mode are able to prevent malicious activity and take a response action.
Note: Cisco IPS Sensor Software Version 6.0 is also supported on the Cisco IDS Network Module;
however, this sensor does not support inline functionality.
In Cisco IPS Sensor Software Version 6.0, the physical interfaces of the sensor are named using
the convention <type><slot>/<port>. The type, slot, and port are defined as follows:
<type>: This is the name of the interface type. Names are defined as follows:
For sensing interfaces, <type> is FastEthernet or GigabitEthernet. For
management interfaces, <type> is Management on the Cisco IPS 4240 Sensor
and Cisco IPS 4255 Sensor, and GigabitEthernet or FastEthernet on all other
sensor platforms.
<slot>: This is the physical expansion slot number in which the interface card is installed.
The slot is 0 for all built-in interfaces and 1 or greater for expansion slots. Slots are
numbered from right to left or from bottom to top.
<port>: This is the interface index on the interface card. Port numbers must be unique for
all interfaces on a given slot and a given interface type. For example, FastEthernet3/2 and
GigabitEthernet3/2 can coexist. The port numbers for a given interface type are numbered
in increasing order from right to left, starting with zero.
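The following Python example is added here and is not part of the Cisco guide: a parser and validator for the <type><slot>/<port> naming convention, with inventories constructed from this lesson's interface tables. The uniqueness rule and the requirement of two sensing interfaces for an inline pair come from the guide; the helper names are assumptions.

```python
"""Added example (not from the Cisco guide): parse and validate Cisco IPS 6.0
interface names of the form <type><slot>/<port>. Inventories below are
constructed from the interface tables in this lesson; helper names are mine."""
import re
from typing import List, NamedTuple

_NAME = re.compile(r"^(?P<type>Management|GigabitEthernet|FastEthernet)"
                   r"(?P<slot>\d+)/(?P<port>\d+)$")


class Interface(NamedTuple):
    type: str
    slot: int
    port: int

    @property
    def builtin(self) -> bool:
        return self.slot == 0          # slot 0 = built in, 1 or greater = expansion card

    def __str__(self) -> str:
        return f"{self.type}{self.slot}/{self.port}"


def parse_interface(name: str) -> Interface:
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a Cisco IPS 6.0 interface name: {name!r}")
    return Interface(m["type"], int(m["slot"]), int(m["port"]))


def validate_inventory(names: List[str]) -> List[Interface]:
    """Parse every name and enforce the uniqueness rule: port numbers must be
    unique per (type, slot); FastEthernet3/2 and GigabitEthernet3/2 may coexist."""
    seen = set()
    inventory = []
    for n in names:
        itf = parse_interface(n)
        if itf in seen:
            raise ValueError(f"duplicate interface name {n}")
        seen.add(itf)
        inventory.append(itf)
    return inventory


def is_valid_inventory(names: List[str]) -> bool:
    try:
        validate_inventory(names)
        return True
    except ValueError:
        return False


def sensing_interfaces(names: List[str], command_control: str) -> List[Interface]:
    """Everything except the command and control interface is a sensing port.
    The C&C port is passed explicitly because on some platforms (the IDS 4215)
    it is a FastEthernet port, not a Management port, so the type alone cannot
    identify it."""
    cc = parse_interface(command_control)
    return [i for i in validate_inventory(names) if i != cc]


def can_run_inline(names: List[str], command_control: str) -> bool:
    """An inline pair needs at least two sensing interfaces."""
    return len(sensing_interfaces(names, command_control)) >= 2


# Constructed inventories taken from this lesson's interface tables.
IPS_4240 = ["Management0/0", "GigabitEthernet0/0", "GigabitEthernet0/1",
            "GigabitEthernet0/2", "GigabitEthernet0/3"]
IDS_4215_BASE = ["FastEthernet0/0", "FastEthernet0/1"]          # no expansion card
IDS_4215_4FE = IDS_4215_BASE + ["FastEthernet1/0", "FastEthernet1/1",
                                "FastEthernet1/2", "FastEthernet1/3"]


if __name__ == "__main__":
    print(can_run_inline(IPS_4240, "Management0/0"))         # True
    print(can_run_inline(IDS_4215_BASE, "FastEthernet0/0"))  # False: one sensing port
    print(can_run_inline(IDS_4215_4FE, "FastEthernet0/0"))   # True
    print([str(i) for i in sensing_interfaces(IDS_4215_4FE, "FastEthernet0/0")
           if not i.builtin])                                # the four card ports
```

The base Cisco IDS 4215 Sensor has a single sensing port and therefore cannot form an inline pair until the expansion card is fitted, which is why the guide lists it among the inline-capable sensors only with the qualifier "or to which additional interfaces can be added".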
[Figure: Cisco IDS 4215 Sensor front panel, showing the power LED and the command and control interface LED.]
The technical specifications for the Cisco IDS 4215 Sensor are as follows:
Performance: 65 Mbps
The physical dimensions of the Cisco IDS 4215 Sensor are as follows:
[Figure: Cisco IDS 4215 Sensor back panel, showing the console port, the command and control interface, the built-in monitoring interface, and the optional monitoring interfaces.]
The back of the Cisco IDS 4215 Sensor can have up to six Ethernet interfaces: one command
and control interface and up to five monitoring interfaces (one built in, four on the optional
expansion card in slot 1). Reading from right to left, the interfaces are as reflected in the table.

Label on Sensor   Function               Name
Ethernet 1        Command and control    FastEthernet0/0
Ethernet 0        Sensing                FastEthernet0/1
None              Sensing                FastEthernet1/0
None              Sensing                FastEthernet1/1
None              Sensing                FastEthernet1/2
None              Sensing                FastEthernet1/3
[Figure: Cisco IPS 4240 Sensor front panel, showing the power, status, and flash indicators.]
The technical specifications for the Cisco IPS 4240 Sensor are as follows:
Form factor: 1 RU
The physical dimensions of the Cisco IPS 4240 Sensor are as follows:
Note: There is also a DC-powered version of the Cisco IPS 4240 Sensor. It is based on the
Cisco IPS 4240 Sensor but has unique features, including support for DC power and Network
Equipment Building System (NEBS) Level 3 compliance.
[Figure: Cisco IPS 4240 Sensor back panel, showing the command and control interface, the Compact Flash slot, the console port, the auxiliary port, and the USB ports.]
The back panel of the Cisco IPS 4240 Sensor is made up of the following:
There are four 10/100/1000BASE-TX monitoring interfaces and one command and control
interface. Reading from right to left, the interfaces are as reflected in the table.

Function               Name                   Label on Sensor
Sensing                GigabitEthernet0/0
Sensing                GigabitEthernet0/1
Sensing                GigabitEthernet0/2
Sensing                GigabitEthernet0/3
Command and control    Management0/0          MGMT
[Figure: Cisco IPS 4255 Sensor front panel, showing the power, status, and flash indicators.]
The technical specifications for the Cisco IPS 4255 Sensor are as follows:
Form factor: 1 RU
The physical dimensions of the Cisco IPS 4255 Sensor are as follows:
[Figure: Cisco IPS 4255 Sensor back panel, showing the command and control interface, the USB ports, the Compact Flash slot, the console port, and the auxiliary port.]
The back panel of the Cisco IPS 4255 Sensor is made up of the following:
There are four 10/100/1000BASE-TX monitoring interfaces and one command and control
interface. Reading from right to left, the interfaces are as reflected in the table.

Function               Name                   Label on Sensor
Sensing                GigabitEthernet0/0
Sensing                GigabitEthernet0/1
Sensing                GigabitEthernet0/2
Sensing                GigabitEthernet0/3
Command and control    Management0/0          MGMT
[Figure: Cisco IPS 4260 Sensor front panel, showing the power, flash, and status indicators.]
The technical specifications for the Cisco IPS 4260 Sensor are as follows:
Performance: 1 Gbps
Optional interfaces: There are two expansion slots, each of which can contain either four
10/100/1000BASE-TX monitoring interfaces or two 1000BASE-SX fiber interfaces. Both the
2SX fiber card and the 4GE bypass interface card include a hardware-bypass feature.
Form factor: 2 RU
The physical dimensions of the Cisco IPS 4260 Sensor are as follows:
[Figure: Cisco IPS 4260 Sensor back panel, showing the built-in monitoring interface, the command and control interface, the two expansion slots, and the expansion-card monitoring interfaces.]
The back panel of the Cisco IPS 4260 Sensor is made up of the following:
Two expansion slots, each of which can hold either four 10/100/1000BASE-TX monitoring
interfaces or two 1000BASE-SX fiber interfaces, allowing up to nine monitoring interfaces in
total
Network IPS
This topic describes network IPS and its benefits and limitations.
Sensors are connected to network segments. A single sensor can
monitor many hosts.
The growth of a network is easily protected. New hosts and
devices can be added to the network without additional sensors.
The sensors are network appliances tuned for intrusion
prevention analysis.
The operating system is hardened.
The hardware is dedicated to intrusion prevention analysis.
A network IPS involves the deployment of monitoring devices, or sensors, throughout the
network to capture and analyze the traffic as it traverses the network. The sensors detect
malicious and unauthorized activity in real time and can take action when required.
Sensors can be deployed at designated points that enable security managers to monitor network
activity while it is occurring, regardless of the location of the target of the attack.
Network IPS gives security managers real-time insight into their networks regardless of
network growth caused by adding either more hosts or new networks. Additional hosts added to
protected networks would be covered without any new sensors. Additional sensors can easily
be deployed to protect the new networks. The following are some of the factors that influence
the addition of sensors:
Exceeded traffic capacity: For example, the addition of a new gigabit network segment
requires a high-capacity sensor.
Performance capabilities of the sensor: The current sensor may not be able to perform,
given the new traffic capacity.
Network implementation: The security policy or network design may require additional
sensors to help enforce security boundaries.
Network IPS sensors are typically tuned for intrusion prevention analysis. The underlying
operating system is stripped of unnecessary network services, and essential services are
secured.
The hardware chosen provides the maximum intrusion prevention analysis possible for various
networks. The hardware includes the following three things:
Network interface card (NIC): Network IPSs must be able to connect into any network.
Common network IPS NICs include Ethernet, Fast Ethernet, and Gigabit Ethernet.
Memory: Intrusion prevention analysis is memory intensive. Memory directly affects the
ability of a network IPS to efficiently and accurately detect an attack.
A single device can monitor many of the hosts on the network, which decreases the cost of
maintenance and deployment.
A network IPS can detect low-level attacks, as it captures raw data from the network.
A network IPS can detect attacks on many different types of operating systems, depending
on the extent of its database.
A network IPS can have a special, dedicated interface that monitors only network traffic
and is otherwise completely unresponsive to stimuli. Such a device is invisible to the
attacker, which by definition is not true of a host IPS agent, which resides on the server
and is visible by default.
Limitations of a network IPS include the following:
- There may be too much traffic on the network for the IPS to process it all in real time and respond to it in a timely manner.
- The network IPS may not interpret the data that it monitors in the same way as the end system. An example of this behavior is the reassembly of overlapping fragmented datagrams. The network IPS may reassemble the datagrams so that later datagrams overwrite the data that is already in the reassembly buffer, while the end system may leave the data that is already in the reassembly buffer unchanged. If the data comes from an attacker, the results may not be the same.
- Network encryption breaks the application layer capability of a network IPS, because payloads become hidden (Secure Sockets Layer [SSL], IPsec).
[Figure: typical network IPS deployment. Untrusted network, router, firewall, switches, sensor, and management server.]
The figure illustrates a typical network IPS deployment. The sensor is deployed at a network
entry point and reports to a management and monitoring server located inside the corporate
firewall.
Host-Based IPS
This topic describes host IPS and its benefits and limitations.
Host IPS
- Consists of agent software installed on each host
- Provides individual host detection and protection
- Does not require special hardware
A host IPS audits host log files, host file systems, and resources. An advantage of a host IPS is
that it can monitor operating system processes and protect critical system resources, including
files that may exist only on that specific host.
A simple form of host IPS is enabling system logging on the host. However, it can become
manpower-intensive to recover and analyze these logs. The host IPS software of today requires
agent software to be installed on each host to monitor activity performed on and against the
host. The agent software performs the intrusion detection analysis and protects the host.
The Cisco host IPS, Cisco Security Agent, complements the Cisco network IPS by protecting
the integrity of applications and operating systems. The Cisco Security Agent blocks malicious
activity before damage is done. By using behavior-based technology that focuses on the
behavior of applications, the Cisco Security Agent protects not only against known attacks but
also against new attacks for which there is no known signature.
Cisco Security Agent resides between the applications and the kernel, enabling maximum
application visibility with minimal impact to the stability and performance of the underlying
operating system. The unique architecture of the software intercepts all operating system calls
to file, network, and registry sources, and to dynamic run-time resources such as memory
pages, shared library modules, and Component Object Model (COM) objects. The agent applies
unique intelligence to correlate the behaviors of these system calls, based on rules that define
inappropriate or unacceptable behavior for a specific application or for all applications. This
correlation and subsequent understanding of the behavior of an application is what allows the
software, as directed by the security staff, to prevent new intrusions.
Note: Additional training on Cisco Security Agent is available in the Securing Hosts Using Cisco Security Agent (HIPS) course.
Benefits of a host IPS include the following:
- Host IPS software is written specifically for the host that it resides on, so it can focus only on attacks that affect that system.
- A host IPS can detect a successful attack, and can even take action after that if the system is still stable. For example, in the event of a DoS attack, where the goal of the attacker is to stop a specific service, the host IPS can attempt to restart the service.
- Because it sees the consequences of an attack on the end system, the host IPS can sometimes catch unknown attacks by comparing their behavior to known attacks. An unknown attack results in the same consequences as known attacks, so if the trigger is set to alarm on the consequences, it is more likely that the host IPS reacts to the unknown attack, which is usually not the case with a network IPS.
- If the attack requires the user to be logged in, such as an exploit that causes a local buffer overflow resulting in root privileges on UNIX systems, the host IPS can log the users that are currently logged in.
- A host IPS can observe the data, or the consequences that it has on the system, after the data has been decrypted (SSL, IPsec), which is impossible with a network IPS.
Limitations of a host IPS include the following:
- If the attack is damaging enough, it can crash the entire system before the host IPS is able to react. This is especially true with new attacks that exploit errors in the system that have not yet been fixed.
- The host IPS usually does not see the low-level network events because they are filtered out by the device drivers and TCP/IP stack. These events include Address Resolution Protocol (ARP)-based attacks, such as ARP spoofing, or invalid IP packets that are rejected by the TCP/IP stack.
- For a single agent, no correlation is possible because there is only one source of information (the agent) and a single target (the host). With a network IPS, correlation between attacks is available immediately, because a network IPS sensor usually monitors whole networks.
- If a large number of devices must be monitored, the cost of host IPS agents becomes quite large, and the cost of deployment and maintenance increases. With a large number of hosts, it may become impossible for one person to administer them all.
- Host IPS agents may not be available for all operating systems deployed in the company, or the applications in use on these systems may not allow an upgrade to a version of the operating system required by the host IPS agent.
[Figure: typical host IPS deployment. Agents on the application server, SMTP server, web server, DNS server, and user desktops behind the firewall report to the console; the untrusted network is outside the firewall.]
The figure illustrates a typical host IPS deployment. Agents are installed not only on publicly
accessible servers, corporate mail servers, and application servers, but also on user desktops.
The agents report events to a central console server located inside the corporate firewall.
The Cisco host IPS, Cisco Security Agent, can correlate these events, such as scan activity from
distributed agents, and is, therefore, able to discern that a distributed port scan is taking place.
Intrusion prevention can be more reliable if you use many different approaches; one type of IPS
may find intrusion attempts that another type of IPS would overlook. However, the amount of
data gathered by many different IPSs may soon outgrow the ability of the administrator to
analyze it all. The tools for such analysis, and the time or resources to create custom tools for
such a task may not be available.
It can be argued that network IPS and host IPS used together are more than the sum of their parts;
the features of one cancel out the limitations of the other. Also, with proper correlation,
you can obtain more trustworthy data from this combination than by using multiple network
IPS sensors and host IPS agents alone.
[Figure: overlap between network-focused technology and host-focused technology.]
No single device or security technology can provide a complete security solution. A defense-in-depth security solution attempts to protect network resources by providing layers of security.
You can implement intrusion detection at both the host level and the network level.
Implementing both technologies provides a defense-in-depth intrusion detection solution.
Host-focused intrusion technology includes the following:
Notice the overlap and the differences between the host-focused and network-focused intrusion
prevention technologies. The differences provide protection where the other technology is
lacking, and the overlap provides an additional layer of protection.
Sensor Deployment
This topic discusses the factors to consider when deploying a Cisco IPS solution.
You should consider several factors when selecting sensors for a Cisco IPS solution:
organizational, financial, and technical. For the purposes of this discussion, the focus is on the
technical factors, which are as follows:
- Network media: Sensor selection is affected by the network media and environment. Cisco IPS sensor NICs range from Ethernet to Gigabit Ethernet.
- Sensor performance: The performance for the sensors is rated by the number of bits per second (bps) that can be captured and accurately analyzed. Cisco IPS sensor performance ranges from 65 Mbps to 1000 Mbps.
- Network design: Cisco IPS sensors are suited for networks that have speeds ranging from 10/100BASE-T Ethernet to Gigabit Ethernet. The network design can affect the choice of sensor.
- IPS design: Sensors used for broad-based analysis usually need more capacity. Sensors that are to focus on monitoring individual servers, or applications, do not need as much capacity.
- Virtualization: If the sensor is going to be using multiple virtual sensors, more capacity will be required.
IDS or IPS
- Deploy an IDS sensor in areas where you cannot deploy an inline device or where you do not plan to use deny actions.
- Deploy an IPS sensor in areas where you need and plan to use deny actions.
You should consider several factors when deciding whether to deploy a sensor as an IPS or as an IDS. Although the use of IPS deny actions requires a well-defined security policy and a good understanding of your overall IPS deployment, IPS is the recommended solution.
There are many benefits and risks of IPS:
- IPS deny actions can stop the trigger packet, packets in a connection, or packets from an attacker.
- The sensor can use stream normalization techniques to reduce or eliminate many network evasion techniques.
- Overrunning the capabilities of an inline sensor can affect the network adversely.
- Overrunning the sensor with data does not affect network traffic, although it can affect IDS analysis.
- IDS response actions cannot stop the trigger packet and are not guaranteed to stop a connection. IDS response actions are typically better at stopping an attacker than a specific attack.
- IDS sensors are more vulnerable to evasion techniques than IPS sensors are.
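The overlapping-fragment reassembly problem listed under the network IPS limitations, and the stream normalization that an inline sensor can apply against it, as an added example that is not part of the Cisco course material. The two reassembly policies, the fragment layout and the byte values are constructed for illustration; real stacks and sensors differ in more ways than this.

```python
"""Overlapping-fragment reassembly: why a network IPS and the end host can
disagree, and how an inline sensor can normalize the ambiguity away.
Added example; not Cisco code. Fragments and policies are constructed."""

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: byte offset inside the datagram plus its payload."""
    offset: int
    data: bytes


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments (in arrival order) under one of two policies.

    favor_new: a later fragment overwrites bytes already in the buffer.
    favor_old: bytes already in the buffer are kept; overlapping bytes in a
               later fragment are discarded.
    Both behaviours exist in real TCP/IP stacks, which is the ambiguity the
    course text warns about.
    """
    if policy not in ("favor_new", "favor_old"):
        raise ValueError("unknown policy: %r" % policy)
    buf: Dict[int, int] = {}
    for frag in fragments:
        for i, value in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "favor_new" or pos not in buf:
                buf[pos] = value
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:
        # A real stack would keep waiting for the missing fragment.
        raise ValueError("incomplete datagram: gap in fragment coverage")
    return bytes(buf[i] for i in range(length))


def sensor_host_agree(fragments, sensor_policy, host_policy):
    """Return (agree, sensor_view, host_view) for the two reassembly views.

    When agree is False the sensor inspected data the host never processed
    (or vice versa), so a signature match on the sensor side says nothing
    reliable about what reached the application.
    """
    sensor_view = reassemble(fragments, sensor_policy)
    host_view = reassemble(fragments, host_policy)
    return sensor_view == host_view, sensor_view, host_view


def conflicting_overlaps(fragments) -> List[int]:
    """Normalizer check: byte positions covered twice with different values.

    Overlaps that repeat the same bytes are harmless retransmissions; an
    overlap that changes bytes is exactly what makes reassembly policy
    matter. An inline sensor that drops datagrams with such conflicts
    guarantees that whatever it forwards is unambiguous for every host.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for frag in fragments:
        for i, value in enumerate(frag.data):
            pos = frag.offset + i
            if pos in seen and seen[pos] != value:
                conflicts.add(pos)
            seen.setdefault(pos, value)
    return sorted(conflicts)


def normalize_inline(fragments):
    """Inline policy: forward only datagrams with no conflicting overlap."""
    return [] if conflicting_overlaps(fragments) else list(fragments)


# Constructed sample: the second fragment rewrites bytes 4..7 of the first.
SAMPLE = [Fragment(0, b"ABCDEFGHIJ"), Fragment(4, b"wxyz")]
# Constructed sample: a benign overlap that repeats identical bytes.
BENIGN = [Fragment(0, b"ABCD"), Fragment(2, b"CDEF")]

if __name__ == "__main__":
    agree, s, h = sensor_host_agree(SAMPLE, "favor_new", "favor_old")
    print("sensor:", s, "host:", h, "agree:", agree)
    print("conflicting positions:", conflicting_overlaps(SAMPLE))
    print("forwarded after normalization:", normalize_inline(SAMPLE))
```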
Deploying a Cisco IDS or IPS solution requires a well-thought-out design. Here are the
important design issues to take into consideration:
- Your network topology: Knowledge of your network topology will help you determine how many sensors are required, the hardware configuration for each sensor (such as the size and type of NICs), and how many management workstations are needed. An inline sensor monitors all traffic between the two devices where it is placed. A promiscuous mode sensor monitors all traffic across a given network segment. With that in mind, you should consider all the connections to the network that you want to protect. Before you deploy and configure your sensors, you should understand the following about your network:
  - Connections between your network and other networks, including the Internet
- Sensor placement: It is recommended that sensors be placed at those network entry and exit points that provide sufficient intrusion prevention coverage. Determine the type of location that you have to determine which parts of the network you want to protect. Keep in mind that each appliance maintains a security policy configured for the network or networks that it is monitoring. The security policies can be standard across the organization or unique for each appliance. You may consider changing your network topology to force traffic across a given protected network segment. There are always operational trade-offs when going through this process. The result should be an estimate of the number of appliances required to protect the desired network. You can place an appliance in front of or behind a firewall. Each position has its benefits and drawbacks.
- Management and monitoring options: Review the management and monitoring options to select those most appropriate for your network. Keep in mind that the number of sensors that you deploy is directly correlated to the type of management console that you select.
[Figure: sensor placement. Cisco Catalyst 6500 Series with IDSM2, firewall, untrusted network, sensor, and management server.]
As you examine your network topology to determine how many sensors are required, consider
all connections to the network that you want to protect. Locations that need to be protected
generally fall into these five basic categories:
- Internet protection: A sensor between your perimeter gateway and the Internet complements the firewall and VPN by monitoring traffic for malicious activity.
- Extranet protection: A sensor between your network and extranet connections, such as connections with a business partner, monitors traffic where trust is implied but not assured.
- Intranet and internal protection: Sensors on your intranet protect data centers and critical systems from internal threats.
- Server farm protection: Companies are deploying Internet servers on their demilitarized zone (DMZ) networks. These servers offer Internet services such as web access, Domain Name System (DNS), FTP, and Simple Mail Transfer Protocol (SMTP). Cisco Security Agent software is installed on these servers. The CiscoWorks Management Center for Cisco Security Agent is installed on an internal network.
A complete Cisco IPS solution includes the installation of both a network IPS and a host IPS.
Network IPS sensors are installed at network entry points to provide broader coverage, and host
IPS agents are installed on critical network servers.
Sensors are deployed at network entry points to protect critical network segments. The
network segments have both internal and external corporate resources. The sensors report
to a central management and monitoring server located inside the corporate firewall.
Network IPS sensors should monitor segments where the organization must prevent attacks the
most. These monitoring points usually include the following:
- The most sensitive internal servers: This is where the sensitive data is kept, and many inside users often have access to these servers. Performance requirements are usually highest on these segments.
- The most sensitive internal segments: These are the segments used for network management or security management. Usually, the amount of traffic on these segments is manageable; therefore, they can usually be monitored with a single sensor per segment, with host IPS agents on the network management workstations.
- Network entry points: These are the locations in a network where untrusted users could potentially enter the network. Examples of these entry points include the Internet firewall, VPN connections, or dialup connections. The switched network edge is also a potential entry point for local network users who might be untrusted. The switched network should be one of the main performance considerations for network IPS deployments, because the amount of traffic at a busy LAN edge is often too high for a single network IPS to handle.
- Exposed hosts most likely to be compromised: For example, exposed servers in the firewall are likely to be targeted by an attacker because they can be used as a jump-off point to the rest of the network.
Example:
- Monitor only HTTP and HTTPS (the only present services)
- Other attacks might be missed, but are not likely to cause damage
When a network IPS is monitoring sensitive internal servers, the performance of the network
IPS is likely to be an issue. The following are guidelines that you should follow when
implementing a network IPS to monitor sensitive internal servers:
Tailor the sensor to the target that it is watching. Disable nonrelevant signatures to help
improve performance.
For example, if the only available services on a destination server are HTTP and HTTPS, a
network IPS might watch only for those protocols going to that server. Other attacks or
attempts might be missed, but are not likely to cause damage.
[Figure: sensor monitoring the untrusted (outside) segment of the firewall.]
Network entry points should be monitored to detect attacks in the flow of traffic from the
untrusted to the trusted side of the network. An example of this kind of protection is on the
Internet firewall. The Internet firewall typically monitors traffic coming from the outside (or
untrusted) interfaces going to the inside (or trusted) interfaces.
You generally use network IPS monitoring on the untrusted (outside) segment to monitor traffic in the wild, that is, to catch any attacks and attempts before they hit the firewall. This type of monitoring is useful to detect new forms of attacks and new trends in attacking, and to provide raw data, which can be correlated with other sensors. This is probably the only sensor that is not focused, because it attempts to gather as much information as possible about anything; this is called broad monitoring. You typically tune this type of sensor to reduce only noise and basic false positives.
Because the sensor is located in front of the firewall, no attacks are denied, except if there is
heavy filtering on the edge router.
[Figure: sensor monitoring the trusted (inside) segment of the firewall.]
You generally use network IPS monitoring on the trusted (inside) segment to detect attacks that
might pass from the untrusted to the trusted side. Basic correlation techniques might discover
this automatically, when seeing the same alarm reported by those two sensors.
Usually, this type of sensor is set to perform broad monitoring, because any type of attack must
be detected when leaking through the firewall.
You usually tune this type of sensor to reduce only the basic false positives. The firewall filters
the majority of the noise from the outside. Outbound traffic, which the IPS also usually
watches, might cause false positives, and would be the main reason for you to tune this sensor.
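Correlating the same alarm across the outside and inside sensors, and separating the inside-sensor alarms that come from outbound traffic (the tuning case mentioned above), as an added example that is not part of the Cisco course. The alert tuple layout, the sensor names, the signature labels, the addresses and the 60-second window are constructed assumptions, not a Cisco alert format.

```python
"""Correlate alarms from an outside (untrusted-side) sensor with alarms from
an inside (trusted-side) sensor. An alarm the inside sensor raises shortly
after the outside sensor raised the same one means the traffic passed the
firewall. Added example, not Cisco code; the alert format is an assumption."""

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed alerts: (sensor, ISO timestamp, signature label, src, dst).
ALERTS = [
    ("outside", "2007-06-08T10:00:01", "sig-A", "203.0.113.7", "192.0.2.10"),
    ("outside", "2007-06-08T10:00:02", "sig-B", "203.0.113.7", "192.0.2.10"),
    ("inside",  "2007-06-08T10:00:02", "sig-A", "203.0.113.7", "192.0.2.10"),
    ("outside", "2007-06-08T10:05:00", "sig-C", "198.51.100.3", "192.0.2.20"),
    ("inside",  "2007-06-08T10:10:00", "sig-D", "192.0.2.15", "198.51.100.9"),
    # Same alarm as the 10:05 outside one, but 25 minutes later: outside the
    # default window, so it is treated as a separate, unmatched event.
    ("inside",  "2007-06-08T10:30:00", "sig-C", "198.51.100.3", "192.0.2.20"),
]

# Constructed trusted address range behind the firewall.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

Key = Tuple[str, str, str]  # (signature, src, dst)


def _parse(alert):
    sensor, ts, sig, src, dst = alert
    return sensor, datetime.fromisoformat(ts), sig, src, dst


def outside_index(alerts) -> Dict[Key, List[datetime]]:
    """Index outside-sensor alarms by (signature, src, dst)."""
    index: Dict[Key, List[datetime]] = defaultdict(list)
    for sensor, ts, sig, src, dst in map(_parse, alerts):
        if sensor == "outside":
            index[(sig, src, dst)].append(ts)
    return index


def classify_inside_alerts(alerts, internal_net=INTERNAL_NET, window_seconds=60):
    """Label each inside-sensor alarm.

    leaked    : the outside sensor raised the same alarm up to window_seconds
                earlier, so the firewall let the attack through (investigate).
    outbound  : the source is an internal host; the course notes that this
                traffic is the usual source of inside-sensor false positives.
    unmatched : only the inside sensor saw it within the window.
    """
    window = timedelta(seconds=window_seconds)
    seen_outside = outside_index(alerts)
    labelled = []
    for sensor, ts, sig, src, dst in map(_parse, alerts):
        if sensor != "inside":
            continue
        earlier = [t for t in seen_outside.get((sig, src, dst), [])
                   if timedelta(0) <= ts - t <= window]
        if earlier:
            label = "leaked"
        elif ipaddress.ip_address(src) in internal_net:
            label = "outbound"
        else:
            label = "unmatched"
        labelled.append((label, sig, src, dst))
    return labelled


def blocked_by_firewall(alerts, window_seconds=60) -> List[Key]:
    """Outside alarms never echoed by the inside sensor within the window.

    These are the attempts the firewall (or edge filtering) stopped, which is
    why the outside sensor is tuned only for noise, not for every attempt.
    """
    leaked = {(sig, src, dst) for label, sig, src, dst
              in classify_inside_alerts(alerts, window_seconds=window_seconds)
              if label == "leaked"}
    return sorted(k for k in outside_index(alerts) if k not in leaked)


if __name__ == "__main__":
    for row in classify_inside_alerts(ALERTS):
        print(row)
    print("blocked:", blocked_by_firewall(ALERTS))
```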
[Figure: separate out-of-band (OOB) management network for IPS. netForensics, Solsoft NP, CiscoWorks, Cisco Security MARS, HP OpenView, and other network management system servers; the IPS OOB connection is separate from the network OOB connection.]
It is a good idea to consider a completely separate management network for IPS, separated even
from the classic management LAN or VLAN, and the security servers. The rationale is that the
IPS subnet should be the most isolated subnet, perhaps even physically separate, because it is
the only monitoring mechanism available to detect unauthorized activity in real time.
Therefore, it should be the most trusted subnet in the network, having extremely restricted
connectivity to it and from it.
Note: Using private VLANs (PVLANs) to put all sensors on isolated ports in an out-of-band (OOB) network is recommended, because the sensors do not need to talk to each other. This prevents the compromise of a single sensor from leading to the compromise of other sensors.
- Integration standard
- Collaborative standard
- Adaptive standard
Integration Standard
Every element in the network acts as a point of defense, and all of the elements work together
to provide a secure and adaptive system. Routers, switches, appliances, and endpoints
incorporate security functions, including firewall protection, VPN capabilities, trust and
identity capabilities, and IPSs. In addition, this standard incorporates technologies inherent in
the secure operation of network devices, such as policing the control plane and providing
thresholds for CPU and memory.
Collaborative Standard
Various components of the network work together to provide new means of protection, and
security becomes a system involving cooperation between endpoints, network elements, and
policy enforcement. Network Admission Control (NAC) is an example of this principle,
whereby endpoints are admitted to the network based on their adherence to security policy that
is enforced by network devices such as routers and switches.
Adaptive Standard
Adaptive security allows for automatic deployment of innovative behavioral methods to
recognize new types of threats as they arise. Mutual awareness can exist between security
services and network intelligence, thus increasing security effectiveness and providing a more
proactive response to new types of threats. This mutual awareness effectively mitigates security
risks by broadening threat recognition capabilities and addressing threats at multiple layers of
the network.
The threat control and containment solutions that Cisco offers consist of innovative, advanced technologies that go beyond simply defending against threats; they proactively and collaboratively control and contain threats. The following are the benefits of the threat control and containment solution offered by Cisco:
The Cisco confidential communications solution enables your organization to take advantage of
and enjoy the positive business benefits of data, voice, video, and wireless communications,
while ensuring the privacy and integrity of critical business communications over these media.
There are many benefits of the Cisco confidential communications solution:
- Gains in productivity
- Application availability
- Customer privacy
The Cisco operational management and policy control solution is a framework of integrated,
collaborative, and adaptive security management tools. Benefits of the Cisco operational
management and policy control solution include the following:
The Cisco Self-Defending Network provides comprehensive network protection using unique
and advanced technologies. The Cisco Self-Defending Network includes the NAC framework
to systematically enforce endpoint policy compliance. The NAC framework encompasses Cisco
switches, routers, access points, VPN appliances, and NAC appliances, which enables
flexibility and consistency throughout the network. Cisco switches and wireless access points,
which are typical network entry points for campus employees, become enforcement points by
enforcing rights based on the state of the attaching device.
The Cisco NAC Appliance (formerly Cisco Clean Access) is a turnkey solution to implement
NAC. The Cisco NAC Appliance is an easily deployed NAC product that allows network
administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote
users and their machines prior to allowing users onto the network. It identifies whether
networked devices such as laptops, desktops, and other corporate assets are compliant with the
security policies of a network, and it repairs any vulnerabilities before permitting access to the
network.
Once both the device and the user are admitted onto the network, they must be protected
against outbreaks and theft. For individual protection, Cisco Security Agent deployed on each
desktop and server provides device-specific protection against numerous thefts. Cisco Security
Agent protects the device against worm and virus attacks, day-zero attacks, unauthorized
access, information theft, and some spyware and buffer overflow attacks.
To enable networkwide protection against outbreaks and theft, firewalls, IPSs, Cisco Catalyst integrated security features within the switch, and router-based security all provide for a consistent security level in the campus network, allowing an organization to follow a best-practice security implementation.
Firewalls help to segment the campus, so that if an outbreak does occur, the entire campus is
not affected. The Cisco ASA 5500 Series Adaptive Security Appliances integrate superior
firewall, VPN, IPS, and antivirus capabilities for advanced protection. You can augment this by
using the firewall feature set that integrates into Cisco IOS routers for additional controls in a
highly segmented environment.
IPSs provide more thorough threat detection through deep packet inspection, a process that
looks into the packet itself. For example, if an attack was hidden in a web request, the firewall
might not catch it, but the IPS would recognize it and prevent it from going any further in the
network. IPSs typically reside behind the firewall, so that the firewall stops all of the well-known attacks, and the IPS inspects the traffic that makes it through the firewall. Intrusion
prevention services are integrated into the Cisco ASA 5500 Series Adaptive Security
Appliances, Cisco Catalyst 6500 Series Switches, and Cisco routers.
To increase the level of security throughout the network infrastructure, several measures can be
taken at the switches and the routers. Through Cisco Catalyst integrated security features,
switches can provide a strong defense against man-in-the-middle attacks, which commonly lead
to theft of information. Security features integrated into the access switch can quickly thwart
malicious activity.
On the router, to protect against outbreaks and theft, the Cisco NetFlow tool feeds into
aggregation and analysis tools, such as the Cisco Security Monitoring, Analysis, and Response
System (MARS). The Cisco AutoSecure feature of routers provides easy lockdown of features
and services that would provide vulnerabilities if left open. Other features protect the router
itself, such as Control Plane Policing (CoPP) and memory rate limiting. These features protect
the router availability when under attack. For more information on these integrated Cisco
Network Foundation Protection (NFP) technologies, visit http://www.cisco.com/go/nfp.
You can implement these services on all Cisco switches and routers throughout the network.
Combined with firewall, intrusion prevention, and host protection, the network provides a
comprehensive defense-in-depth security implementation. A standardized approach with Cisco
products allows for minimal complexity for security management and embedded security
within the network itself, allowing greater transparency for the protection afforded.
Cisco Security MARS is an appliance-based, all-inclusive solution that allows network and
security administrators to monitor, identify, isolate, and counter security threats.
Cisco Security Manager is a powerful but easy-to-use solution for configuring firewall, VPN,
and IPS policies on Cisco security appliances, firewalls, routers, and switch modules.
Summary
This topic summarizes the key points that were discussed in this lesson.
- Cisco offers a wide variety of IPS appliances and modules.
- Network IPSs provide a broad base of protection for all hosts on selected segments.
- Host IPSs provide individual host protection.
- You should consider these factors when planning an IPS deployment: network media, sensor performance, network design, IPS design, and virtualization.
- The Cisco Self-Defending Network provides the ability to recognize suspicious activity, identify threats, and respond to attacks in a coordinated way.
Lesson 3
Objectives
Upon completing this lesson, you will be able to describe the Cisco monitoring solutions and suggest how to utilize them. This ability includes being able to meet these objectives:
- List the Cisco IPS management products for single device management
- List the Cisco IPS management products that you can use for the enterprise
Cisco IPS Sensor Software Version 6.0 runs on the Linux operating system. The following are the primary components of the sensor architecture:
- Secure Shell (SSH) and Telnet: Services the SSH and Telnet requirements for the command-line interface (CLI) application. (By default, SSH is enabled and Telnet is disabled.)
- MainApp: Initializes the system, starts and stops the other applications, configures the operating system, and performs upgrades. It contains the following components:
  - Event Store: This is an indexed store used to store IPS events (error, status, and alert system messages) that is accessible through the CLI, Cisco IPS Device Manager (IDM), Cisco Adaptive Security Device Manager (ASDM), or Remote Data Exchange Protocol version 2 (RDEP2).
  - InterfaceApp: This component handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.
  - LogApp: This component writes all of the application log messages to the log file and the application error messages to the Event Store.
  - ARC: The ARC was formerly known as NAC. The ARC manages remote network devices (firewalls, routers, and switches) to provide blocking capabilities when an alert event has occurred. ARC creates and applies access control lists (ACLs) on the controlled network device or uses the shun command (firewalls).
  - Web Server (HTTP RDEP2 server): This component provides a web interface and communication with other IPS devices through RDEP2 using several servlets to provide IPS services.
- SensorApp: SensorApp performs packet capture and analysis. Policy violations are detected through signatures in the SensorApp, and the information about the violations is forwarded to the Event Store in the form of an alert. Packets flow through a pipeline of processors fed by a producer designed to collect packets from the network interfaces on the sensor. SensorApp supports the following processors:
  - Analysis Engine
  - Alarm Channel
- Sensor interfaces: Sensor interfaces serve as the traffic inspection points. Sensor interfaces are also used for TCP resets and IP logging.
Note: Each application has its own configuration file in Extensible Markup Language (XML) format.
Figure: Cisco IDM (HTTPS client) connects to the sensor (HTTPS server) over HTTPS (TLS and SSL). TLS and SSL use a process called handshaking, which involves a number of coordinated exchanges between a client and a server. A trusted-host certificate is used by the server to verify the identity of a connecting client; a server certificate is used by the server to prove its identity to the client.
The process of negotiating an encrypted session in Transport Layer Security (TLS) is called handshaking because it involves a number of coordinated exchanges between client and server. After a client initiates an HTTPS session, the server sends its server certificate to the client. The client performs a three-part test on this certificate, and asks these questions:
Step 1: Is the issuer identified in the certificate trusted? Every web browser is shipped with a list of trusted third-party certificate authorities (CAs). If the issuer identified in the certificate is in the list of CAs trusted by your browser, the first test is passed.
Step 2: Is the date on the certificate within the range of dates during which the certificate is considered valid? Each certificate contains a validity field, which is a pair of dates. If the date falls within this range, the second test is passed.
Step 3: Does the common name of the subject identified in the certificate match the URL hostname? The URL hostname is compared with the subject common name. If they match, the third test is passed.
You can use the Cisco IDM to configure the sensor to use certificates for secure communications as follows:
- Generate a server certificate on the sensor for the sensor. The sensor uses its server certificate to prove its identity to a client. This is the certificate the sensor returns when you direct your web browser to connect with Cisco IDM.
- Configure a list of trusted hosts. The sensor can use trusted-host certificates to verify the identity of a connecting client. Creating a list of trusted hosts configures the sensor to accept the certificates of remote hosts. The trusted hosts list is useful in master blocking sensor scenarios.
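The three-part test above, written out as an added example (this is not Cisco code and not how a browser or the sensor implements it). It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be run on a real peer certificate. The trust list, the certificate contents and the clock values are constructed for the demonstration; the third test is generalized slightly to check subjectAltName DNS entries before falling back to the subject common name, which is what current browsers do.

```python
import ssl
import time

# Constructed trust list for the demonstration. A real client uses the browser or OS
# trust store; "Example Root CA" is an assumed name, not a real authority.
TRUSTED_ISSUERS = frozenset({"Example Root CA"})

def rdn_value(name, key):
    """Pull one attribute (for example commonName) out of the nested-tuple name
    structure that ssl.SSLSocket.getpeercert() returns for subject and issuer."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def hostname_matches(pattern, hostname):
    """Case-insensitive DNS name match. A leading '*.' matches exactly one label,
    so '*.example.com' covers 'sensor.example.com' but not 'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname

def check_server_certificate(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Apply the three tests from the lesson to a parsed certificate.
    Returns (passed, reasons); reasons lists every test that failed."""
    now = time.time() if now is None else now
    reasons = []

    # Test 1: is the issuer one of the CAs the client trusts?
    issuer = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer not in trusted_issuers:
        reasons.append(f"issuer {issuer!r} is not a trusted CA")

    # Test 2: does the current time fall inside the validity pair of dates?
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        reasons.append("current time is outside the notBefore/notAfter window")

    # Test 3: does the name in the certificate match the URL hostname?
    # The lesson compares the subject common name; subjectAltName DNS entries
    # are consulted first here because current browsers check them first.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(hostname_matches(n, hostname) for n in names):
        reasons.append(f"hostname {hostname!r} matches none of {names}")

    return (not reasons, reasons)

# Constructed certificate in getpeercert() dict shape (not a real sensor certificate).
SENSOR_CERT = {
    "subject": ((("commonName", "sensor.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan 15 00:00:00 2007 GMT",
    "notAfter": "Jan 15 00:00:00 2008 GMT",
}
# A certificate the sensor generates for itself names itself as issuer, so test 1
# fails until the operator explicitly adds it to the client's trust list.
SELF_SIGNED_CERT = dict(SENSOR_CERT, issuer=SENSOR_CERT["subject"])

# Constructed clock values: one inside the validity window, one after it.
DURING_VALIDITY = ssl.cert_time_to_seconds("Jun 01 12:00:00 2007 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Mar 01 00:00:00 2009 GMT")

if __name__ == "__main__":
    for label, cert, host, now in [
        ("CA-issued, valid", SENSOR_CERT, "sensor.example.com", DURING_VALIDITY),
        ("self-signed", SELF_SIGNED_CERT, "sensor.example.com", DURING_VALIDITY),
        ("wrong hostname", SENSOR_CERT, "other.example.com", DURING_VALIDITY),
        ("expired", SENSOR_CERT, "sensor.example.com", AFTER_EXPIRY),
    ]:
        print(label, check_server_certificate(cert, host, now=now))
```

Each failed test is reported separately, so a sensor whose self-generated certificate is also out of date shows two reasons rather than one; that is the information an operator needs to decide between importing the certificate into the trust list and regenerating it.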
Figure: Cisco IDM communicates with the sensor over HTTPS. Events are XML documents carried by SDEE, and configuration is XML documents carried by RDEP2.
In Cisco IPS Sensor Software Version 6.0, management and monitoring applications use RDEP2 to interact with the sensor, to send and receive IPS data via HTTPS. Both IPS events and control transactions are considered IPS data. Control transactions can be diagnostic data from an application or from session logs, or configuration data sent to or from an application.
Note: WebApp provides RDEP2 support, which enables the sensor to report security events, receive Intrusion Detection Interchange and Operations Messages (IDIOM) transactions, and serve IP logs.
Cisco IPS Sensor Software Version 5.x and 6.0 communicate events using the Security Device Event Exchange (SDEE) protocol; however, Cisco IPS Sensor Software Version 5.0 still uses Remote Data Exchange Protocol (RDEP) for communicating configuration and IP log information.
Note: For retrieving events, the sensor is backward-compatible with RDEP even though the new standard for retrieval is RDEP2. Cisco recommends that you use RDEP2 to retrieve events and send configuration changes for Cisco IPS Sensor Software Version 6.0.
SDEE is a standardized IPS communication protocol developed by Cisco for the IDS Consortium at the International Computer Security Association (ICSA). Cisco IPS Sensor Software Version 6.0 uses SDEE to deliver a flexible, standardized application programming interface (API) to the IPS sensor, which facilitates the integration of third-party management and monitoring solutions with the Cisco IPS solution. This feature gives users a choice of third-party solutions to monitor events generated by Cisco IPS sensors.
IPS data is represented in XML format as XML documents. The sensor stores user-configurable parameters in several XML files. RDEP2 can use either HTTP or HTTPS to transmit XML documents between the sensor and external systems. The industry standard HTTP and HTTPS provide a standardized interface for the exchange of XML documents. RDEP2 does not specify the schemas for the XML documents exchanged in RDEP2 messages. The Intrusion Detection Configuration (IDCONF) data format standard defines the XML messages used for configuration.
The SDEE standard specifies both the format of events and the protocols for communicating the events. SDEE supports multiple protocols for communicating events but currently specifies an HTTP-based protocol that is very similar to RDEP.
SDEE is an enhancement of RDEP. It adds extensibility features that are needed for communicating events generated by various types of security devices. The Cisco Intrusion Detection Event Exchange specifies Cisco IPS extensions to SDEE. The extensions add information to the event format. Therefore, some items in an alert are specified by SDEE, and some are Cisco Intrusion Detection Event Exchange extensions.
Both SDEE and RDEP2 use a pull communication model for event messages. The pull communication model allows the management console to pull alerts at its own pace. In Cisco IPS Sensor Software Version 6.0, alerts remain on the sensor until the 30-MB limit of the Event Store is met. When that limit is met, alarms are overwritten.
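The pull model and the overwrite behaviour of a bounded event store, as an added example (this is not the sensor's Event Store implementation or the SDEE API, and the record format and capacity are constructed: 100 bytes here stands in for the 30-MB limit). The point it shows is the operational consequence of "pull at its own pace": a console that polls too rarely silently loses the oldest alerts, and sequence numbers are what let it notice.

```python
from collections import deque

class EventStore:
    """Bounded store modelled on the behaviour described above: when an added event
    pushes the total size past the capacity, the oldest events are overwritten.
    Sequence numbers increase monotonically so a reader can tell what it missed."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.events = deque()      # (seq, record), oldest first
        self.size = 0
        self.next_seq = 1
        self.overwritten = 0       # events discarded to make room

    def append(self, record):
        seq = self.next_seq
        self.next_seq += 1
        self.events.append((seq, record))
        self.size += len(record)
        while self.size > self.capacity:
            _, old = self.events.popleft()
            self.size -= len(old)
            self.overwritten += 1
        return seq

    def pull(self, after_seq, max_events):
        """Pull-model read: the console asks for events newer than the last sequence
        number it processed. Returns (batch, lost), where lost counts events the
        console had not yet fetched when they were overwritten."""
        oldest_present = self.events[0][0] if self.events else self.next_seq
        lost = max(0, oldest_present - (after_seq + 1))
        batch = [(seq, rec) for seq, rec in self.events if seq > after_seq][:max_events]
        return batch, lost

def simulate(poll_every, total_events=20, record_bytes=10, capacity_bytes=100):
    """Feed total_events alerts into a store and let a console poll after every
    poll_every alerts. Returns (events received, events lost before being pulled).
    The sizes are constructed for the demonstration, scaled down from 30 MB."""
    store = EventStore(capacity_bytes)
    last_seen, received, lost = 0, 0, 0
    for i in range(1, total_events + 1):
        store.append("A" * record_bytes)           # constructed fixed-size alert record
        if i % poll_every == 0:
            batch, missed = store.pull(last_seen, max_events=total_events)
            received += len(batch)
            lost += missed
            if batch:
                last_seen = batch[-1][0]
    return received, lost

if __name__ == "__main__":
    for poll_every in (5, 10, 20):
        print(f"poll every {poll_every:2d} alerts -> received, lost = {simulate(poll_every)}")
```

The lost count in pull() is what a monitoring console should alarm on: a non-zero value means the polling interval is too long for the sensor's alert rate and capacity, and the gap cannot be recovered by polling again later.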
Element Management
Figure: Element management. Strengths: easy to deploy; no additional cost. Weakness: separate sessions.
Element management or single device management is the basic way to configure individual
Cisco network devices. The CLI and Cisco IDM are examples of tools that you can use to
perform single device management.
Benefits
The benefit of single device management is that an organization can deploy it at no extra cost,
because all of the necessary functions are included in the network device. Additionally, the
workstation of the administrator needs only standard software such as terminal emulation,
Telnet, SSH, or a Java-capable web browser with SSL support for secure browsing.
Drawbacks
The drawbacks of single device management include the following:
The administrator must translate the per-device subpolicies into the specific language and
applicable commands or settings of the device. This configuration means a high effort and
a certain risk of inconsistencies because of different software versions throughout the
network, which might behave differently because of version-specific default values or
different implemented features or both.
Command-Line Interface
Figure: a CLI session on the sensor:
sensorP# configure terminal
sensorP(config)#
CLI: device-specific commands, version-specific commands, feature-specific commands; considerable amount of typing; best tool for troubleshooting.
The CLI, which is the basic way to configure network devices, is also the hardest way to deploy network policies in a complex environment. The CLI is a very direct way to access devices without the need for specialized tools or programs, but it has some disadvantages.
Each type of device, such as a switch, router, firewall, or encryption device, has its own
configuration language, and in many cases even version-specific commands and default
settings. In addition to entering the commands, the administrator must have a thorough
knowledge of all the configuration languages, versions, and feature sets.
Cisco IDM
Figure: Cisco IDM is a web-based application that allows you to configure, manage, and monitor the sensor.
Cisco IDM is a web-based Java application that enables you to configure and manage your
sensor using a GUI. The web server for Cisco IDM resides on the sensor. You can access it
through Internet Explorer, Netscape, or Mozilla web browsers.
Cisco IDM allows you to perform these actions remotely:
Enterprise Management
Figure: Enterprise management. A single application generates policy-based commands for many devices. Strengths: single administration tool; consistent policies. Weaknesses: platform-specific tools; not always topology-aware.
Enterprise management tools allow you to manage many devices of the same type at the same
time. Their main advantage is that they provide central management with consistent policies
and topology information.
The Cisco IPS Event Viewer (IEV) offers a free monitoring solution for small-scale IPS deployments. Monitoring individual IPS devices, the Cisco IEV is easy to set up and use, and provides the user with the following:
- Support for Cisco IPS Sensor Software Version 6 through SDEE compatibility
- Customizable reporting
- Visibility into applied response actions, virtual sensor ID, daylight saving time (DST), learned operating system, and threat rating
Cisco Security Manager is part of the Cisco Security Management Suite. It delivers
comprehensive policy administration and enforcement for the Cisco Self-Defending Network.
Unlike point security products from multiple vendors, which often do not work together and
can leave vulnerable gaps, the Cisco Security Management Suite provides a comprehensive
solution for provisioning, monitoring, mitigation, and identity to keep networks safer, more
resilient, and easier to operate. The Cisco Security Management Suite also includes Cisco
Security Monitoring, Analysis, and Response System (MARS) for monitoring and mitigation.
Using powerful policy-based management techniques, Cisco Security Manager excels at
efficiently managing networks of all sizes. Its rich client GUI provides superior ease of use.
Cisco Security Manager provides multiple views into the application to accommodate different
tasks and user experience levels.
Cisco Security Manager can be used to centrally provision all aspects of device configurations
and security policies for Cisco firewalls, virtual private networks (VPNs), and IPSs. The
solution is effective for managing even small networks consisting of fewer than 10 devices, but
also scales to efficiently manage large-scale networks composed of thousands of devices.
Scalability is achieved through intelligent policy-based management techniques that can
simplify administration.
Cisco Security MARS recognizes and correlates real network attacks and then defines how to
stop them. This ability allows you to free more network resources by reducing false positives
and simplifying audit compliance.
Going beyond first- and second-generation security information management systems, Cisco
Security MARS more efficiently aggregates and reduces massive amounts of network and
security data from popular network devices and security countermeasures. By gaining network
intelligence, Cisco Security MARS effectively identifies network and application threats
through sophisticated event correlation and threat validation. Verified attacks are visualized
through an intuitive, drill-down topology map to augment incident identification, investigation,
and workflow. Upon attack discovery, it allows the operator to prevent, contain, or stop an
attack in real time by pushing specific mitigation commands to network enforcement devices.
The system supports customer-centric rule creation, threat notification, incident investigation,
and a host of security posture and trend reports.
Cisco Security MARS provides security monitoring for Cisco devices and devices from other
vendors. It helps with the following:
Make precise recommendations for removal of threats, including the ability to visualize the
attack path and identify the source of the threat
Each signature now contains a new parameter, Cisco Security MARS category, which contains
the list of the Cisco Security MARS attack categories associated with the signature. This
category is included in the signature alerts. You can modify the Cisco Security MARS category
for custom signatures but not for built-in signatures.
Summary
This topic summarizes the key points that were discussed in this lesson.
- RDEP2 is used for legacy communications between IPS applications. SDEE is a standards-based communications protocol used by the latest Cisco IPS products.
- Element management is used to administer a single Cisco IPS sensor at a time.
- Cisco Security Manager can be used to centrally provision all aspects of device configurations and security policies for Cisco firewalls, VPNs, and IPSs. Cisco Security MARS recognizes and correlates real network attacks and then defines how to stop them.
Lesson 4
Objectives
Upon completing this lesson, you will be able to define major evasion techniques in order to justify several intrusion prevention system (IPS) features. This ability includes being able to meet these objectives:
- Explain how attackers use string match attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use fragmentation attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use session attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use insertion attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use evasion attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use TTL-based attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use resource exhaustion attacks to avoid detection by intrusion detection and intrusion prevention products
Evasive Techniques
This topic describes what an evasive technique is and provides examples of common evasive techniques.
Attempts to elude intrusion prevention and detection use evasive techniques such as obfuscation, fragmentation, encryption, and flooding. There are many hacker tools designed to evade detection. Examples of such script kiddie products are Snot, Stick, Fragroute, and Whisker.
The hacker community is aware of the various intrusion detection system (IDS) and IPS technologies and has identified ways to evade them. Here are common, general, evasive techniques:
- Flooding
- Fragmentation
- Encryption
- Obfuscation
Black hats, security researchers, and IPS developers have continually played a game of back
and forth when it comes to intrusion detection. The black hats are continually developing
methods to evade detection while the vendors continually attempt to counter with patches,
service packs, and new releases.
One common form of attack is the string match attack. By changing strings in minor ways, an attacker can sometimes easily evade detection. The following are common types of string match attacks:
- Obfuscation
- Change of case
For more information, refer to IDS Evasion Techniques and Tactics by Kevin Timm at http://www.securityfocus.com/infocus/1577.
Obfuscation
Disguising an attack by using special characters to conceal it from a sensor is commonly referred to as obfuscation. Various types of obfuscation are control characters, hexadecimal representation, and Unicode representation.
In the past, intrusion detection was easily evaded by using special characters to disguise an attack. The term used to describe this evasive technique is obfuscation. Obfuscation is now once again becoming popular. Different forms of obfuscation include the following:
- Control characters: These include space, tab, backspace, and delete characters.
- Unicode representation: Unicode provides a unique value for every character, regardless of platform, program, or language. For example, the slash character (/) is represented by the value c1.
Control Characters
Spaces can be changed into other characters to avoid detection:
- One space can become two spaces.
- One space can become one tab or two tabs.
- One space can become a soft carriage return.
Many applications treat each of these variations the same.
One of the difficulties in writing string signatures is dealing with the different variations into which the attack can evolve. Control characters, such as spaces or tabs, are interpreted by many applications identically. This presents the writer of a string match with a challenge: how to write one signature that addresses the original attack and all reasonably expected mutations of that same attack without having to write a new signature for every variation.
Change of Encoding
The slash character (/) can be represented a number of ways by changing the encoding. All of the following represent the same character:
\
%5c
%255c
%%35c
%%35%63
%25%35%63
It is important that signatures anticipate such modifications of malicious strings.
Unicode was developed to make allowances for languages that are more complex than the 26-character alphabet of English. Characters in Unicode can be single byte, double byte, triple byte, or quadruple byte. This flexibility in the standard can be exploited by attackers because many different strings can be used to represent data.
Note: For more information, refer to RFC 2279, UTF-8, a Transformation Format of ISO 10646, and visit http://www.unicode.org.
Change of Case
Phase 1 of attack: malicious string is attack
Phase 2 of attack: malicious string is AtTaCk
Phase 3 of attack: malicious string is ATTACK
Many applications are not case-sensitive. Therefore, the custom signature writer has to be
prepared for the morphing of an attack by a simple change of case. Well-written signatures
anticipate such evolution and are able to detect and prevent future versions of attacks.
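The answer to the string match problem described in the Control Characters, Change of Encoding, and Change of Case sections is to canonicalize the data before matching, so that one signature covers every variation. The following is an added example of such a normalizer (not Cisco sensor code and not a Cisco signature): it percent-decodes until the text stops changing, which folds every encoding in the list above into the same character, folds backslash to slash, collapses control-character variations to a single space, and lower-cases. The signature strings and sample inputs are constructed from the lesson's "attack" and "malicious string" examples; the assumption is that the protected application interprets the input the same way.

```python
import re
from urllib.parse import unquote

# Constructed signature strings for the demonstration (not Cisco signatures). They are
# stored in canonical form, so canonical input is compared to canonical patterns.
SIGNATURES = frozenset({"attack", "malicious string", "/attack"})

MAX_DECODE_PASSES = 3   # bound on nested percent-encoding, so decoding always terminates

WS_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")           # space, tab, soft carriage return, ...
OTHER_CTRL = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]")  # backspace, delete, other controls

def percent_decode(s, max_passes=MAX_DECODE_PASSES):
    """Percent-decode until the text stops changing, so every form in the lesson's
    list (%5c, %255c, %%35c, %%35%63, %25%35%63) ends up as the same character."""
    for _ in range(max_passes):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def normalize(s):
    """Canonical form for matching: decode, fold path separators, collapse control
    characters, and lower-case (assumption: the protected application does the same)."""
    s = percent_decode(s)
    s = s.replace("\\", "/")       # backslash and slash are treated alike by many web servers
    s = OTHER_CTRL.sub("", s)      # drop backspace, delete and similar characters
    s = WS_RUN.sub(" ", s)         # two spaces, tabs, or a soft CR all become one space
    return s.lower()

def match_signatures(payload, signatures=SIGNATURES, canonicalize=True):
    """Return the subset of signatures present in the payload. With canonicalize=False
    this is the naive string match that the variations in the lesson evade."""
    haystack = normalize(payload) if canonicalize else payload
    return {sig for sig in signatures if sig in haystack}

# Constructed variations of the lesson's "attack" and "malicious string" examples.
SAMPLES = ["attack", "AtTaCk", "ATTACK", "malicious\t\tstring",
           "%41ttack", "%2541ttack", "%255cattack", "%%35%63attack"]

def compare(samples=SAMPLES):
    """(sample, hits without normalization, hits with normalization) for each sample."""
    return [(s, match_signatures(s, canonicalize=False), match_signatures(s)) for s in samples]

if __name__ == "__main__":
    for sample, raw_hits, canon_hits in compare():
        print(f"{sample!r:22} raw={sorted(raw_hits)} normalized={sorted(canon_hits)}")
```

The decode loop is bounded deliberately: a normalizer that decodes until a fixed point with no limit is itself a resource-exhaustion target, and three passes already cover the double- and triple-encoded forms shown in the Change of Encoding list.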
Fragmentation Attacks
This topic describes how attackers use fragmentation attacks to avoid detection by intrusion detection and intrusion prevention products.
Figure: Fragmentation
Networks are connected using various media types, such as Ethernet, FDDI, Token Ring, and
ATM. Each of these technologies specifies the allowed maximum transmission unit (MTU).
The MTU value is different for each technology. Consequently, fragmentation of these
transmission units (packets, cells) is allowed to accommodate differing MTU sizes.
Fragmentation adds a level of complexity that sensors must address. The sensor now must keep
track of the fragmented packets and perform reassembly. Reassembly is highly processor-intensive and requires sufficient memory.
In the figure, the attacker is splitting malicious packets into smaller packets that are transmitted
to the target host in an attempt to elude intrusion detection and prevention and make the target
host reassemble the packets.
Figure: Fragment reassembly timeout mismatch, sensor timeout = 15 sec., host timeout = 30 sec. At 0 seconds Frag 1 arrives and both the sensor and the host are waiting; at 15 seconds the sensor drops Frag 1; at 25 seconds Frag 2 arrives and the host reassembles the attack.
If the fragment reassembly timer of the sensor is less than the fragment reassembly timer of the
hosts that it is protecting, the sensor is vulnerable to a specific fragment attack.
In the figure, the attacker sends the first fragment and then waits 25 seconds before sending the
second fragment, which completes the packet. After 15 seconds, the sensor drops the first
fragment because of the fragment reassembly timer on the sensor, and misses detecting the
malicious code when the second fragment arrives.
Because the fragment reassembly timer of the victim was 30 seconds, it received both fragments, reassembled them, and processed them, leaving the victim vulnerable and the IPS sensor silent.
Figure: Fragment reassembly timeout mismatch, sensor timeout = 60 sec., host timeout = 30 sec. At 0 seconds Frag 2 and Frag 4 arrive and both the sensor and the host are waiting; at 35 seconds the host has dropped them while the sensor still holds them; at 45 seconds Frag 1 and Frag 3 arrive; at 65 seconds Frag 2 and Frag 4 arrive again and the host reassembles the attack.
A similar problem can occur if the fragment reassembly timer of the IPS sensor is longer than
the fragment reassembly timer of the host that it is protecting.
In the figure, the timer of the sensor is longer than the timer of the protected host. The attacker
sends fragments 2 and 4, carrying a false payload, from a packet that has been split into four
fragments. Both the sensor and the intended victim buffer these two fragments and wait for
fragments 1 and 3. After 30 seconds, the intended victim drops fragments 2 and 4, but the sensor
retains them in memory. Because the victim has not received fragment 1, it quietly drops fragments 2
and 4 and does not generate an Internet Control Message Protocol (ICMP) error message.
After 45 seconds, the attacker sends fragments 1 and 3, which complete the packet for the IPS
sensor. The intended victim sees these as the first two fragments of a packet, and buffers them.
When the attacker sends fragments 2 and 4 again at the 65-second mark, the sensor sees them
as the beginning of a new series of fragments, and the victim sees them as the conclusion of a
series of fragments which complete a packet. The sensor has been evaded.
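Both timer mismatches above (sensor shorter than host in the previous figure, sensor longer than host here) come down to the same mechanism: two independent reassembly buffers with different expiry rules receive the same fragments and complete different datagrams. The following Python model is an added example, not code from the Cisco course or its sensor software; the two timelines, timeouts and fragment numbers are the constructed values taken from the text, and a third run with matched timers shows the mitigation.

```python
"""Fragment reassembly timer mismatch, modelled in Python.

Added example, not code from the Cisco course. A sensor and a protected
host are modelled as independent reassembly buffers, each with its own
reassembly timeout, and both are fed the same constructed timeline of
fragment arrivals. Fragment numbers, timestamps and timeouts are the
constructed values from the two scenarios in the text.
"""


class Reassembler:
    """One party's fragment buffer for a single datagram of `total` fragments."""

    def __init__(self, timeout, total=4):
        self.timeout = timeout      # seconds a partial datagram is held
        self.total = total          # fragments needed to complete it
        self.started = None         # arrival time of the first buffered fragment
        self.have = {}              # fragment number -> arrival time

    def _expire(self, now):
        # The reassembly timer runs from the first fragment; when it fires,
        # every buffered fragment of the partial datagram is discarded.
        if self.started is not None and now - self.started > self.timeout:
            self.started, self.have = None, {}

    def receive(self, frag_no, now):
        """Buffer one fragment. Returns the completed fragment set, else None."""
        self._expire(now)
        if self.started is None:
            self.started = now
        self.have.setdefault(frag_no, now)
        if len(self.have) == self.total:
            done, self.started, self.have = self.have, None, {}
            return done
        return None


def run_timeline(sensor_timeout, host_timeout, events, total=4):
    """Feed (time, fragment number) events to sensor and host.

    Returns, for each party, the list of completed datagrams, each given as
    {fragment number: arrival time} so the two views can be compared.
    """
    parties = {"sensor": Reassembler(sensor_timeout, total),
               "host": Reassembler(host_timeout, total)}
    completed = {"sensor": [], "host": []}
    for now, frag_no in events:
        for name, party in parties.items():
            done = party.receive(frag_no, now)
            if done is not None:
                completed[name].append(done)
    return completed


# Scenario 1 (sensor timer shorter): two-fragment packet, second fragment
# delayed 25 s; sensor timeout 15 s, host timeout 30 s.
SHORT_TIMER = [(0, 1), (25, 2)]

# Scenario 2 (sensor timer longer): fragments 2 and 4 first, 1 and 3 at
# 45 s, 2 and 4 again at 65 s; sensor timeout 60 s, host timeout 30 s.
LONG_TIMER = [(0, 2), (0, 4), (45, 1), (45, 3), (65, 2), (65, 4)]


def main():
    print("sensor 15 s / host 30 s:", run_timeline(15, 30, SHORT_TIMER, total=2))
    print("sensor 60 s / host 30 s:", run_timeline(60, 30, LONG_TIMER))
    # Mitigation: matching the timers makes both views identical.
    print("sensor 30 s / host 30 s:", run_timeline(30, 30, LONG_TIMER))


if __name__ == "__main__":
    main()
```

run_timeline returns each party's completed datagrams as {fragment number: arrival time}, so the sensor's view in the second scenario (fragments 2 and 4 from 0 seconds joined with 1 and 3 from 45 seconds) can be compared with the host's (1 and 3 from 45 seconds joined with the resent 2 and 4 from 65 seconds); with equal timers the two lists are identical. The operational point is that the sensor's reassembly timeout should be set to match the hosts it protects rather than left at a default.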
[Figure: Resent Fragments. The attacker sends fragments 1, 2, and 3, then resends fragments 2 and 3 together with fragment 4; the Microsoft Windows XP host and the UNIX server each reassemble a different packet]
In their paper Active Mapping: Resisting NIDS Evasion Without Altering Traffic, Paxson and
Shankar indicate that different operating systems perform fragmentation reassembly differently.
They conclude that there are five different reassembly approaches.
In the example, the attacker carries out the attack by first breaking the malicious code into four
fragments. Fragments 1, 2, and 3 are sent and accepted by all operating systems.
The attacker then sends fragments 2, 3, and 4. Fragments 2 and 3 are different, but are marked
as if they are the same. The fragment offset, the packet length, and most of the other fields in
the IP header are not changed.
Different operating systems handle this situation differently. The Microsoft Windows operating
systems give preference to the first fragments labeled 2 and 3 and will process them along
with the uncontested fragments 1 and 4.
UNIX servers handle these situations differently. UNIX gives preference to the retransmitted
fragments labeled 2 and 3, and therefore, will process a completely different payload. If an IPS
sensor in the path takes the Microsoft Windows approach to fragment reassembly, it will miss
the attack against devices that use Cisco IOS Software. If the sensor takes the Cisco IOS
Software approach to fragment reassembly, it will miss the attacks against Microsoft Windows
devices.
[Figure: Overlapping Fragments; the offset of fragment 2 overwrites the last byte of fragment 1]
In addition to the class of fragmentation attacks that have been discussed, there is a class of
attacks involving overlapping fragments. In this class of attack, the offset values in the IP
header do not match up as they should, and therefore one fragment overlaps another. Once
again, different operating systems handle this situation differently.
In the example, the first fragment is received normally but the offset in the second fragment
overwrites the last byte of the first fragment. Therefore, the intended victim gets the HTTP
string: GET script.ida? (buffer overflow). If the IPS sensor in the path does not reassemble the
overlapping fragments in the same manner that the intended victim does, the IPS sensor will
miss the attack.
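The Resent Fragments case above and the overlapping-fragment case here are the same problem at two granularities: when two fragments claim the same bytes and disagree, the reassembled payload depends on whether the receiver prefers the first or the last data it saw. The following Python is an added example, not code from the Cisco course or from the Paxson and Shankar paper; fragments are constructed (byte offset, payload) pairs, the two policies are named "first" and "last" as the text describes them, and overlap_conflicts is a defender's check that reports ambiguous overlaps regardless of policy.

```python
"""Overlapping and resent fragments under different reassembly policies.

Added example, not code from the Cisco course. Fragments are constructed
(byte offset, payload) pairs; real IP fragment offsets are in 8-byte units,
which is ignored here so the overlap can be shown at byte granularity.
"""


def reassemble(frags, policy):
    """Rebuild the datagram from fragments.

    policy "first": data that arrived first wins on overlap (the behaviour the
    text attributes to Microsoft Windows).
    policy "last": data that arrived last wins (the behaviour the text
    attributes to UNIX for resent fragments).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}                                # byte offset -> byte value
    for offset, data in frags:
        for i, b in enumerate(data):
            pos = offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = b
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:
        raise ValueError("gap in datagram; fragments missing")
    return bytes(buf[i] for i in range(length))


def overlap_conflicts(frags):
    """Byte offsets covered by two fragments that disagree about the byte.

    A plain retransmission overlaps but agrees, so it produces no conflict;
    an ambiguous overlap is exactly the case where policy choice matters, and
    a sensor that cannot know the target's policy can alert or drop on it.
    """
    seen, conflicts = {}, set()
    for offset, data in frags:
        for i, b in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != b:
                conflicts.add(pos)
            seen.setdefault(pos, b)
    return sorted(conflicts)


# Constructed samples. AMBIGUOUS: the second fragment overlaps the first and
# carries different bytes. RETRANSMIT: the same fragment is simply sent twice.
AMBIGUOUS = [(0, b"GET /a.html"), (4, b"/b.html")]
RETRANSMIT = [(0, b"GET "), (4, b"/a.html"), (4, b"/a.html")]


def main():
    for name, frags in (("ambiguous", AMBIGUOUS), ("retransmit", RETRANSMIT)):
        print(name, "first:", reassemble(frags, "first"),
              "last:", reassemble(frags, "last"),
              "conflicts at:", overlap_conflicts(frags))


if __name__ == "__main__":
    main()
```

A sensor that cannot know which policy the target uses has two sound options, both visible in the functions: reassemble under the target host's known policy (what the Active Mapping approach enables), or treat any non-empty overlap_conflicts result as an alert or drop condition, since a plain retransmission never produces a conflict.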
Session Attacks
This topic describes how attackers use session attacks to avoid detection by intrusion detection
and intrusion prevention products.
Session Splicing
Attackers spread the malicious string across a number of packets,
without utilizing IP fragmentation.
This is usually done slowly, splicing the session into many more
packets than would ordinarily be required.
TCP segment reassembly is helpful in countering session
splicing.
Not all attempts at evasion leverage the fragmentation capabilities of the IP protocol.
Sometimes, hackers attempt to evade detection by fragmenting data at the application or
transport layer. An example of this type of fragmentation is session splicing.
An example of session splicing would be an application that sends unusually small datagrams
of one byte. By splintering the malicious code into multiple datagrams, any IPS sensor in the
path would have to be aware of the entire session to recognize the malicious code. The
challenge in defending against this type of attack is similar to defending against fragmentation
attacks at the network layer; the IPS sensor has to be aware of all of the traffic in the session,
buffer it, and then process it as a whole to detect the malicious behavior.
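As an added example (not code from the Cisco course or its sensor software), the following Python shows the difference between inspecting TCP segments one at a time and inspecting the reassembled stream when a string has been spliced into one-byte segments; the request, the signature string and the sequence numbers are constructed.

```python
"""Session splicing: per-segment matching versus TCP stream reassembly.

Added example, not code from the Cisco course. Segments are constructed
(sequence number, payload) tuples, not captured traffic; the signature string
and the request are also constructed.
"""

SIGNATURE = b"../../"            # constructed directory-traversal style signature
REQUEST = b"GET /../../secret HTTP/1.0\r\n"
ISN = 1000                       # constructed initial sequence number


def splice(data, size, isn=ISN):
    """Split a byte string into `size`-byte TCP segments with sequence numbers."""
    return [(isn + i, data[i:i + size]) for i in range(0, len(data), size)]


def match_per_segment(segments, sig):
    """What a sensor without stream reassembly does: inspect each segment alone."""
    return any(sig in payload for _, payload in segments)


def reassemble_stream(segments, isn=ISN):
    """Order segments by sequence number and concatenate contiguous data.

    Handles out-of-order delivery and exact duplicates; data beyond a hole
    (a missing segment) is left unconsumed, as a real reassembler would wait.
    """
    pending = {}
    for seq, payload in segments:
        pending.setdefault(seq, payload)
    out = bytearray()
    expected = isn
    while expected in pending:
        payload = pending.pop(expected)
        out += payload
        expected += len(payload)
    return bytes(out)


def match_stream(segments, sig, isn=ISN):
    """What a sensor with TCP stream reassembly does."""
    return sig in reassemble_stream(segments, isn)


def main():
    one_byte = splice(REQUEST, 1)
    print("per-segment match on 1-byte segments:", match_per_segment(one_byte, SIGNATURE))
    print("stream match on 1-byte segments:     ", match_stream(one_byte, SIGNATURE))
    # Out-of-order delivery does not change the reassembled stream.
    print("reassembled from reversed order:", reassemble_stream(list(reversed(one_byte))))


if __name__ == "__main__":
    main()
```

The cost of the stream approach is the buffering the text mentions: reassemble_stream holds every segment until the hole before it is filled, which is the state an attacker can try to exhaust with many slow, spliced sessions.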
Insertion Attacks
This topic describes how attackers use insertion attacks to avoid detection by intrusion
detection and intrusion prevention products.
Insertion Attack
The attacker attempts to insert data that is read only by the IPS
sensor.
Malicious data is sent, along with additional, harmless characters.
The combined data appears to be acceptable because it does not
match any of the IPS signatures.
The harmless characters are then dropped by the end system.
This leaves only the malicious data to be processed, and evades
detection by the IPS sensor.
An IPS sensor can accept a packet that an end system rejects. The sole purpose of this insertion
of data is to evade detection by the IPS system. In general, insertion attacks occur whenever an
IPS sensor is less strict in processing a packet than an end system. An obvious reaction to this
problem might be to make the IPS sensor as strict as possible in processing packets; this
minimizes insertion attacks.
[Figure: insertion attack; the IPS sees AXCTTXAKX]
In the figure, the attacker sends each packet with a single byte of data, and deliberately sets a
wrong User Datagram Protocol (UDP) checksum on the packets that carry an X. The IPS
allows these packets through, but the end system rejects each X when its UDP checksum fails, and
then the malicious string executes.
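The defence the text implies is that the sensor must apply the same acceptance test as the end system, here the UDP checksum. The following Python is an added example, not code from the Cisco course or the sensor software: it implements the RFC 768 UDP checksum over the IPv4 pseudo-header, builds a constructed series of one-byte datagrams in which every inserted X carries a bad checksum, and compares the byte stream an observer sees with and without verification. Addresses and ports are constructed values.

```python
"""Insertion via bad UDP checksums: the sensor must verify what the host verifies.

Added example, not code from the Cisco course. Implements the UDP checksum
of RFC 768 over the IPv4 pseudo-header and compares the payload stream an
observer accepts with and without checksum verification. Addresses and
ports are constructed values.
"""
import ipaddress
import struct

SRC, DST = "192.0.2.10", "192.0.2.20"   # constructed (RFC 5737 documentation range)
SPORT, DPORT = 40000, 7                  # constructed ports


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src, dst, sport, dport, payload):
    """RFC 768 checksum: pseudo-header + UDP header (checksum field 0) + data."""
    length = 8 + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 17, length))
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = 0xFFFF - ones_complement_sum(pseudo + header + payload)
    return csum or 0xFFFF          # a computed 0 is transmitted as all ones


def build_udp(payload, corrupt=False):
    """UDP header + payload; corrupt=True writes a wrong, non-zero checksum."""
    csum = udp_checksum(SRC, DST, SPORT, DPORT, payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF or 1
    return struct.pack("!HHHH", SPORT, DPORT, 8 + len(payload), csum) + payload


def udp_checksum_ok(src, dst, datagram):
    """True if the checksum verifies, or is 0 (meaning 'none', per RFC 768)."""
    sport, dport, _length, csum = struct.unpack("!HHHH", datagram[:8])
    if csum == 0:
        return True      # IPv4 hosts accept checksum-less UDP, so the sensor must too
    return csum == udp_checksum(src, dst, sport, dport, datagram[8:])


def stream_seen(datagrams, verify):
    """Concatenate payloads of the datagrams the observer accepts."""
    return b"".join(d[8:] for d in datagrams
                    if not verify or udp_checksum_ok(SRC, DST, d))


def build_sample():
    """Constructed test vector: each real byte followed by an inserted 'X'
    whose checksum is wrong, so only an observer that verifies drops it."""
    out = []
    for ch in b"ATTACK":
        out.append(build_udp(bytes([ch])))
        out.append(build_udp(b"X", corrupt=True))
    return out


def main():
    sample = build_sample()
    print("observer without checksum verification sees:", stream_seen(sample, verify=False))
    print("observer with checksum verification sees:   ", stream_seen(sample, verify=True))


if __name__ == "__main__":
    main()
```

One caveat the code encodes: a UDP checksum of zero means "not computed" for IPv4, and hosts accept such datagrams, so a sensor that rejected them would open the opposite gap, the evasion case described in the next topic. The general rule is that every validity check the end system applies, and no check it does not apply, belongs in the sensor.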
Evasion Attacks
This topic describes how attackers use evasion attacks to avoid detection by intrusion detection
and intrusion prevention products.
Evasion Attack
An evasion attack is similar to an insertion attack.
An evasion attack causes the IPS sensor to miss packets
that are intended for the end system.
Similar to the insertion attack, the IPS sensor sees a
different data stream than the end system.
This attack is done to bypass IPS sensors that are too strict
about processing.
Similar to an insertion attack, an evasion attack also attempts to have the IPS sensor see
different traffic than the intended victim. However, this time the sensor has to be tricked into
rejecting packets that the victim does not.
If a sensor is vulnerable to an evasion attack, either by configuration or flaw, it can be
devastating to the accuracy of a sensor. Entire sessions can be carried back and forth between
attacker and victim, and the sensor never sees any of it.
[Figure: evasion attack; the IPS sees ATTCK]
Evasion attacks are designed to get around signature-based solutions in a manner similar to
insertion attacks. The goal of the attacker is to cause the sensor to see a different data stream
than the intended victim, but this time the end system sees more data than the sensor.
In the example, the attacker sends a series of packets designed to have one or more packets
rejected by the sensor, but accepted by the intended victim. If successful, the sensor sees a
different data stream than the end system.
TTL-Based Attacks
This topic describes how attackers use Time to Live (TTL)-based attacks to avoid detection by
intrusion detection and intrusion prevention products.
[Figure: TTL-Based Attacks. Fragment 2 sent with TTL=1 is processed by the sensor and dropped at the next router; the end host keeps waiting until a second fragment 2 arrives before it can reassemble fragments 1, 2, and 3]
If an attacker has knowledge of the topology of the network of an intended victim, the attacker
can cause the IPS sensor to see a different data stream than the end system by manipulating the
TTL field in the IP header.
In the figure, the attacker sends a frame that the attacker does not want the end system to
receive. To accomplish this, the attacker sends a frame with a TTL set to a value that causes the
TTL to be 1 when the sensor receives it. If the TTL is 1 when the sensor receives the frame, the
frame expires on the next router, and the end system never receives it. In this way, the sensor
sees a different data stream than the end system. In our example, the Frag 2 packet with a TTL
of 1 is processed by the IPS sensor and then dropped by the router. Therefore, the receiving end
host does not see the Frag 2 TTL=1 packet and cannot perform packet reassembly until the
second Frag 2 packet arrives.
This strategy can be used in an insertion attack.
Encryption-Based Attacks
This topic describes how attackers use encryption-based attacks to avoid detection by intrusion
detection and intrusion prevention products.
[Figure: Encryption; an SSL session between the attacker and the target passes through the sensor]
Sensors monitor the network and capture the packets as they traverse the network. Network-based
sensors rely on the data being transmitted in plaintext. When packets are encrypted, the
sensor captures the data but is unable to decrypt it and cannot perform meaningful analysis.
This type of evasive technique assumes that the attacker has already established a secure
session with the target network or host. Here are some examples of secure sessions that can be
used:
A less subtle method of evading detection is through denial of service (DoS); it does not matter
if the DoS is against the device or the personnel managing the device. Tools such as Stick and
Snot can be used to create a tremendous number of alarms that consume the resources of the
IPS device and prevent attacks from being logged. Sometimes, these attacks can overwhelm the
management system server, database server, or out-of-band (OOB) network. These attacks
can also be successful if the only thing they overwhelm is the administrative staff that does not
have the time or skill necessary to investigate the numerous false alarms that have been
triggered.
Flooding
Intrusion detection and prevention systems rely on their ability to capture packets off the wire
and analyze them as quickly as possible. This ability requires the sensor to have adequate
memory capacity and processor speed. By flooding the network with noise traffic and causing
the sensor to capture unnecessary packets, the attacker can cause an attack to go undetected. If
the attack is detected, the sensor resources may be exhausted and thus unable to respond in a
timely manner. In the figure, the attacker is sending large amounts of traffic, as signified by the
larger pipe. Meanwhile, the actual attack is being sent to the target host, as represented by the
thin pipe that reaches the target host.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
Hackers employ a number of evasive techniques to avoid detection.
String matches are evaded by changing the string in a variety of ways such as
encoding changes, obfuscation, and encryption.
If the fragment reassembly timer of the sensor is either too long or too short, the
sensor can be vulnerable to fragmentation attacks.
Session splicing is an example of a session attack that splinters malicious code
into multiple, smaller datagrams to avoid detection.
Insertion attacks attempt to avoid detection by causing the sensor to see more
data than the end system.
Evasion attacks attempt to avoid detection by slipping packets past the sensor.
For TTL-based attacks to be effective, the attacker must have knowledge of the
network of the intended victims.
When a sensor captures encrypted data, it cannot perform meaningful analysis.
Flooding is an effective method to consume system resources and overwhelm
personnel with excessive alarms.
Module Summary
This topic summarizes the key points that were discussed in this module.
Module Summary
IDS systems passively observe traffic and alert on malicious traffic, while
IPS systems observe the same traffic but have the capability of denying
malicious traffic. Both IDS and IPS technologies can take a number of
strategies including anomaly-based, policy-based, signature-based, and
protocol analysis.
Cisco offers two types of IPS solutions, network-based and host-based,
which are complementary to each other.
SDEE is a standards-based communications protocol used by the latest
IPS products. RDEP2 is used for legacy communications between IPS
applications. Element management administers a single IPS sensor at a
time, while enterprise management administers multiple IPS sensors
simultaneously.
Attackers employ a variety of strategies to avoid detection including
fragmentation, resource exhaustion, encryption, insertion, attacks against
sessions, and string matches.
Intrusion prevention system (IPS) solutions are superior to intrusion detection system (IDS)
solutions because of the capability of IPS solutions to deny malicious traffic. IPS solutions can
take a number of approaches, which are different, and not equal. Policy-based solutions are the
most effective when configured correctly. The challenge comes in defining the policy.
Signature-based solutions are the least effective, but the easiest to deploy.
References
For additional information, refer to these resources:
Module 2
Module Objectives
Upon completing this module, you will be able to install and configure the basic settings on a
Cisco IPS 4200 Series Sensor. This ability includes being able to meet these objectives:
Install and initialize a Cisco IPS sensor appliance in the network using the CLI
Use the Cisco IDM to launch, navigate, manage, and monitor an IPS device
Lesson 1
Objectives
Upon completing this lesson, you will be able to install and initialize a Cisco IPS sensor
appliance in the network using the CLI. This ability includes being able to meet these
objectives:
Explain some of the administrative tasks that are done from the CLI
Explain some of the additional commands that are available from the CLI
The Cisco IPS Sensor Software Version 6.0 includes a full CLI. The IPS CLI resembles the
Cisco IOS Software CLI; however, it has fewer Cisco IOS configuration commands than the
Cisco IOS Software. It also has additional configuration modes and commands.
You can access the CLI of a sensor appliance via Telnet, Secure Shell (SSH), or a serial
interface connection. Enter your username and password at the login prompt. The default
username is cisco; and the default password is cisco. When you log in for the first time,
you are prompted to change the default password.
Note
The number of concurrent CLI sessions is limited, based on the platform. The Cisco IDS 4215
Sensor is limited to three concurrent CLI sessions. All other platforms allow 10 concurrent
sessions.
The CLI for Cisco IPS Sensor Software Version 6.0 permits multiple users to log in at one
time. You can create and remove users from the local sensor. You can modify only one user
account at a time. Each user is associated with a role that controls what that user can and cannot
modify.
The CLI supports four user roles: administrator, operator, viewer, and service. The privilege
levels for each role are different; therefore, the menus and available commands vary for each
role. More detail about the privileges of each user role is provided in the Configuring Basic
Sensor Settings lesson.
CLI Features
The Cisco IPS Sensor Software
Version 6.0 CLI includes the
following features:
Help
Tab completion
Command abbreviation
Command history
User interactive prompts
Help: Enter ? after the command to display command help. Help displays only commands
available in the current mode.
Tab completion: If you are unsure of the complete syntax for a command, enter a portion
of the command and press Tab to complete the command. If multiple commands match for
tab completion, nothing is displayed. The terminal repeats the line you entered. Only
commands available in the current mode will display by tab completion.
Command history: Use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N to
recall the commands entered in a mode. The recall list does not report Help and tab
complete requests.
User interactive prompts: The CLI displays user interactive prompts when the system
displays a question and waits for user input. The default input is displayed within brackets.
Press Enter to accept the default input.
The CLI is not case-sensitive, but it does echo the text exactly as you entered it. These steps
provide an example:
Step 1
Step 2
An interactive prompt, More, indicates that the terminal output exceeds the allotted
display space. Press the spacebar to display the next page of output, or press Enter to display
the output one line at a time. Press Ctrl-C to clear the contents of the current command line and
return to a blank command line.
You can usually disable features or functions by using the no form of a command. Use the
command without the keyword no to enable a disabled feature or function. For example, the
command ssh host-key ip_address adds an entry to the known hosts table while the command
no ssh host-key ip_address removes the entry from the known hosts table. Refer to the
individual commands for a complete explanation of the no form of that command.
Configuration commands that specify a default value in the configuration files can have a
default form of the command. The default form of a command returns the command setting to
the default value.
CLI Editing
Command   Description
Ctrl-A    Moves the cursor to beginning of line
Ctrl-B    Moves the cursor back one character
Ctrl-D    Deletes the character at the cursor
Ctrl-E    Moves the cursor to the end of the line
Ctrl-F    Moves the cursor forward one character
Ctrl-L    Clears the screen
Ctrl-V    Inserts a code to indicate to the sensor that the next keystroke is a command entry, not an editing key
Ctrl-W    Deletes the word to the left
Esc-B     Moves the cursor back one word
Esc-D     Deletes from the cursor to the end of the word
Esc-F     Moves the cursor forward one word
The CLI provides many editing capabilities. This table lists the editing keys available at the
CLI of a Cisco IPS.
CLI Editing Keys
Keys and Description
Tab
    This key completes a partial command name entry. When you type a unique set of
    characters and press Tab, the system completes the command name. If you enter a
    set of characters that could indicate more than one command, the system beeps to
    indicate an error. Enter a question mark (?) immediately following the partial command
    (no space). The system provides a list of commands that begin with that string.
Backspace
Enter
    At the command line, pressing Enter processes a command. At the ---More--- prompt
    on a terminal screen, pressing Enter scrolls down a line.
Spacebar
    The spacebar enables you to see more output on the terminal screen. Press the
    spacebar when you see the line ---More--- on the screen to display the next screen.
Left Arrow
    This key moves the cursor one character to the left. When you enter a command that
    extends beyond a single line, you can press the Left Arrow key repeatedly to scroll
    back toward the system prompt and verify the beginning of the command entry.
Right Arrow
Up Arrow or Ctrl-P
    This recalls commands in the history buffer, beginning with the most recent command.
    Repeat the key sequence to recall successively older commands.
Down Arrow or Ctrl-N
    This returns to more recent commands in the history buffer after recalling commands
    with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more
    recent commands.
Ctrl-A
    This key moves the cursor to the beginning of the command line.
Ctrl-B
    This key moves the cursor back one character.
Ctrl-D
    This key deletes the character at the cursor.
Ctrl-E
    This key moves the cursor to the end of the command line.
Ctrl-F
    This key moves the cursor forward one character.
Ctrl-K
    This key deletes all characters from the cursor to the end of the command line.
Ctrl-L
    This key clears the screen and redisplays the system prompt and command line.
Ctrl-T
    This key transposes the character to the left of the cursor with the character located at
    the cursor.
Ctrl-U
    This key deletes all characters from the cursor to the beginning of the command line.
Ctrl-V
    This key inserts a code to indicate to the system that the keystroke immediately
    following should be treated as a command entry, not as an editing key.
Ctrl-W
    This key deletes the word to the left of the cursor.
Ctrl-Y
    This key recalls the most recent entry in the delete buffer. The delete buffer contains
    the last 10 items you deleted or cut.
Ctrl-Z
    This key ends configuration mode and returns you to the EXEC prompt.
Esc-B
    This key moves the cursor back one word.
Esc-C
Esc-D
    This key deletes from the cursor to the end of the word.
Esc-F
    This key moves the cursor forward one word.
Esc-L
Esc-U
    This key capitalizes from the cursor to the end of the word.
CLI Uses
The CLI can be used to perform
the following :
Sensor initialization tasks
Configuration tasks
Administrative tasks
Troubleshooting
Sensor initialization tasks: These include such tasks as assigning the sensor IP address,
specifying trusted hosts, and creating user accounts.
Configuration tasks: These include such tasks as tuning signature engines and defining
the ports where web servers are running.
Administrative tasks: These include such tasks as backing up and restoring the current
configuration file.
CLI Modes
The CLI supports the following command modes. Each command mode provides access to a
subset of commands:
Privileged EXEC mode: Privileged EXEC mode is the first level of the CLI. You enter
privileged EXEC mode by logging into the CLI. The prompt sensorP# denotes privileged
EXEC mode.
Global configuration mode: Global configuration mode is the second level of the CLI.
You enter global configuration mode by first logging into the CLI and then typing
configure terminal. The prompt sensor(config)# denotes global configuration mode.
Service mode: Service mode is a generic command mode used to edit the configuration of
a service. A service is a related set of functionality provided by an IPS application. An IPS
application may provide more than one service. You can enter service mode from global
configuration mode by typing service <serviceName>, where serviceName identifies the
actual service that you are trying to access. The prompt sensor(config-ser)# denotes service
mode, where ser is the first three characters of the service name.
Multi-instance service mode: The signature definition service, event action rules service,
and anomaly detection service are multi-instance services. Their respective configuration
modes are as follows:
You can enter these modes from global configuration mode by typing service service-name
log-instance-name. The prompt sensor(config-log)# denotes the multi-instance service
mode, where log is the first three characters of the logical instance name. For example, this
command enters configuration mode for the logically named configuration, rules0:
sensorP(config)# service event-action-rules rules0
sensorP(config-rul)#
Note
There are currently only two valid logical instance names: rules0 for event action rules and
sig0 for signature definition.
You can use the exit command to exit any configuration mode or close an active terminal
session and terminate privileged EXEC mode. When you exit a service mode, you are
prompted to apply any modifications you have made within the service mode or any submodes
contained within it. If you answer yes, your changes are applied to the service immediately.
The first level of the CLI is the privileged EXEC mode. This mode enables you to perform such
tasks as initializing the sensor and displaying system settings. The example shows the
commands available in privileged EXEC mode to a user with administrator privileges:
sensorP# ?
anomaly-detection    Perform an action on the anomaly detection application
clear
clock
configure
copy
erase
exit
iplog
iplog-status
more
no
packet
ping
reset
setup
show
ssh
terminal
tls
trace
Note
The CLI supports the administrator, operator, service, and viewer user roles. The privilege
levels for each role are different; therefore, the menus and available commands vary for
each role. All help command output in this topic shows the commands available when you
are logged in as a user with the administrator role.
The second level of the CLI is global configuration mode. This mode enables you to perform
global configuration tasks such as creating user accounts. The example shows the commands
available in global configuration mode:
sensorP(config)# ?
banner
default
downgrade
end
exit
no                   Remove configuration
password
privilege
recover
service
show
ssh
tls
upgrade
username
Note
The Transport Layer Security (TLS) protocol is closely related to the Secure Sockets Layer
(SSL) protocol.
Service Mode
The service mode is a generic command mode. It enables you to enter configuration mode for
various services. The example shows the services that you can configure via their respective
service modes:
sensorP(config)# service ?
analysis-engine
anomaly-detection
authentication
event-action-rules
external-product-interface
host
interface
logger
network-access
notification
signature-definition
ssh-known-hosts
trusted-certificates
web-server
Within the service signature definition mode, you can perform such tasks as modifying
signatures and using the default command to reset signature settings to the default settings. The
example shows the commands available in service signature definition mode:
sensor(config)# service signature-definition sig0
sensor(config-sig)# ?
application-policy
default
exit
fragment-reassembly
ip-log               IP log configuration
no
show
signatures           Signature definitions
stream-reassembly
variables
Management Access
The methods that you can use to gain management access to a sensor are as follows:
Console port: Requires the use of the RS-232 cable provided with the sensor and a
terminal emulation program such as HyperTerminal.
Telnet: Requires an IP address that has been assigned to the command and control
interface via the CLI setup command, and Telnet access must be enabled on the sensor.
Telnet is disabled by default.
SSH: Requires an IP address that has been assigned to the command and control interface
via the CLI setup command and uses a supported SSH client. The SSH server in the sensor
is enabled by default.
HTTPS: Requires an IP address that has been assigned to the command and control
interface via the CLI setup command and uses a supported web browser. HTTPS is
enabled by default but can be disabled.
Note
You can perform the initial sensor appliance setup only via a console connection. After you
configure network settings, SSH and Telnet are available.
You perform sensor initialization tasks by using an interactive dialog that you initiate with the
setup command. The initialization tasks are as follows:
Assign an IP address and a subnet mask to the command and control interface
Add and remove access control list (ACL) entries that specify which hosts are allowed to
connect to the sensor
Note
If you later change the IP address of the sensor, you must generate a self-signed X.509
certificate. HTTPS communications need this certificate.
setup Command
You accomplish most of the initialization tasks by using the setup command of the sensor. It
walks you through the configuration of the hostname, IP address, netmask, gateway, and
communications options. After you enter the setup command, the default settings are
displayed. Press the spacebar to continue.
Enter yes to continue with the configuration dialog. Enter no to cancel the setup.
The figure shows the configuration dialog presented by the setup command. The configuration
dialog is a series of interactive prompts that enables you to configure these settings:
Note
The CLI prompt of the current session and other existing sessions do not update with the
new hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.
Telnet server status: You can disable or enable Telnet services. The default is disabled.
Web server port: The web server port is the TCP port used by the web server (1 to
65535). The default is 443. If you change the web server port, you must specify the port in
the URL address of your browser when you connect to Cisco IPS Device Manager (IDM),
in the format https://sensor_ip_address:port (for example, https://10.1.9.201:1040).
Network access lists: The network ACL specifies networks that are allowed to access the
sensor. If you answer yes when prompted to modify the network ACL, the current ACL
entries are displayed. You are then prompted to delete any existing entries. Enter the
number corresponding to the entry you want to delete. Repeat this step until you have
deleted all of the entries that you want to delete from the ACL. Pressing Enter without
entering a number retrieves the Permit prompt. You can then add entries to the list to
enable other hosts or networks to access the sensor. Enter the IP address and number of bits
in the netmask in the form X.X.X.X/nn to add a network address to the list. To add a single
host address, enter the IP address and use /32 for the netmask. Repeat this step until you
have entered all of the addresses that you want to add to the ACL. Pressing Enter at this
point without entering a number retrieves the prompt to modify the system clock settings.
System clock settings: Answering yes when prompted to modify the system clock
settings enables you to configure Network Time Protocol (NTP), summertime settings, and
the system time zone.
Note
You can also use the Cisco IDM to configure the system clock settings and the sensor
interfaces later.
Virtual sensor configuration: The virtual sensor interactive prompts enable you to
configure promiscuous interfaces and, if your platform supports inline functionality, inline
interface pairs.
Threat prevention configuration: There is an event action override that denies high-risk
network traffic with a risk rating of 90 to 100. Choosing this option gives you the ability to
disable this feature.
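The network access list step above decides which hosts can reach the sensor's SSH and HTTPS services, so before saving it is worth checking that the station you are configuring from is still permitted. The following Python is an added example, not part of the course material or Cisco's code; it replays the delete-by-number and X.X.X.X/nn add steps on a constructed sample ACL and flags a lockout.

```python
import ipaddress

# Constructed sample of the network ACL as the setup dialog would list it
# (example entries, not taken from the course material).
EXISTING_ACL = ["10.0.1.0/24", "192.168.50.0/24"]


def parse_acl_entry(entry):
    """Validate one entry in the X.X.X.X/nn form the setup dialog expects.

    A bare address is rejected: the dialog wants an explicit mask length,
    and a single host must be written with /32. Host bits under the mask
    are cleared, so 10.0.3.7/24 is stored as 10.0.3.0/24.
    """
    if "/" not in entry:
        raise ValueError(f"{entry!r}: use X.X.X.X/nn (a single host is /32)")
    net = ipaddress.ip_network(entry, strict=False)
    if net.version != 4:
        raise ValueError(f"{entry!r}: the sensor ACL takes IPv4 entries")
    return net


def build_acl(existing, delete_numbers, additions):
    """Replay the dialog: delete entries by their list number, then add new ones.

    delete_numbers holds the 1-based numbers shown next to the current entries,
    matching what you type at the delete prompt.
    """
    kept = [e for i, e in enumerate(existing, start=1) if i not in delete_numbers]
    acl = [parse_acl_entry(e) for e in kept]
    for entry in additions:
        net = parse_acl_entry(entry)
        if net not in acl:  # the same network twice adds nothing
            acl.append(net)
    return acl


def is_permitted(acl, host):
    """True if a management host falls inside any network ACL entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in acl)


def lockout_check(acl, my_station):
    """Warn when the station you are configuring from is not in the new ACL.

    Saving such an ACL over SSH or HTTPS would drop your own session; only
    the console would still reach the sensor.
    """
    if is_permitted(acl, my_station):
        return None
    return f"{my_station} is not covered by the ACL; save only from the console"


if __name__ == "__main__":
    acl = build_acl(EXISTING_ACL, {2}, ["10.0.2.11/32", "10.0.3.7/24"])
    print([str(n) for n in acl])
    print(lockout_check(acl, "192.168.50.7"))
```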
After you respond to the virtual sensor and threat prevention prompts, your configuration is
displayed. After the configuration displays, you are presented with these options:
If you choose [2] to save your configuration, you are prompted to modify the system date and
time. If you answer yes when prompted to modify the system date and time, the local date
prompt is displayed. Enter the date in the format YYYY-MM-DD. When presented with the
local time prompt, enter the time in 24-hour format.
You can use the ping command to diagnose basic network connectivity.
The syntax for the ping command is ping address [count].
ping Parameters
Command
Description
address
count
Tracing a Route
You can use the trace command to display the route that an IP packet takes to a destination.
The syntax for the trace command is trace address [number_of_hops].
trace Parameters
Command    Description
address
number_of_hops
Caution
There is no command interrupt available for this command. It must run to completion.
banner login
You can use the banner login command to create a login banner that is displayed before the
user and password login prompts. The maximum message length is 2500 characters. Use the no
banner login command to remove the banner.
Follow these steps to create a login banner:
Step 1
Step 2
Step 3
Step 4
Note
To insert a carriage return in the message, press Ctrl-V and then press Enter. The carriage
return is represented in the message by the characters ^M as you enter the message. The
characters ^M do not appear when the message is displayed at login.
show version
Use the show version command to display version information for all installed operating
system packages and signature packages. The show version command also displays this
information, which can be useful for troubleshooting:
Platform
Serial number
License information
Memory usage
Upgrade history
The recovery partition information is available for appliances only. The license information
follows the serial number and can be one of the following:
No license present
Partial output from the show version command on an IDS-4215 appliance follows:
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S243.0   2006-08-28
    Virus Update        V1.2     2005-11-04
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               IDS-4215
Serial Number:          88807464958
No license present
Sensor up-time is 1:37.
Using 202260480 out of 460161024 bytes of available memory (43% usage)
system is using 17.3M out of 29.0M bytes of available disk space (59% usage)
application-data is using 33.5M out of 166.8M bytes of available disk space (21% usage)
boot is using 35.4M out of 68.6M bytes of available disk space (54% usage)
application-log is using 528.6M out of 2.8G bytes of available disk space (20% usage)

MainApp          2006_Oct_31_15.11   (Release)   2006-10-31T16:01:42-0600   Running
AnalysisEngine   2006_Oct_31_15.11   (Release)   2006-10-31T16:01:42-0600   Running
CLI              2006_Oct_31_15.11   (Release)   2006-10-31T16:01:42-0600

Upgrade History:
  IDS-K9-6.0-0.222-E0.1
You can use the copy command to make a snapshot of a good configuration. This practice
allows you to copy the current configuration to a backup configuration and to restore the
current configuration from a backup.
The syntax for the copy command is as follows:
copy [/erase] source-url destination-url
copy iplog log-id destination-url
copy Parameters
Command
Description
/erase
source-url
destination-url
log-id
You can use keywords to designate the file location on the sensor. The keywords listed in the
table are supported.
Description
current-config
backup-config
iplog
Transfer a configuration to or from another host system using FTP or Secure Copy Protocol
(SCP).
Note
See the CLI reference document for the complete copy command specification.
Follow these steps to back up and restore the configuration of the sensor:
Step 1
Step 2
Enter the command more backup-config to verify the backed-up configuration file.
Step 3
You can use the more command to display the entire sensor configuration. You can also use
the more begin, more exclude, or more include commands to limit the output of the more
command.
The syntax for the more commands is more keyword [| {begin | exclude | include} filter].
more Parameters
Command    Description
keyword
begin      Causes the output to start with the first line that matches the filter
exclude    Causes the output to exclude all lines that match the filter
include    Causes the output to include only lines that match the filter
filter     A regular expression
The example shows a partial output from the more current-config command when you use the
command with no options:
sensorP# more current-config
! ------------------------------
! Current configuration last modified Wed Dec 13 11:46:29 2006
! ------------------------------
! Version 6.0(0.222)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S243.0   2006-08-28
!     Virus Update        V1.2     2005-11-04
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensorP
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service analysis-engine
exit
Note
You can also use the show configuration command to display the configuration.
Displaying Settings
Use the show settings command to display the contents of the configuration contained in the
current mode. This command is available in all of the service modes and is useful for
troubleshooting. For example, it facilitates the troubleshooting of blocking by enabling you to
view all settings for the Attack Response Controller (ARC).
The syntax for the show settings command is show settings [terse] [| {begin | exclude | include}
filter].
show Parameters
Command    Description
terse
begin      Causes the output to start with the first line that matches the filter
exclude    Causes the output to exclude all lines that match the filter
include    Causes the output to include only lines that match the filter
filter     A regular expression
sensorP(config-hos)# show settings
         network-address: 10.0.2.0/24
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
   time-zone-settings
   -----------------------------------------------
      offset: 0 minutes default: 0
      standard-time-zone-name: UTC default: UTC
   -----------------------------------------------
   ntp-option
   -----------------------------------------------
      disabled
      -----------------------------------------------
   -----------------------------------------------
   summertime-option
   -----------------------------------------------
      disabled
      -----------------------------------------------
   -----------------------------------------------
   auto-upgrade-option
   -----------------------------------------------
      disabled
      -----------------------------------------------
   -----------------------------------------------
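The begin, exclude, and include filters behave the same way for the more and show settings commands. The following Python is an added example, not part of the course material or Cisco's code; it applies those three filter semantics to a constructed excerpt in the shape of more current-config output and uses begin to pull one service block out of it.

```python
import re

# Constructed excerpt in the shape of `more current-config` output
# (sample lines, not output captured from a sensor).
SAMPLE_CONFIG = """\
! ------------------------------
! Version 6.0(0.222)
! ------------------------------
service host
network-settings
host-ip 10.0.1.4/24,10.0.1.2
host-name sensorP
ftp-timeout 300
exit
exit
! ------------------------------
service web-server
port 443
exit
! ------------------------------
service analysis-engine
exit
""".splitlines()

SEPARATOR = re.compile(r"^! -{5,}")  # the "! -----" line between service blocks


def apply_filter(lines, mode, pattern):
    """Apply the begin, exclude or include filter of the more / show settings commands.

    begin   - output starts at the first line that matches the regular expression
    exclude - every line that matches the regular expression is dropped
    include - only lines that match the regular expression are kept
    The filter is a regular expression and may match anywhere in the line.
    """
    rx = re.compile(pattern)
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []  # nothing matched: no output at all
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    raise ValueError(f"unknown filter mode {mode!r}")


def service_block(lines, service):
    """Return one service block, as you would read it with `more ... | begin`.

    Uses begin to jump to the `service <name>` line, then stops at the next
    separator so that only that service's settings come back.
    """
    rest = apply_filter(lines, "begin", rf"^service {re.escape(service)}\b")
    block = []
    for line in rest:
        if SEPARATOR.match(line):
            break
        block.append(line)
    return block


if __name__ == "__main__":
    for line in service_block(SAMPLE_CONFIG, "host"):
        print(line)
    print(apply_filter(SAMPLE_CONFIG, "include", r"^host-"))
```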
Displaying Events
Events are the data generated by the sensor applications, such as the alerts produced by the
SensorApp or errors caused by an application. There are currently four types of events:
All events are stored in the sensor Event Store. Events remain in the Event Store until they are
overwritten by newer events. It takes 30 MB of newer events to overwrite an existing event.
You can view events from the top-level prompt of the CLI using the show events command.
You can display new events, events from a specific time, and events of a specific severity.
The show events command displays the requested event types beginning at the requested start
time. If no start time is entered, the selected events are displayed beginning at the current time.
If no event types are entered, all events are displayed. Events are displayed as a live feed. You
can cancel the live feed by pressing Ctrl-C.
This command is helpful for troubleshooting event capture issues in which you are not seeing
events in the CiscoWorks Monitoring Center for Security, and you are trying to determine
which events are being generated on the sensor. A user with the administrator privilege can use
the clear events command to remove all events from the Event Store.
The syntax for the show events command is as follows:
show events [{[alert [informational] [low] [medium] [high] [include-traits traits]
[min-threat-rating min-rr] [max-threat-rating max-rr] [exclude-traits traits] | error [warning]
[error] [fatal] | log | NAC | status}] [hh:mm:ss month day [year] | past hh:mm:ss]
Note
The traits option is useful only if you configure the alert traits attribute for signatures. An
alert trait is a user-defined number for custom categorization of signatures.
show events Parameters
Command    Description
alert [informational] [low] [medium] [high]    Displays alerts
include-traits
exclude-traits
traits
min-threat-rating min-rr    Displays events with a threat rating above or equal to the min-rr value
max-threat-rating max-rr    Displays events with a threat rating below or equal to the max-rr value.
The valid range is 0 to 100. The default is 100.
log
NAC
status
hh:mm:ss
month
day
year
past
The example shows the output from the show events command:
sensorP# show events 10:00:00 jan 5 2007
evIdsAlert: eventId=1104929403483006063 severity=informational vendor=Cisco
  originator:
    hostId: sensorP
    appName: sensorApp
    appInstanceId: 374
  time: 2005/01/05 17:40:21 2005/01/05 17:40:21 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
    sigDetails: empty
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=OUT 10.0.1.11
  riskRatingValue: 23
  interface: fe0_1
  protocol: icmp
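To relate the alert fields above to the show events severity and rating filters, and to the 90 to 100 risk rating band that the setup dialog's threat prevention override acts on, here is an added Python example (not part of the course material or Cisco's code). It parses the indented evIdsAlert format from a constructed two-alert sample (the second alert, signature id 60000, is made up) and filters by severity and rating; because the listing shows riskRatingValue rather than a threat rating, the risk rating stands in for it.

```python
import re

# Constructed sample in the shape of the show events listing. The first alert
# mirrors the ICMP Echo Req alert above; the second (signature id 60000, in the
# custom-signature range) is made up to provide a high-rating case.
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1104929403483006063 severity=informational vendor=Cisco
  originator:
    hostId: sensorP
    appName: sensorApp
    appInstanceId: 374
  time: 2005/01/05 17:40:21 2005/01/05 17:40:21 UTC
  signature: description=ICMP Echo Req id=2004 version=1.0
    subsigId: 0
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=OUT 10.0.1.11
  riskRatingValue: 23
  interface: fe0_1
  protocol: icmp
evIdsAlert: eventId=1104929403483006064 severity=high vendor=Cisco
  time: 2005/01/05 17:41:03 2005/01/05 17:41:03 UTC
  signature: description=Constructed sample signature id=60000 version=1.0
    subsigId: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.2.11
    target:
      addr: locality=IN 10.0.1.20
  riskRatingValue: 95
"""

ATTR_RE = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")  # key=value pairs; values may hold spaces
ADDR_RE = re.compile(r"locality=(\w+)\s+(\S+)")    # addr: lines carry locality, then address
DENY_OVERRIDE_MIN_RR = 90  # risk rating at which the setup dialog's deny override applies


def parse_show_events(text):
    """Turn the indented show events listing into a list of nested dicts.

    Indentation gives the nesting. A value made of key=value pairs becomes a
    dict carrying those attributes; any other value is stored as a string leaf.
    """
    events, stack = [], []  # stack: (indent, dict) for each open container
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if indent == 0:  # a new event record starts in column 0
            node = {"type": key, **dict(ATTR_RE.findall(value))}
            events.append(node)
            stack = [(0, node)]
            continue
        while stack[-1][0] >= indent:  # close containers that have ended
            stack.pop()
        parent = stack[-1][1]
        if key == "addr":
            locality, address = ADDR_RE.match(value).groups()
            parent["addr"] = {"locality": locality, "address": address}
        elif value and "=" not in value:
            parent[key] = value  # plain leaf such as riskRatingValue: 23
        else:  # container, possibly with attributes of its own
            node = dict(ATTR_RE.findall(value))
            parent[key] = node
            stack.append((indent, node))
    return events


def risk_rating(event):
    return int(event.get("riskRatingValue", 0))


def filter_alerts(events, severities=None, min_rr=0, max_rr=100):
    """Select alerts as show events alert [severity...] [min-/max-threat-rating] would,
    with riskRatingValue standing in for the threat rating the listing does not show."""
    return [ev for ev in events
            if ev["type"] == "evIdsAlert"
            and (not severities or ev.get("severity") in severities)
            and min_rr <= risk_rating(ev) <= max_rr]


def would_hit_deny_override(event):
    """True if the risk rating falls in the 90 to 100 band the deny override acts on."""
    return risk_rating(event) >= DENY_OVERRIDE_MIN_RR


def summarize(event):
    """(eventId, severity, signature, attacker, target, risk rating) for one alert."""
    parts = event["participants"]
    return (event["eventId"], event["severity"], event["signature"]["description"],
            parts["attacker"]["addr"]["address"], parts["target"]["addr"]["address"],
            risk_rating(event))
```

Calling filter_alerts(parse_show_events(SAMPLE_EVENTS), min_rr=50) returns only the constructed high-rating alert, and would_hit_deny_override reports that it falls inside the override band.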
You can use the default command to reset the entire configuration for a service back to factory
defaults.
The syntax for the default command is as follows:
default service { analysis-engine | anomaly-detection | authentication | event-action-rules |
external-product-interface | host | interface | logger | network-access | notification |
signature-definition | ssh-known-hosts | trusted-certificates | web-server }
Description
analysis-engine
anomaly-detection
authentication
event-action-rules
external-product-interface
host
interface
logger
network-access
notification
signature-definition
ssh-known-hosts
trusted-certificates
web-server
Command                       Invalid Platforms
display-serial                IDSM-2, AIP-SSM-10, AIP-SSM-20, IPS-4215, IPS-4240 DC, IPS-4255
clock set                     IDSM-2, AIP-SSM-10, AIP-SSM-20
show inventory                IDSM-2, AIP-SSM-10, AIP-SSM-20, IPS-4235, IPS-4250 XL
show interfaces management    IDSM-2, AIP-SSM-10, AIP-SSM-20, IPS-4215, IPS-4235, IPS-4250 XL
Use the command display-serial to view messages on a remote console, using the serial port,
during the boot process. The local console is not available as long as this option is enabled.
Unless you set this option when you are connected to the serial port, you do not get any
feedback until Linux has fully booted and enabled support for the serial connection.
Use the clock set command to set the clock of the IPS device. You cannot set the clock of a
Cisco Catalyst 6500 Series Intrusion Detection System Module 2 (IDSM-2), Cisco Adaptive
Security Appliance Advanced Inspection and Prevention Security Services Module (ASA
AIP-SSM)-10, or ASA AIP-SSM-20, because these devices acquire their clock settings from the
Cisco Catalyst 6500 Series Switch or Cisco adaptive security appliance to which they are
attached. Alternatively, these devices can get their clock settings from an NTP server, but their
clocks cannot be set manually, separately from the parent device.
Use the show inventory command to display Cisco Product Evolution Program information.
This command displays the Unique Device Identifier (UDI) information that consists of
product identifier (PID), version identifier (VID), and serial number (SN) of the sensor.
To display statistics for the management interface, use the show interfaces management
command in privileged EXEC mode. This command works only with platforms that have an
external interface marked as Management. For all other platforms, use the show interfaces
command.
All of these new commands relate to the features that were added in Cisco IPS Sensor
Software Version 6.0, such as anomaly detection, operating system fingerprinting, and virtual
sensor configurations.
Summary
This topic summarizes the key points that were discussed in this lesson.
Cisco IPS Sensor Software Version 6.0 includes a full CLI, which
uses syntax similar to that of the Cisco IOS Software.
You can obtain management access to a sensor appliance by
attaching a console cable, or by using Telnet or SSH.
You can use the ping and trace commands from the CLI to test
network connectivity.
The CLI provides all of the necessary functionality to configure
and manage the sensor. It provides commands to verify the
configuration and system information, perform maintenance on
the sensor, and troubleshoot the sensor.
Lesson 2
Objectives
Upon completing this lesson, you will be able to use the Cisco IDM to launch, navigate,
manage, and monitor a Cisco IPS device. This ability includes being able to meet these
objectives:
Explain the features, benefits, and system requirements of the Cisco IDM
Configure SSH
Cisco IDM
Cisco IDM is a web-based application that enables you to configure, manage, and monitor the
sensor. The Cisco IDM web server resides on the sensor and can be accessed via your web
browser.
Cisco IDM is a web-based Java application that enables you to configure and manage your
sensor. The web server for Cisco IDM resides on the sensor. You can access it through the
Internet Explorer, Netscape, or Mozilla web browsers.
Cisco IDM enables you to perform these actions remotely:
The Cisco IDM GUI was designed to simplify sensor configuration, management, and
monitoring tasks. For example, you can use Cisco IDM to easily sort and view all signatures
currently stored on the sensor. You can sort by attack type, protocol, service, operating system,
action to be performed, engine, signature ID, or signature name.
The Cisco IDM also has a Custom Signature Wizard to assist you in creating new signatures.
The wizard guides you through the parameters that you must select to configure a custom
signature, including selection of the appropriate signature engine.
To provide security, the web server for Cisco IDM uses an encryption protocol known as
Transport Layer Security (TLS), which is closely related to the Secure Sockets Layer (SSL)
protocol. Cisco IDM is enabled by default to use TLS. When you enter a URL into your web
browser that starts with https://<sensor_ip_address>, the web browser responds by using the
TLS protocol to negotiate an encrypted session with the sensor. Although you can disable the
use of TLS, it is highly recommended that you use TLS because it provides security for
communications between the sensor and external systems. A secure TLS session begins with a
client initiating a TCP connection to an HTTPS server on the target host. TCP provides a
reliable stream transport, while TLS provides cipher and secret key negotiation, session privacy
and integrity, server authentication, and optional client authentication.
Cisco IDM HTTPS (TLS and SSL): HTTPS client and HTTPS server
TLS and SSL use a process called handshaking, which involves a number of coordinated
exchanges between a client and a server.
A trusted host certificate is used by the server to verify the identity of a connecting client.
A server certificate is used by the server to prove its identity to the client.
2007 Cisco Systems, Inc. All rights reserved.
Note
You can use the Cisco IDM to configure the sensor to use certificates for secure
communications as follows:
Generate a server certificate on the sensor for the sensor. The sensor uses its server
certificate to prove its identity to a client. This is the certificate the sensor returns when you
direct your web browser to connect with Cisco IDM.
Configure a list of trusted hosts. The sensor can use trusted host certificates to verify the
identity of a connecting client. Creating a list of trusted hosts configures the sensor to
accept the certificates of remote hosts. The trusted hosts list is useful in master blocking
sensor scenarios. Master blocking sensors are discussed in the Configuring Blocking
lesson in the Advanced Cisco IPS Configuration module.
Figure: Cisco IDM and sensor communication. Events (XML) are carried by SDEE over HTTPS;
configuration (XML) is carried by RDEP over HTTPS.
In Cisco Intrusion Detection System (IDS) Sensor Software Version 4.x, management and
monitoring applications interface with the sensor, using the Remote Data Exchange Protocol
(RDEP) to send and receive IDS data via HTTPS. Both IDS events and control transactions are
considered IDS data. Control transactions can be diagnostic data from an application or session
logs, or configuration data sent to or from an application.
Cisco IPS Sensor Software Version 6.0 communicates events using the Security Device Event
Exchange (SDEE) protocol; however, it still uses RDEP version 2 (RDEP2) for communicating
configuration and IP log information.
SDEE is a standardized IPS communications protocol developed by Cisco for the IDS
Consortium at the International Computer Security Association (ICSA) Labs. Through SDEE,
Cisco IPS Sensor Software Version 6.0 delivers a flexible, standardized application
programming interface (API) to the IPS sensor, facilitating the integration of third-party
management and monitoring solutions with the Cisco IPS solution. This feature gives users a
choice of third-party solutions to monitor events generated by Cisco IPS sensors.
IPS data is represented in Extensible Markup Language (XML) format as XML documents.
The sensor stores user-configurable parameters in several XML files. RDEP2 can use either
HTTP or HTTPS to transmit XML documents between the sensor and external systems. The
industry standards HTTP and HTTPS provide a standardized interface for the exchange of
XML documents. RDEP2 does not specify the schemas for the XML documents exchanged in
RDEP2 messages. The Intrusion Detection Configuration (IDCONF) data format standard
defines the XML messages used for configuration.
The SDEE standard specifies both the format of events and the protocols for communicating
the events. SDEE supports multiple protocols for communicating events but currently specifies
an HTTP-based protocol that is very similar to RDEP.
SDEE is an enhancement of RDEP. It adds extensibility features that are needed for
communicating events generated by various types of security devices. The Cisco Intrusion
Detection Event Exchange specifies Cisco IPS extensions to SDEE. The extensions add
information to the event format. Therefore, some items in an alert are specified by SDEE, and
some are Cisco Intrusion Detection Event Exchange extensions.
Both SDEE and RDEP2 use a pull communication model for event messages. The pull
communication model allows the management console to pull alerts at its own pace. In Cisco
IPS Sensor Software Version 6.0, alerts remain on the sensor until the 30-MB limit is met.
When the limit is met, alarms are overwritten.
The figure illustrates the following:
Events being pulled from the sensor to the Cisco IDM management console
Configuration files being transmitted between the sensor and the Cisco IDM management
console
System Requirements: browser Mozilla 1.7; 1024 x 768 resolution and 256 colors (minimum).
Cisco IDM runs in Java Plug-in, which by default allocates 64 MB of memory to Cisco IDM.
To ensure adequate memory for Cisco IDM, change the memory settings of Java Plug-in to 256
MB before using Cisco IDM. For detailed instructions on changing the Java Plug-in memory
size, refer to
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618948.html#wp1048697.
Note
The list of supported web browsers and operating systems does not imply that other
browsers and operating systems will not work. Check Cisco.com for the latest list of
supported operating systems and browsers.
Open a web browser and enter the sensor IP address. The default address is
10.1.9.201. Change this address to reflect your network environment when you
initialize the sensor.
https://<sensor_ip_address>
When you direct your browser to Cisco IDM, the sensor presents you with its server certificate
to prove its identity. Certificate validation fails because the sensor issues its own server
certificate: the sensor is its own CA, and that CA is not already in the list of CAs trusted by
your browser. When you receive the Security Alert message from your browser, you have three
options:
Click Yes to accept the certificate for the remainder of the web browsing session.
Click View Certificate to view the certificate and add the issuer identified in the certificate
to the list of trusted CAs of the web browser and trust the sensor server certificate until it
expires.
The most convenient option is to permanently trust the issuer. However, before you add the
issuer, use out-of-band (OOB) methods to examine the fingerprint of the certificate. This step
prevents you from being victimized by an attacker posing as a sensor. Confirm that the
fingerprint of the certificate appearing in your web browser is the same as the one on your
sensor. You can view the certificate fingerprint of the sensor by using the show tls fingerprint
command in the command-line interface (CLI) privileged EXEC mode. See Installing and
Using the Cisco Intrusion Prevention System Device Manager Version 6.0 at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html
for instructions on validating the certificate fingerprint for your web browser.
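The out-of-band fingerprint comparison described above, written out as an added example that is not part of the Cisco guide. It assumes the value copied from show tls fingerprint is displayed as an optional label followed by colon-separated hex (the lesson does not show the exact label), and that a client can fetch the certificate the sensor presents on port 443; SAMPLE_DER is constructed bytes, not a real certificate, so the comparison can be exercised offline.

```python
"""Out-of-band check of a sensor's TLS certificate fingerprint.

Added example, not Cisco code. Assumes the CLI shows the fingerprint as
"SHA1: AB:CD:..." or a bare colon-separated hex string (assumed formats).
"""
import hashlib
import hmac
import re
import socket
import ssl

_ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_fingerprint(text: str) -> str:
    """Reduce a displayed fingerprint to lowercase hex without separators."""
    token = re.split(r"[=\s]+", text.strip())[-1]   # drop a label such as "SHA1:"
    digest = token.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in _ALGORITHM_BY_HEX_LENGTH:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 fingerprint: {text!r}")
    return digest


def certificate_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """A fingerprint is the hash of the DER-encoded certificate, as browsers display it."""
    return hashlib.new(algorithm, der).hexdigest()


def colon_format(hex_digest: str) -> str:
    """Render hex in the AB:CD:EF... form used in certificate dialogs."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Constant-time comparison; the hash algorithm is inferred from the expected length."""
    wanted = normalize_fingerprint(expected)
    actual = certificate_fingerprint(der, _ALGORITHM_BY_HEX_LENGTH[len(wanted)])
    return hmac.compare_digest(actual, wanted)


def fetch_presented_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the DER certificate a server presents, without trusting it.

    Validation is switched off on purpose: the sensor is its own CA, so the
    only useful check is comparing the fingerprint with the value read from
    the sensor CLI over a separate channel.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_sensor(host: str, expected_fingerprint: str, port: int = 443) -> bool:
    """End-to-end check: fetch what the sensor presents and compare with the CLI value."""
    return fingerprint_matches(fetch_presented_certificate(host, port), expected_fingerprint)


# Constructed stand-in for a DER certificate (not a real certificate), used to
# exercise the comparison offline.
SAMPLE_DER = bytes(range(256)) * 4


if __name__ == "__main__":
    shown = "SHA1: " + colon_format(certificate_fingerprint(SAMPLE_DER))
    print(shown, fingerprint_matches(SAMPLE_DER, shown))
    print(fingerprint_matches(SAMPLE_DER, "00:" * 19 + "00"))
```

verify_sensor is the call a practitioner would make with the real sensor address and the value copied from show tls fingerprint; a False result means the certificate in the browser is not the one the sensor holds and the issuer must not be added to the trusted CA list.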
Step 2
Type your username and password at the prompt. The default username and
password are both cisco. You are prompted to change the password during sensor
initialization.
If you accept the certificate for the remainder of the web browsing session and log in, you are
presented with another security warning window, informing you that the sensor asserts that the
content is safe. Click Yes to continue, click No to abort the session, or click Always to always
trust the sensor. If you choose Always, this warning is not presented the next time that you log
into the Cisco IDM on this sensor.
If you click Yes to continue, you are presented with another security warning window
informing you that Cisco asserts that the content is safe. Click Yes to continue, click No to
abort the session, or click Always to always trust Cisco. If you choose Always, this warning
does not appear the next time that you log into the Cisco IDM on this sensor.
If you change the hostname of the sensor, a new certificate is generated the next time that the
sensor is rebooted. The next time that your web browser connects to Cisco IDM, you will
receive the security warning dialog boxes and you will need to perform the certificate
fingerprint validation for Internet Explorer, Netscape, and Mozilla.
Figure: Cisco IDM toolbar (Refresh, Back, and Help buttons).
The Cisco IDM user interface consists of File and Help menus, Configuration and Monitoring
buttons, whose menus open in the left-hand table of contents (TOC) pane, and the
Configuration panel on the right-hand side of the page. These four right-hand buttons appear
next to the Configuration and Monitoring buttons:
Forward: Returns you to the page that you were viewing when you clicked the Back
button
To configure the sensor, click Configuration and use the TOC in the left-hand pane to choose
the component that you want to configure. To monitor the sensor, click Monitoring and use the
TOC in the left-hand pane to choose the component that you want to monitor.
New configurations do not take effect until you click Apply on the panel you are configuring.
Click Reset to discard current changes and return settings to their previous state for that panel.
The Cisco IDM provides online documentation to assist in the configuration of the sensor. To
access online help, choose Help from the Cisco IDM toolbar. The Cisco IDM help content
displays in a new window.
Figure: Network panel fields (Hostname, IP Address, Network Mask, Default Route, Remote
Access, Web Server Settings, and Reset).
You must initialize the sensor by using the CLI setup command before you can use
Configuration > Sensor Setup in the Cisco IDM to further configure the sensor. After you
initialize the sensor, you will be able to communicate with the Cisco IDM, and the network and
communication parameter values will appear on the Network panel. If you must change these
parameters, you can do so from the Network panel, which you can access as follows: choose
Configuration > Sensor Setup > Network. The following fields and check boxes are available
on the Network panel.
Hostname: This is the name of the sensor. The hostname can be a string of one to 64
characters that matches the pattern ^[A-Za-z0-9_/-]+$. The default is sensor. You receive
an error message if the name contains a space or exceeds 64 alphanumeric characters.
Network Mask: This is the mask corresponding to the IP address. The default is
255.255.255.0.
Default Route: This is the default gateway address. The default is 10.1.9.1.
Enable TLS/SSL: This enables TLS and SSL in the web server. The default is enabled.
Web Server Port: This is the TCP port used by the web server. The default is 443 for
HTTPS. You receive an error message if you enter a value out of the range of 1 to 65535.
Enable Telnet: This enables or disables Telnet for remote access. Telnet is not a secure
access service and, therefore, is disabled by default. However, Secure Shell (SSH) is
always running on the sensor and is a secure service.
If you want to undo your changes, click Reset. This action refreshes the panel by replacing any
edits that you made with the previous value. Click Apply to apply your changes and save the
revised configuration.
Note
Changing the network settings can disrupt your connection to the sensor and force you to
reconnect.
Installation of a Cisco IPS 4200 Series Sensor
SSH Communications: SSH client to SSH server (sensor CLI)
The client key (SSH authorized key) enables the client to connect without password
authentication.
The server key (SSH host key) is used by the sensor to prove its identity to the client.
SSH is one method that you can use to connect to the CLI in the sensor. SSH provides strong
authentication and secure communications over channels that are not secure. SSH provides
protection from the following:
IP spoofing
IP source routing
Note
Here are ways that you can configure the sensor to use SSH-secured communications:
Define SSH authorized keys: SSH can authenticate hosts by using passwords or Rivest,
Shamir, and Adleman (RSA) public keys. You can use the Cisco IDM to define public keys
used by clients to log into the sensor with RSA authentication. These are the public keys of
SSH clients permitted access to the sensor.
Generate an SSH host key for the sensor: The sensor uses its SSH host key to prove its
identity to connecting SSH clients. When connecting to the sensor, the SSH client uses the
host key of the sensor to ensure that it is connecting to the sensor rather than a device
impersonating the sensor to capture your password when you log in. The sensor generates
an SSH host key the first time that it starts up. However, you might want to generate a new
key to prevent SSH connections from certain clients.
Define SSH known host keys: The sensor uses SSH known host keys when using SSH to
log into a blocking device. Blocking is discussed in the Configuring Blocking lesson in
the Advanced Cisco IPS Configuration module.
Figure: Sensor Key panel (Generate Key button).
To display the SSH host key of the sensor, choose Configuration > Sensor Setup > SSH >
Sensor Key. The Sensor Key panel displays the sensor SSH host key. To generate a new sensor
SSH host key, complete these steps:
Step 1
Caution
The new key replaces the existing key, which requires you to update the known hosts tables
on remote systems with the new host key so that future connections succeed. You can
update the known hosts tables on remote systems from the Known Host Keys panel.
Step 2
Click OK to continue. A new host key is generated, and the old host key is deleted.
You are prompted to reboot the sensor.
Step 3
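The host-key behaviour described in the two passages above (the SSH host key proving the sensor's identity, and the known hosts tables that must be updated after Generate Key) as an added example that is not Cisco code. It builds an OpenSSH-format public key line from constructed bytes (not a real key pair), computes the fingerprints a client displays, and shows the state a known_hosts record goes through when the sensor's key is regenerated; the address 10.1.9.201 is the lesson's default sensor address.

```python
"""SSH host key handling around a sensor key regeneration.

Added example, not Cisco code. Key bytes are constructed, not real keys.
"""
import base64
import hashlib
import struct

KEY_TYPE = b"ssh-ed25519"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_public_key_line(raw_key: bytes, comment: str = "sensor") -> str:
    """Wire-format blob (key type + key bytes), base64-encoded as in authorized_keys."""
    blob = _ssh_string(KEY_TYPE) + _ssh_string(raw_key)
    return f"{KEY_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str):
    """Return (key_type, blob); reject lines whose blob disagrees with the declared type."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH's default display: SHA-256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 display (ssh-keygen -E md5)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_line(host: str, public_key_line: str) -> str:
    """The record a client keeps after accepting a host's key."""
    key_type, blob = parse_public_key_line(public_key_line)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def host_key_status(known_hosts_text: str, host: str, presented_line: str) -> str:
    """'match', 'changed' or 'unknown' for the key a host now presents versus the record.

    'changed' is the condition a client raises after the sensor generated a new
    host key: the record must be replaced before connections succeed again.
    """
    _, presented = parse_public_key_line(presented_line)
    for entry in known_hosts_text.splitlines():
        parts = entry.split()
        if len(parts) >= 3 and parts[0] == host:
            return "match" if base64.b64decode(parts[2]) == presented else "changed"
    return "unknown"


# Constructed key material (not real keys): the original sensor host key and
# the one produced after Generate Key and the reboot.
OLD_KEY_LINE = build_public_key_line(bytes(range(32)), "sensor-old")
NEW_KEY_LINE = build_public_key_line(bytes(range(1, 33)), "sensor-new")
SENSOR_HOST = "10.1.9.201"   # default sensor address used in this lesson


def demo():
    known_hosts = known_hosts_line(SENSOR_HOST, OLD_KEY_LINE)
    before = host_key_status(known_hosts, SENSOR_HOST, NEW_KEY_LINE)   # 'changed'
    refreshed = known_hosts_line(SENSOR_HOST, NEW_KEY_LINE)             # replace the record
    after = host_key_status(refreshed, SENSOR_HOST, NEW_KEY_LINE)       # 'match'
    return before, after


if __name__ == "__main__":
    _, blob = parse_public_key_line(NEW_KEY_LINE)
    print(sha256_fingerprint(blob), md5_fingerprint(blob), demo())
```

The fingerprint a client shows on first connection, or after a 'changed' result, is what should be compared against the key displayed on the Sensor Key panel before the new record is accepted.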
Figure: Reboot Sensor panel (Reboot Sensor button).
Step 2
Step 3
Click OK to shut down and restart the sensor. The sensor applications shut down,
and the sensor reboots. After the reboot, you must log back in.
There is a 30-second delay during which users who are logged into the CLI are notified that the
sensor applications are going to shut down.
Figure: Shut Down Sensor panel (Shut Down Sensor button).
Shutting down the sensor shuts down the IPS applications and puts the sensor in a state in
which it is safe to power it off. Complete these steps to shut down the sensor:
Step 1
Choose Configuration > Shut Down Sensor. The Shut Down Sensor panel is
displayed.
Step 2
Click Shut Down Sensor. The Shut Down Sensor dialog box appears.
Step 3
Click OK. When you click OK, the sensor applications shut down, and any open
connections to the sensor are closed.
There is a 30-second delay during which users who are logged into the CLI are notified that the
sensor applications are going to shut down.
Summary
This topic summarizes the key points that were discussed in this lesson.
The Cisco IDM is a web-based Java application that enables you to configure and manage your
sensor.
You can access the web server for the Cisco IDM via Internet Explorer, Netscape, or Mozilla
web browsers.
You can use the Cisco IDM to configure and manage both TLS certificates and SSH keys. SSH
can be used to securely connect to the sensor CLI.
You can use the Cisco IDM to reboot the sensor.
Lesson 3
Objectives
Upon completing this lesson, you will be able to use the Cisco IDM to configure basic sensor
settings. This ability includes being able to meet these objectives:
Configure the interfaces of a Cisco IPS sensor in promiscuous and inline mode
Figure: Sensor Setup > Allowed Hosts panel (Add button).
The setup command interactive dialog prompts you to permit hosts or networks to access the
sensor. If you do not permit hosts or networks, no hosts are able to communicate with your
sensor. In Cisco IPS Sensor Software Version 6.0, all inbound packets on the command and
control interface are denied except for the following:
After using the setup command to initialize the sensor and permit a management host to access
it, you can use the Cisco IDM to permit additional hosts or networks to access the sensor. This
process creates an access list and is referred to as creating allowed hosts.
Complete these steps to specify hosts and networks that have permission to access your sensor:
Step 1
Click Configuration and choose Sensor Setup > Allowed Hosts. The Allowed
Hosts panel is displayed.
Step 2
Click Add to add a host or network to the list. The Add Allowed Host window
opens. You can add up to 512 allowed hosts.
Step 3
Enter the IP address of the host or network in the IP Address field. You receive an
error message if the IP address is already included as part of an existing list entry.
Step 4
If you are adding a host as an allowed host, choose 255.255.255.255 from the
Network Mask drop-down menu. If you are adding a network, choose the mask that
corresponds to the network IP address from the Network Mask drop-down menu.
You receive an error message if the network mask does not match the IP address.
Step 5
Click OK. The new host or network appears in the allowed hosts list on the Allowed
Hosts panel.
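The checks the Add Allowed Host procedure describes (a mask that must match the address, rejection of an entry already covered by an existing entry, the 512-entry limit) and the access decision they produce, as an added example that is not Cisco code. It generalizes slightly: it also reports existing entries that a new, wider entry would make redundant, which the lesson does not say the sensor rejects, so that case is only reported. The addresses are the lesson's defaults (10.1.9.201 on 10.1.9.0/24) and are used as constructed input.

```python
"""Validation rules for the sensor's allowed-hosts list.

Added example, not Cisco code; models the Add Allowed Host window checks.
"""
import ipaddress

MAX_ALLOWED_HOSTS = 512


def validate_new_entry(entries, ip, mask):
    """Return an error message for (ip, mask), or None when it may be added."""
    if len(entries) >= MAX_ALLOWED_HOSTS:
        return f"allowed hosts list is full ({MAX_ALLOWED_HOSTS} entries)"
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return f"{ip!r} is not a valid IPv4 address"
    try:
        # strict=True refuses host bits under the mask, e.g. 10.1.9.5 with 255.255.255.0
        candidate = ipaddress.IPv4Network((ip, mask), strict=True)
    except ValueError:
        return f"network mask {mask} does not match IP address {ip}"
    for existing in entries:
        if candidate.subnet_of(existing):
            return f"{candidate.with_netmask} is already included in {existing.with_netmask}"
    return None


def add_allowed_host(entries, ip, mask):
    """Append the entry after validation; raise ValueError with the panel-style message."""
    error = validate_new_entry(entries, ip, mask)
    if error:
        raise ValueError(error)
    network = ipaddress.IPv4Network((ip, mask), strict=True)
    entries.append(network)
    return network


def build_list(pairs):
    """Build a list from (ip, mask) pairs in order, applying every check."""
    entries = []
    for ip, mask in pairs:
        add_allowed_host(entries, ip, mask)
    return entries


def is_host_allowed(entries, source_ip):
    """Access decision for an inbound packet on the command and control interface."""
    address = ipaddress.IPv4Address(source_ip)
    return any(address in network for network in entries)


def redundant_entries(entries, ip, mask):
    """Existing entries that a new, wider entry would cover (informational only)."""
    candidate = ipaddress.IPv4Network((ip, mask), strict=True)
    return [e.with_netmask for e in entries if e != candidate and e.subnet_of(candidate)]


if __name__ == "__main__":
    # Constructed input: the management host permitted during setup, then the whole subnet
    entries = build_list([("10.1.9.201", "255.255.255.255")])
    print(validate_new_entry(entries, "10.1.9.5", "255.255.255.0"))       # mask mismatch
    print(redundant_entries(entries, "10.1.9.0", "255.255.255.0"))        # the /32 becomes redundant
    add_allowed_host(entries, "10.1.9.0", "255.255.255.0")
    print(validate_new_entry(entries, "10.1.9.201", "255.255.255.255"))  # already included
    print(is_host_allowed(entries, "10.1.9.7"), is_host_allowed(entries, "192.0.2.1"))
```

An empty list denies every source, which is the state the lesson warns about if no host is permitted during setup.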
Time Considerations
The sensor must have a reliable time source so that events display correct time stamps.
Otherwise, you cannot correctly analyze the logs after an attack.
For sensor appliances, you can set the time in two ways:
Manually
By using NTP (recommended)
For the Cisco Catalyst 6500 Series IDSM-2, the time setting must be configured from a parent
device or NTP. Manually setting the time is not allowed.
For AIP-SSM-10 and AIP-SSM-20, the time setting must be provided by the Cisco ASA adaptive
security appliance or NTP. Manually setting the time is not allowed.
The sensor requires a reliable time source. All events must have the correct Coordinated
Universal Time (UTC) and local time stamp. Otherwise, you cannot correctly analyze the logs
after an attack. For sensor appliances, there are two ways to set the time:
Use the clock set command from the Cisco IDM command-line interface (CLI) to
manually set the time
Use NTP
It is recommended that you configure your sensor to get its time from an NTP time
synchronization source. If you use NTP, you will need the NTP server IP address, the NTP key
ID, and the NTP key value. You can set up NTP on the appliance during initialization, or you
can configure NTP on the Time panel in the Cisco IDM.
Note
The Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2 (IDSM-2)
and the Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security
Services Module 10 and 20 (Cisco ASA AIP-SSM-10 and Cisco ASA AIP-SSM-20) must
obtain their time from the switch or firewall in which they are installed, or from an NTP
server.
The sensor does not allow you to save a bad NTP configuration because the ntpdate utility of
the sensor tests the NTP authentication keys when you attempt to apply an NTP configuration.
If the ntpdate utility produces an error, MainApp reruns ntpdate with a debug option.
MainApp then parses the debug output and returns a meaningful error such as one of the
following:
After configuring NTP, you can use the show statistics host command to confirm your NTP
configuration and see if the sensor is synchronized with the NTP server. It can take a few
minutes for the sensor to synchronize with the NTP server. The example shows output of the
show statistics host command:
sensor# show statistics host
. . .
NTP Statistics
  remote           refid         st t when poll reach   delay   offset  jitter
  11.22.33.44      CHU_AUDIO(1)   8 u   36   64     1   0.536    0.069   0.001
  LOCAL(0)         73.78.73.84    5 l   35   64     1   0.000    0.000   0.001
  ind assID status conf reach auth condition last_event cnt
             f014   yes   yes  ok    reject     reachable
    2 10373  9014   yes   yes  none  reject     reachable
After a few minutes, the output should show the status synchronized as seen in the following
output:
sensor# show statistics host
...
NTP Statistics
  remote           refid         st t when poll reach   delay   offset  jitter
                                      22   64   377  33.465    0.000   0.001
                                                      0.000
  ind assID status conf reach auth condition last_event cnt
             f624   yes   yes  ok    sys.peer   reachable
    2 10373  9024   yes   yes  none  reject     reachable
  status = Synchronized
The show clock command displays the system clock. The system clock indicates whether the
time is authoritative or believed to be accurate. If the system clock has been set by NTP, the
time is believed to be accurate. In the following output, the asterisk indicates that the time is not
authoritative:
sensor# show clock
*12:19:22 CST Sat Dec 04 2004
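The following is an added example, not part of the Cisco guide, that reads the NTP Statistics section of show statistics host output and reports why a sensor clock should not yet be trusted. The two sample outputs are constructed in the standard ntpq column layout that the sensor output follows and are not captures from a sensor; the "Not Synchronized" status wording for the unsynchronized case is an assumption.

```python
"""Reading the NTP Statistics section of `show statistics host`.

Added example, not Cisco code. Sample outputs are constructed.
"""

# Constructed: shortly after applying NTP, one poll answered and nothing selected yet.
SAMPLE_UNSYNCED = """\
sensor# show statistics host
. . .
NTP Statistics
  remote           refid         st t when poll reach   delay   offset  jitter
  11.22.33.44      CHU_AUDIO(1)   8 u   36   64     1   0.536    0.069   0.001
  LOCAL(0)         73.78.73.84    5 l   35   64     1   0.000    0.000   0.001
  ind assID status conf reach auth condition last_event cnt
    1 10372  f014   yes   yes  ok    reject     reachable   1
    2 10373  9014   yes   yes  none  reject     reachable   1
  status = Not Synchronized
"""

# Constructed: a few minutes later, eight consecutive polls answered, server chosen as sys.peer.
SAMPLE_SYNCED = """\
sensor# show statistics host
...
NTP Statistics
  remote           refid         st t when poll reach   delay   offset  jitter
  11.22.33.44      CHU_AUDIO(1)   8 u   22   64   377  33.465    0.000   0.001
  LOCAL(0)         73.78.73.84    5 l   35   64   377   0.000    0.000   0.001
  ind assID status conf reach auth condition last_event cnt
    1 10372  f624   yes   yes  ok    sys.peer   reachable   2
    2 10373  9024   yes   yes  none  reject     reachable   2
  status = Synchronized
"""


def parse_ntp_statistics(output):
    """Split the section into peer rows, association rows and the status line."""
    peers, associations, status, section = [], [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("status ="):
            status = line.split("=", 1)[1].strip()
        elif line.startswith("remote "):
            section = "peers"
        elif line.startswith("ind "):
            section = "associations"
        else:
            parts = line.split()
            if section == "peers" and len(parts) == 10:
                peers.append({"remote": parts[0], "refid": parts[1], "stratum": int(parts[2]),
                              "type": parts[3], "when": parts[4], "poll": int(parts[5]),
                              "reach": parts[6], "delay": float(parts[7]),
                              "offset": float(parts[8]), "jitter": float(parts[9])})
            elif section == "associations" and len(parts) == 9:
                associations.append({"ind": int(parts[0]), "assid": int(parts[1]),
                                     "status": parts[2], "conf": parts[3], "reach": parts[4],
                                     "auth": parts[5], "condition": parts[6],
                                     "last_event": parts[7], "cnt": int(parts[8])})
    return {"peers": peers, "associations": associations, "status": status}


def reach_successes(reach):
    """reach is an octal shift register of the last 8 polls; 377 means all 8 answered."""
    return bin(int(reach, 8)).count("1")


def sync_problems(parsed):
    """Reasons the sensor clock should not yet be trusted (empty when everything is fine)."""
    problems = []
    if parsed["status"] != "Synchronized":
        problems.append(f"clock status is {parsed['status']!r}")
    if not any(a["condition"] == "sys.peer" for a in parsed["associations"]):
        problems.append("no association has been selected as sys.peer")
    for peer, assoc in zip(parsed["peers"], parsed["associations"]):
        if peer["remote"].startswith("LOCAL"):
            continue   # the local clock driver is a fallback, not the configured server
        answered = reach_successes(peer["reach"])
        if answered < 8:
            problems.append(f"{peer['remote']}: only {answered} of the last 8 polls answered")
        if assoc["auth"] != "ok":
            problems.append(f"{peer['remote']}: NTP key authentication is {assoc['auth']}")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_UNSYNCED, SAMPLE_SYNCED):
        parsed = parse_ntp_statistics(sample)
        print(parsed["status"], sync_problems(parsed))
```

The auth column matters on a sensor because NTP is configured with a key ID and key value; a server whose association shows auth none is answering polls but not authenticating them.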
Figure: Time panel (Standard Time Zone, Time, Summertime, NTP Server, Apply, Reset, and
Apply Time to Sensor).
You can use the Time panel to configure the date, time, time zone, and summertime, or
daylight saving time (DST), settings. You can also use the Time panel to specify whether the
sensor uses an NTP server for its time source. Complete these steps to configure time on the
sensor:
Step 1
Click Configuration and choose Sensor Setup > Time. The Time panel is
displayed.
Step 2
Under Time, use the Date drop-down menus to choose the current month, day, and
year. Date indicates the current date on the sensor. The default is January 1, 1970.
You receive an error message if the day value is out of range for the month.
Note
The Date and Time fields are disabled if the sensor does not support these fields, or if you
have configured NTP settings on the sensor.
Step 3
Under Time, enter the current time in the Time fields in the format hh:mm:ss. Time
indicates the current time on the sensor. The default is 00:00:00. You receive an
error message if the hours, minutes, or seconds are out of range.
Caution
If you accidentally specify the incorrect time, stored events will have the wrong time stamp.
Step 4
Step 5
If you want to configure the sensor to use an NTP server as its time source, complete
these substeps by entering the required information under NTP Server:
1. Enter the IP address of the NTP server in the IP Address field.
2. Enter the key of the NTP server in the Key field.
3. Enter the key ID of the NTP server in the Key ID field. This is a value from 1 to
65535, used to authenticate with the NTP server. You receive an error message
if the key ID is out of range.
Note
If you define an NTP server, an NTP server sets the time on the sensor. The CLI clock set
command will produce an error, but time zone and DST parameters are valid.
Step 6
Figure: Configure Summertime window (End Time and Summertime Duration).
If you choose Enable Summertime and then click Configure Summertime in the Time panel,
the Configure Summertime window opens. To continue configuring summertime settings,
complete these steps:
Step 7
Choose a Summer Zone Name from the drop-down menu, or enter one that you have
created. This name displays when DST is in effect. You receive an error message if
the name exceeds 2047 alphanumeric characters or contains <, &, , or . The default
Summer Zone Name is UTC.
Step 8
In the Offset field, enter the number of minutes to add during summertime. The
default is 0. If you choose a predefined summer zone name, this field is
automatically populated.
Step 9
In the Start Time field, enter the time at which you want to begin applying
summertime settings. The value is hh:mm. You receive an error message if the hours
or minutes are out of range.
Step 10
In the End Time field, enter the time at which you want to stop using summertime
settings. The value is hh:mm. You receive an error message if the hours or minutes
are out of range.
Step 11
Complete these substeps by using the Summertime Duration radio buttons and drop-down menus:
1. Choose one of these radio buttons: Recurring or Date.
2. Use the Start and End drop-down menus to choose the start and end days. If you
chose the Recurring radio button, the default is the first Sunday in April and the
last Sunday in October. If you chose the Date radio button, the default is January
1 for the start and end time.
Step 12
Step 13
Click Apply to save your settings. This action applies changes to all fields on the Time panel except the date and time. If you changed the time and date settings, you must also click Apply Time to Sensor to save the time and date settings on the sensor.
Note
If you set the time incorrectly when you first configure the options in the time page, your stored
events will have the incorrect time because they are stamped with the time that the event was
created. The Event Store time stamp is always based on UTC. If, during the original sensor
setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do
correct the error, the corrected time will be set backward. New events could have times older
than old events.
For example, if, during the initial setup, you configure the sensor as central time with summertime enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 Central Daylight Time (CDT), which has an offset from UTC of minus 5 hours (01:04:37 UTC the next day). A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m., and the clock now shows 09:01:33 CDT. Because the offset from UTC has not changed, the UTC time must now be 14:01:33 UTC, which creates the time-stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive
of the older events by using the clear events command from the CLI.
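The following Python model is an added example, not part of the Cisco guide: it replays the 8:00 p.m./8:00 a.m. scenario above in UTC, as the Event Store records it, and shows the check an operator can run over stored time stamps to find events that are newer than their predecessors but carry an older stamp. The calendar dates are constructed; only the times of day and the CDT offset come from the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Central Daylight Time, the zone used in the guide's example (UTC minus 5 hours).
CDT = timezone(timedelta(hours=-5), "CDT")


@dataclass
class SensorClock:
    """Constructed model of the sensor's wall clock.

    `error` is how far the displayed local time runs ahead of the true local
    time. The Event Store stamps every event with the UTC equivalent of the
    *displayed* time, so the error is baked into every stored event.
    """
    error: timedelta

    def displayed(self, true_local: datetime) -> datetime:
        return true_local + self.error

    def event_stamp(self, true_local: datetime) -> datetime:
        # Event Store time stamps are always UTC.
        return self.displayed(true_local).astimezone(timezone.utc)


def find_regressions(stamps):
    """Return (index, gap) for each event whose stamp is earlier than the one before it.

    A non-empty result is the signature of the problem the guide describes:
    after a clock correction, newer events carry older time stamps.
    """
    regressions = []
    for i in range(1, len(stamps)):
        if stamps[i] < stamps[i - 1]:
            regressions.append((i, stamps[i - 1] - stamps[i]))
    return regressions


def guide_scenario():
    """Replay the guide's example: 8:00 p.m. entered instead of 8:00 a.m. (12 hours fast)."""
    wrong = SensorClock(error=timedelta(hours=12))
    corrected = SensorClock(error=timedelta(0))
    # Dates are constructed; only the times of day come from the guide.
    stamps = [
        # Initial setup: true time 08:04:37 CDT, displayed 20:04:37 CDT.
        wrong.event_stamp(datetime(2007, 4, 2, 8, 4, 37, tzinfo=CDT)),
        # One week later, an event just before the operator notices the error.
        wrong.event_stamp(datetime(2007, 4, 9, 8, 59, 0, tzinfo=CDT)),
        # The clock is corrected and now displays 09:01:33 CDT.
        corrected.event_stamp(datetime(2007, 4, 9, 9, 1, 33, tzinfo=CDT)),
        # Normal operation after the correction.
        corrected.event_stamp(datetime(2007, 4, 9, 9, 5, 0, tzinfo=CDT)),
    ]
    return stamps, find_regressions(stamps)


if __name__ == "__main__":
    stamps, regressions = guide_scenario()
    for stamp in stamps:
        print(stamp.isoformat())
    for index, gap in regressions:
        print(f"event {index} is stamped {gap} earlier than event {index - 1}")
```

The first stamp comes out as 01:04:37 UTC on the following day and the post-correction stamp as 14:01:33 UTC, matching the guide; the event recorded just before the correction is stamped almost 12 hours later than the one recorded just after it, which is why the older events must be cleared.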
Server Certificate
Figure: Server Certificate panel (Certificates > Server Certificate, Generate Certificate)
The sensor generates a server certificate when it first starts. The Server Certificate panel in
Cisco IDM displays the self-signed X.509 certificate. You can generate a new self-signed
X.509 server certificate from this panel. To display the server certificate of the sensor, click
Configuration and choose Sensor Setup > Certificates > Server Certificate. The server
certificate displays in the Server Certificate panel.
To generate a new certificate, complete these steps:
Step 1
Click the Generate Certificate button within the Server Certificate panel. A dialog
box containing this warning is displayed:
Generating a new server certificate requires you to verify the
new fingerprint the next time you connect or when you add the
sensor as a trusted host. Do you want to continue?
Caution
Write down the new fingerprint. You will need it later to verify what displays in your web browser when you connect, or when you are adding the sensor as a trusted host.
Step 2
Click OK to continue. A new server certificate is generated, and the old server certificate is deleted.
Note
The IP address of the sensor is included in its server certificate. If you change the IP address of the sensor, you must generate a new server certificate.
Trusted Hosts
Figure: Trusted Hosts panel (Add)
The Trusted Hosts panel lists all of the trusted host certificates. You can add entries to the list,
or delete them, but you cannot edit them.
Complete these steps to add trusted hosts:
Step 1
Click Configuration and choose Sensor Setup > Certificates > Trusted Hosts.
The Trusted Hosts panel is displayed.
Step 2
Click Add to add a trusted host to the list. The Add Trusted Host window opens.
Step 3
Enter the IP address of the trusted host you are adding in the IP Address field.
Step 4
(Optional) Use the Port field to specify the port number where the trusted host
certificate can be obtained.
Step 5
Click OK. The Cisco IDM retrieves the certificate from the host whose IP address
you entered. The new trusted host appears in the trusted hosts list within the Trusted
Hosts panel.
Verify that the fingerprint is correct by comparing the displayed values with values you obtain
via a secure connection to the trusted host. If you find any discrepancies in the values, delete
the trusted host immediately.
User Accounts
Users access a sensor by logging into a user account. Multiple user accounts can be created on a sensor. Each user account is associated with a role that determines the privileges of the user. The following roles can be assigned to an account:
Administrator
Operator
Viewer
Service
You must log into a user account to access a sensor. You can create and remove users from the
sensor. Each user is associated with a role that controls what that user can and cannot modify
on the sensor. You can assign these roles to an account:
Administrator: This user role has the highest level of privileges. Users with the
administrator role have unrestricted view access and can perform these functions:
Tuning signatures
Operator: This user role has the second highest level of privileges. Users with the operator
role can view all configuration and events and perform these functions:
Tuning signatures
Viewer: This user role has the lowest level of privileges. Users with the viewer role can
view configuration and events; however, they cannot modify any configuration data except
their own passwords.
Service: This is a special role that allows the user to log into a native operating system
shell.
Note
Caution! Do not make modifications to the sensor through the service account except under the direction of the TAC.
The service role is a special one that allows the Cisco Technical Assistance Center (TAC) to
log into a native operating system shell for troubleshooting purposes. The service role is
intended to support troubleshooting only and is not intended to support configuration.
The sensor allows only one user account to have the service role. By default, the service
account does not exist on a sensor; you must create it, and you should create it for the TAC to
use during troubleshooting. Only a user with administrator privileges can create and edit the
service account.
The user with the service role cannot log into the Cisco IDM and does not have direct access to
the CLI. At the CLI login prompt, the user with the service role is logged directly into a bash
shell. Root access to the sensor is possible only if you log into the service account and use the
su command to access the root account. When the password of the service account is set or
reset, the password of the root account is automatically set to the same password. This enables
the service account user to use the su command to access the root account using the same password.
When the service account is removed, the password of the root account is locked.
Do not make modifications to the sensor through the service account except under the direction
of the TAC. Modifications to the sensor via the service account are considered unauthorized
modifications, are not supported, and require the sensor to be reimaged to guarantee proper
operation.
To add a user account, complete these steps:
Step 1
Click Configuration and choose Sensor Setup > Users. The Users panel is displayed.
Step 2
Step 3
Step 4
Choose one of these options from the User Role drop-down menu:
Administrator
Operator
Viewer
Service
Step 5
Enter the password for the user in the Password field. A valid password is 6 to 32
characters long. All characters except a space and a question mark (?) are allowed.
Step 6
Step 7
Figure: Users panel (Delete, Apply, Reset)
When you click OK in the Add User window, the new user account is displayed in the Users
panel. The Role column displays the role of the user, and the Status column displays the
account status, such as active, expired, or locked.
Step 8
Click Apply to apply your changes and save the revised configuration.
To delete an existing account from the user list, choose the account and click Delete. To edit an
existing user account, choose the account from the users list and click Edit. The Edit User
dialog box appears, enabling you to change the user role and password. To change the
password, you must first choose Change the Password to access the sensor, which is available
only in the Edit User window.
Note
If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits that you made with the previously configured value.
Each sensor has only one command and control interface, but you can configure up to nine
monitoring interfaces, depending on the type of sensor that you have. Multiple interfaces enable
simultaneous protection of multiple network subnets.
By default, all monitoring interfaces are disabled. You must enable the monitoring interfaces
for the sensor to monitor your networks. You do not need to enable all interfaces. Enable only
those interfaces that you want to use. In addition to enabling the interfaces, you must assign
them to the default virtual sensor.
Figure: sensor interface names (Cisco Sensor: FastEthernet0/0, GigabitEthernet0/0, GigabitEthernet0/1, Management0/0; Cisco Catalyst 6500 Series IDSM-2: GigabitEthernet0/2)
Monitoring Interfaces
Monitoring interfaces are used by the sensor to analyze traffic for security violations. Monitoring interfaces can operate in one of four modes:
Promiscuous mode
Inline interface mode
Inline VLAN pair mode
VLAN group mode
The sensor uses monitoring interfaces to analyze traffic for security violations. A sensor has
one or more monitoring interfaces depending on the sensor. Monitoring interfaces can operate
individually in promiscuous mode, or you can pair them to create inline interfaces for inline
monitoring mode.
Note
On appliances, all monitoring interfaces are disabled by default. You must enable them to
use them. On modules, the monitoring interfaces are permanently enabled.
Some appliances support optional Peripheral Component Interconnect (PCI) interface cards that
add monitoring interfaces to the sensor. You must insert or remove these optional cards while
the sensor is powered off. The sensor detects the addition or removal of a supported interface
card.
If you remove an optional PCI card, some of the interface configuration, such as speed, duplex,
description string, enabled or disabled state of the interface, and any inline interface pairings, is
deleted. These settings are restored to their default settings when the card is reinstalled.
However, the assignment of promiscuous and inline interfaces to the Analysis Engine is not
deleted from the Analysis Engine configuration. Instead, this configuration is ignored until
those cards are reinserted and you re-create the inline interface pairs.
Promiscuous Mode
Figure: promiscuous mode on a Cisco IPS 4215 Sensor (copies of packets are delivered to the monitoring interfaces; the command and control interface is separate)
You can allow the monitoring interfaces to operate in promiscuous mode, as shown in the
figure, or you can pair the monitoring interfaces into logical interfaces called inline pairs for
inline sensor operation. When operating in promiscuous mode, monitoring interfaces do not
have IP addresses assigned to them and are therefore invisible to attackers. This behavior
enables the sensor to monitor the data stream without letting attackers know that they are being
watched.
In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of
the monitored traffic rather than the actual forwarded packet. The advantage of operating in
promiscuous mode is that the sensor does not affect the packet flow. There are no performance
or reliability issues with the forwarded traffic. The disadvantage of operating in promiscuous
mode, however, is that the sensor cannot stop malicious traffic from reaching its intended
target. The response actions implemented by promiscuous sensors are post-event responses and
sometimes require assistance from other networking devices, such as routers and firewalls, to
respond to an attack. A sensor operating in promiscuous mode cannot prevent attacks but can
react to them.
If your sensor has three or more monitoring interfaces, you can also combine inline and
promiscuous mode. With four or more interfaces, you can have two separate inline feeds. The
combinations are flexible. The only rule is that inline mode requires a pair of interfaces.
If the same traffic enters the sensor on multiple interfaces, you may have trouble. The sensor
may generate duplicate alerts for non-TCP traffic. For TCP traffic, you can receive many 13xx
alerts or TCP stream collisions resulting in no alert.
Figure: inline mode on a Cisco 4200 Series Sensor (packets pass through a pair of monitoring interfaces; the command and control interface is separate)
Operating a sensor in inline mode puts the sensor directly into the traffic flow and enables it to
prevent attacks by dropping malicious traffic before it reaches the intended target. With the
sensor operating in inline mode, as shown in the figure, all packets entering or leaving the
network must pass through the sensor.
You can install the sensor inline between two network devices, as shown in the figure. The
network devices could include routers, switches, or firewalls. If you install the sensor between
two switches, you might want to check to see if spanning tree is running and which, if any,
ports it is blocking. When you install the sensor between two switches that are connected by a
crossover cable, the switch ports that connect the two switches remain in a forwarding state
until the sensor starts up inline. When the sensor goes inline, spanning tree blocks the direct
cable crossover and sends packets through the sensor.
For a sensor to operate in inline mode, you must configure two monitoring interfaces as a pair.
The inline port pair operates in a transparent Layer 2 repeater mode in which packets entering
one interface of the port pair are transmitted out the other interface of the port pair, unless a
defined signature action results in a packet being dropped. The inline interfaces are transparent
and do not have IP addresses.
Note
The Cisco ASA AIP-SSM does not need an inline pair for monitoring. You need only to add the physical interface to the virtual sensor.
An inline sensor not only processes information on Layer 3 and Layer 4 but also analyzes the
contents and payload of the packets for more sophisticated, embedded Layer 3 to Layer 7
attacks. This deeper analysis enables the system to identify and prevent attacks that would
normally pass through a traditional firewall device.
The following are the only restrictions on interfaces in an inline pair:
This table shows the interfaces listed by Cisco IPS sensor model that can be part of an inline
pair.
Inline Interface Support

Cisco Sensor | Optional PCI card | Interfaces Supporting Inline | Interfaces Not Supporting Inline
(model not shown) | none | None | All
(model not shown) | 4FE | FastEthernet0/1, FastEthernet1/0, FastEthernet1/1, FastEthernet1/2, FastEthernet1/3 | FastEthernet0/0
Cisco IPS 4240 Sensor | none | GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3 | Management0/0
Cisco IPS 4255 Sensor | none | GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3 | Management0/0
Cisco IPS 4260 Sensor | none | None | All
Cisco IPS 4260 Sensor | TX (GE) | GigabitEthernet1/0, GigabitEthernet1/1, GigabitEthernet1/2, GigabitEthernet1/3 | GigabitEthernet0/0, GigabitEthernet0/1
Cisco IPS 4260 Sensor | TX + TX | GigabitEthernet1/0, GigabitEthernet1/1, GigabitEthernet1/2, GigabitEthernet1/3, GigabitEthernet2/0, GigabitEthernet2/1, GigabitEthernet2/2, GigabitEthernet2/3 | GigabitEthernet0/0, GigabitEthernet0/1
Cisco IPS 4260 Sensor | SX | GigabitEthernet1/0, GigabitEthernet1/1 | GigabitEthernet0/0, GigabitEthernet0/1
Cisco IPS 4260 Sensor | SX + SX | GigabitEthernet1/0, GigabitEthernet1/1, GigabitEthernet2/0, GigabitEthernet2/1 | GigabitEthernet0/0, GigabitEthernet0/1
Known as inline-on-a-stick
Supported on all Cisco sensor products except the AIP-SSM-10 and AIP-SSM-20
Functions as an 802.1Q trunk, bridging traffic between VLANs
Figure: inline VLAN pair on an IPS appliance (Gig 0/2 trunk; VLAN 10 paired with VLAN 11)
You can associate VLANs in pairs on a physical interface. This configuration is known as inline-on-a-stick. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. Inline VLAN pairs are supported on all sensors that are compatible with Cisco IPS Sensor Software Version 6.0 except the AIP-SSM-10 and AIP-SSM-20.
Inline VLAN pair mode is an active monitoring mode where a monitoring interface acts as an
IEEE 802.1Q trunk port, and the sensor performs VLAN bridging between pairs of VLANs on
the trunk. The sensor inspects the traffic that it receives on each VLAN in each pair, and can
either forward the packets on the other VLAN in the pair, or drop the packet if an intrusion
attempt is detected.
You can configure a Cisco IPS sensor to simultaneously bridge up to 255 VLAN pairs on each
monitoring interface. The sensor replaces the VLAN ID field in the 802.1Q header of each
received packet with the ID of the egress VLAN to which the sensor forwards the packet. The
sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs.
Note
Inline VLAN pairs are supported on Cisco IPS Sensor Software Version 5.1 or higher.
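The following Python model is an added example (not Cisco's code) of the forwarding rules just described for one trunk monitoring interface in inline VLAN pair mode: a frame tagged with a paired VLAN has only the 12-bit VID in its 802.1Q header rewritten to the egress VLAN, a frame on a VLAN that belongs to no pair is dropped, and a simulated signature verdict can drop the frame instead of forwarding it. The frames, MAC addresses and the `inspect` callback are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100             # EtherType value that marks an 802.1Q tag
MAX_PAIRS_PER_INTERFACE = 255   # limit stated in the guide


class InlineVlanPairs:
    """Constructed model of one trunk monitoring interface in inline VLAN pair mode."""

    def __init__(self):
        self._peer = {}  # VLAN ID -> paired VLAN ID, stored in both directions

    def add_pair(self, vlan_a, vlan_b):
        if vlan_a == vlan_b:
            raise ValueError("a VLAN cannot be paired with itself")
        for vid in (vlan_a, vlan_b):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} is not a valid 802.1Q VLAN ID")
            if vid in self._peer:
                raise ValueError(f"VLAN {vid} already belongs to an inline VLAN pair")
        if len(self._peer) // 2 >= MAX_PAIRS_PER_INTERFACE:
            raise ValueError("interface already carries 255 inline VLAN pairs")
        self._peer[vlan_a] = vlan_b
        self._peer[vlan_b] = vlan_a

    def bridge(self, frame, inspect=lambda payload: True):
        """Return the frame as transmitted on the egress VLAN, or None if the sensor drops it.

        `inspect` stands in for signature inspection: it receives the payload and
        returns False when a signature action calls for the packet to be dropped.
        """
        if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
            return None  # untagged or truncated: not on any VLAN assigned to a pair
        tci = struct.unpack("!H", frame[14:16])[0]
        ingress_vid = tci & 0x0FFF
        egress_vid = self._peer.get(ingress_vid)
        if egress_vid is None:
            return None  # VLAN not assigned to an inline VLAN pair: dropped
        if not inspect(frame[18:]):
            return None  # intrusion attempt detected: dropped
        # Replace only the VID; keep the PCP and DEI bits of the original tag.
        new_tci = (tci & 0xF000) | egress_vid
        return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def build_frame(vid, payload=b"", pcp=0):
    """Build a constructed 802.1Q-tagged Ethernet frame with an IPv4 EtherType."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200c0ffee01")  # constructed locally administered MAC
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + b"\x08\x00" + payload


def vid_of(frame):
    """VLAN ID carried in a tagged frame, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


if __name__ == "__main__":
    pairs = InlineVlanPairs()
    pairs.add_pair(10, 11)  # the pair shown in the guide's figure
    forwarded = pairs.bridge(build_frame(10, b"payload", pcp=5))
    print("VLAN 10 -> VLAN", vid_of(forwarded))
    print("VLAN 12 ->", pairs.bridge(build_frame(12, b"payload")))  # None: dropped
```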
You can divide each physical interface or inline interface into VLAN group subinterfaces,
where each subinterface consists of a group of VLANs on that interface. The Analysis Engine
supports multiple virtual sensors, each of which can monitor one or more of these
subinterfaces. This feature lets you apply multiple policies to the same sensor. The advantage
of this feature is that it allows you to use a sensor with only a few interfaces as if it had many
interfaces.
Note
You cannot divide physical interfaces that are in inline VLAN pairs (on-a-stick mode) into
VLAN groups.
VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No
VLAN can be a member of more than one VLAN group subinterface. Each VLAN group
subinterface is identified by a number between 1 and 255.
Subinterface 0 is a reserved subinterface number used to represent the entire nonvirtualized
physical or logical interface. You cannot create, delete, or modify subinterface 0, and no
statistics are reported for it. An unassigned VLAN group is maintained that contains all VLANs
that are not specifically assigned to another VLAN group. You cannot directly specify the
VLANs that are in the unassigned group. When a VLAN is added to or deleted from another
VLAN group subinterface, the unassigned group is updated.
Packets in the native VLAN of an 802.1Q trunk do not normally have 802.1Q encapsulation
headers to identify the VLAN number to which the packets belong. A default VLAN variable is
associated with each physical interface, and you should set this variable to the VLAN number
of the native VLAN or to 0. The value 0 indicates that the native VLAN is either unknown or
that you do not care if it is specified. If the default VLAN setting is 0, the following occurs:
Any alerts triggered by packets without 802.1Q encapsulation have a VLAN value of 0
reported in the alert.
Non-802.1Q-encapsulated traffic is associated with the unassigned VLAN group, and it is not possible to assign the native VLAN to any other VLAN group.
Note
You can configure a port on a switch as either an access port or a trunk port. On an access
port, all traffic is in a single VLAN called the access VLAN. On a trunk port, multiple VLANs
can be carried over the port, and each packet has a special header attached called the
802.1Q header that contains the VLAN ID (VID). This header is commonly referred to as the
VLAN tag. However, an 802.1Q trunk port has a special VLAN called the native VLAN.
Packets in the native VLAN do not have the 802.1Q headers attached. The Cisco Catalyst
6500 Series IDSM-2 can read the 802.1Q headers for all nonnative traffic to determine the
VID for that packet. However, the Cisco Catalyst 6500 Series IDSM-2 does not know which
VLAN is configured as the native VLAN for the port, so it does not know in which VLAN the
native packets are. Therefore, you must tell the Cisco Catalyst 6500 Series IDSM-2 which
VLAN is the native VLAN for that port. Then the Cisco Catalyst 6500 Series IDSM-2 treats
any untagged packets as if they were tagged with the native VID.
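The following Python model is an added example (not Cisco's code) of the VLAN group rules from this section: subinterface numbers run from 1 to 255 with 0 reserved, a VLAN may belong to at most one group, VLANs left out of every group fall into an implicitly maintained unassigned group, and untagged native-VLAN packets are either reported as VLAN 0 and left unassigned (default VLAN 0) or treated as tagged with the configured native VID. The VLAN numbers follow the figure's vlan-group x and vlan-group y; the subinterface numbers are constructed.

```python
class VlanGroups:
    """Constructed model of VLAN group subinterfaces on one physical or inline interface."""

    def __init__(self, default_vlan=0):
        # 0 means the native VLAN is unknown or the operator does not care about it.
        if not 0 <= default_vlan <= 4094:
            raise ValueError("default VLAN must be 0 or a VLAN ID from 1 to 4094")
        self.default_vlan = default_vlan
        self._groups = {}  # subinterface number -> set of VLAN IDs

    def owner(self, vid):
        """Subinterface number that holds `vid`, or None if it is in the unassigned group."""
        for subif, vlans in self._groups.items():
            if vid in vlans:
                return subif
        return None

    def create(self, subif, vlans):
        """Create VLAN group subinterface `subif` holding `vlans`."""
        if subif == 0:
            raise ValueError("subinterface 0 is reserved for the whole interface")
        if not 1 <= subif <= 255:
            raise ValueError("subinterface numbers run from 1 to 255")
        if subif in self._groups:
            raise ValueError(f"subinterface {subif} already exists")
        vlans = set(vlans)
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} is not a valid VLAN ID")
            held_by = self.owner(vid)
            if held_by is not None:
                raise ValueError(f"VLAN {vid} already belongs to subinterface {held_by}")
        self._groups[subif] = vlans  # the unassigned group shrinks implicitly

    def delete(self, subif):
        if subif == 0:
            raise ValueError("subinterface 0 cannot be deleted")
        del self._groups[subif]  # its VLANs return to the unassigned group

    def unassigned(self, carried_vlans):
        """VLANs from `carried_vlans` that no subinterface claims."""
        return {vid for vid in carried_vlans if self.owner(vid) is None}

    def classify(self, vid):
        """Map a received packet to (VLAN reported in alerts, group that handles it).

        `vid` is None for a packet without an 802.1Q header (native VLAN traffic).
        The group is a subinterface number or the string "unassigned".
        """
        if vid is None:
            if self.default_vlan == 0:
                return 0, "unassigned"  # alert reports VLAN 0; cannot be grouped
            vid = self.default_vlan     # treat as tagged with the native VID
        held_by = self.owner(vid)
        return vid, held_by if held_by is not None else "unassigned"


if __name__ == "__main__":
    groups = VlanGroups()              # default VLAN left at 0
    groups.create(1, [10, 11, 12])     # vlan-group x in the figure
    groups.create(2, [20, 21, 22])     # vlan-group y in the figure
    print(groups.classify(11))         # (11, 1)
    print(groups.classify(30))         # (30, 'unassigned')
    print(groups.classify(None))       # (0, 'unassigned')
    native = VlanGroups(default_vlan=99)
    native.create(5, [99])
    print(native.classify(None))       # (99, 5)
```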
Figure: VLAN groups on an inline interface pair (vlan-group x: VLANs 10, 11, 12 on sub-if x; vlan-group y: VLANs 20, 21, 22 on sub-if y, assigned to virtual sensor VS2)
Because a VLAN group of an inline pair does not translate the VID, as is the case with the
inline-on-a-stick, an inline paired interface must exist between two switches to use VLAN
groups on a logical interface.
In the example, the two ports on the Cisco IPS sensor are configured as trunk ports so they can
carry multiple VLANs. In this configuration, the sensor bridges multiple VLANs between the
two switches. Because multiple VLANs are carried over the inline interface pair, the VLANs
can be divided into groups (VLAN groups), and each group can be assigned to a virtual sensor.
Figure: Interfaces panel (Select All, Edit, Enable, Disable, Apply, Reset)
Step 2
Step 3
If you plan to have your sensor do inline monitoring, enable at least two interfaces.
Note
If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any edits that you made with the previously configured value.
Step 4
Click Apply to apply your changes and save the revised configuration.
You can use the Select All button to select all of the interfaces simultaneously. To disable an
interface, click the Disable button. To edit values associated with the interface, choose the
interface and click Edit. The Edit Interface window opens.
Figure: Edit Interface window (Duplex, Speed, Use Alternate TCP Reset Interface, Select Interface)
If you choose an interface from the Interfaces panel and click Edit, the Edit Interface window
opens. The name of the interface is displayed to the right of the Interface Name label. From the
Edit Interface window, you can change these values associated with the selected interface:
Description: This is a description of the interface. Enter a description of the interface in the
Description field.
Enabled: This is the state of the interface. Click the Yes radio button to enable the
interface or click the No radio button to disable it.
Duplex: This is the duplex setting of the interface. Use the Duplex drop-down menu to
choose one of these options:
Speed: This is the speed setting of the interface. Use the Speed drop-down menu to choose
one of these options:
Default VLAN: Set this variable to the VLAN number of the native VLAN or to 0. If the
default VLAN setting is 0, the following occurs:
Any alerts triggered by packets without 802.1Q encapsulation have a VLAN value
of 0 reported in the alert.
Use Alternate TCP Reset Interface: This is an option to have the sensor send TCP resets
on an alternate interface when this interface is used for promiscuous monitoring and the
reset action is triggered by the firing of a signature. Check the check box to enable this
option.
Select Interface: This is the interface to be used as the alternate TCP reset interface. Use
the drop-down menu to choose an interface. On all platforms other than the Cisco Catalyst
6500 Series IDSM-2, you can choose any interface, except the interface that you are editing
or the command and control interface, as the alternate TCP reset interface.
The Edit Interface window also displays the media type of the selected interface. The media
type will be any of these:
When you click OK in the Edit Interface window, the Interfaces panel becomes active and
displays your changes.
Slide: Edit Virtual Sensor window (Analysis Engine > Virtual Sensor)
Current Cisco IPS sensors are able to receive data inputs from one or many monitored data
streams. For example, a single sensor with multiple monitoring interfaces can monitor traffic
from in front of the firewall, from behind the firewall, or from both locations concurrently. A
single sensor policy or configuration is applied to all of the monitored data streams.
With Cisco IPS Sensor Software Version 6.0, you can apply policies that are appropriate to,
and tuned to, each of the monitored segments. You can do this using virtual sensors. Virtual
sensors can monitor multiple segments and apply a different policy or configuration for each
virtual sensor within a single physical sensor. For the sensor to monitor your network, you must
enable the interfaces and you must assign the interfaces to the appropriate virtual sensor.
Note
You can assign interfaces to a virtual sensor, and you can change the description of a virtual
sensor, but you cannot change the name of vs0.
Complete these steps to assign an interface to a virtual sensor:
Step 1
Click Configuration and choose Analysis Engine > Virtual Sensor. The Virtual
Sensor panel is displayed.
Step 2
Slide: Edit Virtual Sensor window, with the Assigned Interfaces (or Pairs) list, the Remove
button, and the Available Interfaces (or Pairs) list
Step 3
The available interfaces or interface pairs that you can assign to the virtual sensor
are displayed. Choose the interface from the Details list.
Step 4
Click Assign. If you want to remove an interface or interface pair from this list, click
Remove.
Step 5
(Optional) Enter a new description for the default virtual sensor in the Description
field.
Step 6
Click OK. The Edit Virtual Sensor window closes, and the Virtual Sensor panel
displays the interface or interface pair that you added.
Step 7
Add Interface Pairs
To use your sensor for inline intrusion prevention, you must configure an interface pair.
Configure an interface pair by completing these steps:
Step 1
Click Configuration and choose Interface Configuration > Interface Pairs. The
Interface Pairs panel is displayed.
Step 2
Slide: Add Interface Pair window, with the Interface Pair Name, Select Two Interfaces, and
Description fields
Step 3
Step 4
From the Select Two Interfaces list, choose the first interface and then hold down
the Shift key while you choose the second interface.
Step 5
Step 6
Click OK.
Slide: Analysis Engine > Virtual Sensor
You assign interface pairs to the virtual sensor. Complete these steps to assign an interface to
the virtual sensor:
Step 1
Click Configuration and choose Analysis Engine > Virtual Sensor. The Virtual
Sensor panel is displayed.
Step 2
Slide: Edit Virtual Sensor window, with the Assigned Interfaces (or Pairs) list, the Remove
button, and the Available Interfaces (or Pairs) list
Step 3
Choose the interface pair from the Details list, which displays the available
interfaces or interface pairs that you can assign to the virtual sensor.
Step 4
Click Assign. If you want to remove an interface or interface pair from this list, click
Remove.
Step 5
(Optional) Enter a new description for the default virtual sensor in the Description
field.
Step 6
Click OK. The Edit Virtual Sensor window closes, and the Virtual Sensor panel
displays the interface or interface pair that you added.
Step 7
Click Apply to apply your changes and save the revised configuration.
Note
To delete an interface pair, select it and click Delete.
Note
You can use the Select All button to select all of the interfaces simultaneously. To edit an
interface pair, select it and click Edit. The Edit Interface Pair window opens. This window
enables you to change the name, choose a new interface pair, or edit the description.
Traffic Flow Notifications
Slide: Interface Configuration > Traffic Flow Notifications panel, with the Missed Packets
Threshold, Notification Interval, and Interface Idle Threshold fields and the Apply and Reset
buttons
You can configure the sensor to monitor the flow of packets across an interface and send a
notification if that flow changes (starts or stops) during a specified interval. You can configure
the missed packet threshold within a specific notification interval and the interface idle delay
before a status event is reported. Complete these steps to configure traffic flow notification:
Step 1
Step 2
In the Missed Packets Threshold field, enter the percent of packets that must be
missed during a specified time before a notification is sent.
Step 3
In the Notification Interval field, enter the number of seconds during which you
want the sensor to check for the percentage of missed packets.
Step 4
In the Interface Idle Threshold field, enter the number of seconds that an interface
must be idle and not receiving packets before a notification is sent.
Note
If you want to undo your changes, click Reset. Reset refreshes the panel by replacing any
edits that you made with the previously configured value.
Step 5
Click Apply to apply your changes and save the revised configuration.
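The traffic-flow notification logic that the three fields above configure, as an added example that is not part of the original guide or of Cisco's sensor software. The checker applies a Missed Packets Threshold (percent) evaluated once per Notification Interval (seconds) and an Interface Idle Threshold (consecutive seconds without packets) to a constructed trace of per-second interface counters; the class and field names (FlowSample, TrafficFlowMonitor) and the counter values are assumptions made for the example.

```python
"""Traffic-flow notification checker (added example, not Cisco code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class FlowSample:
    """Constructed per-second counter sample for one monitoring interface."""
    second: int      # timestamp, whole seconds
    received: int    # packets received during this second
    missed: int      # packets the interface reported as missed during this second


@dataclass
class TrafficFlowMonitor:
    missed_pct_threshold: float   # Missed Packets Threshold (percent)
    notification_interval: int    # Notification Interval (seconds per evaluation)
    idle_threshold: int           # Interface Idle Threshold (seconds with no packets)
    _window: list = field(default_factory=list)  # samples in the current interval
    _idle_seconds: int = 0
    _idle_reported: bool = False

    def observe(self, s: FlowSample) -> list[str]:
        """Feed one sample and return the status events it produces."""
        events: list[str] = []

        # Idle detection: count consecutive seconds in which nothing arrived.
        if s.received == 0 and s.missed == 0:
            self._idle_seconds += 1
            if self._idle_seconds >= self.idle_threshold and not self._idle_reported:
                events.append(f"idle: no packets for {self._idle_seconds}s")
                self._idle_reported = True
        else:
            if self._idle_reported:
                events.append("flow resumed")
            self._idle_seconds = 0
            self._idle_reported = False

        # Missed-packet percentage, evaluated once per notification interval.
        self._window.append(s)
        if len(self._window) >= self.notification_interval:
            total = sum(x.received + x.missed for x in self._window)
            missed = sum(x.missed for x in self._window)
            pct = 100.0 * missed / total if total else 0.0
            if pct >= self.missed_pct_threshold:
                events.append(f"missed packets {pct:.1f}% >= {self.missed_pct_threshold}%")
            self._window.clear()
        return events


def run_monitor(samples, missed_pct=10.0, interval=5, idle=3):
    """Run the monitor over a sample trace; return (second, event) tuples."""
    mon = TrafficFlowMonitor(missed_pct, interval, idle)
    out = []
    for s in samples:
        for ev in mon.observe(s):
            out.append((s.second, ev))
    return out


# Constructed trace: healthy traffic, then 20% loss, then silence, then recovery.
SAMPLES = (
    [FlowSample(t, 1000, 0) for t in range(0, 5)]       # interval 1: 0% missed
    + [FlowSample(t, 800, 200) for t in range(5, 10)]   # interval 2: 20% missed
    + [FlowSample(t, 0, 0) for t in range(10, 14)]      # four idle seconds
    + [FlowSample(14, 500, 0)]                           # flow resumes
)

if __name__ == "__main__":
    for second, ev in run_monitor(SAMPLES):
        print(f"t={second:>3}s  {ev}")
```

With the defaults (10 percent, 5 seconds, 3 seconds) the trace produces a missed-packets event at t=9, an idle event at t=12, and a flow-resumed event at t=14; raising the idle threshold above four seconds suppresses the idle event entirely, which is the tuning trade-off the Interface Idle Threshold field controls.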
Software Bypass
The software bypass feature ensures that packets continue
to flow through the sensor if the sensor is stalled or if an
application crashes. Some major characteristics of software
bypass are:
It applies only to inline paired interfaces.
It causes traffic inspection to cease without impacting network traffic.
It can be used for the following purposes:
Troubleshooting
To ensure that traffic continues to flow during sensor upgrades
As a failover mechanism
It can be configured to automatically start and stop.
Cisco IPS Sensor Software Version 6.0 contains a software bypass mechanism. Bypass enables
you to put the sensor in a mode that ensures that packets continue to flow through the sensor
even if the sensor software fails. When bypass is enabled, all processing subsystems are
bypassed and traffic is allowed to flow between the inline port pairs directly. Traffic inspection
ceases, but your network traffic is not impacted. You can configure your sensor to
automatically enable the bypass mechanism when it detects a software failure.
Note
Traffic inspection ceases if the sensor application is stalled or crashes, but network traffic
is not impacted.
In addition to serving as a soft failover mechanism, bypass is useful for troubleshooting and
ensuring that traffic continues to flow during sensor upgrades. As long as the sensor is powered
up and the Linux operating system is functioning, the bypass mechanism works.
Note
Bypass mode is meant to be used only with inline paired interfaces. For sensors running in
promiscuous mode, bypass mode should be set to Off.
Slide: Interface Configuration > Bypass panel, with the Bypass Mode drop-down menu and the
Apply and Reset buttons
Step 1
Click Configuration and choose Interface Configuration > Bypass. The Bypass
panel is displayed.
Step 2
Choose one of these modes from the Bypass Mode drop-down menu:
Auto (bypass inspection when the Analysis Engine is stopped): Traffic flows
through the sensor for inspection unless the sensor is down. If the sensor is down,
traffic bypasses the sensor and is saved until the sensor is running again. The
sensor then inspects the traffic. Auto mode, which is the default setting, is useful
to ensure that traffic is still flowing while the sensor is being upgraded.
Off (always inspect inline traffic): This mode disables bypass mode. Traffic
always flows through the sensor for inspection. If the sensor is down, traffic stops
flowing.
On (never inspect inline traffic): This mode causes traffic to bypass inspection.
When you choose the On mode, the sensor acts like a bridge. The On mode is
useful in situations in which you are experiencing network difficulties, and you
are unsure if the sensor or another device is causing the problem. You can put the
sensor into On mode, perform network troubleshooting, and then change the
bypass mode to Auto or Off so that the sensor begins inspecting packets again. If
your network difficulty disappears when the sensor is in bypass On mode, check
your sensor configuration.
Caution
Security risks accompany use of the On mode. When the bypass mode is On, traffic is never
inspected; therefore, the sensor cannot prevent malicious attacks.
Step 3
Click Apply to apply your changes and save the revised configuration.
The sensor reports changes to the software bypass feature and these interface configuration
events as status events:
Link up or down
Hardware Bypass
The Cisco IPS 4260 Sensor supports a 4-port Gigabit Ethernet card with hardware bypass.
Hardware bypass is only supported between ports 0 and 1 and between ports 2 and 3.
Ports 0 and 1 and ports 2 and 3 must be configured as inline pairs.
Hardware bypass complements software bypass.
The 4-port Gigabit Ethernet bypass card is supported only on the Cisco IPS 4260 Sensor.
This 4-port Gigabit Ethernet bypass card supports hardware bypass only between ports 0
and 1 and between ports 2 and 3.
Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline
VLAN pairs.
The speed and duplex settings are identical on the physical interfaces.
Autonegotiation must be set on the medium dependent interface crossover (MDIX) switch
ports connected to a Cisco IPS 4260 Sensor.
You must configure both the sensor ports and the switch ports for autonegotiation of speed and
duplex settings for hardware bypass to work. The switch ports must support MDIX, which
automatically reverses the transmit and receive lines if necessary to correct any cabling
problems. The sensor is only guaranteed to operate correctly with the switch if both of them are
configured for identical speed and duplex.
Note
To test failover, set the bypass mode to On or Auto, create one or more inline interfaces,
power down the sensor, and verify that traffic still flows through the inline path.
Follow these steps to use Cisco IDM to view events generated by the sensor:
Step 1
Step 2
Step 3
Complete the filter choices in the Events pane. You can choose to view events based
on things such as event severity, types of events, number of events per page, and
time consideration.
Step 4
Summary
This topic summarizes the key points that were discussed in this lesson.
Users access a sensor by logging into user accounts that you create on the
sensor. User accounts have roles that determine the privilege of the user on
the sensor.
You can manually configure the time on the sensor, or you can configure the
sensor to use an NTP server.
The sensor generates a server certificate when it is first started. You can use
the Cisco IDM to add trusted hosts.
Use the service account only under the direction of the Cisco TAC for
troubleshooting.
All sensors have only one command and control interface. Several sensor
models can have multiple monitoring interfaces.
For a sensor to operate in inline mode, you must configure two monitoring
interfaces as a pair.
The software bypass feature ensures that packets continue to flow through
the sensor even if the Analysis Engine ceases to function.
To more effectively view events generated by the sensor, you can filter the
events by severity, type, and time range.
Module Summary
This topic summarizes the key points that were discussed in this module.
You can access the CLI by attaching a console cable, or through
a Telnet or SSH session across the network. The sensor is
bootstrapped using the setup command.
Cisco IDM is a web-based Java application that enables you to
configure and manage your sensor. Cisco IDM can be accessed
via Internet Explorer, Netscape, or Mozilla.
You can use the Cisco IDM to configure the time settings,
certificates, user accounts, and interfaces of a Cisco IPS sensor.
A network sensor can be configured using the command-line interface (CLI) and the Cisco
Intrusion Prevention System (IPS) Device Manager (IDM). It is usually best to do most of the
configuration using the Cisco IDM. The CLI is best utilized for running setup, maintenance,
and troubleshooting.
References
For additional information, refer to these resources:
Cisco Systems, Inc. Installing and Using Cisco Intrusion Prevention System Device Manager 6.0: Getting Started.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618948.html#wp1048697
Cisco Systems, Inc. Installing and Using Cisco Intrusion Prevention System Device Manager 6.0.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html
Module 3
Module Objectives
Upon completing this module, you will be able to use the Cisco IPS Device Manager (IDM) to
configure built-in signatures to meet the requirements of a given security policy. This ability
includes being able to meet these objectives:
Use the Cisco IDM to locate and configure built-in signatures and view events
Use the Cisco IDM to tune and customize signatures to meet the requirements of a given
security policy
Lesson 1
Objectives
Upon completing this lesson, you will be able to use the Cisco IPS Device Manager (IDM) to
configure built-in signatures to meet the requirements of a given security policy. This ability
includes being able to meet these objectives:
Locate information about specific signatures and describe the Cisco Intrusion Prevention
Alert Center
Signature Types
A Cisco IPS signature is a set of rules that your sensor
uses to detect typical intrusive activity. The sensor
supports three types of signatures:
Default signatures: Known attack signatures that are included in
the sensor software
Tuned signatures: Built-in signatures that you modify
Custom signatures: New signatures that you create
A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as
denial of service (DoS) attacks. As sensors scan network packets, they use signatures to detect
known attacks and respond with actions that you define. The sensor compares its signatures
with network activity. When a match is found, the sensor can generate an alert event and store
it in the Event Store. The alert events, as well as other events, can be retrieved from the Event
Store by web-based clients.
Note
By default, the sensor generates an alert when a signature matches network traffic. You can
disable alert generation for any signature.
A signature must be enabled to monitor network traffic. The most critical signatures are
enabled by default.
Cisco IPS Sensor Software Version 6.0 contains more than 1500 built-in default signatures.
You cannot rename or delete signatures from the list of built-in signatures, but you can retire
signatures that are old or no longer applicable from the sensing engine. Retiring signatures
conserves sensor memory and enhances performance. If you retire a signature, that signature is
removed from the engine but remains in the signature configuration list. You can later activate
retired signatures, but doing so requires the sensor to rebuild its configurations. This rebuild
can be time consuming and can cause a delay in the processing of traffic.
You can also modify built-in signatures by adjusting their parameters. These modified built-in
signatures are called tuned signatures. In addition, you can create signatures, which are called
custom signatures. Custom signature IDs begin at 60,000.
Some signatures have subsignatures, meaning that the signature is divided into subcategories.
When you configure a subsignature, changes made to the parameters of one subsignature apply
only to that subsignature. For example, if you edit signature 3050 subsignature 1, the change
applies only to subsignature 1 and not to signature 3050 subsignature 2, signature 3050
subsignature 3, and signature 3050 subsignature 4.
Note
Signature Features
Response actions
Alert summarization
Threshold configuration
Anti-evasive techniques
Fidelity ratings
Application firewall
SNMP support
IPv6 support
A blend of detection technologies
Regular expression string pattern matching
The Cisco IPS signatures have the following features and capabilities:
Response actions: These enable the sensor to take an action when the signature is
triggered.
Alert summarization: This enables the sensor to group various alerts into a single alert,
thereby decreasing the number of alerts that the sensor sends to the Event Store when a
signature is triggered.
Fidelity rating: This is a numerical rating of how prone the signature is to false alarms.
Simple Network Management Protocol (SNMP) support: This enables the sensor to
send SNMP traps triggered by IPS alert, status, or error events.
Note
Cisco IPS Sensor Software Version 6.0 allows IPv6 traffic to pass unobstructed with no
analysis.
Simple pattern matching: This looks for a character string in a single packet. For
example, the signature might look for the string badger.
Heuristic analysis: This uses some form of algorithmic logic to determine if an alert
should be generated. Heuristic analysis usually involves some form of statistical
analysis. It is typically used to detect reconnaissance attempts, such as slow scans
that attempt to evade sensor detection. A good example of a signature based on
heuristic analysis is one used to detect a port sweep. The signature looks for the
presence of a threshold number of unique ports being accessed on a particular
machine. You can further restrict the signature to look only for a certain type of
packet or a certain source address. Signatures of this type require some threshold
manipulations to make them conform to the utilization patterns on the network that
they are monitoring.
Protocol decode analysis: This looks for deviations from a standard protocol, as
defined by the RFC.
Anomaly analysis: This looks for network traffic that deviates from the traffic that
it normally detects on the network. The biggest problem with this methodology is
defining normal traffic. There are several types of anomaly analysis. Cisco
signatures use the following:
Regular expression string pattern matching: This capability enables the creation of
string patterns using regular expressions. These string patterns are used by the pattern
matching technologies.
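The heuristic port-sweep signature described above (alert once a threshold number of unique ports has been accessed on a particular machine, optionally restricted to a certain packet type or source address), as an added detection example that is not part of the original guide or of Cisco's signature engines. It runs over constructed flow records; the record layout (Flow), the detector class name, the threshold and window values, and the addresses are assumptions made for the example.

```python
"""Heuristic port-sweep detector over flow records (added example, not Cisco code)."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed flow record: one connection attempt seen by the sensor."""
    ts: float       # seconds since start of capture
    src: str        # source address
    dst: str        # destination (target) address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"


class PortSweepDetector:
    """Alert when one source touches >= unique_ports distinct ports on one host
    within a sliding window of window_s seconds."""

    def __init__(self, unique_ports: int, window_s: float,
                 proto: str | None = None, src: str | None = None):
        self.unique_ports = unique_ports
        self.window_s = window_s
        self.proto = proto   # optional restriction to a packet type
        self.src = src       # optional restriction to a source address
        # per (src, dst): (timestamp, dport) records, oldest first
        self._seen: dict[tuple[str, str], deque] = defaultdict(deque)
        self._alerted: set[tuple[str, str]] = set()

    def observe(self, f: Flow) -> str | None:
        if self.proto and f.proto != self.proto:
            return None
        if self.src and f.src != self.src:
            return None
        key = (f.src, f.dst)
        q = self._seen[key]
        q.append((f.ts, f.dport))
        # Drop records that have aged out of the window; this is what lets a
        # sufficiently slow scan stay under the threshold.
        while q and f.ts - q[0][0] > self.window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.unique_ports and key not in self._alerted:
            self._alerted.add(key)   # one alert per source/target pair
            return (f"port sweep: {f.src} -> {f.dst} touched {len(ports)} "
                    f"ports in {self.window_s:.0f}s")
        return None


def detect(flows, unique_ports=5, window_s=60.0, proto=None, src=None):
    """Run the detector over flows in time order and return the alert strings."""
    det = PortSweepDetector(unique_ports, window_s, proto, src)
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        a = det.observe(f)
        if a:
            alerts.append(a)
    return alerts


# Constructed traffic: one host probes six ports over 50 s, while a second
# client talks normally to the same server on two ports.
FLOWS = [
    Flow(t * 10.0, "10.0.0.5", "10.0.0.20", port, "tcp")
    for t, port in enumerate([21, 22, 23, 25, 80, 443])
] + [
    Flow(1.0, "10.0.0.7", "10.0.0.20", 443, "tcp"),
    Flow(2.0, "10.0.0.7", "10.0.0.20", 443, "tcp"),
    Flow(3.0, "10.0.0.7", "10.0.0.20", 80, "tcp"),
]

if __name__ == "__main__":
    for a in detect(FLOWS):
        print(a)
```

With a 60-second window the probing host trips the five-port threshold at the fifth probe, while the normal client (two distinct ports) never does. Shrinking the window to 15 seconds lets the same slow scan pass undetected, which is the threshold-tuning problem the text raises: the window and port count have to be set against the utilization patterns of the monitored segment.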
Signature Actions
Cisco IPS signatures can take one or all of the following
actions when triggered:
Drop malicious packets, including the trigger packet, before they
reach their targets (for inline sensors only)
Produce an alert or an alert that includes an encoded dump of the
trigger packet
Log IP packets that contain the attacker address, the victim
address, or both
Initiate the blocking of a connection or a specific host address
Send a request to the notification application component of the
sensor to perform SNMP notification
Terminate the TCP session between the source of an attack and
the target host
You can configure the sensor to respond to malicious activity by configuring a signature to take
a response action when it matches network traffic.
Some of the actions that a sensor can take when a signature is triggered are specific to inline
IPS. The capability to drop packets as a response action is the essence of an inline solution. For
a sensor operating in inline mode, you can configure deny actions that drop packets, including
the packet that triggers the signature, before they reach their intended target. You can configure
signatures to take the following actions, whether your sensor is running in inline mode,
promiscuous mode, or both:
Produce an alert or an alert that includes an encoded dump of the trigger packet
Log IP packets that contain the attacker address, the victim address, or both
Send a request to the notification application component of the sensor to perform SNMP
notification
Terminate the TCP session between the source of an attack and the target host
The notification application is a sensor service that enables the sensor to send notification of
sensor alerts and system errors to an SNMP network management system (NMS). These SNMP
notifications are called traps. In addition to enabling the sending of traps, the notification
application enables an NMS to obtain basic health information from the sensor. SNMP is used
by many network administrators to monitor and configure network devices. The SNMP support
available in Cisco IPS Sensor Software Version 6.0 and higher enables these administrators to
consolidate data into a single console.
The notification application runs as a thread within MainApp and uses the Net-SNMP agent, a
public domain SNMP agent, to collect and store information about the sensor, translate the
information into a form that is compatible with SNMP, and deliver it to an NMS via SNMP.
Although the Net-SNMP agent currently supports SNMP version 3 (SNMPv3), the notification
application currently does not.
Regular expressions constitute a powerful and flexible notational language that allows you to
describe text. In the context of pattern matching, regular expressions allow a succinct
description of almost any arbitrary pattern.
Regular expressions are used for string matching. Regular expressions are strings that contain a
mix of plaintext and special characters to indicate what kind of matching to do. For example, if
you want the sensor to look for a numeric digit, use the regular expression [0-9]. The brackets
indicate that the character being compared should match any one of the characters enclosed
within the brackets. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9.
Therefore, this regular expression matches any digit from 0 to 9.
Character    Meaning
?            Repeat 0 or 1 times
{x}          Repeat exactly x times
[abc]        Any one of the enclosed characters
[^abc]       Any character except the enclosed characters
[a-z]        Any character in the range
()           Group (tagged expression)
\char        The literal character char
\n           Line feed
\t           Tab
To have the sensor search for a specific special character, you must use a backslash before the
special character. For example, the single-character regular expression \* matches a single
asterisk.
The regular expressions defined in this section are similar to a subset of the Portable Operating
System Interface (POSIX) extended regular expression definitions. In particular, [..], [==], and
[::] expressions are not supported. Escaped expressions representing single characters are
supported. The following table lists the Cisco IPS regular expressions syntax.
Regular Expression Syntax
Character        Description
^                This is the beginning of the string. The expression ^A will match an "A" only at
                 the beginning of the string.
^ (inside [ ])   This is immediately following the left bracket ([) and excludes the remaining
                 characters within brackets from matching the target string. The expression [^0-9]
                 indicates that the target character should not be a digit.
$                This matches the end of the string. The expression abc$ matches the substring
                 abc only if it is at the end of the string.
|                This allows the expression on either side to match the target string. The
                 expression a|b matches "a" as well as "b."
*                This indicates that the character to the left of the asterisk in the expression
                 should match zero or more times.
+                This is similar to the asterisk (*) but there must be at least one match of the
                 character to the left of the plus sign (+) in the expression.
()               This affects the order of pattern evaluation and serves as a tagged expression
                 that can be used when replacing the matched substring with another expression.
[]               This encloses a set of characters and indicates that any of the enclosed
                 characters can match the target character.
To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.
(ab)* matches any number of the multiple-character string ab.
([A-Za-z][0-9])+ matches one or more instances of alphanumeric pairs but not none. An empty
string is not a match. The order for matches using multipliers (*, +, or ?) is to put the longest
construct first. Nested constructs are matched from outside to inside. Concatenated constructs
are matched beginning at the left side of the construct. Thus, the regular expression matches
A9b3 but not 9Ab3 because the letters are specified before the numbers.
You can also use parentheses around a single- or multiple-character pattern to instruct the
software to remember a pattern for use elsewhere in the regular expression. To create a regular
expression that recalls a previous pattern, you use parentheses to indicate memory of a specific
pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit
specifies the occurrence of a parenthesis in the regular expression pattern. If you have more
than one remembered pattern in your regular expression, then \1 indicates the first remembered
pattern, and \2 indicates the second remembered pattern, and so on.
The regular expression a(.)bc(.)\1\2 uses parentheses for recall. It matches an a followed by
any character, followed by bc followed by any character, followed by the first any character
again, followed by the second any character again. For example, the regular expression can
match aZbcTZT. The software remembers that the first character is Z and the second
character is T and then uses Z and T again later in the regular expression.
Example regular expressions from the lesson slides:

To Match                                        Regular Expression
Hacker                                          Hacker
Hacker or hacker                                [Hh]acker
hacker in any combination of letter case        [hH][aA][cC][kK][eE][rR]
hot or cold                                     hot|cold
hot or cold in any combination of letter case   [hH][oO][tT]|[cC][oO][lL][dD]
Banas, Bananas, Banananas, and so on            Ba(na)+s
moon or soon                                    (m|s)oon
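The harness below is an added example, not part of the Cisco course material: it checks the lesson's patterns against a constructed corpus of payloads that should and should not fire, which is how a custom string signature should be tested before it is deployed. It relies on Python's re module, whose meaning for these constructs matches the lesson's table; the payload samples are constructed.

```python
import re

# Added example, not Cisco course code: a harness for checking a string-engine
# style regular expression against a constructed corpus of payloads before the
# pattern goes into a custom signature.  Python's re module gives the lesson's
# constructs ([..], [^..], $, |, *, +, ( ), \1 back-references) the same meaning.


def fires(pattern, payload, anchored=False):
    """Return True if the pattern matches the payload.

    anchored=False searches for the pattern anywhere in the payload, which is
    how a string engine scans a stream.  anchored=True requires the whole
    payload to match, which is the reading under which "([A-Za-z][0-9])+
    matches A9b3 but not 9Ab3" holds.
    """
    regex = re.compile(pattern)
    match = regex.fullmatch(payload) if anchored else regex.search(payload)
    return match is not None


def check_corpus(pattern, should_match, should_not_match, anchored=False):
    """Return the (payload, reason) pairs the pattern got wrong.

    An empty list means the pattern fired on every positive sample and on no
    negative sample; anything left is a false negative or a false positive.
    """
    problems = []
    for payload in should_match:
        if not fires(pattern, payload, anchored):
            problems.append((payload, "expected match (false negative)"))
    for payload in should_not_match:
        if fires(pattern, payload, anchored):
            problems.append((payload, "expected no match (false positive)"))
    return problems


# Constructed corpus for the patterns in the lesson tables:
# pattern -> (payloads that should fire, payloads that should not).
LESSON_PATTERNS = {
    "[Hh]acker": (["Hacker", "hacker"], ["HACKER"]),
    "[hH][aA][cC][kK][eE][rR]": (["HACKER", "hAcKeR"], ["hack3r"]),
    "hot|cold": (["hot", "cold"], ["warm"]),
    "[hH][oO][tT]|[cC][oO][lL][dD]": (["HOT", "Cold"], ["lukewarm"]),
    "Ba(na)+s": (["Banas", "Bananas"], ["Bas"]),
    "(m|s)oon": (["moon", "soon"], ["noon"]),
    r"a(.)bc(.)\1\2": (["aZbcTZT"], ["aZbcTTZ"]),
}


def check_all(anchored=False):
    """Run check_corpus over every lesson pattern; returns {pattern: problems}."""
    return {
        pattern: check_corpus(pattern, positives, negatives, anchored)
        for pattern, (positives, negatives) in LESSON_PATTERNS.items()
    }


if __name__ == "__main__":
    for pattern, problems in check_all().items():
        print(f"{pattern:32} {'ok' if not problems else problems}")
    # The multiplier rule holds for whole-string matching ...
    print(fires("([A-Za-z][0-9])+", "A9b3", anchored=True))  # True
    print(fires("([A-Za-z][0-9])+", "9Ab3", anchored=True))  # False
    # ... but an unanchored scan still finds the substring "b3" inside 9Ab3,
    # so an unanchored signature on this pattern would fire on both payloads.
    print(fires("([A-Za-z][0-9])+", "9Ab3"))  # True
```

The last three calls show why anchoring matters for multiplier patterns: a substring scan fires on 9Ab3 even though the whole-string reading in the lesson does not.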
Signature Engines
A signature engine is a component of the sensor that supports a
category of signatures.
Each Cisco IPS signature is controlled by a signature engine
designed to inspect a specific type of traffic.
Each engine has a set of legal parameters that have allowable
ranges or sets of values.
Configurable engine parameters enable you to tune signatures to
work optimally in your network and to create new signatures
unique to your network environment.
A signature engine is a component of the sensor that supports a category of signatures. Each
Cisco IPS signature is created and controlled by a signature engine specifically designed for the
type of traffic being monitored. For example, the string TCP engine searches TCP packets for
string patterns. It controls such signatures as the following:
Signature 3118, rwhoisd format string, which triggers upon detecting an soa command sent
to a rwhois server with a large argument
Signature 3138, Bagle.C virus email attachment, which fires when a pattern matching the C
variant of the Bagle virus in an e-mail attachment is detected
An engine is composed of a parser and an inspector. Each engine has a set of legal parameters
that have allowable ranges or sets of values. These configurable engine parameters enable you
to tune signatures to work optimally in your network and to create new signatures unique to
your network environment.
Alerts
By default, the sensor generates an alert when an enabled signature is
triggered.
The default setting that generates an alert can be disabled.
Alerts are stored in the Event Store of the sensor.
External monitoring applications can pull alerts from the sensor via SDEE.
Monitoring applications can collect alerts on an as-needed basis.
Multiple hosts can collect alerts simultaneously.
Alerts can have any one of the following security levels:
Informational
Low
Medium
High
The severity level of the alert is derived from the severity level of the
signature causing the alert.
By default, the sensor generates an alert when an enabled signature is triggered. Generating an
alert, however, is a configurable signature action that can be disabled. Alerts are stored in the
sensor Event Store. The Cisco IDM can pull alerts from the sensor via the Security Device
Event Exchange (SDEE). This capability allows a host or hosts to collect alerts on an as-needed
basis.
SDEE specifies two types of event requests for external monitoring applications such as Cisco
IDM interfacing with the sensor:
Query: Retrieve events that are in the Event Store at the time the query request is issued
Note
Multiple hosts can perform queries and subscribe to the live event feed simultaneously.
Every alert has a severity level that is derived from the severity level of the signature causing
the alert. Therefore, an alert, and a signature, can have one of the following security levels:
Informational
Low
Medium
High
Alert Format
At times, you may need to look at an alert via the command-line interface (CLI) show events
command. In the output of this command, you can distinguish an alert from other types of
events by its first field, evIdsAlert. The format of an alert as it appears in the CLI conforms to
the Cisco Intrusion Detection Event Exchange standards. SDEE is a general-purpose standard
for the messaging of security events. SDEE, along with the Cisco Intrusion Detection Event
Exchange, specifies the format of event messages.
Note
The Cisco Intrusion Detection Event Exchange extends the SDEE and adds IPS-specific
elements that are used in Cisco IPS Sensor Software Version 6.0 alerts.
The following is an example of a Cisco IPS Sensor Software Version 6.0 alert from signature
2004, ICMP Echo Req:
evIdsAlert: eventId=1104949863483006238 severity=informational
vendor=Cisco
originator:
hostId: sensor1
appName: sensorApp
appInstanceId: 375
time: 2006/12/27 14:15:38 2006/12/27 06:15:38 GMT-08:00
signature: description=ICMP Echo Req id=2004 version=S1
subsigId: 0
marsCategory: Info/AllSession
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 10.0.1.12
target:
addr: locality=OUT 172.26.26.50
os: idSource=unknown relevance=relevant type=unknown
riskRatingValue: attackRelevanceRating=relevant
targetValueRating=medium 35
threatRatingValue: 35
interface fe0/1
protocol icmp
The information in Cisco IPS alerts is labeled intuitively. For example, the signature:
description and eventId fields obviously contain the name and identification number of the
signature. The following list provides additional details and information on some of the less
intuitive fields, listed as they will appear on your screen:
vendor: This is always Cisco for Cisco products. This field is included in SDEE format
because vendors other than Cisco use SDEE.
originator: This contains the following subfields that provide information on the originator
of the alert:
interfaceGroup: This is the name of the interface group that received the traffic.
vlan: This is the VLAN number associated with packets involved in the activity that
triggered the alert. If this field is omitted or the value is 0, no VLAN information is
available.
participants: This contains the following subfields providing information about hosts that
participated in the attack, either as attackers or targets:
addr: locality: This is the IP address of the attacker and where this address is
located. The locality subfield is a string that indicates the relative location of the
attacker address within the network topology. It indicates, for example, whether
the host is within the protected network, the demilitarized zone (DMZ), or the
external (unprotected) network. The locality subfield displays a single locality
per address. If the address matches many localities, the most specific match is
displayed. For example, if the address matches both IN and DMZ1, DMZ1 is
displayed.
Note
Locality names such as IN and DMZ1 come from event variables that you define. You can
create event variables and then use those variables in event action filters. Event variables
enable you to use the same value within multiple filters.
target: Host or hosts that are the target of an attack by each of the attackers
addr: locality: This is the IP address of the target host and where this address is
located. The locality subfield is a string that indicates the relative location of the
target address within the network topology. It indicates, for example, whether
the host is within the protected network, the DMZ, or the external (unprotected)
network. The locality subfield displays a single locality per address. If the
address matches many localities, the most specific match is displayed. For
example, if the address matches both IN and DMZ1, DMZ1 is displayed.
riskRatingValue: This is the value that represents the calculated risk associated with the
detected activity. The risk value is calculated using multiple factors and has a range
between 0 and 100 (inclusive), where 0 represents the lowest risk and 100 the greatest risk.
threatRatingValue: This is the value that represents the calculated threat associated with
the detected activity. The threat value is calculated using multiple factors and has a range
between 0 and 100 (inclusive), where 0 represents the lowest threat and 100 the greatest
threat.
interface: This provides traffic source information. The Interface field holds a simple value
such as fe1_0.
protocol: This is the network protocol wherein the malicious content was discovered.
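The parser below is an added example, not Cisco code: it turns the show events rendering of the signature 2004 alert above into nested records and pulls out the fields an analyst triages on. The sample is the alert text from the lesson with its indentation restored by hand, which is an assumption about how the CLI indents child elements; the rule that an element's own text value follows its last attribute is likewise an assumption that holds for the fields shown.

```python
import re

# Sample copied from the lesson's signature 2004 alert, indentation restored by
# hand (assumption: the CLI indents child elements; the printed page lost that).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1104949863483006238 severity=informational
  vendor=Cisco
  originator:
    hostId: sensor1
    appName: sensorApp
    appInstanceId: 375
  time: 2006/12/27 14:15:38 2006/12/27 06:15:38 GMT-08:00
  signature: description=ICMP Echo Req id=2004 version=S1
    subsigId: 0
    marsCategory: Info/AllSession
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=OUT 10.0.1.12
    target:
      addr: locality=OUT 172.26.26.50
      os: idSource=unknown relevance=relevant type=unknown
  riskRatingValue: attackRelevanceRating=relevant
    targetValueRating=medium 35
  threatRatingValue: 35
  interface fe0/1
  protocol icmp
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# values with spaces (description=ICMP Echo Req) survive.
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_attrs(text):
    """Split 'k=v k2=v2 [text]' into ({k: v, ...}, element_text_or_None).

    Assumption about this CLI rendering: an element's own text value, when it
    has one, follows the last attribute (locality=OUT 10.0.1.12), so a trailing
    space-separated token after the last attribute is taken as that text.
    """
    attrs = dict(ATTR_RE.findall(text))
    value = None
    if attrs:
        last_key = list(attrs)[-1]
        parts = attrs[last_key].split()
        if len(parts) > 1:
            attrs[last_key] = parts[0]
            value = " ".join(parts[1:])
    else:
        value = text.strip() or None
    return attrs, value


def parse_alert(text):
    """Parse one evIdsAlert block into {name: {"attrs", "value", "children"}}.

    Children are keyed by element name, so repeated siblings (several targets)
    would overwrite each other; the lesson's single-target alert is unaffected.
    """
    root = {"attrs": {}, "value": None, "children": {}}
    stack = [(-1, root)]  # (indent, element) path from the root
    last = root
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        first = line.split()[0]
        if ":" not in first and "=" in first:
            # Continuation line: more attributes for the element just opened.
            attrs, value = parse_attrs(line)
            last["attrs"].update(attrs)
            if value is not None:
                last["value"] = value
            continue
        if ":" in first:
            name, rest = line.split(":", 1)
        else:  # "interface fe0/1" style: name then bare text value
            name, _, rest = line.partition(" ")
        attrs, value = parse_attrs(rest.strip())
        node = {"attrs": attrs, "value": value, "children": {}}
        while stack[-1][0] >= indent:  # climb back to this line's parent
            stack.pop()
        stack[-1][1]["children"][name] = node
        stack.append((indent, node))
        last = node
    return root["children"]


def summarize(alert):
    """Pull the triage fields out of a parsed alert."""
    ev = alert["evIdsAlert"]
    kids = ev["children"]
    parts = kids["participants"]["children"]
    return {
        "event_id": ev["attrs"]["eventId"],
        "severity": ev["attrs"]["severity"],
        "sig_id": int(kids["signature"]["attrs"]["id"]),
        "sig_name": kids["signature"]["attrs"]["description"],
        "attacker": parts["attacker"]["children"]["addr"]["value"],
        "attacker_locality": parts["attacker"]["children"]["addr"]["attrs"]["locality"],
        "target": parts["target"]["children"]["addr"]["value"],
        "risk_rating": int(kids["riskRatingValue"]["value"]),
        "threat_rating": int(kids["threatRatingValue"]["value"]),
        "interface": kids["interface"]["value"],
        "protocol": kids["protocol"]["value"],
    }


if __name__ == "__main__":
    for field, value in summarize(parse_alert(SAMPLE_ALERT)).items():
        print(f"{field:18} {value}")
```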
Intel Reports
Up-to-the-minute signature and attack information is available at the Cisco Security Center,
which provides information on emerging threats and quick access to the latest signatures. The
Intelligence Reports section of the Cisco Security Center contains information about new
malicious Internet activity. It provides the names of the most recent threats along with the date,
severity level, and status of each threat, and a link to other sources of information about the
various threats.
Signature Details
Figure callouts: Software Download Center, Signature Name, Release Version, Signature ID, Release Date, Description, Alarm Severity, Benign Triggers, Related Threats
The figure shows an example of the Signature Details page that displays when you click the
name of a related signature from the Cisco Security Center page. A typical page contains the
following information fields about a signature:
Alarm Severity: The default alarm severity level assigned to the signature
Release Version: The signature update in which the signature was released
Release Date: The date on which the signature update was released
Benign Triggers: An explanation of any false positives that may appear to be exploits, but
are actually normal network activity
Related Security Reports: Links to intelligence reports that offer additional insight
regarding the vulnerability and its consequences
If you click on the name of one of the latest or active threats listed in the Example Recent
IntelliShield Alerts section of the Cisco Security Center main page, you are taken to a page that
provides more information about the threat:
A concise description
A list of operating systems that can be affected by the threat and links to patches for each
operating system
By default, the Cisco IPS signatures are configured to meet the needs of most average
deployments. The most critical signatures are enabled to provide you immediately with a
certain level of security. Depending on your security policy and the location of your sensor or
sensors, you can choose to enable specific signatures that are disabled by default, tune certain
signatures, or even create custom signatures. Before modifying any signature settings or
creating new signatures, study the built-in signatures and their default settings and consider the
following:
Network protocols: Consider the network protocol of the traffic to be examined. For
example, if you are concerned with Enhanced Interior Gateway Routing Protocol (EIGRP)
packets, you might want to examine the configurable parameters of signatures that examine
IP packets and are triggered by the contents of a single packet.
Target address: Consider the target of any anticipated attack. For example, if you are
concerned with an excessive number of packets being sent to a specific network, you might
want to examine the configurable parameters of signatures that detect an excessive volume
of packets sent to a network.
Target port: Consider the anticipated target ports of the attack. For example, if you are
concerned with connections to a specific UDP port or a range of UDP ports, you might
want to examine the configurable parameters of signatures that detect those connections.
Type of attack: Consider any anticipated type of attack. For example, if you anticipate
DoS attacks, you might want to examine the signatures that are commonly used to detect
DoS attacks. If you anticipate reconnaissance attacks, you might want to examine the
signatures that are commonly used to detect network reconnaissance attacks.
Payload inspection: Consider the need to inspect the payload of a packet for a string
pattern. For example, if you must detect a string pattern in a TCP packet, you might want to
examine the configurable parameters of signatures that are designed to detect a string
pattern in a TCP packet.
After determining the needs of your specific deployment and familiarizing yourself with the
built-in signatures and their default settings, you can begin to modify signature settings as
needed. All signatures have the following two basic configurable parameters:
Note
You must be an administrator or operator to add, clone, enable, disable, edit, or delete
signatures.
Figure callouts: Select By, Signature Configuration, Signature Definitions
You can access signatures of interest in a variety of ways from the Cisco IDM. To begin, click
Configuration, choose Signature Definitions, and then click the Signature Configuration
tab to access the Signature Configuration panel. By default, the Signature Configuration panel
displays signatures listed by signature ID number. You can use the Select By drop-down menu
to display signatures in different ways, such as the types of attack they detect, or the services
that they inspect. When you change your selection in the Select By drop-down menu, the Select
Criteria drop-down menu changes to correspond to your selection.
For example, if you are searching for a UDP flood signature, choose DoS from the Select By
drop-down menu. The Select Criteria drop-down menu becomes a Select Type drop-down
menu. You can then choose UDP Floods from the Select Type drop-down menu. The Signature
Configuration panel refreshes and displays only those signatures that match your sorting
criteria.
Cisco IPS Sensor Software Version 6.x greatly increases the choices available in searching for
signatures. From the Select By drop-down menu, you can choose one of the following:
Active Signatures: Displays all individual signatures that have not been retired, listed in
ascending numerical order by signature ID number
Enabled: Displays all signatures that are enabled, or in other words, actively running on
the sensor
Fidelity Rating: Allows you to define a fidelity rating range of numbers, and then displays
only those signatures within that fidelity range
Base RR: Similar to fidelity rating, allows you to define a range of numbers and then
displays only those signatures within that range
Email: Enables you to display e-mail signatures by protocol such as Internet Message
Access Protocol (IMAP) or Simple Mail Transfer Protocol (SMTP)
L2/L3/L4 Protocol: Enables you to display signatures grouped by network protocol type
including Address Resolution Protocol (ARP), IP fragment, IPv6, and others
Network Services: Displays signatures based on network service protocols such as DHCP
or Border Gateway Protocol (BGP)
Other Services: Displays signatures based on application layer services such as FTP,
HTTP, NetBIOS/Server Message Block (SMB), and others
Reconnaissance: Enables the display of signatures such as ping sweeps and different types
of port scans
Web Server: Enables you to display signatures based on specific web servers
Active & Retired Signatures: Enables you to display all signatures known to the sensor,
whether active or not
A signature can be in multiple groups. For example, web signatures would be found in the
Other Services group and in the Web Server group. Editing a signature in one group affects it in
all groups. The last edit that you make is the one that is applied.
Figure callout: Select By
The figure shows the Signature Configuration panel as it appears when Sig ID is chosen from
the Select By drop-down menu. The Select Criteria drop-down menu becomes an Enter Sig ID
field that enables you to enter the signature ID of the signature that you are trying to locate.
When the Enter Sig ID field is displayed, it is accompanied by a Find button. Click Find to
locate the signature of the signature ID that you entered. The following parameters of the
signature are displayed in the Signature Configuration panel:
Subsig ID: This identifies the number assigned to the subsignature. Usually this is 0.
Enabled: This identifies whether the signature is enabled. A signature must be enabled for
the sensor to protect against the traffic specified by the signature.
Severity: This identifies the severity level that the signature will report: High,
Informational, Low, and Medium.
Fidelity Rating: This identifies the weight associated with how well this signature might
perform in the absence of specific knowledge of the target.
Base RR: This displays the base risk rating value of each signature. Cisco IDM
automatically calculates the base risk rating by multiplying the Fidelity Rating and the
Severity factor and dividing them by 100 (Fidelity Rating x Severity factor /100).
Action: This identifies the actions that the sensor will take when this signature fires.
Type: This identifies whether this signature is a default (built-in), tuned, or custom
signature.
Engine: This identifies the engine that parses and inspects the traffic specified by this
signature.
Caution
A retired signature is removed from the signature engine. You can activate a retired
signature to place it back in the signature engine.
Note
These parameters are displayed for all signatures that you display in the Signature
Configuration panel, regardless of how you display them.
The figure shows the Signature Configuration panel when Other Services is selected from the
Select By drop-down menu. The Select Criteria drop-down menu becomes a Select Service
drop-down menu that enables you to choose a network service. In the figure, NETBIOS/SMB
is selected, so the Signature Configuration panel displays a list of signatures that inspect
NetBIOS and SMBs.
Locating Signatures by OS
Figure callouts: Select By, Select OS
Often it is desirable to enable or disable an entire group of signatures based on operating
system criteria. Perhaps there are no IBM Advanced Interactive eXecutive (AIX) servers in
your environment and, as a noise reduction strategy, you choose to disable all AIX signatures.
In this case, you would want to locate all AIX signatures and disable them as a group.
Step 1
Step 2
Step 3
From the Select Criteria drop-down box, choose the operating system in which you
are interested.
Figure callout: Disable
Step 2
Step 3
Look at the Enabled column to determine the status of the signature. A signature that
is currently enabled has the value Yes in this column.
Step 4
If the signature is currently disabled, choose the signature and click Enable.
Step 5
Click Apply to apply your changes and save the revised configuration.
To disable a signature that is currently enabled, choose the signature and click Disable. You
can enable or disable all signatures in a group by clicking Select All before clicking the Enable
or Disable button.
Actions
Figure callouts: Restore Defaults, Reset
Step 2
Step 3
Step 4
Note
The Restore Defaults button returns all parameters for the selected signature to the default
settings. The Reset button refreshes the panel by replacing any edits that you have made
with the previously configured value.
Figure callouts: Select All, Action List, Select None
Step 5
Check the check boxes for the actions that you want to assign to the signature. A
check mark indicates that the action is assigned to the selected signature. No check
mark indicates that the action is not assigned to any of the selected signatures. A
gray check mark indicates that the action is assigned to some of the selected
signatures. You can choose one or more of the following actions from the on-screen
list:
Deny Attacker Inline: This action terminates the current packet and future
packets from this attacker address for a specified period of time. The sensor
maintains a list of the attackers currently being denied by the system. You can
remove entries from the list or wait for the timer to expire. The timer is a sliding
timer for each entry. Therefore, if attacker A is currently being denied but issues
another attack, the timer for attacker A is reset, and attacker A remains in the
denied attacker list until the timer expires. If the denied attacker list is at
capacity and cannot add a new entry, the packet is still denied.
This action is the most severe of the deny actions. It denies current and future packets from
a single attacker address.
Deny Attacker Service Pair Inline: This action terminates the current packet
and future packets from the attacker address victim port pair for a specified
period of time.
Deny Attacker Victim Pair Inline: This action terminates the current packet
and future packets from the attacker and victim address pair for a specified
period of time.
Deny Connection Inline: This action terminates the current packet and future
packets on this TCP flow.
Log Attacker Packets: This action starts IP logging on packets that contain the attacker
address and sends an alert. This action causes an alert to be written to the Event Store, even
if the Produce Alert action is not selected.
Log Pair Packets: This action starts IP logging on packets that contain the attacker and
victim address pair. This action causes an alert to be written to the Event Store, even if the
Produce Alert action is not selected.
Log Victim Packets: This action starts IP logging on packets that contain the victim
address and sends an alert. This action causes an alert to be written to the Event Store, even
if the Produce Alert action is not selected.
Produce Alert: This action writes the event to the Event Store as an alert.
Produce Verbose Alert: This action includes an encoded dump of the offending packet in
the alert. This action causes an alert to be written to the Event Store, even if the Produce
Alert action is not selected.
Request Block Connection: This action sends a request to a blocking device to block this
connection.
Request Block Host: This action sends a request to a blocking device to block this attacker
host.
Request SNMP Trap: This action sends a request to the Notification Application
component of the sensor to perform SNMP notification. This action causes an alert to be
written to the Event Store, even if Produce Alert is not selected.
Reset TCP Connection: This action sends TCP resets to hijack and terminate the TCP
flow.
The Reset TCP Connection action can be used in conjunction with the deny packet and deny
flow actions. However, deny packet and deny flow actions do not automatically cause TCP
reset actions to occur.
Note
If you want to assign all actions to the selected signatures, click Select All. If you want to
remove all actions from the selected signatures, click Select None.
Step 6
Click OK to close the Assign Actions window. The Signature Configuration panel
displays the actions that you selected in the Action column for the signature that you
configured.
Step 7
Figure callouts: Event Action Rules, Deny Attacker Duration, Block Action Duration, Maximum Denied Attackers
From the General Settings panel, you can configure how long you want to deny attackers, the
maximum number of denied attackers, and how long you want blocks to last. To access the
General Settings panel, click Configuration, choose Event Action Rules, and click the
General Settings tab.
When you have completed your configuration, click Apply to apply your changes to the sensor,
or click Reset to replace any edits that you made with the previously configured value.
Figure callouts: Denied Attackers, Clear List, Refresh, Reset All Hit Counts
The Denied Attackers panel displays the IP addresses of all the attackers that have been denied
and the hit count for each denied attacker. You can reset the hit count for all IP addresses or
clear the list of denied attackers. To access the Denied Attackers panel, click Monitoring and
choose Denied Attackers. Click Refresh to refresh the list and use the following buttons as
needed:
Reset All Hit Counts: Clears the hit count for the denied attackers
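The class below is an added model, not the sensor's implementation, of the denied attacker list as described under Deny Attacker Inline, the Deny Attacker Duration and Maximum Denied Attackers settings, and the Denied Attackers panel buttons. The addresses and durations in the scenario are constructed, and taking hit count to mean packets dropped because of an entry is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class DeniedAttackerList:
    """Added model of the sensor's denied attacker list; not sensor code.

    deny_duration: seconds an entry stays denied (the Deny Attacker Duration
    setting); max_entries: the Maximum Denied Attackers setting.  Hit count is
    taken here to mean packets dropped because of the entry (an assumption).
    """
    deny_duration: float
    max_entries: int
    expires_at: dict = field(default_factory=dict)  # attacker -> expiry time
    hit_count: dict = field(default_factory=dict)   # attacker -> dropped packets

    def _expire(self, now):
        """Drop entries whose timer has run out."""
        for addr in [a for a, t in self.expires_at.items() if t <= now]:
            del self.expires_at[addr]

    def deny_attacker_inline(self, addr, now):
        """Apply Deny Attacker Inline when a signature fires on a packet from addr.

        Returns True because the triggering packet is always dropped, even when
        the list is at capacity and addr could not be added to it.
        """
        self._expire(now)
        self.hit_count[addr] = self.hit_count.get(addr, 0) + 1
        if addr in self.expires_at or len(self.expires_at) < self.max_entries:
            # Sliding timer: a repeat attack restarts the entry's timer.
            self.expires_at[addr] = now + self.deny_duration
        return True

    def is_denied(self, addr, now):
        """True if a packet from addr arriving at time now should be dropped."""
        self._expire(now)
        return addr in self.expires_at

    def inline_packet(self, addr, now):
        """Inline path for a packet that fires no signature.

        Returns False (dropped) if addr is currently denied, else True (forwarded).
        """
        if self.is_denied(addr, now):
            self.hit_count[addr] = self.hit_count.get(addr, 0) + 1
            return False
        return True

    def denied_attackers(self, now):
        """What the Denied Attackers panel shows: {addr: hit count} for live entries."""
        self._expire(now)
        return {addr: self.hit_count.get(addr, 0) for addr in self.expires_at}

    def reset_all_hit_counts(self):
        """Reset All Hit Counts button."""
        for addr in self.hit_count:
            self.hit_count[addr] = 0

    def clear_list(self):
        """Clear List button: every address is allowed through again."""
        self.expires_at.clear()


if __name__ == "__main__":
    # Constructed scenario: one-hour deny duration, room for only two attackers.
    deny = DeniedAttackerList(deny_duration=3600, max_entries=2)
    deny.deny_attacker_inline("10.0.1.12", now=0)
    deny.deny_attacker_inline("10.0.1.13", now=10)
    deny.deny_attacker_inline("10.0.1.14", now=20)   # list full: packet dropped, no entry
    print(deny.denied_attackers(now=21))              # only .12 and .13 are listed
    deny.deny_attacker_inline("10.0.1.12", now=3000)  # timer for .12 slides to 6600
    print(deny.denied_attackers(now=3700))            # .13 expired, .12 still denied
```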
Summary
This topic summarizes the key points that were discussed in this lesson.
A signature is a set of rules that your sensor uses to detect typical intrusive activity. Cisco IPS Sensor Software Version 6.0 has over 1500 signatures.
Information about signatures can be found at the Cisco Intrusion Prevention Alert Center.
Signatures can be configured to drop traffic, log traffic, request blocking by another network device, terminate the session using TCP resets, send an SNMP trap, or simply record an alert in the Event Store. You must be an administrator or operator to add, clone, enable, disable, edit, or delete signatures.
You can configure how long you want to deny attackers, the maximum number of denied attackers, and how long you want blocks to last.
Lesson 2
Objectives
Upon completing this lesson, you will be able to describe the functions of signature engines and
their parameters. This ability includes being able to meet these objectives:
Describe the SERVICE signature engines, including the new TNS and SMB advanced
signature engines
Each Cisco IPS signature is created by a signature engine specifically designed for the type of
traffic being monitored. A signature engine is a component of the sensor that supports a
category of signatures. An engine is composed of a parser and an inspector. Each engine has a
set of legal parameters that have allowable ranges or sets of values. Cisco IPS signature engines
enable network security administrators to tune and create signatures unique to their network
environment.
[Slide: Engine Usage (engine categories: ATOMIC, FLOOD, META, NORMALIZER, SERVICE, STATE)]
Here are some of the general categories of Cisco IPS signature engines:
SERVICE: Used when services with Layers 5, 6, and 7 require protocol analysis
STATE: Used for state-based and regular expression-based pattern inspection and
alarming functionality for TCP streams
[Slide: Engine Usage, continued (STRING, SWEEP, TRAFFIC, TROJAN, AIC)]
STRING: Used for regular expression-based pattern inspection and alarm functionality for
multiple transport protocols, including TCP, User Datagram Protocol (UDP), and Internet
Control Message Protocol (ICMP)
TROJAN: Used to detect BackOrifice Trojan horse traffic and Tribe Flood Network 2000
(TFN2K) Trojan or distributed denial of service (DDoS) traffic
Alarm Interface Controller (AIC): Used for deep-packet inspection of FTP and HTTP
traffic
Engine Parameters
An engine parameter is a name and value pair.
The parameter name is defined by its engine.
Parameter values have limits that are defined by the engine.
The parameter name is constant across all signatures in a
particular engine, but the value can be different for the various
signatures in an engine group.
Some parameters are common to all engines while others are
engine-specific.
Signature engines use their parameters to provide the configuration of signatures. An engine
parameter is a name and value pair. The name is defined by each engine, and the value has
limits that are defined by the engine so that only values falling within a particular range are
valid. The parameter name is constant across all signatures in a particular engine, but the value
can be different for the various signatures in an engine group.
Some parameters are common across all engines, and others are specialized for a specific
engine. The engine-specific parameters apply only to the signatures within a specific engine.
Engine-specific parameters are explained in the next topics of this lesson.
Note
Although all signatures have the EventAction parameter, you can select only actions that
make sense for that engine.
[Slide: Common Parameters (Signature ID, SubSignature ID, Sig Description, Alert Severity, Signature Name, Alert Notes, Sig Fidelity Rating, User Comments, Promiscuous Delta, Alert Traits, Engine, Release, Event Counter, Event Count, Event Count Key, Specify Alert Interval)]
2007 Cisco Systems, Inc. All rights reserved.
Signature engines enable you to configure signatures by modifying their parameters. Some
parameters are common across all engines, and others are specialized for a specific engine. The
Cisco IPS Device Manager (IDM) Edit Signatures window displays all the common parameters
and the parameters specific to the engine that controls the selected signature.
This table lists the common signature parameters.
Common Signature Parameters
(Parameter: Value, followed by the description where the table gives one)
Signature ID
SubSignature ID: 0-255
Alert Severity: High, Medium, Low, Informational
Sig Fidelity Rating: 0-100
Promiscuous Delta: 0-30
Sig Description
  Signature Name: <string>
  Alert Notes: <string>
  User Comments: <string>
  Alert Traits: 0-65535
  Release: <string>
  Vulnerable OS List
  Mars Category
Engine: When expanded, this displays the engine-specific parameters for the signature. The engine-specific parameters apply only to the signatures within the engine.
Event Counter
  Event Count: 1-65535
  Event Count Key: Attacker address, Victim address
  Specify Alert Interval: 2-1000
Alert Frequency
  Summary Mode: Summarize (sends an interval summary alert); Global Summarize (sends a global summary alert)
  Summary Key: Attacker address, Victim address
  Specify Global Summary Threshold
  Summary Threshold: 0-65535
  Global Summary Threshold: 1-65535
  Summary Interval: 1-65535
Status
  Enabled
  Retired
Key Terminology
A = source address
a = source port
B = destination address
b = destination port
x = does not matter
In addition to the common Event Count Key and Summary Key parameters previously
described, Cisco IPS Sensor Software Version 6.0 uses two engine-specific keys. The following
are the four Cisco IPS Sensor Software Version 6.0 key parameters:
Event Count Key: This is the key in which multiple firings of the signature are counted.
The Event Count Key should be less specific or more general than the Storage Key.
Summary Key: This is the address set to use for counting events for event summarization.
Storage Key: This is the key in which internal state data for the signature itself is stored.
You can configure this parameter for the signatures controlled by the ATOMIC Address
Resolution Protocol (ARP) and SWEEP engines. For example, the Storage Key Axxb could
be used for service sweeps in which an attacker is sweeping port 80 across multiple hosts.
The attacker port and the victim address are not examined, but the victim port is examined.
For most engines, the Storage Key is determined by the engine itself or by the engine and
one or more of the other parameters, such as Protocol.
The Key parameters use A, a, B, and b to designate a source address, source port, destination
address, and destination port, respectively. This terminology uses x as a wildcard. If x occupies
the position of A, a, B, or b in the sequence AaBb, the value of that position is unimportant.
The following are valid values:
Note
The bulleted list shows the key terminology as it appears in the CLI and the Cisco IDM,
respectively. The designators A, a, B, b, and x are not used to configure these parameters
from the Cisco IDM.
Summary Modes
You can use the Summary Mode common parameter to
control the number of alarms generated by a specific
signature. The Summary Mode parameter can have one
of the following values:
Fire Once
Fire All
Summarize
Global Summarize
The Summary Mode parameter controls the number of alarms generated by a specific signature.
By correctly configuring this parameter, you can reduce the ability of an attacker to consume
resources on your sensor by flooding it with attacks. Alert reduction also reduces the amount of
data that administrators must analyze. The summary mode can have one of the following
values.
Fire Once: This triggers a single alarm for each unique entry based on the Summary Key
parameter settings.
Fire All: This triggers an alarm for all activity that matches the signature characteristics.
This is effectively the opposite of the Fire Once option and can generate a considerably
larger number of alarms during an attack.
Summarize: This consolidates alarms for the address set specified in the Summary Key
parameter. The Summarize mode limits the number of alarms generated and makes it
difficult for an attacker to consume resources on the sensor or overwhelm the administrator
with alerts. This mode also reveals how many times an activity that matches the
characteristics of a signature was observed during a specific period of time. The first
instance of intrusive activity triggers a normal alert. Subsequently, other instances of the
same activity (duplicate alerts) are counted until the end of the summary interval for the
signature. When the length of time specified by the Summary Interval parameter has
elapsed, a summary alarm is sent to the Event Store, indicating the number of alarms that
occurred during the summary interval.
Global Summarize: This consolidates alarms for all address combinations. The Global
Summarize mode specifies that you want the sensor to send an alert the first time that a
signature fires on an address set and then send only a global summary alert that includes a
summary of all the alerts for all address sets over a given time interval.
Besides the basic alarm firing options, signatures can also take advantage of two alarm
summarization modes. Like Fire Once, the Summarize and Global Summarize modes limit the
number of alarms generated and make it difficult for an attacker to consume resources on the
sensor or overwhelm the administrator with noise.
However, a network security administrator using these alarm summarization modes receives
information on the number of times that the activity that matches the characteristics of a
signature was observed during a specific period of time. When Summarize mode is being used,
the first instance of intrusive activity triggers a normal alarm. Then, other instances are counted
until the end of the summary interval. When the length of time specified elapses, a summary
alarm is sent to the Event Store, indicating the number of alarms that occurred during the
summary interval.
Both alarm summarization modes operate in essentially the same way, except that Global
Summarize mode consolidates the alarms for all address combinations, whereas the Summarize
mode consolidates alarms only for the address set specified in the Summary Key parameter.
[Slide: Summary Threshold (Fire All, Summarize)]
Setting the Summary Threshold and Global Summary Threshold parameters enables a signature
to use variable alert summarization. To take advantage of variable alert summarization, you
must configure the signature to use the Fire All or Summarize mode. When traffic causes the
signature to fire, the Cisco IPS generates the alerts according to the original Summary Mode
setting. If the number of alerts for the signature exceeds the value configured for the Summary
Threshold parameter during a summary interval, the signature automatically switches to the
next-higher alert mode, a mode generating fewer alerts. If the number of alerts for the signature
exceeds the global summary threshold during the same summary interval, the signature
switches to Global Summarize, if not already at this level, because this is the maximum level of
alert consolidation. At the end of the summary interval, the signature reverts to its original
configured summary mode.
For example, if the signature starts with an original summary mode of Fire All, an alert is
generated every time the signature is triggered. If the number of alerts for the signature exceeds
the Summary Threshold parameter setting during a summary interval, the signature
automatically switches to Summarize mode. Finally, if the number of alerts exceeds the Global
Summary Threshold parameter during the same summary interval, the signature automatically
switches to Global Summarize mode. At the end of the summary interval, the signature reverts
to the Fire All mode.
The variable alert mode gives you the flexibility of having signatures fire an alert on every
instance of a signature but reducing the number of alerts generated when that number begins to
significantly affect the resources of the sensor and the ability of the network security
administrator to analyze the alerts being generated. This is an example of variable alert mode:
SIG ID 60000
Summary Mode: Fire All
Summary Threshold: 150
Global Summary Threshold: 300
Summary Interval: 60
The example assumes that all alerts are on the same address set.
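As an added example (not Cisco's code), the following Python model shows the AaBb key notation from Key Terminology and the variable alert summarization walk-through above, driven by the page's signature 60000 settings; the interval alignment, the escalation point and the per-key summary rule are assumptions, listed in the docstring.

```python
"""Added example, not Cisco code: a model of the AaBb key-template notation
(x = wildcard) used for the Event Count, Summary and Storage Keys, and of
variable alert summarization, driven by the page's own example (signature
60000: Fire All, Summary Threshold 150, Global Summary Threshold 300, Summary
Interval 60). Assumptions not stated on the page: the interval starts at the
first alert, the mode escalates as soon as the interval's alert count exceeds a
threshold, and a per-key summary alert is sent only for keys that fired more
than once in the interval.
"""
from collections import defaultdict


def key_from_template(template, src, sport, dst, dport):
    """Build a key from an AaBb-style template; wildcard (x) slots become '*'.

    A = source address, a = source port, B = destination address,
    b = destination port, x = the value at that position does not matter.
    """
    assert len(template) == 4, "template must be four characters, e.g. 'Axxb'"
    values = (src, sport, dst, dport)
    return tuple("*" if t == "x" else v for t, v in zip(template, values))


# The Summary Key address sets listed in the common parameter table.
SUMMARY_KEY_TEMPLATES = {"Attacker address": "Axxx", "Victim address": "xxBx"}


class SummarizingSignature:
    def __init__(self, sig_id, summary_mode, summary_key, summary_threshold,
                 global_summary_threshold, summary_interval):
        self.sig_id = sig_id
        self.configured_mode = summary_mode
        self.template = SUMMARY_KEY_TEMPLATES[summary_key]
        self.summary_threshold = summary_threshold
        self.global_summary_threshold = global_summary_threshold
        self.summary_interval = summary_interval
        self.mode = summary_mode          # current mode; may escalate mid-interval
        self.interval_start = None
        self.counts = defaultdict(int)    # alerts per summary key in this interval
        self.fired_once = set()           # keys already alerted in Fire Once mode
        self.events = []                  # what would be written to the Event Store

    def fire(self, t, src, sport, dst, dport):
        """The signature matched at time t; emit an alert if the mode allows it."""
        if self.interval_start is None:
            self.interval_start = t
        elif t >= self.interval_start + self.summary_interval:
            self.close_interval(t)
        key = key_from_template(self.template, src, sport, dst, dport)
        self.counts[key] += 1
        total = sum(self.counts.values())
        if self.mode == "Fire All":
            self.events.append(("alert", key))
        elif self.mode == "Fire Once":
            if key not in self.fired_once:
                self.fired_once.add(key)
                self.events.append(("alert", key))
        elif self.counts[key] == 1:
            # Summarize / Global Summarize: a normal alert only on the first
            # instance for this key; later instances are only counted.
            self.events.append(("alert", key))
        # Variable alert summarization applies to Fire All and Summarize starts.
        if self.configured_mode in ("Fire All", "Summarize"):
            if total > self.global_summary_threshold:
                self.mode = "Global Summarize"
            elif total > self.summary_threshold and self.mode == "Fire All":
                self.mode = "Summarize"

    def close_interval(self, t):
        """End of the summary interval: send summary alerts, revert the mode."""
        if self.mode == "Global Summarize":
            self.events.append(("global summary", "*", sum(self.counts.values())))
        elif self.mode == "Summarize":
            for key, n in self.counts.items():
                if n > 1:
                    self.events.append(("summary", key, n))
        self.counts.clear()
        self.mode = self.configured_mode
        self.interval_start = t


def run_page_example(n_matches=400):
    """Drive the page's example: 400 matches within one interval, all from one
    attacker (the page assumes all alerts are on the same address set)."""
    sig = SummarizingSignature(60000, "Fire All", "Attacker address",
                               summary_threshold=150,
                               global_summary_threshold=300,
                               summary_interval=60)
    for i in range(n_matches):   # constructed traffic: one source, one victim
        sig.fire(t=i * 0.1, src="192.0.2.10", sport=40000 + i,
                 dst="198.51.100.5", dport=80)
    sig.close_interval(t=60)
    return sig.events
```

With the page's settings the model emits 151 individual alerts before switching to Summarize, switches to Global Summarize after the 301st match, and closes the interval with one global summary covering all 400.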
[Slide: ATOMIC engines (ATOMIC ARP, ATOMIC IP, ATOMIC IPv6)]
ATOMIC signature engines support signatures that are triggered by the contents of a single
packet. Because the ATOMIC signature engines examine single packets, they do not need to
maintain state. Therefore, they do not store any persistent data across multiple packets.
The following are ATOMIC signature engines:
ATOMIC ARP: This engine is used to examine basic Layer 2 packets. This engine can
also be used for more advanced detection of the ARP spoof tools dsniff and ettercap.
ATOMIC IP version 6 (IPv6): This engine detects Cisco IOS Software vulnerabilities that
are stimulated by malformed IPv6 traffic.
[Slide: FLOOD engines (FLOOD.NET, FLOOD.HOST)]
The FLOOD signature engines detect attacks in which the attacker is directing a flood of traffic
to either a single host or the entire network. The FLOOD engines are commonly used to detect
DoS attacks. The following are the FLOOD signature engines:
[Slide: SERVICE engines (SERVICE DNS, SERVICE FTP, SERVICE Generic, SERVICE H225, SERVICE HTTP, SERVICE IDENT, SERVICE MSRPC)]
The SERVICE signature engines analyze traffic at and above Layer 5 of the Open Systems
Interconnection (OSI) architectural model. This analysis provides protocol decoding for
numerous network protocols such as Domain Name System (DNS), FTP, and HTTP.
The following are SERVICE signature engines:
SERVICE Generic: Emergency response engine that supplements the string and state
engines
SERVICE H225: Examines H.225 call signaling and call setup VoIP traffic
[Slide: SERVICE engines, continued (SERVICE MSSQL, SERVICE NTP, SERVICE RPC, SERVICE SMB, SERVICE SNMP, SERVICE SSH, SERVICE TNS, SERVICE Generic Advanced, SERVICE SMB Advanced)]
SERVICE MSSQL: This engine examines traffic used by Microsoft Structured Query
Language (SQL).
SERVICE NTP: This engine examines Network Time Protocol (NTP) traffic.
SERVICE RPC: This engine examines remote procedure call (RPC) traffic.
SERVICE SMB: This engine examines Server Message Block (SMB) traffic.
SERVICE SNMP: This engine examines Simple Network Management Protocol (SNMP)
traffic.
SERVICE TNS: This engine examines Transparent Network Substrate (TNS) traffic. TNS
is an industry-standard database network protocol.
SERVICE Generic Advanced: This engine examines generic network protocol traffic.
SERVICE SMB Advanced: This engine examines Microsoft SMB and Microsoft RPC
over SMB traffic.
Two new engines were added to the Cisco IPS Sensor Software Version 6.0: the SERVICE
SMB Advanced engine and the SERVICE TNS engine. TNS is a protocol used between
database clients and database servers. Both of these engines require an intimate knowledge of
the protocols that they inspect before writing signatures for them.
Both engines support regular expressions.
The SERVICE SMB Advanced engine processes Microsoft SMB and Microsoft RPC over
SMB packets. The SERVICE SMB Advanced engine uses the same decoding method for
connection-oriented Microsoft RPC as the SERVICE MSRPC engine, with the requirement that
the Microsoft RPC packet must be over the SMB protocol. The SERVICE SMB Advanced
engine supports Microsoft RPC over SMB on TCP ports 139 and 445.
The SERVICE TNS engine inspects the TNS protocol. TNS provides database applications
with a single common interface to all industry-standard network protocols. With TNS,
applications can connect to other database applications across networks with different
protocols. The default TNS listener port is TCP 1521. TNS also supports the redirecting of
frames, where a client is redirected to another host or to another TCP port or to both. To
support the redirecting of packets, the TNS engine listens on all TCP ports and has a quick TNS
frame header validation routine to ignore non-TNS streams.
[Slide: STRING engines (STRING ICMP, STRING TCP, STRING UDP, Multi STRING)]
The STRING signature engines support regular expression pattern matching and alarm
functionality for ICMP, UDP, and TCP. STRING signatures match patterns based on a stream
of packets, not a single atomic packet. Because network streams comprise more than one
packet, matches are made in context within the state of the stream. This type of signature
analysis considers the arrival order of packets in a TCP stream and handles pattern matching
across packet boundaries. The following are STRING signature engines:
[Slide: SWEEP engine]
The SWEEP signature engines detect attacks in which one system makes connections to
multiple hosts or multiple ports. The SWEEP engines are commonly used to detect network
reconnaissance. Here are two SWEEP signature engines:
SWEEP Other TCP: Detects odd sweeps and scans such as Insecure.Com Network
Mapper (Nmap) or Queso sweep.
SWEEP Engine
The SWEEP engine controls the following types of signatures:
ICMP
TCP
UDP
Signatures controlled by the SWEEP engine detect the following
types of sweeps:
Host sweeps
Port sweeps
Service sweeps
Port sweep: A single host attempting to connect to multiple ports on one host.
Service sweep: A single host attempting to access a given service on multiple hosts. (A
service sweep counts unique target hosts on the same port.)
The SWEEP Other TCP signature engine supports signatures that trigger when a mixture of
TCP packets, with different flags set, is detected on the network. Examples of this type of
sweep are the Queso or Nmap sweeps that send odd TCP flag combinations and attempt to
fingerprint the operating system of the target machine. This engine does not do unique counting
like the other SWEEP signature engines.
The Nmap OS Fingerprint signature is an example of a SWEEP Other TCP signature. This
signature looks for a unique combination of TCP packets that the Nmap tool uses to fingerprint
a remote operating system. The TCP Flags parameter specifies the TCP flags that the signature
looks for. Each of the TCP flag combinations that you specify must be detected for the
signature to fire. Unlike other TCP-based engines, this engine does not have a mask parameter.
The signature looks for the flags specified in the TCP Flags parameter and ignores any other
TCP flags.
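As an added example (not Cisco's code), this Python model expresses the fire decision described above: every combination in the TCP Flags parameter must be seen for one source and destination pair, unlisted flags are ignored because there is no mask, and nothing is uniquely counted; the flag combinations and addresses are constructed sample values.

```python
"""Added example, not Cisco code: a model of how a SWEEP Other TCP signature
decides to fire, as described above. Every flag combination listed in the
TCP Flags parameter must be seen from one source to one destination before the
signature fires; because the engine has no mask parameter, flags that are not
listed are ignored; packets are not uniquely counted. The combinations and
addresses used here are constructed sample values, not a real signature's.
"""
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names):
    """Encode a collection of flag names as the TCP flags byte."""
    bits = 0
    for name in names:
        bits |= TCP_FLAG_BITS[name]
    return bits


class SweepOtherTcp:
    def __init__(self, tcp_flags_param):
        # tcp_flags_param: the TCP Flags parameter, one set of flag names per
        # combination that must be detected.
        self.required = [flag_bits(combo) for combo in tcp_flags_param]
        self.matched = {}   # (src, dst) -> indexes of combinations seen so far

    def inspect(self, src, dst, flags):
        """Feed one packet's TCP flags byte; True when the signature fires."""
        seen = self.matched.setdefault((src, dst), set())
        for i, combo in enumerate(self.required):
            # No mask: only the listed flags are examined, so a combination
            # matches when all of its flags are set, whatever else is set.
            if flags & combo == combo:
                seen.add(i)
        if len(seen) == len(self.required):
            del self.matched[(src, dst)]   # re-arm for this pair (assumption)
            return True
        return False
```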
[Slide: TROJAN engines (TROJAN BO2K, TROJAN TFN2K, TROJAN UDP)]
Attackers can place backdoor Trojan programs on systems in your network to enable them to
operate from systems within your network. For example, when you download files from certain
sites on the Internet, you risk downloading files that contain Trojan programs. The Trojan
program can perform a variety of malicious acts, such as erasing your disk or enabling the
attacker to use your computer to commit DDoS attacks. The TROJAN engines detect Trojan
programs on your network.
The following are TROJAN signature engines:
TROJAN BO2K: Examines UDP and TCP traffic for nonstandard BackOrifice traffic
TROJAN TFN2K: Examines UDP, TCP, or ICMP traffic for irregular traffic patterns and
corrupted headers
BackOrifice is the original Microsoft Windows backdoor Trojan attack that runs over UDP.
BackOrifice 2000 (BO2K) soon superseded it. BO2K supports UDP and TCP with basic
(exclusive OR [XOR]) encryption. The TROJAN UDP signature engine handles the UDP
modes of BackOrifice and BO2K. The TROJAN BO2K signature engine handles the TCP
modes.
[Slide: TRAFFIC engines (TRAFFIC ICMP, TRAFFIC Anomaly)]
The TRAFFIC ICMP engine analyzes nonstandard protocols, such as TFN2K, Loki, and
DDoS. There are only two signatures that are based on the Loki protocol that have user-configurable parameters.
TFN2K is the newer version of Tribal Flood Network (TFN). TFN2K is a DDoS agent that is
used to control coordinated attacks by infected computers (zombies) to target a single computer
(or domain) with bogus traffic floods from hundreds or thousands of unknown attacking hosts.
TFN2K sends randomized packet header information, but it has two discriminators that can be
used to define signatures. One is whether the Layer 3 checksum is incorrect, and the other is
whether the hexadecimal character 0x41 (A) is found at the end of the payload. TFN2K can
run on any port and can communicate with ICMP, TCP, UDP, or a combination of these
protocols.
Loki is a type of backdoor Trojan attack. When the computer is infected, the malicious code
creates an ICMP tunnel that can be used to send small payload in ICMP replies, which can go
straight through a firewall if the firewall is not configured to block ICMP. The Loki signatures
look for an imbalance of ICMP echo requests to ICMP echo replies and simple ICMP code and
payload discriminators.
The DDoS category (excluding TFN2K) targets ICMP-based DDoS agents. The main tools
used here are TFN and Stacheldraht. They are similar in operation to TFN2K, but rely only on
ICMP and have fixed commands: integers and strings.
The TRAFFIC Anomaly engine is part of the anomaly detection feature that was added to the
Cisco IPS Sensor Software Version 6.0. It contains nine anomaly detection signatures covering
the three protocols TCP, UDP, and other. Each signature has two subsignatures, one for the
scanner and the other for the worm-infected host or a scanner under worm attack. When
anomaly detection discovers an anomaly, it triggers an alert for these signatures. All anomaly
detection signatures are enabled by default, and the alert severity for each one is set to high.
Engine Name: AIC FTP, AIC HTTP
The AIC engines, AIC HTTP and AIC FTP, provide Layer 4 to Layer 7 packet inspection for
HTTP and FTP. By tuning the built-in AIC engine signatures, you can create granular policies
for HTTP and FTP.
The AIC engines can inspect HTTP traffic when it is received on AIC web ports. If traffic is
web traffic but is not received on a designated AIC web port, the SERVICE HTTP engine is
executed.
You can tune the signatures controlled by these engines; however, it is recommended that you
only enable them, change their severity level, and change the actions that they take when
triggered. The recommended action for the following signatures, which detect the more
dangerous activity, is Reset TCP Connection:
Signature 12694 (Chunked Transfer Encoding Error): Indicates that an error was found
while decoding the chunked encoding
Signature 12674 (Alarm on NonHTTP Traffic): Indicates that someone is possibly using
an application other than HTTP on port 80
Configuration > Signature Definition: Sig0 (slide fields: Enable HTTP, Enable FTP, Max HTTP Requests, AIC Web Ports)
To use the AIC engines, you must first enable Application Policy enforcement. Application
Policy enforcement is disabled by default for both HTTP and FTP. If you enable Application
Policy enforcement for these protocols, the sensor checks to be sure that the traffic is compliant
with their respective RFCs.
Complete the following steps to enable Application Policy enforcement and configure its global
settings:
Step 1
Step 2
Step 3
Step 4
Step 5 Click the Enable HTTP value and choose Yes from the drop-down menu to enable Layer 4 to Layer 7 HTTP packet inspection.
Step 6 If you want to change the maximum number of outstanding HTTP requests per connection, click the Max HTTP Requests value and enter a value from 1 to 16 in the Max HTTP Requests field.
Step 7 If you want to modify the AIC ports, click the AIC Web Ports value and enter a port number or range of port numbers. Valid values range from 0 to 65535. The default port range appears as 80-80,3128-3128,8000-8000,8010-8010,8080-8080,8888-8888,24326-24326.
Step 8 Click the Enable FTP value and choose Yes from the drop-down menu to enable Layer 4 to Layer 7 FTP packet inspection.
Step 9
Note
The AIC HTTP engine is a superset of the SERVICE HTTP engine. If enabled, the AIC
HTTP engine handles the traditional SERVICE HTTP signatures.
The AIC FTP engine provides a way to inspect FTP traffic and control the commands being
executed. For example, this engine gives you the ability to choose which FTP commands from
a precompiled list are to be permitted into the network. It also enables you to have the sensor
take an action when it detects an FTP command that it does not recognize.
The AIC FTP engine controls the following types of signatures:
Unrecognized FTP command: This is used to have the sensor take an action when it
detects an FTP command that is not recognized. There is only one signature of this type,
signature 12900. Signature 12900 is disabled by default, and the default actions are
Produce Alert and Deny Connection Inline.
Define FTP command: This is used to associate an action with a specific FTP command.
Each FTP command signature applies to a specific FTP command. These signatures enable
you to choose which FTP commands are permitted into your network. The default actions
for the Define FTP command signatures are Produce Alert and Deny Connection Inline.
However, all FTP command signatures are disabled by default, and all FTP commands
defined in the RFC are permitted.
The AIC HTTP engine enforces RFC compliance for HTTP methods to prevent attackers
from manipulating HTTP methods to disguise the insertion of malicious code. You can
permit or deny specific HTTP methods such as GET or POST methods to granularly
control HTTP transactions.
The AIC HTTP engine verifies that the content type passed in a response message is one of
those listed in the Accept field of the request message. If a violation is detected, the action
assigned to the signature is taken.
The AIC HTTP engine provides worm mitigation by enabling you to create policies that
deny certain Multipurpose Internet Mail Extensions (MIME) types, such as JPEG or
Moving Picture Experts Group (MPEG) Layer 3 (MP3) files, to enter the network. If a
worm is associated with that MIME type, it is not allowed into the network. The sensor
contains a list of predefined MIME types from which you can choose. You can also add
other MIME types. The AIC HTTP engine also verifies that the content type specified in
the header is the same as that being passed in the body of the message. For example, if the
MIME type is JPEG, the sensor can verify that the message body is indeed a JPEG
message. This ability can help prevent attacks in which malicious code is contained in a
non-JPEG attachment under a JPEG MIME-type header. If a discrepancy is found, the
action that you assign to the signature is executed.
The AIC HTTP engine controls which transfer encoding methods are permitted into the
network. The acceptable transfer encoding methods are deflate, compress, gzip, identity,
and chunked.
The AIC HTTP engine controls content based on message content and type of data being
transferred.
The AIC HTTP engine enforces Uniform Resource Identifier (URI) length.
The AIC HTTP engine enforces message size according to the configured policy and the
header.
The AIC HTTP engine provides granular control over HTTP sessions to prevent abuse of
the HTTP protocol. You can control applications that attempt to tunnel over specified ports,
such as instant messaging (IM) and tunneling applications such as GoToMyPC. For
example, users can easily disguise file-sharing applications such as Kazaa by tunneling the
traffic through port 80. These types of activities can be accurately identified and
subsequently stopped. Increased understanding of activity targeted at subverting corporate
security policy eventually results in worm mitigation and bandwidth preservation.
The AIC HTTP engine can inspect HTTP traffic on any port as long as it is specified in AIC
web ports. Inspection and policy checks for peer-to-peer and IM applications are possible as
long as these applications are running over HTTP.
The AIC HTTP engine controls these six types of signatures, with the signatures to which they
apply:
Define web traffic policy: This is used to specify whether traffic not compliant with the
HTTP RFC is allowed into the protected network through web ports. You can tune the
alarm on the Non-HTTP TRAFFIC signature, which is the only signature of this type. If
you enable HTTP Application Policy enforcement and this signature is disabled, all
non-HTTP-compliant traffic is allowed. By default, this signature is disabled. It cannot be added
or deleted, but the values associated with it can be modified.
Content type: This is used for policies associated with MIME types. You can create
custom content type signatures, or you can tune the following built-in content type
signatures:
Content type signatures: These enable you to associate an action with a specific
MIME type. These signatures can take an action when one of the following events
occurs:
Content verification fails. For example, the MIME type mentioned in the header is
not the same as the content of the data being passed in the body. A magic number is
used for content verification.
There is a message-size violation for a specified MIME type. For example, you can
configure a signature to fire if a JPEG image is larger than 20 KB.
Recognized content type signature: This is used to specify MIME types that are
recognized by the sensor. The recognized content type signature contains a hard-coded
list of MIME types from which you can choose. By default, all MIME types in
the list are recognized by the sensor. If the sensor detects a MIME type that is not
recognized, the action corresponding to this signature is taken. This signature is
enabled by default.
Note
For the recognized content type signature, you can use the Enforce Accept Content Types
parameter to tell the sensor to verify that the content type mentioned in the HTTP response
message is one of the MIME types specified in the Accept field in the corresponding HTTP
request message. This parameter is disabled by default.
Message body pattern: This is used to define patterns that the sensor should look for in an
HTTP message. You can create a custom signature of this type or you can modify the
Yahoo! Messenger signature, which is the only built-in signature of this type. The patterns
for message body pattern signatures are defined by using regular expressions. By default,
everything in an HTTP message body is allowed through the sensor. You can use the
message body pattern signature type to create custom signatures that fire when they detect
patterns that you specify.
Request methods: These are used to define policies associated with HTTP request
methods. You can create custom request method signatures, or you can tune the following
built-in request method signatures:
Define request method signatures: These are used to have a signature take an
action when it detects a certain request method. The sensor contains a built-in
signature for each known RFC method.
Request method not recognized signature: This is used to specify request methods
that are recognized by the sensor. The request method not recognized signature
contains a hard-coded list of request methods from which you can choose. By
default, all request methods in the list are recognized by the sensor. If the sensor
detects a request method that is not recognized, the action corresponding to this
signature is taken. This signature is enabled by default.
Transfer encodings: These are used to define policies associated with transfer-encoding
methods. You can create custom transfer encoding signatures, or you can tune the
following built-in transfer encoding signatures:
Define transfer encoding signatures: These are used to have a signature take an
action when it detects a certain transfer encoding method. The sensor contains built-in
transfer encoding signatures, each of which is associated with a transfer encoding
method.
Chunked transfer encoding error signature: This is used to specify what actions
are taken when a chunked encoding error is detected.
Max outstanding requests overrun: This is used to have the sensor take an action when
the Max HTTP Requests value is exceeded. The max outstanding requests overrun
signature is the only signature of this type.
The Content Type Image/gif Header Check signature (signature 12621) is one of three content type
image/gif signatures. Like the other content type signatures, signature 12621 has the following subsignature IDs:
0 (for no additional details): Use subsignature 0 to have the sensor look only for the
specified MIME type in the packet header.
1 (for length): Use subsignature 1 to specify a size limitation for the MIME type named in
the signature. For example, if you want to specify a size limitation for a GIF image, use
signature 12621, subsignature 1, Content Type Image/gif Invalid Message Length.
2 (for content verification): Use subsignature 2 if you want the sensor to take an action
when it detects a message in which the magic number found in the body does not match the
content type specified in the header.
The default settings for the following AIC HTTP parameters enable the Content Type
Image/gif Header Check signature to drop the connection and generate an alert when it detects
the GIF MIME type by examining the packet header:
Event Action: The default setting is Deny Connection Inline and Produce Alert. You can
choose any Cisco IPS Sensor Software Version 6.0 event action from the menu.
Signature Type: The default setting is Content Types. You can choose any signature type
from the drop-down menu. The rest of the parameter options vary depending on the
signature type that you choose.
Content Types: The default setting is Define Content Type. This parameter is displayed
only if you choose Content Types as the Signature Type. You can choose Define
Recognized Content Types from the drop-down menu or you can accept the default setting.
Name: The default setting is image/gif. The Name parameter specifies the content type for
which the signature is defined. It is displayed only if you choose Define Content Type as
the Content Type.
Content Type Details: The default setting is No Additional Details, which configures the
signature to look only for the specified MIME type in the packet header. This parameter is
displayed only if you choose Define Content Type as the Content Type.
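The following Python example is added here to make the three subsignature checks and the related AIC HTTP checks concrete; it is not Cisco code. The magic-number table, the recognized-type list and the sample response are constructed for the example, since the sensor's own lists are not reproduced on the page. It applies the header-only policy match (subsignature 0), the message-length limit (subsignature 1), the magic-number content verification (subsignature 2), the recognized content type check, and the Enforce Accept Content Types check to one HTTP response:

```python
# Added example: models the AIC HTTP content type checks described above.
# The magic-number and recognized-type tables are constructed for this
# example; the sensor's own lists are not reproduced here.

MAGIC_NUMBERS = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}
RECOGNIZED_TYPES = set(MAGIC_NUMBERS) | {"text/html", "text/plain", "audio/mpeg"}


def media_type(content_type_header):
    """Strip parameters such as '; charset=...' and normalise case."""
    return content_type_header.split(";")[0].strip().lower()


def accept_allows(accept_header, ctype):
    """True when the request's Accept field lists ctype (wildcards honoured)."""
    major = ctype.split("/")[0]
    for item in accept_header.split(","):
        media = media_type(item)
        if media in ("*/*", ctype, major + "/*"):
            return True
    return False


def inspect_response(request_accept, response_content_type, body,
                     denied_types=frozenset(), size_limits=None,
                     enforce_accept=False):
    """Return the list of policy findings for one HTTP response.

    Each finding names, in the guide's terms, the signature type that would fire.
    """
    size_limits = size_limits or {}
    findings = []
    ctype = media_type(response_content_type)

    # Recognized content type signature: unknown MIME type in the header.
    if ctype not in RECOGNIZED_TYPES:
        findings.append(f"recognized-content-type: {ctype} not recognized")

    # Subsignature 0: header-only policy match on a denied MIME type.
    if ctype in denied_types:
        findings.append(f"subsig 0: header names denied type {ctype}")

    # Subsignature 1: message-size violation for this MIME type.
    limit = size_limits.get(ctype)
    if limit is not None and len(body) > limit:
        findings.append(f"subsig 1: {ctype} body {len(body)} bytes exceeds {limit}")

    # Subsignature 2: the magic number in the body must agree with the header.
    magics = MAGIC_NUMBERS.get(ctype)
    if magics and not any(body.startswith(m) for m in magics):
        findings.append(f"subsig 2: body magic number does not match {ctype}")

    # Enforce Accept Content Types: the response type must be one the client asked for.
    if enforce_accept and not accept_allows(request_accept, ctype):
        findings.append(f"enforce-accept: {ctype} not in Accept '{request_accept}'")

    return findings


# Constructed sample: a response that claims to be a GIF but carries a JPEG
# header, returned to a client that only asked for HTML.
SAMPLE_FINDINGS = inspect_response(
    request_accept="text/html",
    response_content_type="image/gif",
    body=b"\xff\xd8\xff\xe0" + b"\x00" * 100,
    size_limits={"image/gif": 20 * 1024},
    enforce_accept=True,
)
```

Only the first few bytes of the body are needed for the magic-number check, which is why the sensor can verify the content type before the whole message has been received; the length check, by contrast, needs the complete body.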
Some protocols have different states. Searching for specific patterns at these various states
enables you to create robust signatures. State machines provide this capability. A state machine
consists of a starting state and a list of valid state transitions. It stores the state of something
and, at a given time, can operate on input to move from one state to another or cause an action
or output to take place. State machines are used to describe a specific event that causes an
output or alarm.
The STATE engine enables your sensor to perform inspection at the various states of a Cisco
login, a line printer remote (LPR) format string, or the Simple Mail Transfer Protocol (SMTP).
The following are examples of STATE engine parameters:
State Machine: This enables you to choose one of the following state machines and then
use the State Name parameter to specify the state required to trigger the signature. The
State Name parameter specifies the state that the state machine must be in for the signature
to begin the search.
Cisco Login: This causes the signature to check for specific patterns at different
states in the Cisco login process. If you choose Cisco Login, you can choose one of
the following state names:
Cisco Device
Control C
Pass Prompt
Start
LPR Format String: This causes the signature to inspect the LPR protocol. If you
choose LPR Format String, you can choose one of the following state names:
Abort
Format Char
Start
SMTP: This causes the signature to check for specific patterns at different states in
the SMTP protocol. If you choose SMTP, you can choose one of the following state
names:
SMTP Commands
Abort
Mail Body
Mail Header
Start
Direction: This enables you to specify the direction of the traffic that triggers the signature:
From Service: The signature fires on traffic originating from the specified service
port.
To Service: The signature fires on traffic destined for the specified service port.
Service Ports: This enables you to specify a comma-separated list of ports or port ranges
where the target service may reside. Valid values range from 0 to 65535.
Note
The STATE engine has a hidden configuration file used to define the state transitions. This
enables the IPS engineers to deliver new state definitions in signature updates.
Cisco Login state transitions
Regular Expression String | Required State | Next State | Direction
UserAccessVerification | Start | CiscoDevice | FromService
CiscoSystemsConsole | Start | CiscoDevice | FromService
password[:] | CiscoDevice | PassPrompt | FromService
\x03 | PassPrompt | ControlC | ToService
(enable) | ControlC | EnableBypass | FromService
\x03[\x00-\xFF] | ControlC | PassPrompt | ToService
LPR Format String state transitions
Regular Expression String | Required State | Next State | Direction
[1-9] | Start | Abort | ToService
 | Start | FormatChar | ToService
[\x0a\x0d] | FormatChar | Abort | ToService
SMTP state transitions
Regular Expression String | Required State | Next State | Direction
[\r\n[250[] | Start | SmtpCommands | FromService
220[ ][^\r\n[\x7f\xff]*SNMP | Start | SmtpCommands | FromService
(HE|EH)LO | Start | SmtpCommands | ToService
[\r\n](235|220.*TLS) | Start | Abort | FromService
[\r\n](235|220.*TLS) | SmtpCommands | Abort | FromService
[Dd][Aa][Tt][Aa]|[Bb][Dd][Aa][Tt] | SmtpCommands | MailHeader | ToService
[\r\n]354 | SmtpCommands | MailHeader | FromService
[\r\n][.][\r\n] | MailHeader | SmtpCommands | ToService
[\r\n][2][0-9][0-9][ ] | MailHeader | SmtpCommands | FromService
([\r][\n]|[\n][\r]){2} | MailHeader | MailBody | ToService
[\r\n][.][\r\n] | MailBody | SmtpCommands | ToService
[\r\n][2][0-9][0-9][ ] | MailBody | SmtpCommands | FromService
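To show how the STATE engine uses a transition table like the ones above, here is an added Python example (not Cisco's implementation) that drives a small state tracker with the SMTP transitions as printed in the guide and then evaluates a hypothetical custom signature that searches for a pattern only in the MailBody state. The two SMTP rows whose regular expressions are damaged in the printed table are left out, the session and the CONSTRUCTED-MARKER pattern are constructed, and the per-direction two-byte tail used to anchor a CRLF across chunk boundaries is a simplification of stream inspection:

```python
import re

# Transitions copied from the guide's SMTP state table as
# (regular expression, required state, next state, direction). The two rows
# whose regular expressions are damaged in the printed table are left out.
SMTP_TRANSITIONS = [
    (r"(HE|EH)LO", "Start", "SmtpCommands", "ToService"),
    (r"[\r\n](235|220.*TLS)", "Start", "Abort", "FromService"),
    (r"[\r\n](235|220.*TLS)", "SmtpCommands", "Abort", "FromService"),
    (r"[Dd][Aa][Tt][Aa]|[Bb][Dd][Aa][Tt]", "SmtpCommands", "MailHeader", "ToService"),
    (r"[\r\n]354", "SmtpCommands", "MailHeader", "FromService"),
    (r"[\r\n][.][\r\n]", "MailHeader", "SmtpCommands", "ToService"),
    (r"[\r\n][2][0-9][0-9][ ]", "MailHeader", "SmtpCommands", "FromService"),
    (r"([\r][\n]|[\n][\r]){2}", "MailHeader", "MailBody", "ToService"),
    (r"[\r\n][.][\r\n]", "MailBody", "SmtpCommands", "ToService"),
    (r"[\r\n][2][0-9][0-9][ ]", "MailBody", "SmtpCommands", "FromService"),
]


class StateTracker:
    """Follows one session through a transition table, one chunk at a time."""

    def __init__(self, transitions, start="Start"):
        self.state = start
        self.transitions = [(re.compile(rx), req, nxt, d) for rx, req, nxt, d in transitions]
        # Last two characters seen in each direction, so a CRLF that ends one
        # chunk can anchor a pattern that begins in the next chunk.
        self.tail = {"ToService": "", "FromService": ""}

    def feed(self, direction, data):
        window = self.tail[direction] + data
        for regex, required, next_state, d in self.transitions:
            if required == self.state and d == direction and regex.search(window):
                self.state = next_state
                break
        self.tail[direction] = data[-2:]
        return self.state


class StateSignature:
    """A STATE-engine style signature: a pattern searched only in one state."""

    def __init__(self, regex, state_name, direction):
        self.regex = re.compile(regex)
        self.state_name = state_name
        self.direction = direction

    def matches(self, current_state, direction, data):
        return (current_state == self.state_name and direction == self.direction
                and self.regex.search(data) is not None)


def inspect_session(messages, signature, transitions=SMTP_TRANSITIONS):
    """Return (state after each chunk, indexes of chunks where the signature fired)."""
    tracker = StateTracker(transitions)
    states, fired = [], []
    for i, (direction, data) in enumerate(messages):
        # The signature is evaluated in the state the machine is in when the
        # chunk arrives; the chunk is then fed to the transition table.
        if signature.matches(tracker.state, direction, data):
            fired.append(i)
        states.append(tracker.feed(direction, data))
    return states, fired


# Constructed session. CONSTRUCTED-MARKER stands in for whatever body pattern a
# custom signature would look for; it appears once in a header and once in the body.
SAMPLE_SESSION = [
    ("FromService", "220 mail.example.test ESMTP\r\n"),
    ("ToService", "EHLO client.example.test\r\n"),
    ("FromService", "250 mail.example.test\r\n"),
    ("ToService", "DATA\r\n"),
    ("FromService", "354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("ToService", "From: a@example.test\r\nSubject: CONSTRUCTED-MARKER\r\n\r\n"),
    ("ToService", "Hello\r\nCONSTRUCTED-MARKER\r\n.\r\n"),
    ("FromService", "250 OK: queued\r\n"),
]

# Hypothetical custom signature: fire on the marker only inside the mail body.
BODY_SIGNATURE = StateSignature("CONSTRUCTED-MARKER", "MailBody", "ToService")
```

The marker occurs twice in the session, but the signature fires only on the chunk that arrives while the machine is in MailBody; a plain STRING TCP pattern would have matched the Subject header as well, which is the false-positive reduction the State Name parameter buys you.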
Nimda meta signature (slide example):
Signature 5081: cmd.exe Access
Signature 5124: IIS CGI Decode
Signature 5114: IIS Unicode Attack
Signature 3215: Dot Dot Execute
Signature 3216: Dot Dot Crash
Signature 5081 + 5124 + 5114 + 3215 + 3216 = Nimda
If the five signatures fire within a 3-second interval, the meta signature, Nimda, fires.
The META engine provides event correlation on the sensor. Using the META engine can
dramatically reduce the number of alerts generated by a worm. Multifaceted attacks, such as
Nimda, exploit a number of different vulnerabilities and can trigger several different signatures,
thereby generating many alerts. The META engine enables you to disable the component
signatures of the worm, so that they do not generate alerts, and to receive only a Meta alert that
indicates that the worm is present. Because the correlation is done on the sensor itself rather
than at a management console, the sensor can take action immediately.
The META engine provides a method of combining signatures. For example, you can use it to
combine UDP and TCP port SWEEP signatures. The main difference between the META
engine and other signature engines is its input. Regular engines take packets as input, while the
META engine takes signature events as input.
The META engine contains built-in signatures, but you can also create your own meta
signatures. For example, if you notice before a buffer overflow that you see a number of hosts
that are pinged and a number of ports that are scanned, you can create a signature that fires if it
detects this activity.
The following are examples of META engine parameters:
Meta Reset Interval: This is the time period in seconds during which the component
events must occur if this signature is to fire. Valid values range from 0 to 3600.
Component List: These are the component signatures of this meta signature. For each
component signature, you can set a component count parameter to specify the number of
times that the component signature must fire for the meta signature to fire.
Component List in Order: This enables you to specify whether the component signatures
must fire in a specific order for the signature to fire.
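As an added illustration of how these three parameters interact (this is example code, not the META engine's implementation), the following Python correlator keeps one window per attacker address, resets it when the Meta Reset Interval has elapsed, counts each component against its required count, and optionally insists on the component order. The Nimda component list is the one on the slide above; the event streams and addresses are constructed:

```python
from collections import defaultdict


class MetaSignature:
    """Correlates component signature events per attacker, as the META engine does."""

    def __init__(self, name, component_list, meta_reset_interval, in_order=False):
        self.name = name
        self.components = component_list                # [(signature id, required count)]
        self.meta_reset_interval = meta_reset_interval  # seconds, 0-3600 per the guide
        self.in_order = in_order
        self.windows = {}                               # attacker -> correlation window

    def _window(self, attacker, now):
        window = self.windows.get(attacker)
        if window is None or now - window["start"] > self.meta_reset_interval:
            # No window yet, or the reset interval elapsed: start over from this event.
            window = {"start": now, "counts": defaultdict(int), "index": 0}
            self.windows[attacker] = window
        return window

    def feed(self, now, sig_id, attacker):
        """Return True when this event completes the meta signature for attacker."""
        window = self._window(attacker, now)
        if self.in_order:
            # Only the next expected component counts; anything else is ignored.
            expected_id, needed = self.components[window["index"]]
            if sig_id == expected_id:
                window["counts"][sig_id] += 1
                if window["counts"][sig_id] >= needed:
                    window["index"] += 1
            complete = window["index"] == len(self.components)
        else:
            window["counts"][sig_id] += 1
            complete = all(window["counts"][s] >= n for s, n in self.components)
        if complete:
            del self.windows[attacker]  # meta alert raised; the next event opens a fresh window
        return complete


def correlate(events, meta):
    """Feed (time, signature id, attacker) events; return the times the meta signature fired."""
    return [t for t, sig_id, attacker in events if meta.feed(t, sig_id, attacker)]


# Nimda meta signature from the slide: five components, each once, within 3 seconds.
NIMDA = [(5081, 1), (5124, 1), (5114, 1), (3215, 1), (3216, 1)]

# Constructed event streams: (time in seconds, signature id, attacker address).
BURST = [(0.0, 5081, "192.0.2.10"), (0.5, 5124, "192.0.2.10"), (1.0, 5114, "192.0.2.10"),
         (1.5, 3215, "192.0.2.10"), (2.0, 3216, "192.0.2.10")]
SLOW = [(0.0, 5081, "192.0.2.10"), (1.0, 5124, "192.0.2.10"), (2.0, 5114, "192.0.2.10"),
        (4.0, 3215, "192.0.2.10"), (5.0, 3216, "192.0.2.10")]
SHUFFLED = [(0.0, 5124, "192.0.2.10"), (0.5, 5081, "192.0.2.10"), (1.0, 5114, "192.0.2.10"),
            (1.5, 3215, "192.0.2.10"), (2.0, 3216, "192.0.2.10")]
```

With the component signatures themselves set to produce no alert, the only event the operator sees for the burst is the single Nimda meta alert at 2.0 s; the slow stream never completes within one 3-second window, and the shuffled stream completes only when Component List in Order is off.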
NORMALIZER Engine
This topic discusses the NORMALIZER signature engine and its specific configuration
parameters.
NORMALIZER Engine
The NORMALIZER engine detects and corrects ambiguities and
abnormalities in traffic as packets flow through the data path.
The traffic that the NORMALIZER engine inspects is guaranteed
unambiguous because it is normalized before it is inspected.
The NORMALIZER engine performs such functions as:
Properly sequencing packets in a TCP stream
Reassembling fragmented IP packets
The NORMALIZER engine detects and corrects ambiguities and abnormalities in traffic as
packets flow through the data path. The result is that the NORMALIZER engine no longer
needs to consider potential ambiguities when analyzing the traffic. The traffic that the
NORMALIZER engine inspects is guaranteed unambiguous because it is normalized before it
is inspected.
Cisco IPS Sensor Software Version 6.0 contains an IP normalizer and a TCP normalizer. The
NORMALIZER engine provides the configuration interface for both normalizers. The TCP
normalizer performs such functions as properly sequencing packets in a TCP stream. The IP
normalizer performs such functions as reassembling fragmented IP packets.
Although you cannot use the NORMALIZER engine to create new signatures, you can tune all
of the signatures in the NORMALIZER engine. You can configure limits on system resource
use for any signature controlled by the engine. For example, you can configure the maximum
number of fragments that the sensor will attempt to track at the same time. The performance
impact of the normalizer functions depends upon the traffic sent to the NORMALIZER engine.
TCP sessions that are already in order take less time and impact performance less than TCP
sessions in which all the packets are out of order.
Note
You cannot add custom signatures to the NORMALIZER engine. You can tune the existing
ones.
The NORMALIZER engine enables the sensor to effectively watch traffic and enforce policy
when faced with wildly varying IP fragmentation implementations. Intentional or unintentional
fragmentation of IP datagrams can serve to hide exploits, making them difficult or impossible
to detect. In addition, fragmentation can be used to attempt to circumvent an access control
policy such as those found on a firewall or router. Some of these attacks are described in RFC
1858, Security Considerations for IP Fragment Filtering, and RFC 3128, Protection Against a
Variant of the Tiny Fragment Attack. To further complicate matters, different operating systems
use different methods to queue and dispatch fragmented datagrams. If the sensor attempted to
check for all possible ways that an end host reassembles the datagrams, the overhead of
processing the fragmented traffic could be used as a method for a DoS attack against the sensor.
The NORMALIZER engine handles this problem by reassembling all fragmented datagrams
inline.
As fragmented datagrams enter the data path, the NORMALIZER engine queues and
reassembles them. It then inspects the completed datagrams. The result of this process is that
the sensor no longer needs to consider potential ambiguities in interpreting the datagram. The
datagram that the NORMALIZER engine inspects is guaranteed unambiguous because it is
reassembled before it is inspected. After inspecting the complete datagram, the sensor
refragments packets as necessary for them to continue down the data path.
Note
The Frag Overlap signature is an example of the signatures within the NORMALIZER engine
and how they can be configured. The Frag Overlap signature fires when the fragments queued
for a datagram overlap each other. This signature does not fire when a datagram fragment is an
exact duplicate of another. Exact duplicates are dropped in inline mode regardless of settings.
When the sensor is running in promiscuous mode, the reassembly is done following the method
set in the fragment reassembly mode system settings.
When the sensor is running inline, the Modify Packet Inline action can remove the overlapped
data from all but one fragment so there is no ambiguity about how the endpoint treats the
datagram. The Deny Connection Inline action has no effect on this signature. The Deny Packet
Inline action drops the packet and all associated fragments for the datagram.
The following are examples of NORMALIZER engine parameters:
Fragment Reassembly Timeout: This is the number of seconds within which all
fragments for a datagram must arrive. The signature fires if not all fragments for the
datagram arrive before the fragment reassembly timeout. The timer starts when the first
packet for the datagram arrives. Valid values range from 0 to 360.
Max Old ACK: This enables you to specify the maximum number of old
acknowledgments (ACKs). If the signature detects more than the specified number of old
ACKs, it assumes that it has detected a session hijack and fires. Valid values range from 0
to 65535.
SYN Flood Max Embryonic: The synchronize/start (SYN) Flood Max Embryonic
parameter enables you to specify a maximum number of embryonic connections. The
signature fires if it detects more than the specified number of embryonic connections. Valid
values range from 0 to 2147483647.
Note
Signatures in the NORMALIZER engine have an additional action available to them. This
action, Modify Packet Inline, scrubs the packet and corrects irregularities such as bad
checksum, out-of-range values, and other RFC violations.
Summary
This topic summarizes the key points that were discussed in this lesson.
Summary
A signature engine is a component of the sensor that supports a
category of signatures. The Cisco IPS signature engines enable you
to tune built-in signatures and create new signatures.
Signature engines use their parameters to provide configuration of
signatures. Some parameters are common across all engines, such
as Signature ID, Alert Severity, and Sig Description. Other
parameters are unique to a specific engine.
ATOMIC signature engines support signatures that are triggered by
the contents of a single packet.
FLOOD signature engines detect attacks in which the attacker is
directing a flood of traffic to either a single host or the entire network.
The Cisco IPS Sensor Software Version 6.0 adds the SERVICE TNS
and SERVICE SMB Advanced engines.
STRING ICMP, STRING TCP, and STRING UDP are STRING
signature engines.
2007 Cisco Systems, Inc. All rights reserved.
Summary (Cont.)
The SWEEP engines are commonly used to detect network
reconnaissance. The SWEEP Other TCP signature engine supports
signatures that trigger when a mixture of TCP packets, with different
flags set, is detected on the network.
The TROJAN engines detect Trojan programs on your network.
The TRAFFIC ICMP engine analyzes nonstandard protocols.
You can tune the built-in AIC engine signatures to create granular
policies for HTTP and FTP.
State machines allow the Cisco IPS sensor to search for specific
patterns at various states within a protocol.
The META engine provides event correlation on the sensor and can
dramatically reduce the number of alerts generated by a worm.
The NORMALIZER engine properly sequences packets in a TCP
stream and reassembles fragmented IP packets.
Lesson 3
Customizing Signatures
Overview
This lesson provides an overview of reducing noise, false positives, and false negatives by
creating custom signatures. Sometimes the strategy will be to customize existing signatures,
other times, to create new signatures.
Objectives
Upon completing this lesson, you will be able to use the Cisco Intrusion Prevention System
(IPS) Device Manager (IDM) to tune and customize signatures to meet the requirements of a
given security policy. This ability includes being able to meet these objectives:
Tune and create signatures to focus a Cisco IPS sensor on the environment
Tuning Signatures
This topic introduces signature tuning.
Tuning Signatures
Why tune signatures in a Cisco IPS sensor?
To reduce background noise
To reduce false positives
To reduce false negatives
To closely sync to the networks and systems it is watching
(policy-based IPS)
To increase performance
Tuning is a complex art, where many compromises need to be
made in terms of performance, visibility, and correctness of the
Cisco IPS sensor output.
Tuning Cisco IPS sensors is important for various reasons. By default, a Cisco IPS sensor may have
all of its alerts turned on, which makes the sensor very noisy. Alternatively, only the signatures
that the vendor considers common for a general network may be turned on by default, and what
counts as common and general is the vendor's judgment. Signatures that are very important for one
type of organization may be irrelevant to a different type of organization.
You should tune the Cisco IPS sensor for the following reasons:
Many events may be completely irrelevant to the monitored network. If the Cisco IPS
sensor observes a series of Microsoft Internet Information Server (IIS)-based attacks on a
network of Apache servers, it would probably not interest the organization. This is of
course not true for attacks leaving the network of the organization. Those attacks can
indicate an infection.
You should tune the Cisco IPS sensor to filter out false positives. An Internet Control
Message Protocol (ICMP) packet usually does not signal an attack. An ICMP echo reply is
usually also quite harmless, unless its destination is a server, or if no ICMP traffic is
allowed to leave the network.
You should tune the Cisco IPS sensor if you want to reduce false negatives. Some
signatures that are important to the network setup of an organization may be turned off by
default or their threshold set too high.
It may be important to create custom signatures that fit the network setup. This is especially
true for policy-based and signature-based IPS.
If the network throughput is very high, and the traffic patterns are very chaotic and noisy,
the Cisco IPS sensor may not be able to handle the load. It may be important to turn off
certain unimportant, but noisy, events to increase the performance of the device.
You should tune the Cisco IPS sensor to reduce the level of background noise. This reason
is especially important for preventing operator denial of service (DoS) attacks. Receiving a
multitude of alerts may initially be exciting and fun to watch, but it will obscure important
events in a sea of unimportant data, or the operator will grow tired of sifting through
screens and screens of alerts. An organization can exclude many events from their
monitoring policy, because they almost never present a security-significant event.
Noise Reduction
This topic describes noise reduction and how to tune and create signatures to reduce noise.
Noise Reduction
Default Cisco IPS sensor settings usually result in noisy output:
Networks are noisy by nature.
Noise overloads the operator.
Goal: Reduce noise in the Cisco IPS sensor output, without
causing false negatives in the process
Strategy: Filter out events that never, or extremely rarely, signal
an attack
If the default setting of the Cisco IPS sensor is to have all of the alerts turned on, this makes the
Cisco IPS sensor very noisy when it is connected to a chaotic and noisy network. One type of a
noisy, chaotic network is a demilitarized zone (DMZ) network, where the firewall does not
filter adequately. Alternatively, if the firewall filters too much, the IPS designer may decide to
connect the Cisco IPS sensor on the outside segment to detect all of the traffic coming from the
Internet service provider (ISP).
A high amount of noise can overload the network administrator, resulting in an administrator
DoS. The goal of the IPS designer is to reduce the number of alerts without filtering out
important events. The designer can achieve this goal by disabling some alerts altogether or by
increasing the thresholds of others.
When you observe the Cisco IPS sensor alerts, you may see many NetBIOS name resolution alerts.
These alerts occur because Microsoft web servers try to resolve the NetBIOS name of each host
that connects to them. NetBIOS name resolution queries for the addresses of incoming clients, or
for the Port Address Translation (PAT) address of the firewall, are in most cases benign, and can
be filtered out of the Cisco IPS sensor output as noise when they are directed at client systems
or at non-Microsoft Windows servers.
Many IPS systems can be set to trigger alerts on ICMP echo-reply packets. ICMP echo-reply
packets are in many cases part of legitimate traffic, and indicate nothing more than connectivity
troubleshooting by inside and Internet users.
However, you should not turn off ICMP echo-reply alerts for the following devices:
Servers: Servers are rarely used for troubleshooting, and an echo-reply packet going to a
server might indicate some suspicious activity.
Nonexistent hosts: IP ranges that are legitimate on a network, but unused, should never
receive echo-reply packets. This would indicate suspicious activity.
Network devices: Even though network devices have IP addresses for management purposes,
they rarely originate echo requests, especially toward the Internet, so they should not
normally receive echo replies.
If the monitored network is behind a firewall, the firewall can filter out many events that are
considered noisy. It is important for the IPS operator, when tuning the Cisco IPS sensor for noise
reduction, to know the configuration of the firewall, or at least the security policy that it
should enforce. Alerts that are considered unimportant and noisy in other environments may become
very important in a filtered environment, because there they should not trigger at all. Therefore,
do not disable such signatures in controlled and quiet environments.
When configuring the Cisco IPS sensor for noise reduction, remember the following guidelines:
Noise reduction matters most when the IPS operator is not highly skilled. Once the noise is
removed, instruct the operator that the majority of the remaining alerts are important and that
further investigation is necessary.
If possible, when turning off the console display of alerts for noisy events, do not turn off
their detection. When researching an incident later, it is best to have as much information
available as possible.
If you disable an alert for a signature, ensure that the attacks that may be missed are
identified. For attacks that are important to catch, try to design a custom signature that is
not too noisy.
Periodically rethink the strategy in light of new attacks that may appear. Also, whenever
possible, take time to go through unfiltered logs to check if the noise that was filtered out is
just noise.
False positive alerts differ from noise in one important detail; they are triggered by symptoms
that indicate attacks. However, sometimes legitimate activity can trigger such symptoms.
The following are examples of false positives:
A user with malicious intent may perform network mapping, or a network administrator
may have purchased a new management program, that maps the network when run for the
first time.
A specific but otherwise legitimate part of a mail header could be detected as a mail worm.
Such a mail header may also be a part of a nonmalicious mail message.
Directory traversal attacks on a web server contain the string "..", but relative links may also
be part of a legitimate web page. Such a design enables the administrator to move portions of
the site to a new root directory without creating broken links.
When filtering out such alerts, be very careful. It may be safer to live with false positives than
to turn off such alerts.
Selectively disable alerts (console output) for signatures that produce false positives, or
disable such signatures entirely.
Match the signature more precisely to the environment. For example, to detect dot-dot
(..) HTTP attacks, define a STATE.HTTP signature that triggers on directory traversal
attempts, but not on the portion of the site where relative HTML links have caused the
false positives.
Tunable content:
Change the range of allowed parameters
(for example, exclude a destination port)
Modify string matching: tighten the pattern to lower matches
of legitimate data
Another way to tune alert triggering is to change the thresholds used inside a signature. For
example, if the signature considers five TCP synchronize/start (SYN) packets sent to five hosts
a TCP SYN scan, and such packets coincide with a normal usage pattern in the network, the
operator might want to raise the threshold from 5 packets to a higher number, such as 20
packets. In other words, increase the limits that are exceeded too soon, so that the Cisco IPS
sensor does not flag legitimate behavior as an attack. However, ensure that a modified signature
does not cause false negatives, and where possible apply the tuned threshold only to the single
host that needs it.
Another method of trigger tuning is to tune the content of a signature, that is, the data on
which the signature triggers. For example, a web signature that is meant to trigger when a certain
file is accessed with certain malicious input parameters might simply match the filename in an
HTTP session. Such a loose match triggers alerts for any access to that file. Because the
signature is built using string matching, tighten the string-matching pattern so that the known
malicious input is also required for the trigger.
Consider the following guidelines when reducing the rate of false positives:
Unskilled or overworked operators gain the most from reducing the amount of unnecessary
alerts.
If you disable an alert for one signature, ensure that the attacks that may be missed are
identified. For specific attacks that the organization is interested in catching, build custom
signatures.
Perform tunings periodically; some applications will trigger false alerts weekly, monthly,
and so on.
Do not forget to re-evaluate the filters periodically; the administrator may need to turn
some alerts back on when new attacks are invented.
Always try to apply the modified, more complex signature only to the relevant target (that
is, a host, a subnet, and so on). This preserves the performance of the Cisco IPS sensor,
because only the required hosts have their signatures tuned.
False negatives are alerts that should be triggered, but are not. Ideally, there should be no false
negatives. However, tuning may have turned off some alerts, or created thresholds that are too
high for the alert to trigger. If these things are creating false negatives, the IPS designer must
redefine these settings.
To catch false negatives, it is important to periodically check the Cisco IPS sensor logs and
search for events that should have triggered alerts but did not. It is also important to check
server logs for strange events and correlate them with the Cisco IPS sensor logs; this is how you
find false negatives caused by IPS evasion techniques. Cisco Security Agent, which runs on the
host itself, can be very useful in catching false negatives.
Several signature settings can be tuned to reduce the number of false negatives; the guidelines
that follow describe them. You can also create custom signatures that clearly define the
malicious traffic. It is important that you write any custom signatures to anticipate predictable
variations that the attack may take.
Note
All of these actions can also increase the amount of false positive alerts.
Increase the time span that a Cisco IPS sensor uses to detect scans and sweeps. This
configuration is useful for detecting slower scans. If you change the settings of the sensor,
be aware that the changes can cause the sensor to consume more resources, and for a longer
time, so it is important to monitor resource utilization afterward.
If the number of correlated events that must happen is too high, try to lower the limit. For
example, if the Cisco IPS sensor triggers a network sweep for 15 hosts or more, and the
administrator is monitoring a network of 8 hosts, the Cisco IPS sensor will not detect a
network sweep.
When possible, try to modify the settings on a per-host basis. Always try to apply the
modified, more complex signature only to the relevant target (that is, a host, a subnet, and
so on). This preserves the performance of the Cisco IPS sensor, because only the required
hosts have their signatures tuned.
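The following Python example is added here and is not part of the course material or of the Cisco IPS software; it models the sweep-threshold tuning described above and in the false-positive discussion earlier (a distinct-host count inside a time window) so that the effect of the two knobs can be seen on data. The SYN records, addresses, and the per-source override mechanism are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not captured traffic): (seconds, source, destination) of TCP SYNs.
SAMPLE_SYNS = (
    # 10.0.0.5 is a management station whose discovery tool touches 6 hosts in under 2 s
    [(t * 0.3, "10.0.0.5", f"10.0.1.{n}") for t, n in enumerate(range(1, 7))]
    # 198.51.100.7 sweeps 12 hosts slowly, one every 40 s (a slow scan)
    + [(100 + n * 40, "198.51.100.7", f"10.0.2.{n}") for n in range(12)]
    # 10.0.0.9 is an ordinary user talking to two servers
    + [(5, "10.0.0.9", "10.0.1.10"), (6, "10.0.0.9", "10.0.1.10"), (7, "10.0.0.9", "10.0.1.11")]
)


def detect_sweeps(events, unique_hosts=5, window=15.0, per_source=None):
    """Return the set of sources that reached at least `unique_hosts` distinct
    destinations inside any sliding window of `window` seconds.

    `per_source` maps a source address to its own (unique_hosts, window) pair,
    so a raised threshold is applied only to the host that needs it instead of
    to the whole network (the per-host tuning the guide recommends)."""
    per_source = per_source or {}
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))

    flagged = set()
    for src, seen in by_src.items():
        need, span = per_source.get(src, (unique_hosts, window))
        start = 0
        for end in range(len(seen)):
            # slide the window start forward until it fits inside `span` seconds
            while seen[end][0] - seen[start][0] > span:
                start += 1
            if len({dst for _, dst in seen[start:end + 1]}) >= need:
                flagged.add(src)
                break
    return flagged


def tuning_comparison():
    """Three passes over the same data:
    1. default 5 hosts / 15 s: the management station is a false positive,
       the slow scanner is a false negative;
    2. threshold raised to 20 for the management station only: no alert at all;
    3. window widened to 600 s (plus the per-host override): the slow scan is caught."""
    default = detect_sweeps(SAMPLE_SYNS)
    raised = detect_sweeps(SAMPLE_SYNS, per_source={"10.0.0.5": (20, 15.0)})
    longer = detect_sweeps(SAMPLE_SYNS, window=600.0, per_source={"10.0.0.5": (20, 15.0)})
    return default, raised, longer
```

Widening the window is what makes the sensor keep more state per source for longer, which is why the guide tells you to watch resource utilization after such a change.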
To combat false negatives, tune the signature content to describe the attack more generically;
that is, include all of the variations and mutations that the Cisco IPS sensor has missed so far.
This tuning can involve the following:
Change the range of allowed parameters for a signature; for example, look for a specific
string on more than one destination port in TCP sessions.
Add other possible representations of the attack data to the pattern, if string matching uses
regular expressions.
Always try to apply the modified, more complex signature only to the relevant target (that
is, a host, a subnet, and so on). Doing so preserves the performance of the Cisco IPS sensor,
because only the required hosts have their signatures tuned.
Note
A very complex regular expression can lower the performance of the Cisco IPS sensor.
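The following Python example is added here and is not part of the course material or of the Cisco IPS software. It serves both the false-positive tuning described earlier (tightening a string-matching signature so that the filename alone does not fire) and the false-negative tuning just described (catching the encoded variant of the same attack by deobfuscating before matching). The script name "report.cgi", its "template" parameter, and the request lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed HTTP request lines (not captured traffic); the script name and
# the "template" parameter are hypothetical, chosen only to illustrate tuning.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/report.cgi?template=monthly HTTP/1.1",                    # legitimate use
    "GET /cgi-bin/report.cgi?template=../../../../etc/passwd HTTP/1.1",     # traversal attempt
    "GET /cgi-bin/report.cgi?template=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",  # same attack, URL-encoded
    "GET /docs/../images/logo.png HTTP/1.1",                                # relative link elsewhere on the site
]

# Loose content: matches the filename only, so every access fires (false positives).
LOOSE = re.compile(r"report\.cgi")
# Tightened content: the filename AND the malicious parameter value are both required.
TIGHT = re.compile(r"report\.cgi\?[^ ]*template=(\.\./)+")
# A generic dot-dot signature: catches traversal anywhere, but also relative links.
GENERIC = re.compile(r"\.\./")


def evaluate(pattern, requests, deobfuscate=False):
    """Return the indexes of the requests that the pattern fires on.

    With deobfuscate=True the request line is percent-decoded before matching,
    which stands in for the sensor's HTTP deobfuscation; without it the encoded
    variant slips past a pattern written for the plain form (a false negative)."""
    hits = []
    for i, line in enumerate(requests):
        candidate = unquote(line) if deobfuscate else line
        if pattern.search(candidate):
            hits.append(i)
    return hits
```

Run over the sample, LOOSE fires on the legitimate request as well as the two attacks; TIGHT fires only on the plain attack until deobfuscation is enabled, after which it also catches the encoded one; GENERIC catches both attacks (once decoded) but also the relative link, which is exactly the false positive the guide says to scope out by applying the signature only to the relevant part of the site.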
Combating Evasion
Enable all available anti-evasion measures
Detect conditions that should not occur normally:
Fragmentation overlaps and fragmentation database timeouts
TCP stream or sequence overlaps
Sensor running out of memory
Unexpected dropping packets on sensor
When server or firewall logs report strange events, but the Cisco IPS sensor logs do not, the
reason is usually IPS evasion. In such an event, it is important to check these things:
The resources on the sensor and system logs (It may be possible that some type of DoS
attack on the sensor itself was performed.)
The network topology and routing configurations, to eliminate possible external causes for
detection failure
Additionally, consider increasing the IP packet and TCP stream reassembly timeouts, if you
suspect continuous evasion.
Periodically check the Cisco Security Agent, firewall, and host logs. Correlate the data with
the Cisco IPS sensor logs to find events that the sensor did not detect. Cisco Security
Monitoring, Analysis, and Response System (MARS) is a useful tool for this correlation.
Note
Correlation is much more accurate when all system clocks are synchronized. If possible, use
the same, trusted, Network Time Protocol (NTP) source for all of the network devices and
servers.
Tune signature thresholds for events that the Cisco IPS sensor did not detect. Lower the
restrictions on the signature. For example, specify that fewer packets are required to detect
a sweep, or increase the timeout if resources permit.
Employ maximum anti-evasion measures. Increase IP packet and TCP stream reassembly
timeouts. Turn on deobfuscation for signatures that require it. While some evasion
techniques might be successful, the IPS analyst must be able to detect evasion attempts to
further investigate such an event. Some Cisco IPS sensor alerts can help indicate evasion
attempts, such as overlapping fragments, fragment timeouts, and dropped packets, or are
even dedicated to catch evasion attempts. Cisco IPS Sensor Software Version 6.0 catches
attempts with special characters, such as a carriage return in the URL.
It is important for the operator to be familiar with the environment, and to tune the Cisco IPS
sensor to match the behavior of the environment as best as possible.
To be able to focus the Cisco IPS sensor, you must be aware of the following:
Fragment reassembly: TCP/IP stacks differ in how they reassemble overlapping IP fragments
and TCP segments. In some stacks, newly arrived data overwrites the data that is already in
the buffer. Other stacks fill only the blank spaces in the buffer with the new data; in
effect, the older data takes precedence over the newer data.
Microsoft Windows NT 4.0 used to crash with a Blue Screen of Death (BSOD) upon
receiving a TCP packet with the urgent (URG) bit set in the header.
Note
Ensure that the focus is on the application attacks that are important for the observed
system. Attacks against the Apache web server are meaningless on a system with IIS
installed.
The goal of tuning the Cisco IPS sensor to the environment is to gain maximum coverage while
not overloading the system. In mixed environments, this may mean covering as many hosts as
possible, while risking some IPS evasion for the remaining minority. Because of this, it is
recommended that you do the following:
Always tune fragmentation settings. This is a systemwide setting and applies to all
monitored traffic. For the reassembly algorithms, use the reassembly setting that covers the
majority of hosts, or at least use the setting that covers the most important systems that the
Cisco IPS sensor is protecting.
Turn on deobfuscation only for relevant triggers. Turning on deobfuscation for attacks that
can be detected without it needlessly consumes valuable system resources. Deobfuscation
inside the HTTP protocol is turned on for all HTTP signatures by default, and it uses the
Microsoft IIS dialect; that is, the Cisco IPS sensor interprets obfuscated data as Microsoft
IIS would.
Turn on alerts for noisy events only for the most vulnerable or most valuable hosts.
Windows Guidelines
The recommended general tuning settings for watching
Windows server operating systems are:
IP reassembly: ReassembleMode = NT
All IIS signatures enabled
Enable specific RPC/NBT signatures (NULL access, guest
access, password guessing)
Enable general RPC/NBT signatures depending on role of server
(not on a fileserver)
Deobfuscation on by default using IIS dialect
Use the following settings for a Cisco IPS sensor that is set to monitor mainly Microsoft
Windows systems:
IP reassembly = NT. Recommended ReassembleMode values for the most common operating
systems are as follows:
Solaris for SunOS and Solaris: time order, later data always overwrites previous data
NT for Windows NT, 2000, and 2003: reverse time order, so the data that arrived first for
an overlapping byte is kept
Deobfuscation inside the HTTP protocol is turned on for all HTTP signatures by default,
and it uses the Microsoft IIS dialect; that is, the Cisco IPS sensor interprets obfuscated
data as Microsoft IIS would.
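The following Python example is added here and is not part of the course material or of the Cisco IPS software. It models the two reassembly policies named above (and in the fragment-reassembly point of the previous page) on a constructed pair of overlapping fragments, to show why the sensor's ReassembleMode must match the protected host: the same fragments reassemble to a harmless request under one policy and to a traversal attempt under the other. The request, the "template" parameter, and the fragment offsets are all hypothetical.

```python
import re

# Constructed overlapping IP fragments (not captured traffic), as (offset, payload)
# in arrival order. The first fragment carries a harmless request; the second
# overlaps the parameter value (byte 25 onward) with a traversal string of the
# same length. Script and parameter names are hypothetical.
FRAGMENTS = [
    (0, b"GET /report.cgi?template=monthly_v01.tpl HTTP/1.0"),
    (25, b"../../../../etc"),
]
TRAVERSAL = re.compile(rb"\.\./")


def reassemble(fragments, later_wins):
    """Rebuild the datagram from overlapping fragments.

    later_wins=True : time order, later data always overwrites earlier data
                      (the guide's Solaris ReassembleMode).
    later_wins=False: reverse time order, the earliest data seen for a byte is
                      kept and later overlaps are ignored (the guide's NT mode).
    Returns None if the fragments leave a hole, as a real stack would not pass
    an incomplete datagram up the stack."""
    size = max(off + len(data) for off, data in fragments)
    buf = bytearray(size)
    filled = [False] * size
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if later_wins or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    return bytes(buf) if all(filled) else None


def evades(fragments, sensor_later_wins, host_later_wins, pattern=TRAVERSAL):
    """True when the protected host sees the attack but the sensor does not,
    i.e. when a mismatched ReassembleMode turns the overlap into an evasion."""
    sensor_view = reassemble(fragments, sensor_later_wins)
    host_view = reassemble(fragments, host_later_wins)
    host_hit = host_view is not None and pattern.search(host_view) is not None
    sensor_hit = sensor_view is not None and pattern.search(sensor_view) is not None
    return host_hit and not sensor_hit
```

With the sensor in NT mode and a Solaris-style host behind it, `evades` returns True: the host executes the traversal while the sensor, which kept the first fragment's bytes, saw only the harmless template name. This is why the guide says to choose the reassembly setting that covers the majority of hosts, or at least the most important ones.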
Solaris Guidelines
Recommended general tuning settings for watching
Solaris servers are:
IP reassembly: ReassembleMode = Solaris
Enable specific UNIX RPC signatures
Enable specific r-services signatures
Watch general r-services
(depending on legitimate use of r-services)
Enable general RPC/NFS signatures depending on role of server
(not on a fileserver)
Use the following settings for a Cisco IPS sensor that is set to monitor mostly Solaris systems:
Create policy-based connection signatures for other r-services such as remote shell
(RSH), remote execution (rexec), and so on.
Enable general RPC/Network File System (NFS) signatures, depending on the role of the
server. (Note that NFS may use User Datagram Protocol (UDP) or TCP. Enabling all NFS
signatures may not be suitable for an NFS server, where user mistakes are common and
some alerts, for example failed file server logins, would trigger too often to be analyzed by
the IPS analyst.)
Linux Guidelines
Recommended general tuning settings for watching Linux
servers are:
IP reassembly: ReassembleMode = Linux
Enable specific UNIX RPC signatures
Enable specific r-services signatures
Watch general r-services
(depending on legitimate use of r-services)
Enable general RPC/NFS signatures depending on role of server
(not on a fileserver)
Use the following settings for a Cisco IPS Sensor set to monitor mostly Linux systems:
Rlogin signatures
Create policy-based connection signatures for other r-services such as RSH, rexec,
and so on
Enable general RPC/NFS signatures, depending on the role of the server. (Note that NFS
may use UDP or TCP. Enabling all NFS signatures may not be suitable for an NFS server,
where user mistakes are common and some alerts, for example failed file server logins,
would trigger too often to be analyzed by the IPS analyst.)
To help focus the Cisco IPS sensor, create policy-based signatures when you are monitoring
controlled environments, such as DMZ networks or dedicated portions of the network. Ensure
that alerts trigger for everything that the security policy does not permit.
The following are examples of creating signatures for unauthorized protocols or types, based on
a network security policy:
Detect the use of ICMP types, such as echo request and echo reply, redirect messages, and
so on.
Note
Destination unreachable ICMP packets are part of normal TCP/IP traffic when maximum
transmission unit (MTU) path discovery is used.
Trigger alerts for all nonpermitted services. For example, if your network allows only FTP,
trigger alerts on every other service.
Detect unauthorized actions. For example, if designing a special dedicated web site for an
internal application, create a custom STATE.HTTP signature, which detects Uniform
Resource Identifiers (URIs) that do not match the site.
If the environment permits it (there is not much traffic or noise on the network), turn on
nearly all of the signatures.
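The following Python example is added here and is not part of the course material or of the Cisco IPS software. It expresses the policy-based approach just described as detection logic over constructed connection records for a hypothetical DMZ: alert on every TCP service except the permitted one (FTP control), on every ICMP type except those normal traffic needs (with destination unreachable allowed, as the note on path MTU discovery requires), and on every URI that does not belong to a dedicated internal web application. The DMZ prefix, addresses, permitted ports, and the application's URIs are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical policy for a DMZ (constructed for this example).
DMZ = ip_network("10.1.1.0/24")
PERMITTED_TCP = {21}            # only FTP control is allowed into the DMZ
PERMITTED_ICMP_TYPES = {3, 11}  # destination unreachable (needed for path MTU discovery), time exceeded
# The only URIs the dedicated internal application is supposed to serve.
SITE_URI = re.compile(r"^/app/(login|report|logout)(\?[A-Za-z0-9=&_.-]*)?$")

# Constructed connection records (not captured traffic):
# "<proto> <source> <destination> <tcp port | icmp type | request URI>"
SAMPLE_EVENTS = [
    "tcp 203.0.113.5 10.1.1.10 21",                                    # permitted FTP
    "tcp 203.0.113.5 10.1.1.10 22",                                    # SSH is not permitted
    "icmp 203.0.113.5 10.1.1.10 8",                                    # echo request from outside
    "icmp 203.0.113.9 10.1.1.10 3",                                    # destination unreachable (PMTUD)
    "icmp 203.0.113.9 10.1.1.10 5",                                    # redirect
    "http 10.2.2.2 10.1.1.20 /app/login",                              # the application's own URI
    "http 10.2.2.2 10.1.1.20 /cgi-bin/report.cgi?template=../../etc",  # outside the application
]


def policy_alerts(events):
    """Return (record, reason) pairs for every record the DMZ policy does not permit.
    Records whose destination is outside the DMZ are ignored, which is how the
    policy stays scoped to the controlled segment."""
    alerts = []
    for line in events:
        proto, src, dst, detail = line.split(" ", 3)
        if ip_address(dst) not in DMZ:
            continue
        if proto == "tcp" and int(detail) not in PERMITTED_TCP:
            alerts.append((line, "nonpermitted service"))
        elif proto == "icmp" and int(detail) not in PERMITTED_ICMP_TYPES:
            alerts.append((line, "nonpermitted ICMP type"))
        elif proto == "http" and not SITE_URI.match(detail):
            alerts.append((line, "URI outside the application"))
    return alerts
```

The point of this style of signature is that it does not need to know what the attack looks like: anything the policy does not permit is an event, so the traversal attempt in the last record is caught by the URI allowlist without any dot-dot pattern at all.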
If the Cisco IPS sensor monitors noisy networks that have high volumes of traffic, performance
of the sensor may become an issue, and the sensor may not be able to detect all of the events. In
such conditions, it becomes important to tune the sensor, or to make changes to the
environment to avoid uncontrolled loss of detection capabilities.
Generally, as a designer, you can do the following to increase the performance of a Cisco IPS
sensor:
Enable additional filtering on the firewall that does not break any legitimate network use.
Reduce IPS detection capabilities for events that are not important for the current
environment. For example, you can turn off signatures for IIS web servers, if no such
servers are present. By doing this, some visibility may be lost, but the system would gain
an additional performance edge.
Use multiple sensors so that you can divide the task of monitoring between them.
The sensor itself may detect performance issues, or a network administrator may notice
performance issues on other devices.
Both the Cisco IPS 4200 Series Sensors and the Cisco Catalyst 6500 Series Intrusion
Detection System Services Module 2 (IDSM-2) trigger alerts when the system drops
packets.
If the Cisco IPS sensor is connected to a Switched Port Analyzer (SPAN) port of a network
switch, the network switch may report packet loss for this port.
(Figure: Cisco IPS sensor placed behind the firewall, between the untrusted and trusted segments)
A correctly configured firewall filters out the majority of noise, letting through only legitimate
traffic, at least up to Open Systems Interconnection (OSI) Layer 4, although some firewalls can
also filter protocol data units for Layer 5 to Layer 7.
By placing the Cisco IPS sensor behind a firewall, the firewall will filter most of the low-level
noise, thus enabling the Cisco IPS sensor to focus on attacks in the traffic that the security
policy explicitly permits.
With the Cisco Catalyst 6500 Series IDSM-2, you can perform selective capture by setting the
appropriate VLAN access control lists (VACLs), which capture only a subset of traffic off the
switch backplane and copy it to the Cisco Catalyst 6500 Series IDSM-2. Therefore, the Cisco
Catalyst 6500 Series IDSM-2 receives only a copy of the packets that are suitable for analysis,
and completely ignores the rest of the traffic. Using SPAN on a switch to monitor only
unidirectional (receive [Rx] or transmit [Tx]) traffic on a port or VLAN achieves a similar, but
less granular, selective capture effect.
(Figure: e-commerce server placed between the untrusted and trusted segments)
By selectively disabling all unneeded signatures, the Cisco IPS sensor resources are free to
process the remaining events. In some cases, it is advisable to review the string-matching
signatures and create simpler rules. As a result, the rate of false positives may increase, but no
events are lost. You can use other techniques to mitigate the false positives.
(Figure: sensors between the untrusted and trusted segments, one of them running Layer 5 to Layer 7 signatures only)
To prevent loss of attack detection, use Cisco IPS sensor load balancing. Place more sensors on
the same network segment, and configure them to detect different types of events.
Configure one of the sensors to detect only low-level attacks, such as network sweeps, port
scans and policy violations, and configure the other sensor to detect application-level
attacks.
Configure one of the sensors to detect only UNIX-based attacks, and configure the other to
detect Microsoft Windows-based attacks.
Configure one of the sensors to detect only attacks on web servers, and configure the other
to detect UNIX RPC and NFS attacks.
Sometimes it is possible to split the traffic entering the network. This reduces the amount of
traffic that each sensor must monitor. The IPS designer can use the same configuration for all
sensors.
If multiple servers are present, place them on separate network segments, and use a
separate sensor for each segment.
Use equal cost routing (ECR) to split the traffic in half. In such cases, use Network Address
Translation (NAT) to enforce the same path for return traffic.
Use firewall load balancing, as the figure illustrates, with Cisco IPS sensors behind each
firewall. Such a setup is the most transparent and scalable solution, and no NAT
configuration is necessary to achieve symmetric routing.
(Figure: Untrusted and Trusted segments with an E-Commerce Server behind load-balanced firewalls)
If possible or required, split the network into more segments and monitor each segment
separately.
Place servers in each network segment, and use Cisco IPS sensors to monitor each segment.
Divide the servers according to their role, and if necessary based on their operating system,
taking into account the fragment reassembly algorithms used for each operating system.
Configure each Cisco IPS sensor specifically for the network segment that it monitors, with the
detection engine and signatures tuned to the maximum. In the extreme, configure each Cisco
IPS sensor to monitor only the traffic from one host.
Unidirectional Capture
Unidirectional (simplex) capture can be used to increase
performance:
Use only if attacks can be identified by a unidirectional stream
Requires tuning of the Cisco IPS sensor engine (disable TCP
handshake tracking, use TCP loose reassembly)
Simple to do with the Cisco Catalyst 6500 Series IDSM-2
(only capture traffic to a destination TCP/UDP port)
If unidirectional monitoring is required, ensure that the TCP reassembly engine is tuned.
TCPStrictReassembly (strict or loose): A setting of loose indicates that the Cisco IPS
sensor does not need strict reassembly. Use the setting loose in environments where the
Cisco IPS sensor might drop packets or use unidirectional monitoring. A setting of strict
means that if the Cisco IPS sensor misses a packet for any reason, it does not process any
packets after that missed packet. The default setting is strict.
With a LAN switch that has capture functionality, such as the Cisco Catalyst 6500 Series
Switches, unidirectional monitoring is very simple to configure: copy only packets going to a
well-known destination port, such as HTTP, to the capture port (Cisco Catalyst 6500 Series
IDSM-2). Do not copy return traffic, packets with a source port of HTTP, or any traffic from
the web server, to the Cisco Catalyst 6500 Series IDSM-2 IPS engine.
Unidirectional capture situations might also arise when asymmetric routing is in place, for
example, with certain load-balancing designs. Always fix the design and only revert to simplex
capture if no other solution is possible. It is always best to see as much traffic as possible to
detect the largest number of anomalies.
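The strict-versus-loose distinction above is easiest to see on a stream with a hole in it. The following is an added illustration, not Cisco code and not the sensor's actual reassembly engine: a toy inspector for one direction of a TCP stream, where strict mode (the default) stops inspecting after a missed segment and loose mode resynchronizes and keeps inspecting. The segments, sequence numbers and the pattern `confidential` are constructed sample input; partially overlapping segments are not handled.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Segment:
    """One captured TCP segment in one direction of a connection (constructed input)."""
    seq: int          # sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamInspector:
    """Inspects one direction of a TCP stream for a byte pattern.

    strict=True models TCPStrictReassembly = strict: after a missed segment
    nothing further on the stream is inspected.
    strict=False models loose: the inspector skips the gap and carries on.
    """
    pattern: bytes
    strict: bool = True
    next_seq: Optional[int] = None                      # sequence number expected next
    halted: bool = False                                # set once strict mode gives up
    missed: int = 0                                     # gaps detected so far
    matches: List[int] = field(default_factory=list)    # seq of segments that matched

    def feed(self, seg: Segment) -> None:
        if self.halted:
            return
        if self.next_seq is None:
            self.next_seq = seg.seq          # first segment seen sets the baseline
        if seg.seq > self.next_seq:
            # data between next_seq and seg.seq was never seen by the sensor
            self.missed += 1
            if self.strict:
                self.halted = True           # strict: stop processing this stream
                return
            self.next_seq = seg.seq          # loose: resynchronize after the gap
        elif seg.seq < self.next_seq:
            return                           # retransmission of data already inspected
        if self.pattern in seg.payload:
            self.matches.append(seg.seq)
        self.next_seq = seg.seq + len(seg.payload)


def inspect_constructed_stream(strict: bool) -> StreamInspector:
    """Constructed client-to-server FTP stream in which one segment was dropped."""
    segments = [
        Segment(1000, b"USER anonymous\r\n"),                    # 16 bytes -> next_seq 1016
        # a 10-byte segment at seq 1016 never reached the sensor (simplex capture / drop)
        Segment(1026, b"PASS guest\r\nRETR confidential.doc\r\n"),
    ]
    insp = StreamInspector(pattern=b"confidential", strict=strict)
    for seg in segments:
        insp.feed(seg)
    return insp


if __name__ == "__main__":
    for mode in (True, False):
        r = inspect_constructed_stream(mode)
        print("strict" if mode else "loose",
              "halted=%s missed=%d matches=%s" % (r.halted, r.missed, r.matches))
```

In strict mode the string in the second segment is never examined because the stream was abandoned at the gap; in loose mode the gap is counted and the match is still reported, which is why loose is the setting to use when the sensor only ever sees one direction.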
Signature tuning can also help you detect and prevent network activity specific to your current
network environment. The following scenario provides an example.
A company FTP server stores software that is being beta tested by customers. The company
wants to detect unauthorized login attempts. The FTP Authorization Failure signature can be
tuned to detect these attempts and take the following actions:
(Figure: Edit Signature window, Event Action list)
The Edit Signature window enables you to tune signatures by changing the values of the
signature parameters. A + icon indicates that more parameters are available for the signature.
Click the + icon to expand a section and view the remaining parameters.
A green icon indicates that the parameter is currently using the default value. If you click the
green icon, it becomes a red diamond icon. This activates the Parameter field and enables you
to edit the value. Clicking the red diamond icon restores the default value.
After accessing the Edit Signature window for the FTP Authorization Failure signature, the
network security administrator tunes the signature as follows:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Hold down the Ctrl key while choosing Produce Alert from the Event Action list.
Step 7
Click OK. The Edit Signature window closes, displaying the Signature
Configuration panel.
Step 8
It does not use the inline packet drop to stop the TFTP traffic.
(Figure: Configuration > Signature Definition > Signature Configuration, Select By: Sig ID, Edit)
You can tune signature 4611 to meet your requirements by completing the following steps:
Step 1
Step 2
Step 3
(Figure: Event Counter section: Event Count, Event Count Key, Specify Alert Interval, Alert Interval; Alert Frequency section: Summary Mode)
Step 4
Expand the Engine icon to show the engine-specific parameters for the STRING
UDP engine.
Step 5
Step 6
Step 7
Hold down the Ctrl key and choose Deny Packet Inline. After you finish
configuring the signature and apply your configuration, signature 4611 will use the
inline drop action to stop TFTP traffic.
Step 8
Step 9
Step 10
Click OK.
For the example, you also must create an event filter that prevents the request from being
dropped when it originates from a legitimate management system. Filters are explained in the
Advanced Cisco IPS Configuration module.
Although the Cisco IDM Custom Signature Wizard is available to help you quickly and easily
create custom signatures, creating effective custom signatures is not a simple task. It requires
detailed knowledge of the attack for which you are creating the signature. In addition, a custom
signature can affect the performance of the sensor, and poorly written signatures can generate
false positives and false negatives. Before deploying a custom signature, you should carefully
test it to ensure that it behaves as expected. You should also analyze its impact on sensor
performance.
To establish a baseline and test the impact of a signature, choose Interface Configuration >
Traffic Flow Notifications to configure the Missed Packets Threshold and Notification
Interval settings. Then allow the sensor to run with the current signature set to see if the sensor
is handling the load. Adjust the values if needed. Then add a single custom signature and
monitor events for any status notifications.
The Custom Signature Wizard guides you through a step-by-step process for creating custom
signatures. It enables you to create custom signatures using either one of the following
methods:
Note
You can also create custom signatures without using the Custom Signature Wizard.
In the first scenario, a network security administrator wants to create a custom signature that is
triggered by SYN packets destined for port 23. The administrator decides to use the Custom
Signature Wizard to create the signature. The administrator decides, for the following reasons,
to use the ATOMIC IP engine to create the signature:
You can use the TCP Flags and TCP Mask parameters to specify the flag of interest.
You can use the Destination Port Range parameter to specify the destination port of
interest.
(Figure: Signature Definition > Custom Signature Wizard, Start the Wizard)
Complete the following steps to create the signature by specifying a signature engine in the
Custom Signature Wizard:
Step 1
Click Configuration, choose Signature Definitions, and then click the Custom
Signature Wizard tab. The Custom Signature Wizard panel is displayed.
Step 2
(Figure: Select Engine, Next)
Step 3
Click the Yes radio button. If you click No, the Wizard leads you through creating a
custom signature without using a signature engine.
Step 4
Choose Atomic IP from the Select Engine drop-down list. You can choose from the
following list of engines:
Step 5
Atomic IP
Service HTTP
Service MSRPC
Service RPC
State SMTP
String ICMP
String TCP
String UDP
Sweep
(Figure: Signature ID, Signature Name, Next)
Step 6
Accept the default Signature ID number 60000. Valid signature ID values range
from 60000 to 65000.
Step 7
Step 8
Step 9
(Optional) In the Alert Notes field, enter text to be associated with the alert if this
signature fires. Alert Notes text is reported to the Event Viewer when an alert is
generated.
Step 10
(Optional) In the User Comments field, enter notes or other comments about this
signature that you want stored with the signature parameters.
Step 11
(Figure: Specify Layer 4 Protocol, Layer 4 Protocol, TCP Flags, TCP Mask, Specify Destination Port Range, Destination Port Range, Next)
Step 12
Step 13
Step 14
Choose TCP Protocol from the Layer 4 Protocol drop-down list. If you are creating
an ATOMIC IP custom signature, you can choose one of the following from the
Layer 4 Protocol drop-down list.
Note
ICMP Protocol
Other IP Protocols
TCP Protocol
UDP Protocol
After you make your selection, the screen refreshes to present configuration options specific
to that selection.
Step 15
Step 16
Choose Syn and Ack from the TCP Mask drop-down list.
Step 17
Step 18
Choose Yes from the Specify Destination Port Range drop-down list.
Step 19
Enter 23 in the Destination Port Range field. Valid values range from 0 to 65535.
Step 20
(Figure: Signature Fidelity Rating, Severity of the Alert, Next)
Step 21
Step 22
Choose High from the Severity of the Alert drop-down list.
Step 23
Click Next. The Alert Behavior panel is displayed. From the Alert Behavior panel,
you can accept the default alert behavior by clicking Finish, or you can change it by
clicking Advanced. Clicking Advanced opens the Advanced Alert Behavior Wizard,
with which you can configure alert handling for this signature.
(Figure: Alert Behavior panel, Advanced, Finish)
Step 24
Click Finish to accept the default alert behavior. The Create Custom Signature
window opens, asking you if you want to proceed.
Step 25
Click Yes.
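To see what the TCP Flags and TCP Mask parameters chosen in Steps 15 to 19 actually do, here is an added example that is not Cisco code and not the ATOMIC IP engine itself: a small model of the signature applied to raw TCP headers. The mask selects the flag bits that are examined and the flags value gives the bits that must be set among them, so flags = SYN with mask = SYN and ACK matches an initial SYN but not the SYN-ACK reply. The class name `AtomicIpTcpSignature`, the header builder and the sample packets are constructed for this example; the model also checks a destination port range rather than only the single port 23 used in the scenario.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# TCP flag bits as they appear in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test input, no IP layer)."""
    data_offset = 5 << 4                     # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_header(raw: bytes) -> Tuple[int, int, int]:
    """Return (src_port, dst_port, flags) from the first 20 bytes of a TCP header."""
    src, dst, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    return src, dst, flags


@dataclass(frozen=True)
class AtomicIpTcpSignature:
    """Hypothetical model of the ATOMIC IP parameters used in the first scenario."""
    sig_id: int
    tcp_flags: int                   # bits that must be set ...
    tcp_mask: int                    # ... among the bits that are examined
    dst_port_range: Tuple[int, int]  # inclusive destination port range

    def matches(self, raw: bytes) -> bool:
        _src, dst, flags = parse_tcp_header(raw)
        lo, hi = self.dst_port_range
        # bits outside the mask are ignored, so SYN+ACK fails while SYN+PSH still passes
        return (flags & self.tcp_mask) == self.tcp_flags and lo <= dst <= hi


# Scenario 1: SYN to port 23; examining SYN and ACK keeps SYN-ACK replies from matching.
# 60000 is the default custom signature ID the wizard proposes.
TELNET_SYN = AtomicIpTcpSignature(sig_id=60000, tcp_flags=SYN, tcp_mask=SYN | ACK,
                                  dst_port_range=(23, 23))


def match_telnet_syn(raw: bytes) -> bool:
    """Apply the scenario's signature to one raw TCP header."""
    return TELNET_SYN.matches(raw)


if __name__ == "__main__":
    samples = {
        "client SYN to 23": build_tcp_header(40000, 23, SYN),
        "server SYN-ACK from 23": build_tcp_header(23, 40000, SYN | ACK),
        "client SYN to 80": build_tcp_header(40000, 80, SYN),
    }
    for name, pkt in samples.items():
        print(name, "->", "fires" if match_telnet_syn(pkt) else "no match")
```

Had the mask been SYN only, the signature would also fire on the server's SYN-ACK, which is the usual source of doubled alerts on a bidirectional capture.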
In our second custom signature scenario, the network security administrator wants to create a
signature that can detect the word confidential in common electronic communications. The
administrator also wants the sensor to drop any traffic that contains the string confidential
and generate an alert. Other than the string for which the signature should search, the
administrator has only the following information:
The administrator wants to configure the signature so that an alert is sent to the Event Store
every time that the signature fires but only up to a specified limit. The administrator wants the
signature to limit the number of alerts by dynamically changing its response as follows when
the alert rate exceeds 20 alerts in 30 seconds:
Send a summary alert for firings of the signature on the same victim address during the
interval.
If the alert rate exceeds 25 in the 30-second interval, send a global summary alert, which
counts the number of times that the signature fires for all attacker and victim IP addresses
and ports.
You can use the Custom Signature Wizard to create the signature without specifying which
engine to use. To open the Custom Signature Wizard, click Configuration, choose Signature
Definition, and click the Custom Signature Wizard tab. When the Custom Signature Wizard
panel is displayed, click Start the Wizard to begin creating a signature. Proceed to create the
signature by completing the following steps:
Step 1
Click the No radio button to create a custom signature without using a signature
engine.
Step 2
(Figure: Protocol Type panel, TCP, Next)
Step 3
From the Protocol Type panel, choose TCP as the protocol to inspect.
Step 4
(Figure: Single TCP Connection, Next)
Step 5
Step 6
Step 7
Step 8
(Figure: Signature ID, Signature Name, SubSignature ID, Alert Notes, User Comments, Next)
Step 9
Step 10
(Figure: Event Action, Regex String, Service Ports, Direction, Next)
Step 11
(Figure: Signature Fidelity Rating, Severity of the Alert, Next)
Step 12
Step 13
(Figure: Alert Behavior panel, Advanced)
Step 14
Click Advanced to change the alert behavior. The Event Count and Interval panel is
displayed.
(Figure: Event Count and Interval panel: Event Count, Event Count Key)
Step 15
Complete the following substeps to configure the Event Count and Interval:
1. Enter 3 in the Event Count field.
2. Choose Victim Address from the Event Count Key drop-down list.
3. Check the Use Event Interval check box.
4. Enter 60 in the Event Interval (seconds) field.
5. Click Next. The Alert Summarization panel is displayed.
(Figure: Alert Summarization panel: Alert Every Time the Signature Fires, Next)
Step 16
(Figure: Summary Key, Use Dynamic Summarization, Summary Threshold, Specify Global Summary Threshold, Summary Interval (seconds), Global Summary Threshold, Finish)
Step 17
Step 18
Click Finish to complete the creation of the custom signature. The Create Custom
Signature window opens, asking if you want to proceed.
Step 19
Click Yes.
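The numbers in this scenario (an alert only after 3 matches on the same victim within 60 seconds, then per-victim summaries above 20 alerts and a global summary above 25 alerts in a 30-second interval) are easier to reason about when run against traffic. The following is an added, simplified model written for this guide, not Cisco code and not the sensor's real summarization engine: Event Count gating keyed on victim address, followed by dynamic summarization that switches from Fire All to per-victim summary to global summary inside one summary interval and emits the accumulated summaries when the interval ends. The attacker and victim addresses and the bursts of firings are constructed sample input; the class `AlertPolicy` and the alert tuple formats are this example's own.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# ("alert", attacker, victim) | ("summary", victim, count) | ("global-summary", count)
Alert = Tuple


@dataclass
class AlertPolicy:
    """Simplified model of Event Count/Interval plus dynamic summarization."""
    event_count: int = 3             # Event Count, keyed on Victim Address
    event_interval: float = 60.0     # Event Interval (seconds)
    summary_threshold: int = 20      # per-victim summary once alerts exceed this ...
    global_threshold: int = 25       # ... global summary once alerts exceed this ...
    summary_interval: float = 30.0   # ... within this many seconds
    # runtime state
    hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    window_start: Optional[float] = None
    window_count: int = 0
    mode: str = "fire-all"
    per_victim: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    global_count: int = 0
    out: List[Alert] = field(default_factory=list)

    def _flush(self) -> None:
        """Emit the summaries accumulated in the summary interval that just ended."""
        if self.mode == "global-summary":
            self.out.append(("global-summary", self.global_count))
        elif self.mode == "summary":
            for victim, n in sorted(self.per_victim.items()):
                self.out.append(("summary", victim, n))
        self.per_victim.clear()
        self.global_count = 0
        self.window_count = 0
        self.mode = "fire-all"

    def fire(self, ts: float, attacker: str, victim: str) -> None:
        """Called each time the regex matches; ts is seconds."""
        # 1. Event Count gating: only every third match on a victim within 60 s alerts
        q = self.hits[victim]
        q.append(ts)
        while q and ts - q[0] > self.event_interval:
            q.popleft()
        if len(q) < self.event_count:
            return
        q.clear()
        # 2. Dynamic summarization inside a 30 s window
        if self.window_start is None or ts - self.window_start >= self.summary_interval:
            if self.window_start is not None:
                self._flush()
            self.window_start = ts
        self.window_count += 1
        if self.mode == "fire-all" and self.window_count > self.summary_threshold:
            self.mode = "summary"                       # too many alerts: summarize by victim
        if self.mode == "summary" and self.window_count > self.global_threshold:
            self.mode = "global-summary"                # still too many: one global counter
            self.global_count = sum(self.per_victim.values())
        if self.mode == "fire-all":
            self.out.append(("alert", attacker, victim))
        elif self.mode == "summary":
            self.per_victim[victim] += 1
        else:
            self.global_count += 1

    def finish(self) -> List[Alert]:
        """Close the last interval and return everything sent to the Event Store."""
        if self.window_start is not None:
            self._flush()
        return self.out


def demo() -> List[Alert]:
    """Constructed firings: attacker 192.0.2.7 against victims 10.1.1.10 and 10.1.1.20."""
    policy = AlertPolicy()
    # burst 1: 66 matches on one victim, 0.3 s apart -> 22 gated alerts in one 30 s window
    for i in range(66):
        policy.fire(0.3 * i, "192.0.2.7", "10.1.1.10")
    # burst 2, 100 s later: 90 matches alternating between two victims -> 30 gated alerts
    for j in range(90):
        victim = "10.1.1.10" if j % 2 == 0 else "10.1.1.20"
        policy.fire(100.0 + 0.3 * j, "192.0.2.7", victim)
    return policy.finish()


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The first burst produces 20 individual alerts and one per-victim summary covering the remaining 2; the second burst produces 20 individual alerts and then, because it crosses 25, a single global summary of the last 10, so the Event Store sees 42 records for 156 matches.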
In our third custom signature scenario, the network security administrator must create a
signature that fires when a Nimda attack is occurring. Nimda triggers the following built-in
signatures, which are components of a Nimda attack:
The administrator wants the sensor to generate an alert for the new signature if the component
signatures are triggered by the same attacker within a 60-second period. The administrator
wants to limit the number of alerts generated by having the sensor generate alerts only for the
new signature and not for the component signatures. The administrator learns that the META
engine can be used to meet this need.
(Figure: Signature Definition > Signature Configuration, Select By, Select Engine, Add)
The network security administrator can create the custom meta signature without using the
Custom Signature Wizard by completing the following steps.
Step 1
Step 2
Step 3
Step 4
Step 5
(Figure: Add Signatures window: Engine, Event Action)
Step 6
Accept the default Signature ID. Valid signature ID values range from 60000 to
65000.
Step 7
Step 8
Step 9
Enter a numerical value indicating your confidence in the accuracy of the signature
in the Sig Fidelity Rating field. Valid values range from 0 to 100. The default is 75.
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Choose the actions that you want to assign to the signature from the Event Action
list.
(Figure: Component List)
Step 16
Click the Component List icon. The Component List window opens.
(Figure: Component List window: Entry Key, Component Sig ID, Component SubSig ID, Add, OK)
Step 17
Step 18
Step 19
Enter 5114, the signature ID for the first component signature in the Component Sig
ID field.
Step 20
Enter 1, the SubSig ID, for the first component signature in the Component SubSig
ID field.
Step 21
Click OK. The component signature is displayed in the available entries list of the
Component List window.
(Figure: Available Entries, Selected Entries, Select, OK)
Step 22
Choose the Entry Key name from the Available Entries list.
Step 23
Click Select. The entry key moves to the Selected Entries list.
Step 24
Click Add again and repeat Steps 18 to 23 to add each component signature.
Step 25
Click OK after you have added all component signatures. The Add Signatures
window is displayed.
(Figure: Meta Reset Interval, Meta Key, OK)
2007 Cisco Systems, Inc. All rights reserved.
Step 26
Verify that the default for the Meta Reset Interval field is 60.
Step 27
Verify that the default for the Meta Key field is the Attacker Address.
Step 28
Click OK.
(Figure: Configuration > Signature Definition > Signature Configuration, Select By, Actions, Produce Alert)
To keep the sensor from generating alerts for the component signatures, remove the Produce
Alert action from the component signatures.
Caution
Removing the Produce Alert action from the component signatures means that the sensor
will never generate alerts when these signatures fire, regardless of whether the meta
signature is triggered.
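The correlation the META engine performs here, and the blind spot the Caution describes, can both be seen in a few lines. The following is an added model written for this guide, not Cisco code and not the META engine itself: component firings are tracked per attacker address (the Meta Key), a window is restarted when the Meta Reset Interval of 60 seconds has elapsed, and the meta signature fires once every component in the list has been seen from that attacker inside one window. Component signature 5114 subsignature 1 is the one the page names; the IDs 99001, 99002 and 99003 are placeholders for this example and are not real Cisco signature IDs. The timestamps and attacker addresses are constructed input. The `pending()` helper is this example's own addition: with Produce Alert removed from the components, a partial match is otherwise invisible, so a defender wants some way to see it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Component = Tuple[int, int]          # (Component Sig ID, Component SubSig ID)


@dataclass
class MetaSignature:
    """Simplified model of a META engine signature keyed on Attacker Address."""
    sig_id: int
    components: Set[Component]
    meta_reset_interval: float = 60.0       # seconds; the default shown in Step 26
    meta_alerts: List[Tuple[float, str]] = field(default_factory=list)
    suppressed: int = 0                     # component firings that alerted nothing themselves
    _start: Dict[str, float] = field(default_factory=dict)          # per-attacker window start
    _seen: Dict[str, Set[Component]] = field(default_factory=dict)  # per-attacker components

    def component_fired(self, ts: float, sig_id: int, subsig_id: int, attacker: str) -> bool:
        """Feed one signature firing; return True if the meta signature fires on it."""
        comp = (sig_id, subsig_id)
        if comp not in self.components:
            return False                    # not in the component list, not tracked
        self.suppressed += 1                # Produce Alert was removed from the component
        start = self._start.get(attacker)
        if start is None or ts - start > self.meta_reset_interval:
            # no open window for this attacker, or the old one expired: start over
            self._start[attacker] = ts
            self._seen[attacker] = set()
        self._seen[attacker].add(comp)
        if self._seen[attacker] == self.components:
            self.meta_alerts.append((ts, attacker))
            del self._start[attacker]
            del self._seen[attacker]
            return True
        return False

    def pending(self) -> Dict[str, Set[Component]]:
        """Attackers with an incomplete component set in an open window."""
        return dict(self._seen)


# 5114/1 is from the page; 99001/0 and 99002/0 stand in for the other Nimda components.
NIMDA_COMPONENTS: Set[Component] = {(5114, 1), (99001, 0), (99002, 0)}


def demo() -> MetaSignature:
    """Constructed firings from two attackers; only the first completes the set in time."""
    meta = MetaSignature(sig_id=60000, components=NIMDA_COMPONENTS)
    events = [  # (ts, sig_id, subsig_id, attacker)
        (10.0, 5114, 1, "192.0.2.7"),
        (12.0, 5114, 1, "198.51.100.5"),
        (25.0, 99001, 0, "192.0.2.7"),
        (30.0, 99001, 0, "198.51.100.5"),
        (40.0, 99002, 0, "192.0.2.7"),       # third component within 60 s: meta fires
        (50.0, 99003, 0, "192.0.2.7"),       # placeholder unrelated signature: ignored
        (100.0, 99002, 0, "198.51.100.5"),   # 88 s after the first: window reset, no alert
    ]
    for ev in events:
        meta.component_fired(*ev)
    return meta


if __name__ == "__main__":
    m = demo()
    print("meta alerts:", m.meta_alerts)
    print("component firings with no alert of their own:", m.suppressed)
    print("partial matches still open:", m.pending())
```

The second attacker's three components span 88 seconds, so the window resets on the third one and nothing is ever reported for that host; six component firings in total produced only one visible alert. That is the trade the Caution is describing.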
Summary
This topic summarizes the key points that were discussed in this lesson.
You tune a sensor for noise reduction, false positive reduction, and false negative
reduction.
To reduce the noise that a Cisco IPS sensor generates, filter out events that never, or only
rarely, signal an attack.
Two main strategies for reducing false positives are alert and signature filtering,
and signature tuning.
Two common things to tune when trying to reduce false negatives are the numeric
threshold of the alert and the content of the signature.
To better focus a Cisco IPS sensor, always tune fragmentation settings, turn on
deobfuscation only for relevant events, and turn on alerts for noisy events only for
specific hosts.
When needed, new signatures can be created using the Cisco IDM Custom
Signature Wizard.
Signature tuning helps you detect and prevent network activity specific to your
current network environment.
Creating effective custom signatures requires detailed knowledge of the attack for
which you are creating the signature.
Module Summary
This topic summarizes the key points that were discussed in this module.
A signature is a set of rules that your sensor uses to detect typical
intrusive activity, such as DoS attacks.
A signature engine is a component of the sensor that supports a category
of signatures. Each Cisco IPS Signature is created and controlled by a
signature engine specifically designed for the type of traffic being
monitored.
Signatures are tuned for many reasons. Some of the more common ones
are:
Noise reduction
False positive reduction
False negative reduction
Focusing on the environment
Addressing sensor performance issues
The fundamental unit of the Cisco Intrusion Prevention System (IPS) sensor product is the
signature. Signatures are sets of rules that are used to detect malicious traffic. Each signature is
defined and controlled by one of the signature engines. When a signature fires, and it is
configured to create an alert, those alerts are stored in the sensor Event Store.
You need to tune signatures in order to accomplish a number of things:
Noise reduction
References
For additional information, refer to these resources: