
Configuring Rules

Configuring System Correlation Rules

© 2006 Cisco Systems, Inc. All rights reserved. HIPS v3.0—4-1


Objectives

At the end of this lesson, you will be able to meet these objectives:
• Identify the rules that you can use to categorize processes and
correlate events across multiple hosts
• Describe how to configure the System API control rule
• Configure the System API control rule
• Describe how to configure the Network shield rule
• Describe how to configure the Buffer overflow rule
• Explain the functions of the preconfigured E-mail Worm
Protection Module
• Explain the functions of the preconfigured Installation
Applications Policy
• Describe how to configure Global Event Correlation


System Correlation Rules

[Figure: system correlation. A protected host infected with a worm sends an event to the CSA MC; the CSA MC correlates the events received from the protected hosts and updates the hosts.]


Configuring the System API Control Rule


Configuring the System API Control Rule
(Cont.)


Configuring the System API Control Rule
(Cont.)


Practice: Configuring the System API
Control Rule


Configuring the Network Shield Rule


Configuring the Network Shield Rule (Cont.)


Configuring the Buffer Overflow Rule


Configuring the Buffer Overflow Rule (Cont.)


The E-Mail Worm Protection Rule Module


The E-Mail Worm Protection Rule Module
(Cont.)


E-Mail Worm Event Correlation

[Figure: e-mail worm event correlation. A host reports "XYZ.txt infected! Potential e-mail worm attack" (xyz.txt through XYZ.txt); the events are correlated and an "E-mail worm attack" alert is raised: "E-mail worm detected".]


The Installation Applications Policy


The Installation Applications Policy (Cont.)


The Installation Applications Policy (Cont.)


Global Event Correlation

[Figure: global event correlation. Attacks detected on the network, such as an unauthorized registry attack, a virus scan report, and an e-mail worm attack, are alerted and correlated.]


Configuring the Global Event Correlation


Summary

• The system correlation rules categorize processes and correlate events across
multiple hosts; one use is to prevent command shells from being invoked by
vulnerable application categories.
• The System API Control rule detects and prevents errant programs from
performing malicious acts on individual systems and networks.
• A Network Shield rule provides network protocol stack hardening
capabilities.
• The Buffer Overflow rule checks for a process writing more data into a buffer
than it can hold, the condition that lets an attacker overwrite adjacent
memory and execute code.
• The E-mail Worm Protection module builds a dynamic application class:
processes that exhibit suspicious worm-like behavior on a system are added to
it and become subject to the module's rules.
• The Installation Applications policy is a preconfigured policy applied to
systems to recognize when software is being installed and to add the
installation processes to a dynamically built application class.
• Global event correlation refers to the collection, consolidation, and
analysis of intrusion-related information gathered from multiple, often
diverse, network devices.
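
The dynamically built application class that both the E-mail Worm Protection module and the Installation Applications policy rely on, as an added example. This is illustrative Python written for this page, not Cisco code and not how CSA implements the class; the installer names, e-mail client names, class names, the "Program Files" write rule and the "suspected worm" triggers are assumptions chosen to show the mechanism: a process that trips a trigger is placed in the class, its child processes inherit membership, and the access rules consult class membership rather than the process name.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed triggers and rule inputs (illustrative, not the real module's definitions).
INSTALLER_NAMES = {"setup.exe", "msiexec.exe"}
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".vbs")
PROGRAM_FILES = "c:\\program files\\"


@dataclass
class Process:
    pid: int
    name: str
    parent: Optional[int]
    classes: Set[str] = field(default_factory=set)  # dynamic class membership


class HostAgent:
    INSTALL_CLASS = "Installation Applications"
    WORM_CLASS = "Suspected E-mail Worm Applications"

    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {}
        self.log: List[str] = []

    def start_process(self, pid: int, name: str, parent: Optional[int] = None) -> Process:
        # A child inherits whatever dynamic classes its parent was placed in.
        inherited = set(self.procs[parent].classes) if parent in self.procs else set()
        proc = Process(pid, name.lower(), parent, inherited)
        if proc.name in INSTALLER_NAMES:            # trigger: a known installer starts
            proc.classes.add(self.INSTALL_CLASS)
            self.log.append(f"{proc.name}({pid}) added to {self.INSTALL_CLASS}")
        self.procs[pid] = proc
        return proc

    def _spawned_under_email_client(self, pid: int) -> bool:
        # Walk up the process tree looking for an e-mail client ancestor.
        cur = self.procs[pid].parent
        while cur in self.procs:
            if self.procs[cur].name in EMAIL_CLIENTS:
                return True
            cur = self.procs[cur].parent
        return False

    def file_write(self, pid: int, path: str) -> str:
        """Apply the write rules to one attempt; return 'allow' or 'deny'."""
        proc = self.procs[pid]
        low = path.lower()
        is_exe = low.endswith(EXECUTABLE_SUFFIXES)
        # Trigger: a process spawned under an e-mail client tries to write an
        # executable (a dropped attachment). Classify it as a suspected worm.
        if is_exe and self.WORM_CLASS not in proc.classes and self._spawned_under_email_client(pid):
            proc.classes.add(self.WORM_CLASS)
            self.log.append(f"{proc.name}({pid}) added to {self.WORM_CLASS}: tried to write {path}")
        # Rules consult the class, not the process name.
        if self.WORM_CLASS in proc.classes and is_exe:
            verdict = "deny"
        elif low.startswith(PROGRAM_FILES) and self.INSTALL_CLASS not in proc.classes:
            verdict = "deny"                         # only installers may write here
        else:
            verdict = "allow"
        self.log.append(f"{verdict}: {proc.name}({pid}) write {path}")
        return verdict

    def network_connect(self, pid: int, dest: str) -> str:
        proc = self.procs[pid]
        verdict = "deny" if self.WORM_CLASS in proc.classes else "allow"
        self.log.append(f"{verdict}: {proc.name}({pid}) connect {dest}")
        return verdict


def scenario() -> Dict[str, str]:
    """Walk a constructed process tree through the rules; return the verdicts."""
    a = HostAgent()
    a.start_process(1, "explorer.exe")
    a.start_process(10, "setup.exe", parent=1)       # trigger: installer
    a.start_process(11, "helper.exe", parent=10)     # inherits the Installation class
    a.start_process(20, "notepad.exe", parent=1)
    a.start_process(30, "outlook.exe", parent=1)
    a.start_process(31, "wscript.exe", parent=30)    # attachment handler
    v = {
        "installer_child_program_files": a.file_write(11, r"C:\Program Files\App\app.exe"),
        "notepad_program_files": a.file_write(20, r"C:\Program Files\App\app.exe"),
        "notepad_user_file": a.file_write(20, r"C:\Users\bob\notes.txt"),
        "attachment_connect_before": a.network_connect(31, "10.0.0.5:25"),
        "attachment_drop_exe": a.file_write(31, r"C:\Temp\xyz.txt.scr"),
        "attachment_connect_after": a.network_connect(31, "10.0.0.5:25"),
    }
    a.start_process(32, "cmd.exe", parent=31)        # inherits the worm class
    v["child_of_suspect_in_class"] = "yes" if a.WORM_CLASS in a.procs[32].classes else "no"
    return v


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

The point of the class is visible in the two "Program Files" writes: the same path is allowed for helper.exe, which nobody listed anywhere, solely because it was spawned by an installer, and denied for notepad.exe. Likewise wscript.exe is unrestricted until its first attempt to drop an executable, after which the class membership, not a signature, is what blocks its network access and follows its children.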

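The management-center side of the System Correlation Rules figure and of Global Event Correlation, as an added example: the CSA MC collects events from several protected hosts, consolidates them, and when the same suspicious indicator is reported by enough distinct hosts inside a time window it raises one global alert and updates every host. This is illustrative Python written for this page, not Cisco code; the event line format, the sample events, the host threshold of 3 and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample agent events (not real CSA output).
# Fields: timestamp, reporting host, event type, detail.
SAMPLE_EVENTS = r"""
2006-03-01T09:00:05 host-a email_worm_suspect XYZ.txt.scr
2006-03-01T09:00:40 host-b unauthorized_registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run
2006-03-01T09:01:10 host-b email_worm_suspect XYZ.txt.scr
2006-03-01T09:02:30 host-c virus_scan_report clean
2006-03-01T09:03:00 host-c email_worm_suspect XYZ.txt.scr
2006-03-01T09:05:00 host-a email_worm_suspect XYZ.txt.scr
2006-03-01T12:00:00 host-d email_worm_suspect report.doc.exe
"""

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


class ManagementCenter:
    """Toy management center: consolidates per-host events and correlates them."""

    def __init__(self, hosts: List[str], threshold: int = 3,
                 window: timedelta = timedelta(minutes=10)) -> None:
        self.threshold = threshold   # distinct hosts needed for a global alert
        self.window = window         # correlation window
        # (event type, detail) -> sightings as (timestamp, host)
        self.sightings: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
        self.alerted: Set[Tuple[str, str]] = set()
        # the indicator list the center has pushed down to each host's agent
        self.host_quarantine: Dict[str, Set[str]] = {h: set() for h in hosts}

    def ingest(self, ts: datetime, host: str, kind: str, detail: str) -> Optional[str]:
        key = (kind, detail)
        # Keep only sightings inside the window that ends at this event.
        recent = [(t, h) for t, h in self.sightings[key] if ts - t <= self.window]
        recent.append((ts, host))
        self.sightings[key] = recent
        hosts = {h for _, h in recent}
        # One host reporting a suspect file is a local event; the same file on
        # several hosts in a short window is a worm, so escalate once.
        if len(hosts) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            self.push_update(detail)   # "updates the hosts" in the lesson figure
            return (f"{ts.isoformat()} global alert: {kind} {detail} "
                    f"seen on {len(hosts)} hosts {sorted(hosts)}")
        return None

    def push_update(self, indicator: str) -> None:
        # Every protected host receives the indicator, including hosts that
        # have not reported it yet, so they can block it before infection.
        for quarantine in self.host_quarantine.values():
            quarantine.add(indicator)

    def run(self, events: List[Event]) -> List[str]:
        return [a for a in (self.ingest(*e) for e in events) if a is not None]


def correlate(text: str = SAMPLE_EVENTS) -> Tuple[List[str], ManagementCenter]:
    events = parse_events(text)
    mc = ManagementCenter(sorted({e[1] for e in events}))
    return mc.run(events), mc


if __name__ == "__main__":
    alerts, mc = correlate()
    print("\n".join(alerts))
    for host, quarantine in mc.host_quarantine.items():
        print(host, sorted(quarantine))
```

With the sample input, the third distinct host reporting XYZ.txt.scr (host-c at 09:03:00) is what turns three local events into one global alert; the later repeat from host-a does not alert again, the single report.doc.exe sighting on host-d stays below threshold, and host-d still receives XYZ.txt.scr in its pushed list even though it never reported it.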
