IDS/IPS - Reaction & Response

IPS Summarization Configuration Examples

Techzone Article content

Document ID: 116110

Updated: May 09, 2013

Contributed by Ryan Morrow, David Houck, and ElMehdi Babzine, Cisco TAC Engineers.

Introduction

This document provides explanations, advantages, and examples for configuration of summarization on the Cisco Intrusion Prevention System (IPS).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco Adaptive Security Appliance (ASA) 5500 or 5500x Cisco Intrusion Prevention System (IPS) modules
  • IPS 4200, 4300, or 4500 series IPS appliances
  • NME-IPS module
  • IPS signature alerts

Components Used

The information in this document is based on these software and hardware versions:

  • ASA 5500 or 5500x IPS modules
  • IPS 4200, 4300 or 4500 series IPS appliances
  • NME-IPS module

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for information on document conventions.

Background Information

IPS summarization provides modes to aggregate events into a single alert, so that the volume of alerts sent by the sensor can be decreased. Each signature is created with defaults that reflect a preferred, normal behavior. However, each signature has special parameters that influence how alerts are handled, so the default behavior of signatures can be tuned within the constraints for each engine type.

Summarization and event actions are processed after the meta engine has processed the component events. This lets the sensor watch for suspicious activity over a series of events.

Basic aggregation provides two modes:

  • Simple mode - configures a threshold number of hits for a signature that must be met before the alert is sent.
  • Advanced mode - configures a threshold number of hits per second (timed-interval count) for a signature that must be met before the alert is sent.

Summarization Options

  • fire-all - Fires an alert each time the signature is triggered. If the threshold is set for summarization, alerts are fired for each execution until summarization occurs. After summarization starts, only one alert for every summary interval fires for each address set. Alerts for other address sets are either all seen or separately summarized. The signature reverts to fire-all mode after a period of no alerts for that signature.
  • summary - Fires an alert the first time a signature is triggered. Additional alerts for that signature are summarized for the duration of the summary interval. Only one alert every summary interval should fire for each address set. If the global summary threshold is reached, the signature goes into global-summarization mode.
  • global-summarization - Fires an alert for every summary interval. Signatures can be preconfigured for global-summarization.
  • fire-once - Fires an alert for each address set. This mode can be upgraded to global-summarization mode.
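To make the four modes concrete, the following Python model, added here as an example and not Cisco's own code or a description of the sensor's internal implementation, replays a constructed stream of signature hits through each summary-mode and returns the alerts a sensor would emit. The reading of summary-key (Axxx = attacker address, AxBx = attacker and victim addresses, xxBx = victim address), the timestamps and the addresses are assumptions of the example, and global-summary-threshold is treated as the number of hits inside one summary-interval that pushes the signature into global-summarization.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    t: float            # seconds since the start of the capture
    attacker: str
    victim: str


@dataclass(frozen=True)
class Alert:
    kind: str               # "alert", "summary" or "global-summary"
    t: float                # when the alert is emitted
    key: Optional[Tuple]    # address set the alert covers; None for global-summary
    count: int              # hits the alert represents (suppressed hits for "summary")


# Constructed sample: one noisy source, one quiet source, same victim (assumed addresses).
SAMPLE_EVENTS = [
    Event(0, "10.0.0.5", "192.0.2.10"), Event(5, "10.0.0.5", "192.0.2.10"),
    Event(10, "10.0.0.5", "192.0.2.10"), Event(15, "10.0.0.5", "192.0.2.10"),
    Event(20, "10.0.0.6", "192.0.2.10"), Event(30, "10.0.0.5", "192.0.2.10"),
    Event(60, "10.0.0.5", "192.0.2.10"), Event(310, "10.0.0.5", "192.0.2.10"),
    Event(330, "10.0.0.6", "192.0.2.10"),
]


def summary_key(ev: Event, key_mode: str) -> Tuple:
    """Address set the sensor groups on (assumed reading of summary-key):
    Axxx = attacker address, AxBx = attacker and victim, xxBx = victim address."""
    return {"Axxx": (ev.attacker,),
            "AxBx": (ev.attacker, ev.victim),
            "xxBx": (ev.victim,)}[key_mode]


def summarize(events, mode, interval=15, global_threshold=240, key_mode="Axxx") -> List[Alert]:
    """Replay `events` through one summary-mode and return the alerts emitted.
    Simplified model: global-summary-threshold is the number of hits inside one
    summary-interval that switches the signature into global-summarization."""
    events = sorted(events, key=lambda e: e.t)
    if mode == "fire-all":
        return [Alert("alert", e.t, summary_key(e, key_mode), 1) for e in events]
    alerts: List[Alert] = []
    windows = {}            # summarize mode: key -> [window_end, suppressed_count]
    fired = set()           # fire-once mode: keys that already produced their one alert
    glob = None             # [window_end, count] while in global-summarization
    hits = [0.0, 0]         # [interval_start, hits] for the global threshold check

    def close_windows(now, force=False):
        # Emit the pending summary for each key whose interval has ended (or for
        # every key when escalating to global-summarization).
        for k in list(windows):
            end, n = windows[k]
            if force or now >= end:
                if n:
                    alerts.append(Alert("summary", min(end, now), k, n))
                del windows[k]

    for e in events:
        close_windows(e.t)
        if glob is not None:
            if e.t < glob[0]:           # inside the global interval: absorb the hit
                glob[1] += 1
                continue
            alerts.append(Alert("global-summary", glob[0], None, glob[1]))
            glob, hits = None, [e.t, 0]   # interval over: back to per-address-set handling
        if e.t >= hits[0] + interval:
            hits = [e.t, 0]
        hits[1] += 1
        if mode == "global-summarize" or hits[1] >= global_threshold:
            close_windows(e.t, force=True)
            glob = [e.t + interval, 1]
            continue
        k = summary_key(e, key_mode)
        if mode == "summarize":
            if k in windows:
                windows[k][1] += 1      # suppressed until the interval ends
            else:
                alerts.append(Alert("alert", e.t, k, 1))
                windows[k] = [e.t + interval, 0]
        elif mode == "fire-once":
            if k not in fired:
                fired.add(k)
                alerts.append(Alert("alert", e.t, k, 1))
        else:
            raise ValueError(f"unknown summary-mode {mode!r}")

    close_windows(float("inf"))
    if glob is not None:
        alerts.append(Alert("global-summary", glob[0], None, glob[1]))
    return alerts


if __name__ == "__main__":
    for mode in ("fire-all", "summarize", "fire-once", "global-summarize"):
        out = summarize(SAMPLE_EVENTS, mode, interval=300)
        print(f"{mode:17s} {len(SAMPLE_EVENTS)} hits -> {len(out)} alerts: {[a.kind for a in out]}")
```

With a 300-second interval the nine constructed hits produce nine alerts in fire-all, five in summarize (the noisy source's repeats collapse into one summary at the end of its interval), two in fire-once, and two in global-summarize. Lowering global-summary-threshold to 4 on the same input shows the escalation: the per-address-set window is flushed and the remaining hits are absorbed into a single global-summary alert.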

Event Summarization

A common scenario is to undergo a period of baseline tuning in order to identify hyper-alerting signatures. There are often a number of low-severity and informational-severity signatures that need summarization, depending on the traffic mix. Review these signatures in order to determine the proper thresholds.

Note: Be careful whenever you reduce the amount of alerts, especially alerts from high severity signatures. Ensure that security is not compromised and that the proper actions are in place for any signature that is summarized.

Configuration

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

SSH Brute Force Attack - Signature 3653

Rapid Secure Shell (SSH) sessions, when each one raises an alert, can quickly fill the event store. In this scenario, SSH brute force attempts are already being denied.

If you only need an alert every five minutes, use the summarize option for summary-mode under alert-frequency, with a summary-interval of 300 seconds:

sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 3653 0
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode summarize
sensor(config-sig-sig-ale-sum)# summary-interval 300
sensor(config-sig-sig-ale-sum)# show settings
   alert-frequency
   -----------------------------------------------
      summary-mode
      -----------------------------------------------
         summarize
         -----------------------------------------------
            summary-interval: 300 default: 15
            summary-key: Axxx <defaulted>
            specify-global-summary-threshold
            -----------------------------------------------
               yes
               -----------------------------------------------
                  global-summary-threshold: 240 <defaulted>
               -----------------------------------------------
            -----------------------------------------------
         -----------------------------------------------
sensor(config-sig-sig-ale-sum)# exit
sensor(config-sig-sig-ale)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:

Excessive SQL Query in HTTP Requests - Signature 5474

The Select-From SQL query embedded in an HTTP request is one of the most common hyper-alerting signatures in an edge deployment.

In order to see signature 5474 at most hourly for an attacker/victim pair, use the fire-once option for summary-mode under alert-frequency, with a summary-interval of 3600 seconds:

sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 5474 0
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode fire-once
sensor(config-sig-sig-ale-fir)# specify-global-summary-threshold yes
sensor(config-sig-sig-ale-fir-yes)# global-summary-threshold 3600
sensor(config-sig-sig-ale-fir-yes)# summary-interval 3600
sensor(config-sig-sig-ale-fir-yes)# exit
sensor(config-sig-sig-ale-fir)# show settings
   fire-once
   -----------------------------------------------
      summary-key: Axxx default: Axxx
      specify-global-summary-threshold
      -----------------------------------------------
         yes
         -----------------------------------------------
            global-summary-threshold: 3600 default: 240
            summary-interval: 3600 default: 15
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-sig-ale)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:

AD Internal or External TCP/UDP Scanner - Signatures 13000 to 13008

In this example, the signature fires when it detects a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) scanner that scans the set of destination IP addresses configured as the Internal or External zone. If IPS Manager Express (IME) sends high-severity events as email notifications, as it does by default, there might be thousands of emails.

Note: Make sure the alerts are not false positives. Change the Anomaly Detection setting to "learn mode" for 48 hours, then move it back to "detect mode" in order to resolve the issue.

In order to reduce the number of emails, use the fire-once option for summary-mode under alert-frequency, with a summary-interval of 720 seconds (once every 12 minutes):

sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 13000 0
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode fire-once
sensor(config-sig-sig-ale-fir)# specify-global-summary-threshold yes
sensor(config-sig-sig-ale-fir-yes)# global-summary-threshold 720
sensor(config-sig-sig-ale-fir-yes)# summary-interval 720
sensor(config-sig-sig-ale-fir-yes)# exit
sensor(config-sig-sig-ale-fir)# show settings
   fire-once
   -----------------------------------------------
      summary-key: Axxx <defaulted>
      specify-global-summary-threshold
      -----------------------------------------------
         yes
         -----------------------------------------------
            global-summary-threshold: 720 default: 240
            summary-interval: 720 default: 15
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-sig-ale)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information