Table Of Contents
Defining Signatures
  About Signatures
  Configuring Signature Variables
    Overview
    Supported User Role
    Field Definitions
      Signature Variables Panel
      Add and Edit Signature Variable Dialog Boxes
    Configuring Signature Variables
  Configuring Signatures
    Overview
    Supported User Role
    Field Definitions
      Signature Configuration Panel
      Add Signatures Dialog Box
      Clone and Edit Signature Dialog Boxes
      Assign Actions Dialog Box
    Adding Signatures
    Cloning Signatures
    Tuning Signatures
    Enabling and Disabling Signatures
    Activating and Retiring Signatures
    Assigning Actions to Signatures
  Configuring the Miscellaneous Panel
    Overview
    Supported User Role
    Field Definitions
    Configuring Application Policy
    Configuring IP Fragment Reassembly
    Configuring TCP Stream Reassembly
    Configuring IP Logging
Defining Signatures
This chapter explains how to configure signatures. It contains the following sections:
• About Signatures
• Configuring Signature Variables
• Configuring Signatures
• Configuring the Miscellaneous Panel
About Signatures
Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a signature-based technology can detect network intrusions. A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define.
The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and define new ones.
Signature-based intrusion detection can produce false positives because certain normal network activity can be misinterpreted as malicious activity. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by tuning your signatures.
To configure a sensor to monitor network traffic for a particular signature, you must enable the signature. By default, the most critical signatures are enabled when you install the signature update. When an attack is detected that matches an enabled signature, the sensor generates an alert, which is stored in the sensor's event store. The alerts, as well as other events, may be retrieved from the event store by web-based clients. By default, the sensor logs all Informational alerts or higher.
Some signatures have subsignatures, that is, the signature is divided into subcategories. When you configure a subsignature, changes made to the parameters of one subsignature apply only to that subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity, the severity change applies to only subsignature 1 and not to 3050 2, 3050 3, and 3050 4.
IPS 5.0 contains over 1000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can later activate retired signatures; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic. You can tune built-in signatures by adjusting several signature parameters. Built-in signatures that have been modified are called tuned signatures.
You can create signatures, which are called custom signatures. Custom signature IDs begin at 60000. You can configure them for several things, such as matching of strings on UDP connections, tracking of network floods, and scans. Each signature is created using a signature engine specifically designed for the type of traffic being monitored.
Configuring Signature Variables
This section describes how to create signature variables, and contains the following topics:
• Overview
• Supported User Role
• Field Definitions
• Configuring Signature Variables
Overview
When you want to use the same value within multiple signatures, use a variable. When you change the value of a variable, the variables in all signatures are updated. This saves you from having to change the variable repeatedly as you configure signatures.
Note
You must preface the variable with a dollar ($) sign to indicate that you are using a variable rather than a string.
Some variables cannot be deleted because they are necessary to the signature system. If a variable is protected, you cannot select it to edit it. You receive an error message if you try to delete protected variables. You can edit only one variable at a time.
Supported User Role
The following user roles are supported:
• Administrator
• Operator
• Viewer
You must be Administrator or Operator to configure signature variables.
Field Definitions
This section lists the field definitions for signature variables, and contains the following topics:
• Signature Variables Panel
• Add and Edit Signature Variable Dialog Boxes
Signature Variables Panel
The following fields and buttons are found on the Signature Variables panel.
Field Descriptions:
• Name—Identifies the name assigned to this variable.
• Type—Identifies the variable as a web port or IP address range.
• Value—Identifies the value(s) represented by this variable.
  To designate multiple port numbers for a single variable, place a comma between the entries. For example, 80, 3128, 8000, 8010, 8080, 8888, 24326.
Button Functions:
• Add—Opens the Add Signature Variable dialog box.
  From this dialog box, you can add a new variable and specify the values associated with that variable.
• Edit—Opens the Edit Signature Variable dialog box.
  From this dialog box, you can change the values associated with this variable.
• Delete—Removes the selected variable from the list of available variables.
• Apply—Applies your changes and saves the revised configuration.
• Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add and Edit Signature Variable Dialog Boxes
The following fields and buttons are found in the Add and Edit Signature Variable dialog boxes.
Field Descriptions:
• Name—Identifies the name assigned to this variable.
• Type—Identifies the variable as a web port or IP address range.
• Value—Identifies the value(s) represented by this variable.
  To designate multiple port numbers for a single variable, place a comma between the entries. For example, 80, 3128, 8000, 8010, 8080, 8888, 24326.
Button Functions:
• OK—Accepts your changes and closes the dialog box.
• Cancel—Discards your changes and closes the dialog box.
• Help—Displays the help topic for this feature.
Configuring Signature Variables
To configure signature variables, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Variables.
The Signature Variables panel appears.
Step 2
Click Add to create a variable.
The Add Signature Variable dialog box appears.
Step 3
Type the name of the signature variable in the Name field.
Note
A valid name can only contain numbers or letters. You can also use a hyphen (-) or underscore (_).
Step 4
Type the value into the Value field for the new signature variable.
Note
You can use commas as delimiters. Make sure there are no trailing spaces after the comma. Otherwise, you receive a Validation failed error.
WEBPORTS has a predefined set of ports where web servers are running, but you can edit the value. This variable affects all signatures that have web ports. The default is 80, 3128, 8000, 8010, 8080, 8888, 24326.
Step 5
Click OK.
The new variable appears in the signature variables list on the Signature Variables panel.
Step 6
To edit an existing variable, select it in the signature variables list, and then click Edit.
The Edit Signature Variable dialog box appears for the variable that you chose.
Step 7
Make any necessary changes to the Value field.
Step 8
Click OK.
The edited variable appears in the signature variables list on the Signature Variables panel.
Step 9
To delete a variable, select it in the signature variables list, and then click Delete.
The variable no longer appears in the signature variables list on the Signature Variables panel.
Tip
To discard your changes, click Reset.
Step 10
Click Apply to apply your changes and save the revised configuration.
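The validation rules scattered through the steps above (names limited to letters, digits, hyphen and underscore; comma-delimited values with no space after a comma, otherwise "Validation failed"; a leading "$" to mark a variable reference) can be checked before you type them into the dialog. The Python below is an added example written for this page, not IDM's or the sensor's code. The name and delimiter rules and the WEBPORTS default come from the page; the 1-65535 port range, the single-address-or-CIDR syntax accepted for the "IP address range" type, and all function names are my assumptions.

```python
import ipaddress
import re

# Rules stated on the page: a variable name may contain only letters, digits,
# hyphens and underscores; a value is a comma-delimited list with no space
# after a comma (otherwise the dialog reports "Validation failed"); a variable
# is referenced with a leading "$" so the sensor can tell it from a string.
# Assumptions of mine: ports are 1-65535, and an "IP address range" entry is
# written as a single address or a CIDR block.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


class ValidationFailed(ValueError):
    """Raised where the dialog would show its 'Validation failed' error."""


def validate_name(name: str) -> str:
    if not NAME_RE.fullmatch(name):
        raise ValidationFailed(f"invalid variable name: {name!r}")
    return name


def name_is_valid(name: str) -> bool:
    try:
        validate_name(name)
        return True
    except ValidationFailed:
        return False


def split_entries(value: str) -> list:
    # The page's warning: whitespace after a delimiter fails validation.
    # Whitespace at either end of the whole value is rejected for the same reason.
    if value != value.strip() or re.search(r"\s,|,\s", value):
        raise ValidationFailed(f"whitespace next to a comma in: {value!r}")
    entries = value.split(",")
    if any(entry == "" for entry in entries):
        raise ValidationFailed(f"empty entry in: {value!r}")
    return entries


def normalize_value(value: str) -> str:
    """Strip the whitespace that trips validation, e.g. '80, 3128' -> '80,3128'."""
    return ",".join(part.strip() for part in value.split(","))


def parse_web_ports(value: str) -> list:
    ports = []
    for entry in split_entries(value):
        if not entry.isdigit() or not 1 <= int(entry) <= 65535:
            raise ValidationFailed(f"not a port number: {entry!r}")
        ports.append(int(entry))
    return ports


def parse_ip_ranges(value: str) -> list:
    try:
        return [ipaddress.ip_network(entry, strict=False) for entry in split_entries(value)]
    except ValueError as exc:  # ValidationFailed from split_entries or a bad address
        raise ValidationFailed(str(exc)) from exc


def value_is_valid(value: str, vtype: str) -> bool:
    """True if the Add/Edit dialog would accept this Value for the given Type."""
    try:
        (parse_web_ports if vtype == "web port" else parse_ip_ranges)(value)
        return True
    except ValidationFailed:
        return False


def resolve(reference: str, variables: dict) -> str:
    """Expand '$NAME' used inside a signature parameter; text without '$' is a literal."""
    if not reference.startswith("$"):
        return reference
    name = reference[1:]
    if name not in variables:
        raise ValidationFailed(f"undefined variable: {reference}")
    return variables[name]


# Constructed variable table holding the page's WEBPORTS default, spaces removed.
VARIABLES = {"WEBPORTS": normalize_value("80, 3128, 8000, 8010, 8080, 8888, 24326")}

if __name__ == "__main__":
    print(parse_web_ports(resolve("$WEBPORTS", VARIABLES)))
```

Run `normalize_value` over a value copied from documentation or a spreadsheet before pasting it into the Value field; the displayed default on the page contains spaces after the commas, which is exactly what the note in Step 4 says the dialog rejects.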
Configuring Signatures
This section describes how to configure signatures, and contains the following topics:
• Overview
• Supported User Role
• Field Definitions
• Adding Signatures
• Cloning Signatures
• Tuning Signatures
• Enabling and Disabling Signatures
• Activating and Retiring Signatures
• Assigning Actions to Signatures
Overview
You can perform the following tasks on the Signature Configuration panel:
• Sort and view all signatures stored on the sensor.
  You can sort by attack type, protocol, service, operating system, action to be performed, engine, signature ID, or signature name.
• View the NSDB information about the selected signature.
  The NSDB pages list the key attributes, a description, any benign triggers, and any recommended filters for the selected signature.
• Edit (tune) an existing signature to change the value(s) associated with the parameter(s) for that signature.
• Create a signature, either by cloning an existing signature and using the parameters of that signature as a starting point for the new signature, or by adding a new signature from scratch.
  You can also use the Custom Signature Wizard to create a signature. The wizard guides you through the parameters that you must select to configure a custom signature, including selection of the appropriate signature engine.
• Enable or disable an existing signature.
• Restore the factory defaults to the signature.
• Delete a custom signature.
  You cannot delete built-in signatures.
• Activate or retire an existing signature.
• Assign actions to a signature.
Supported User Role
The following user roles are supported:
• Administrator
• Operator
• Viewer
You must be Administrator or Operator to configure signatures.
Field Definitions
This section lists the field definitions for configuring signatures, and contains the following topics:
• Signature Configuration Panel
• Add Signatures Dialog Box
• Clone and Edit Signature Dialog Boxes
• Assign Actions Dialog Box
Signature Configuration Panel
The following fields and buttons are found on the Signature Configuration panel.
Field Descriptions:
• Select By—Lets you sort the list of signatures by selecting an attribute to sort on, such as protocol, service, or action.
• Select Criteria—Lets you further sort within a category by selecting a specific class within that category.
  For example, if you select to sort by protocol, you can select L2/L3/L4 protocol and view only signatures that are related to L2/L3/L4 protocol.
• Sig ID—Identifies the unique numerical value assigned to this signature.
  This value lets the sensor identify a particular signature.
• SubSig ID—Identifies the unique numerical value assigned to this subsignature.
  A SubSig ID is used to identify a more granular version of a broad signature.
• Name—Identifies the name assigned to the signature.
• Enabled—Identifies whether or not the signature is enabled.
  A signature must be enabled for the sensor to protect against the traffic specified by the signature.
• Action—Identifies the actions the sensor will take when this signature fires.
• Severity—Identifies the severity level that the signature will report: High, Informational, Low, Medium.
• Fidelity Rating—Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target.
• Type—Identifies whether this signature is a default (built-in), tuned, or custom signature.
• Engine—Identifies the engine responsible for parsing and inspecting the traffic specified by this signature.
• Retired—Identifies whether or not the signature is retired.
  A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine.
Button Functions:
• Select All—Selects all signatures.
• NSDB Link—Opens the NSDB page for the selected signature.
  The NSDB pages list the key attributes, a description, any benign triggers, and any recommended filters for the selected signature.
• Add—Opens the Add Signature dialog box.
  You can create a signature by selecting the appropriate parameters.
• Clone—Opens the Clone Signature dialog box.
  You can create a signature by changing the prepopulated values of the existing signature you chose to clone.
• Edit—Opens the Edit Signature dialog box.
  You can change the parameters associated with the selected signature and effectively tune the signature.
  You can edit only one signature at a time.
• Enable—Enables the selected signature.
• Disable—Disables the selected signature.
• Actions—Displays the Assign Actions dialog box.
• Restore Defaults—Returns all parameters to the default settings for the selected signature.
• Delete—Deletes the selected custom signature.
  You cannot delete built-in signatures.
• Activate—Activates the selected signature if the signature is retired.
  This process can take some time because the sensor has to add the signature back to the appropriate signature engine and reconstruct the signature engine.
• Retire—Retires the selected signature and removes it from the signature engine.
• Apply—Applies your changes and saves the revised configuration.
• Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Add Signatures Dialog Box
The following fields and buttons are found in the Add Signature dialog box:
Field Descriptions:
• Signature ID—Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature.
  The value is 1000 to 65000.
• SubSignature ID—Identifies the unique numerical value assigned to this subsignature. A subsignature ID is used to identify a more granular version of a broad signature.
  The value is 0 to 255.
• Alert Severity—Lets you choose the severity level of the signature: High, Informational, Low, Medium.
• Sig Fidelity Rating—Lets you choose the weight associated with how well this signature might perform in the absence of specific knowledge of the target.
  The value is 0 to 100. The default is 75.
• Promiscuous Delta—Lets you determine the seriousness of the alert.
• Sig Description—Lets you specify the following attributes that help you distinguish this signature from other signatures:
  – Signature Name—The default is MySig.
  – Alert Notes—Add alert notes in this field.
  – User Comments—Add your comments about this signature in this field.
  – Alarm Traits—The value is 0 to 65535. The default is 0.
  – Release—The software release in which the signature first appeared.
• Engine—Lets you choose the engine responsible for parsing and inspecting the traffic specified by this signature.
• Event Counter—Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:
  – Event Count—The value is 1 to 65535. The default is 1.
  – Event Count Key—Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.
  – Specify Alert Interval—Choose Yes or No.
• Alert Frequency—Lets you configure how often the sensor alerts you when this signature is firing. Specify the following parameters for this signature:
  – Summary Mode—Choose Fire All, Fire Once, Global Summarize, or Summarize.
  – Summary Interval—The value is 1 to 65535. The default is 15.
  – Summary Key—Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.
  – Specify Global Summary Threshold—Choose Yes or No.
• Status—Lets you choose to enable or retire the signature:
  – Enabled—Lets you choose whether the signature is enabled or disabled. The default is yes.
  – Retired—Lets you choose whether the signature is retired or not. The default is no.
Icons:
• Circle + icon—Indicates that you can expand the menu.
• Circle - icon—Indicates that the menu is collapsed.
• Green square icon—Indicates that this parameter is using the default value. Click the icon to edit the value.
• Red diamond icon—Indicates that this parameter is using a user-defined value. Click the icon to restore the default value.
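The Event Counter and Alert Frequency parameters are easiest to reason about by simulating them over a stream of matches. The Python model below is an added example written for this page, not the sensor's or Cisco's implementation. The parameter names, defaults and key choices are taken from the dialog box above; the counting and summarising rules (a signature fires on every N-th match for the same address set, Fire Once alerts once per key, Summarize alerts on the first fire in an interval and folds later fires into one summary, Global Summarize does the same with a single key for the whole signature) are my reading of the descriptions, and the packet field names and sample streams are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Event Count Key / Summary Key choices as named on the page, mapped to the
# packet fields (my field names) that make up the "address set".
KEY_FIELDS = {
    "Attacker address": ("attacker",),
    "Attacker address and victim port": ("attacker", "victim_port"),
    "Attacker and victim addresses": ("attacker", "victim"),
    "Attacker and victim addresses and ports": ("attacker", "attacker_port", "victim", "victim_port"),
    "Victim address": ("victim",),
}


@dataclass(frozen=True)
class Match:
    """One packet that matched the signature's pattern (constructed data)."""
    t: float
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int


def address_key(m: Match, key_name: str) -> tuple:
    return tuple(getattr(m, f) for f in KEY_FIELDS[key_name])


@dataclass
class AlertPolicy:
    """Illustrative model of Event Counter + Alert Frequency (my reading, not the sensor's code)."""
    event_count: int = 1                    # page default
    event_count_key: str = "Attacker address"
    summary_mode: str = "Fire All"
    summary_interval: float = 15.0          # page default
    summary_key: str = "Attacker address"
    _counts: dict = field(default_factory=lambda: defaultdict(int), init=False, repr=False)
    _fired_once: set = field(default_factory=set, init=False, repr=False)
    _windows: dict = field(default_factory=dict, init=False, repr=False)  # key -> [start, fires]

    def _fires(self, m: Match) -> bool:
        # The signature fires on every N-th match for the same address set.
        k = address_key(m, self.event_count_key)
        self._counts[k] += 1
        if self._counts[k] < self.event_count:
            return False
        self._counts[k] = 0
        return True

    def _summary_key(self, m: Match) -> tuple:
        # Global Summarize folds every address set into one summary per signature.
        return () if self.summary_mode == "Global Summarize" else address_key(m, self.summary_key)

    def process(self, m: Match) -> list:
        """Alerts emitted for this match: ('alert', key) or ('summary', key, fires)."""
        if not self._fires(m):
            return []
        k = self._summary_key(m)
        if self.summary_mode == "Fire All":
            return [("alert", k)]
        if self.summary_mode == "Fire Once":
            if k in self._fired_once:
                return []
            self._fired_once.add(k)
            return [("alert", k)]
        # Summarize / Global Summarize: the first fire in a window alerts; later
        # fires in the same window are rolled into one summary when it closes.
        out = []
        window = self._windows.get(k)
        if window is not None and m.t - window[0] < self.summary_interval:
            window[1] += 1
            return out
        if window is not None and window[1] > 1:
            out.append(("summary", k, window[1]))
        self._windows[k] = [m.t, 1]
        out.append(("alert", k))
        return out

    def flush(self, now: float) -> list:
        """Close every summary window whose interval has elapsed by `now`."""
        out = []
        for k, (start, fires) in list(self._windows.items()):
            if now - start >= self.summary_interval:
                if fires > 1:
                    out.append(("summary", k, fires))
                del self._windows[k]
        return out


def simulate(policy: AlertPolicy, matches: list, end_time: float) -> list:
    alerts = []
    for m in sorted(matches, key=lambda x: x.t):
        alerts.extend(policy.process(m))
    alerts.extend(policy.flush(end_time))
    return alerts


# Constructed stream: one attacker hits a web server 12 times, one match per second.
SINGLE_ATTACKER = [Match(t, "198.51.100.7", 40000 + t, "192.0.2.10", 80) for t in range(12)]
# Constructed stream: two attackers alternate against the same victim, six matches.
TWO_ATTACKERS = [Match(t, "198.51.100.7" if t % 2 == 0 else "198.51.100.8", 40000, "192.0.2.10", 80)
                 for t in range(6)]

if __name__ == "__main__":
    print(simulate(AlertPolicy(event_count=5, summary_mode="Summarize"), SINGLE_ATTACKER, 60))
```

The two streams show why the key choice matters as much as the count: with Event Count 5 keyed on Attacker address, the alternating pair never reaches the threshold, while keyed on Victim address the same six matches fire once.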
Clone and Edit Signature Dialog Boxes
The following fields and buttons are found in the Clone and Edit Signature dialog boxes:
Field Descriptions:
• Signature ID—Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature.
  The value is 1000 to 65000.
• SubSignature ID—Identifies the unique numerical value assigned to this subsignature. A subsignature ID is used to identify a more granular version of a broad signature.
  The value is 0 to 255.
• Alert Severity—Lets you choose the severity level of the signature: High, Informational, Low, Medium.
• Sig Fidelity Rating—Lets you choose the weight associated with how well this signature might perform in the absence of specific knowledge of the target.
  The value is 0 to 100. The default is 75.
• Promiscuous Delta—Lets you determine the seriousness of the alert.
• Sig Description—Lets you specify the following attributes that help you distinguish this signature from other signatures:
  – Signature Name—The default is MySig.
  – Alert Notes—Add alert notes in this field.
  – User Comments—Add your comments about this signature in this field.
  – Alarm Traits—The value is 0 to 65535. The default is 0.
  – Release—The software release in which the signature first appeared.
• Engine—Lets you choose the engine responsible for parsing and inspecting the traffic specified by this signature.
• Event Action—Lets you assign the actions the sensor takes when it responds to an event.
Caution
When adding event actions, to select more than one event action, you must hold down the Ctrl key while selecting additional event actions to ensure that all of the actions stay selected.
Field Descriptions:
• Deny Attacker Inline—Terminates the current packet and future packets from this attacker address for a specified period of time (inline only).
  The sensor maintains a list of the attackers being denied by the system. To remove an entry from the denied attacker list, you can view the list of attackers and clear the entire list, or you can wait for the timer to expire. The timer is a sliding timer for each entry. Therefore, if attacker A is being denied, but issues another attack, the timer for attacker A is reset and attacker A remains in the denied attacker list until the timer expires. If the denied attacker list is at capacity and cannot add a new entry, the packet will still be denied.
• Deny Connection Inline—Terminates the current packet and future packets on this TCP flow (inline only).
• Deny Packet Inline—Terminates the packet (inline only).
• Log Attacker Packets—Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Log Pair Packets—Starts IP logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Log Victim Packets—Starts IP logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Produce Alert—Writes the event to the Event Store as an alert.
• Produce Verbose Alert—Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Request Block Connection—Sends a request to NAC to block this connection.
• Request Block Host—Sends a request to NAC to block this attacker host.
• Request SNMP Trap—Sends a request to the Notification Application component of the sensor to perform SNMP notification. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Reset TCP Connection—Sends TCP resets to hijack and terminate the TCP flow.
• Event Counter—Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set:
  – Event Count—The value is 1 to 65535. The default is 1.
  – Event Count Key—Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.
  – Specify Alert Interval—Choose Yes or No.
• Alert Frequency—Lets you configure how often the sensor alerts you when this signature is firing. Specify the following parameters for this signature:
  – Summary Mode—Choose Fire All, Fire Once, Global Summarize, or Summarize.
  – Summary Interval—The value is 1 to 65535. The default is 15.
  – Summary Key—Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.
  – Specify Global Summary Threshold—Choose Yes or No.
• Status—Lets you choose to enable or retire the signature:
  – Enabled—Lets you choose whether the signature is enabled or disabled. The default is yes.
  – Retired—Lets you choose whether the signature is retired or not. The default is no.
Icons:
• Circle + icon—Indicates that you can expand the menu.
• Circle - icon—Indicates that the menu is collapsed.
• Green square icon—Indicates that this parameter is using the default value. Click the icon to edit the value.
• Red diamond icon—Indicates that this parameter is using a user-defined value. Click the icon to restore the default value.
Button Functions:
• OK—Accepts your changes and closes the dialog box.
• Cancel—Discards your changes and closes the dialog box.
• Help—Displays the help topic for this feature.
Assign Actions Dialog Box
The following fields and buttons are found in the Assign Actions dialog box.
Note
An event action is the sensor's response to an event. Event actions are configurable on a per signature basis.
Field Descriptions:
• Deny Attacker Inline—Terminates the current packet and future packets from this attacker address for a specified period of time (inline only).
  The sensor maintains a list of the attackers being denied by the system. To remove an entry from the denied attacker list, you can view the list of attackers and clear the entire list, or you can wait for the timer to expire. The timer is a sliding timer for each entry. Therefore, if attacker A is being denied, but issues another attack, the timer for attacker A is reset and attacker A remains in the denied attacker list until the timer expires. If the denied attacker list is at capacity and cannot add a new entry, the packet will still be denied.
• Deny Connection Inline—Terminates the current packet and future packets on this TCP flow (inline only).
• Deny Packet Inline—Terminates the packet (inline only).
• Log Attacker Packets—Starts IP logging on packets that contain the attacker address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Log Pair Packets—Starts IP logging on packets that contain the attacker/victim address pair. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Log Victim Packets—Starts IP logging on packets that contain the victim address and sends an alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Produce Alert—Writes the event to the Event Store as an alert.
• Produce Verbose Alert—Includes an encoded dump of the offending packet in the alert. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Request Block Connection—Sends a request to NAC to block this connection.
• Request Block Host—Sends a request to NAC to block this attacker host.
• Request SNMP Trap—Sends a request to the Notification Application component of the sensor to perform SNMP notification. This action causes an alert to be written to the Event Store, even if Produce Alert is not selected.
• Reset TCP Connection—Sends TCP resets to hijack and terminate the TCP flow.
Button Functions:
• Select All—Lets you select all event actions.
• Select None—Clears all event action selections.
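The denied attacker list described under Deny Attacker Inline (both in the Clone and Edit Signature dialog boxes and in the Assign Actions dialog box above) has three behaviours worth seeing together: each entry carries a sliding timer that is reset when the same attacker triggers the action again, the operator can clear the whole list, and when the list is full the triggering packet is still denied even though no entry can be added. The Python below is an added example of mine, not the sensor's implementation. The deny duration and list capacity are parameters because the page does not state their values, and the packet sequence is constructed.

```python
class DeniedAttackerList:
    """Model of the denied attacker list used by Deny Attacker Inline.

    Behaviour taken from the page: sliding per-entry timer, reset on a repeat
    attack; the list can be cleared as a whole; if the list is at capacity the
    packet that would have added an entry is still denied. The timer length
    and capacity are my parameters; the page does not give them.
    """

    def __init__(self, deny_seconds: float, capacity: int):
        self.deny_seconds = deny_seconds
        self.capacity = capacity
        self._expiry = {}  # attacker address -> time at which its entry expires

    def _purge(self, now: float) -> None:
        # Entries whose timer has run out leave the list (the page's "wait for the timer to expire").
        for addr in [a for a, exp in self._expiry.items() if exp <= now]:
            del self._expiry[addr]

    def is_denied(self, addr: str, now: float) -> bool:
        self._purge(now)
        return addr in self._expiry

    def entries(self, now: float) -> list:
        """The denied attacker list as an operator would view it."""
        self._purge(now)
        return sorted(self._expiry)

    def clear(self) -> None:
        """Operator clears the entire list (the page's other way to remove an entry)."""
        self._expiry.clear()

    def trigger(self, addr: str, now: float) -> str:
        """A signature carrying Deny Attacker Inline fired for addr.

        Returns 'added', 'renewed' (sliding timer reset) or 'full' (no room; the
        packet is still denied by the caller, but no entry is created).
        """
        self._purge(now)
        if addr in self._expiry:
            self._expiry[addr] = now + self.deny_seconds
            return "renewed"
        if len(self._expiry) >= self.capacity:
            return "full"
        self._expiry[addr] = now + self.deny_seconds
        return "added"

    def inline_decision(self, addr: str, now: float, fired: bool) -> str:
        """Verdict for one packet from addr: 'deny' or 'forward'."""
        if fired:
            self.trigger(addr, now)
            return "deny"          # denied whether or not an entry could be added
        return "deny" if self.is_denied(addr, now) else "forward"


# Constructed packet sequence: (time in seconds, attacker address, did the signature fire?)
PACKETS = [
    (0, "203.0.113.5", True),     # A: entry added, packet denied
    (3, "203.0.113.5", False),    # A: still on the list -> denied
    (8, "203.0.113.5", True),     # A: fires again -> timer slides to 8 + deny_seconds
    (12, "203.0.113.9", True),    # B: entry added
    (14, "203.0.113.12", True),   # C: list full -> packet still denied, no entry
    (15, "203.0.113.12", False),  # C: never made the list -> forwarded
    (17, "203.0.113.5", False),   # A: still denied because of the reset at t=8
    (19, "203.0.113.5", False),   # A: expired at t=18 -> forwarded
]


def demo_trace(deny_seconds: float = 10, capacity: int = 2) -> list:
    """Run PACKETS through a fresh list; returns (time, address, verdict) triples."""
    dal = DeniedAttackerList(deny_seconds, capacity)
    return [(t, addr, dal.inline_decision(addr, t, fired)) for t, addr, fired in PACKETS]


if __name__ == "__main__":
    for row in demo_trace():
        print(*row)
```

The trace makes the capacity caveat concrete: at t=14 the third attacker's packet is dropped, but because no entry was created its next packet at t=15 passes. When the list is sized too small for the environment, Deny Attacker Inline degrades to Deny Packet Inline for the overflow, which is worth knowing when you audit why a denied host kept getting through.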
Adding Signatures
To add signatures, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Configuration.
The Signature Configuration panel appears.
Step 2
To create a custom signature that is not based on an existing signature, follow these steps:
a.
Click Add to open the Add Signature dialog box.
b.
Specify a unique signature ID and subsignature ID for this new signature.
c.
Select the severity you want to associate with this signature.
d.
Specify a value between 1 and 100 to represent the signature fidelity rating for this signature.
e.
Complete the signature description fields and add any comments about this signature.
f.
Select the engine the sensor will use to enforce this signature.
Note
If you do not know which engine to select, use the Custom Signature Wizard to help you create a custom signature.
g.
Complete the Event Counter fields if you want events counted.
h.
Complete the Alert Frequency fields.
i.
Under Status, select Yes to enable the signature.
Note
A signature must be enabled for the sensor to actively detect the attack specified by the signature.
j.
Under Status, specify if this signature is retired. Click No to activate the signature. This places the signature in the engine.
Note
A signature must be activated for the sensor to actively detect the attack specified by the signature.
Tip
To discard your changes and close the Add Signature dialog box, click Cancel.
k.
Click OK.
The new signature appears in the list with the Type set to Custom.
Tip
To discard your changes, click Reset.
Step 3
Click Apply to apply your changes and save the revised configuration.
Cloning Signatures
From the Signature Configuration panel, you can create a signature by cloning an existing signature. This task can save you time when you are creating signatures that are similar.
To clone signatures, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Configuration.
The Signature Configuration panel appears.
Step 2
To locate a signature, choose a sorting option from the Select By list.
For example, if you are searching for a UDP Flood signature, select L2/L3/L4 Protocol and then UDP Floods.
The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria.
Step 3
To create a signature by using an existing signature as the starting point, select the signature and follow these steps:
a.
Click Clone to open the Clone Signature dialog box.
b.
Specify a unique signature ID and subsignature ID for this new signature.
c.
Review the parameter values and change the value of any parameter you want to be different for this new signature.
Caution
When adding event actions, to select more than one event action, you must hold down the Ctrl key while selecting additional event actions to ensure that all of the actions stay selected.
Note
A + icon indicates that more parameters are available for this signature. Click the + icon to expand the section and view the remaining parameters.
Tip
A green icon indicates that the parameter is using the default value. Click the green icon to activate the parameter field and edit the value.
d.
Under Status, select Yes to enable the signature.
Note
A signature must be enabled for the sensor to actively detect the attack specified by the signature.
e.
Under Status, specify if this signature is retired. Click No to activate the signature. This places the signature in the engine.
Note
A signature must be activated for the sensor to actively detect the attack specified by the signature.
Tip
To discard your changes and close the Clone Signature dialog box, click Cancel.
f.
Click OK.
The cloned signature now appears in the list with the Type set to Custom.
Tip
To discard your changes, click Reset.
Step 4
Click Apply to apply your changes and save the revised configuration.
Tuning Signatures
To tune signatures, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Configuration.
The Signature Configuration panel appears.
Step 2
To locate a signature, choose a sorting option from the Select By list.
For example, if you are searching for a UDP Flood signature, select L2/L3/L4 Protocol and then UDP Floods.
The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria.
Step 3
To tune an existing signature, select the signature, and follow these steps:
a.
Click Edit to open the Edit Signature dialog box.
b.
Review the parameter values and change the value of any parameter you want to tune.
Caution
When adding event actions, to select more than one event action, you must hold down the Ctrl key while selecting additional event actions to ensure that all of the actions stay selected.
Note
A + icon indicates that more parameters are available for this signature. Click the + icon to expand the section and view the remaining parameters.
Tip
A green icon indicates that the parameter is using the default value. Click the green icon to activate the parameter field and edit the value.
c.
Under Status, select Yes to enable the signature.
Note
A signature must be enabled for the sensor to actively detect the attack specified by the signature.
d.
Under Status, specify if this signature is retired. Click No to activate the signature. This places the signature in the engine.
Note
A signature must be activated for the sensor to actively detect the attack specified by the signature.
Tip
To discard your changes and close the Edit Signature dialog box, click Cancel.
e.
Click OK.
The edited signature now appears in the list with the Type set to Tuned.
Tip
To discard your changes, click Reset.
Step 4
Click Apply to apply your changes and save the revised configuration.
Enabling and Disabling Signatures
To enable signatures, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Configuration.
The Signature Configuration panel appears.
Step 2
To locate a signature, choose a sorting option from the Select By list.
For example, if you are searching for a UDP Flood signature, select L2/L3/L4 Protocol and then UDP Floods.
The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria.
Step 3
To enable or disable an existing signature, select the signature and follow these steps:
a.
View the Enabled column to determine the status of the signature. A signature that is enabled has the value Yes in this column.
b.
To enable a signature that is disabled, select the signature and click Enable.
c.
To disable a signature that is enabled, select the signature and click Disable.
Tip
To discard your changes, click Reset.
Step 4
Click Apply to apply your changes and save the revised configuration.
Activating and Retiring Signatures
Caution
Activating and retiring signatures can take a very long time, up to 30 minutes or longer.
To activate and retire signatures, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Configuration.
The Signature Configuration panel appears.
Step 2
To locate a signature, choose a sorting option from the Select By list.
For example, if you are searching for a UDP Flood signature, select L2/L3/L4 Protocol and then UDP Floods.
The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria.
Step 3
To activate a signature that is retired, select the signature, and then click Activate.
Step 4
To retire a signature that is activated, select the signature and then click Retire.
Note
If you retire a signature, that signature is removed from the engine but remains in the signature configuration list. You can later activate the retired signature, but doing so requires the sensor to rebuild the signature list for that engine and could delay signature processing.
Tip
To discard your changes, click Reset.
Step 5
Click Apply to apply your changes and save the revised configuration.
Assigning Actions to Signatures
To assign actions to signatures, follow these steps:
Step 1
Click Configuration > Signature Definition > Signature Configuration.
The Signature Configuration panel appears.
Step 2
To locate a signature, choose a sorting option from the Select By list.
For example, if you are searching for a UDP Flood signature, select L2/L3/L4 Protocol and then UDP Floods.
The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria.
Step 3
To assign actions to a signature or set of signatures, select the signature(s), and then click Actions.
The Assign Actions dialog box appears.
a.
Select the actions you want to assign to the signature(s).
A check mark indicates that the action is assigned to the selected signature(s). No check mark indicates that the action is not assigned to any of the selected signatures. A gray check mark indicates that the action is assigned to some of the selected signatures.
b.
If you want to assign all actions to the selected signatures, click All. Or, if you want to remove all actions from the selected signatures, select None.
Tip
To discard your changes and close the Assign Actions dialog box, click Cancel.
c.
Click OK to save your changes and close the dialog box.
The new action now appears in the Action column.
Configuring the Miscellaneous Panel
This section describes how to configure the Miscellaneous panel, and contains the following topics:
•
Overview
•
Supported User Role
•
Field Definitions
•
Configuring Application Policy
•
Configuring IP Fragment Reassembly
•
Configuring TCP Stream Reassembly
•
Configuring IP Logging
Overview
On the Miscellaneous panel, you can perform the following tasks:
•
Configure the application policy parameters
You can configure the sensor to provide Layer 4 to Layer 7 packet inspection to prevent malicious attacks related to web services.
•
Configure IP fragment reassembly options
You can configure the sensor to reassemble a datagram that has been fragmented over multiple packets. You can specify boundaries that the sensor uses to determine how many datagrams and how long to wait for more fragments of a datagram. The goal is to ensure that the sensor does not allocate all its resources to datagrams that cannot be completely reassembled, either because the sensor missed some frame transmissions or because an attack has been launched that is based on generating random fragment datagrams.
•
Configure TCP stream reassembly
You can configure the sensor to monitor only TCP sessions that have been established by a complete three-way handshake. You can also configure how long to wait for the handshake to complete, and how long to keep monitoring a connection where no more packets have been seen. The goal is to prevent the sensor from creating alerts where a valid TCP session has not been established. There are known attacks against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The TCP session reassembly feature helps to mitigate these types of attacks against the sensor.
•
Configure IP logging options
You can configure a sensor to generate an IP session log when the sensor detects an attack. When IP logging is configured as a response action for a signature and the signature is triggered, all packets to and from the source address of the alert are logged for a specified period of time.
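To make the fragment reassembly bullet above concrete, here is an added teaching model (not Cisco's engine and not code from this guide) of the two resource boundaries it describes: a cap on how many partially reassembled datagrams the sensor holds at once, and a timeout after which an incomplete datagram is dropped. The fragment record, the limit values, and the names `FragmentReassembler`, `max_pending` and `timeout` are assumptions for the example; the packet trace inside `run_scenario` is constructed.

```python
"""Bounded IP fragment reassembly (constructed teaching example).

Shows why a reassembler needs limits: a burst of first fragments that never
complete must not consume the whole table, and stale partial datagrams must
expire so later legitimate traffic is still reassembled. Names and limits are
assumptions, not Cisco's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Fragment:
    dgram_id: int      # IP identification: groups the fragments of one datagram
    offset: int        # byte offset of this fragment's payload within the datagram
    payload: bytes
    more: bool         # "more fragments" flag; False on the final fragment
    ts: float          # capture time in seconds (constructed)


@dataclass
class Pending:
    first_seen: float
    parts: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None                         # known once the last fragment arrives


class FragmentReassembler:
    def __init__(self, max_pending: int = 4, timeout: float = 5.0):
        self.max_pending = max_pending      # boundary 1: partial datagrams held at once
        self.timeout = timeout              # boundary 2: seconds to wait for more fragments
        self.pending: Dict[int, Pending] = {}
        self.expired = 0                    # incomplete datagrams dropped on timeout
        self.rejected = 0                   # new datagrams refused because the table was full

    def _expire(self, now: float) -> None:
        stale = [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]
        for k in stale:
            del self.pending[k]
            self.expired += 1

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment; return the reassembled datagram when complete, else None."""
        self._expire(frag.ts)
        p = self.pending.get(frag.dgram_id)
        if p is None:
            if len(self.pending) >= self.max_pending:
                self.rejected += 1          # table full: do not allocate for a new datagram
                return None
            p = self.pending[frag.dgram_id] = Pending(first_seen=frag.ts)
        p.parts[frag.offset] = frag.payload
        if not frag.more:
            p.total_len = frag.offset + len(frag.payload)
        if p.total_len is None:
            return None                     # final fragment not yet seen
        # Complete only when the fragments cover 0..total_len with no gap or overlap.
        pos = 0
        for off in sorted(p.parts):
            if off != pos:
                return None
            pos += len(p.parts[off])
        if pos != p.total_len:
            return None
        del self.pending[frag.dgram_id]
        return b"".join(p.parts[o] for o in sorted(p.parts))


def run_scenario():
    """Constructed trace: one good datagram, a flood of never-completing fragments,
    then another good datagram after the stale entries have timed out."""
    r = FragmentReassembler(max_pending=2, timeout=5.0)
    # legitimate 2-fragment datagram arriving last fragment first
    r.add(Fragment(dgram_id=1, offset=7, payload=b"world", more=False, ts=0.0))
    done1 = r.add(Fragment(dgram_id=1, offset=0, payload=b"hello, ", more=True, ts=0.1))
    # burst of first fragments with random ids that never complete (constructed)
    for i, dg in enumerate((500, 501, 502, 503)):
        r.add(Fragment(dgram_id=dg, offset=0, payload=b"junk", more=True, ts=1.0 + i * 0.01))
    # well past the timeout, a new legitimate datagram is still reassembled
    r.add(Fragment(dgram_id=2, offset=0, payload=b"ok-", more=True, ts=10.0))
    done2 = r.add(Fragment(dgram_id=2, offset=3, payload=b"go", more=False, ts=10.1))
    return done1, done2, r.rejected, r.expired, len(r.pending)


if __name__ == "__main__":
    print(run_scenario())
```

With `max_pending=2`, only two of the four junk datagrams get a table slot and the other two are refused; once the timeout has elapsed the two stale slots are expired, so the later legitimate datagram completes normally and the table ends empty.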
Supported User Role
The following user roles are supported:
•
Administrator
•
Operator
•
Viewer
You must be Administrator or Operator to configure the parameters on the Miscellaneous panel.
Field Definitions
The following fields and buttons are found on the Miscellaneous panel.
•
Application Policy—Lets you configure application policy enforcement.
–
Enable HTTP—Enables protection for web services. Select Yes to require the sensor to inspect HTTP traffic for compliance with the RFC.
–
Max HTTP Requests—Specifies the maximum number of outstanding HTTP requests per connection.
–
AIC Web Ports—Specifies the variable for ports to look for AIC traffic.
Note
We recommend that you not configure AIC web ports, but rather use the default web ports.
–
Enable FTP—Enables protection for FTP services. Select Yes to require the sensor to inspect FTP traffic.
•
Fragment Reassembly—Lets you configure IP fragment reassembly.
–
IP Reassembly Mode—Identifies the method the sensor uses to reassemble the fragments, based on the operating system.
•
Stream Reassembly—Lets you configure TCP stream reassembly.
–
TCP Handshake Required—Specifies that the sensor should only track sessions for which the three-way handshake is completed.
–
TCP Reassembly Mode—Specifies the mode the sensor should use to reassemble TCP sessions with the following options:
Asymmetric—Use when the sensor may be seeing only one direction of a bidirectional traffic flow.
Note
Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.
Strict—If a packet is missed for any reason, all packets after the missed packet are not processed.
Loose—Use in environments where packets might be dropped.
•
IP Log—Lets you configure the sensor to stop IP logging when any of the following conditions are met:
–
Max IP Log Packets—Identifies the number of packets you want logged.
–
IP Log Time—Identifies the duration you want the sensor to log. A valid value is 1 to 60 minutes. The default is 30 minutes.
–
Max IP Log Bytes—Identifies the maximum number of bytes you want logged.
Button Functions:
•
Apply—Applies your changes and saves the revised configuration.
•
Reset—Refreshes the panel by replacing any edits you made with the previously configured value.
Configuring Application Policy
Tip
A + icon indicates that more options are available for this parameter. Click the + icon to expand the section and view the remaining parameters.
Tip
A green icon indicates that the parameter is currently using the default value. Click the green icon to activate the parameter field and edit the value.
To configure the application policy parameters, follow these steps:
Step 1
Click Configuration > Signature Definition > Miscellaneous.
The Miscellaneous panel appears.
Step 2
Under Application Policy, click the green icon next to Enable HTTP and select Yes to enable inspection of HTTP traffic.
Step 3
Click the green icon next to Max HTTP Requests and specify the number of outstanding HTTP requests per connection.
Step 4
(Optional) Click the green icon next to AIC Web Ports and specify the ports you want active.
Note
We recommend that you not configure AIC web ports, but rather use the default web ports.
Step 5
Click the green icon next to Enable FTP and select Yes to enable inspection of FTP traffic.
Note
If you enable the application policy for HTTP or FTP, the sensor checks to be sure the traffic is compliant with the RFC.
Tip
To discard your changes, click Reset.
Step 6
Click Apply to apply your changes and save the revised configuration.
Configuring IP Fragment Reassembly
To configure the IP fragment reassembly parameters, follow these steps:
Step 1
Click Configuration > Signature Definition > Miscellaneous.
The Miscellaneous panel appears.
Step 2
Under Fragment Reassembly, click the green icon next to IP Reassembly Mode and select the operating system you want to use to reassemble the fragments.
Tip
To discard your changes, click Reset.
Step 3
Click Apply to apply your changes and save the revised configuration.
Configuring TCP Stream Reassembly
To configure the TCP stream reassembly parameters, follow these steps:
Step 1
Click Configuration > Signature Definition > Miscellaneous.
The Miscellaneous panel appears.
Step 2
Under Stream Reassembly, click the green icon next to TCP Handshake Required and select Yes.
Selecting TCP Handshake Required specifies that the sensor should only track sessions for which the three-way handshake is completed.
Step 3
Click the green icon next to TCP Reassembly Mode and select the mode the sensor should use to reassemble TCP sessions:
•
Asymmetric—Lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions.
•
Strict—If a packet is missed for any reason, all packets after the missed packet are not processed.
•
Loose—Use in environments where packets might be dropped.
Tip
To discard your changes, click Reset.
Step 4
Click Apply to apply your changes and save the revised configuration.
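The following added example (a teaching model, not Cisco's engine and not code from this guide) shows the effect of the settings described in this procedure: with TCP Handshake Required, a replayed attack fragment that never completed a handshake is not inspected and so cannot raise an alert; after a missed packet, Strict mode stops processing the session while Loose mode resynchronizes; and Asymmetric mode lets the tracker establish state from a one-sided flow. The packet record, the `StreamTracker` class, its handshake rules and the traces inside `run_scenarios` are all assumptions constructed for this example.

```python
"""TCP stream tracking under Strict, Loose and Asymmetric reassembly
(constructed teaching example; not Cisco's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pkt:
    direction: str          # "c2s" (client to server) or "s2c"
    flags: str              # "S", "SA", "A" or "PA"
    seq: int
    payload: bytes = b""


class StreamTracker:
    def __init__(self, mode: str, handshake_required: bool = True):
        assert mode in ("strict", "loose", "asymmetric")
        self.mode = mode
        self.handshake_required = handshake_required
        self.hs = 0                       # 0 none, 1 SYN seen, 2 SYN/ACK seen
        self.established = False
        self.halted = False               # strict mode: set once a gap is detected
        self.next_seq: Dict[str, Optional[int]] = {"c2s": None, "s2c": None}
        self.inspected: List[bytes] = []  # payloads handed to the signature engines

    def _advance_handshake(self, p: Pkt) -> None:
        if self.hs == 0 and p.flags == "S" and p.direction == "c2s":
            self.hs = 1
        elif self.hs == 1 and p.flags == "SA" and p.direction == "s2c":
            self.hs = 2
        elif self.hs == 2 and p.flags in ("A", "PA") and p.direction == "c2s":
            self.established = True
        elif (self.mode == "asymmetric" and self.hs == 1
              and p.flags in ("A", "PA") and p.direction == "c2s"):
            # Only the client side is visible; assume the SYN/ACK travelled an unseen path.
            self.established = True

    def feed(self, p: Pkt) -> bool:
        """Return True if the packet's payload was inspected."""
        if not self.established:
            if self.handshake_required:
                self._advance_handshake(p)
                if not self.established:
                    return False          # unestablished session: nothing inspected
            else:
                self.established = True   # mid-stream pickup allowed
        if self.halted or not p.payload:
            return False
        expected = self.next_seq[p.direction]
        if expected is not None and p.seq != expected:
            # Sequence gap: a packet in this direction was missed.
            if self.mode == "strict":
                self.halted = True        # nothing after the missed packet is processed
                return False
            # loose / asymmetric: resynchronise on the new sequence number and continue
        self.next_seq[p.direction] = p.seq + len(p.payload)
        self.inspected.append(p.payload)
        return True


def run_scenarios():
    results = {}
    # Replayed data segment with no handshake: ignored when the handshake is required.
    t = StreamTracker("strict")
    results["replay_without_handshake"] = t.feed(Pkt("c2s", "PA", 1000, b"GET /x"))

    # Full handshake, three data segments, the second arriving after a missed packet.
    flow = [Pkt("c2s", "S", 100), Pkt("s2c", "SA", 500), Pkt("c2s", "A", 101),
            Pkt("c2s", "PA", 101, b"GET /a"),    # next expected seq: 107
            Pkt("c2s", "PA", 120, b"GET /b"),    # gap: 107..119 never seen
            Pkt("c2s", "PA", 126, b"GET /c")]    # contiguous with the previous segment
    for mode in ("strict", "loose"):
        t = StreamTracker(mode)
        for p in flow:
            t.feed(p)
        results[mode] = len(t.inspected)

    # Only the client-to-server direction is visible (asymmetric routing).
    one_way = [Pkt("c2s", "S", 100), Pkt("c2s", "A", 101), Pkt("c2s", "PA", 101, b"USER x")]
    for mode in ("strict", "asymmetric"):
        t = StreamTracker(mode)
        for p in one_way:
            t.feed(p)
        results["one_way_" + mode] = len(t.inspected)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The trade-off the Note above describes is visible in the one-way trace: Asymmetric mode inspects the client data that Strict mode never sees, but it does so without ever observing the server side, so signatures that need both directions cannot get full protection.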
Configuring IP Logging
Note
When the sensor meets any one of the IP logging conditions, it stops IP logging.
To configure the IP logging parameters, follow these steps:
Step 1
Click Configuration > Signature Definition > Miscellaneous.
The Miscellaneous panel appears.
Step 2
Under IP Log, click the green icon next to Max IP Log Packets and then specify the number of packets you want logged.
Step 3
Click the green icon next to IP Log Time and then specify the duration you want the sensor to log.
A valid value is 1 to 60 minutes. The default is 30 minutes.
Step 4
Click the green icon next to Max IP Log Bytes and then specify the maximum number of bytes you want logged.
Tip
To discard your changes, click Reset.
Step 5
Click Apply to apply your changes and save the revised configuration.
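The Note at the start of this procedure says the sensor stops IP logging as soon as any one of the three conditions is met. The following added example (a teaching model, not Cisco's implementation and not code from this guide) makes that rule testable: a per-alert log that captures packets to and from the alert's source address and records which limit ended it. The `IpLog` class, the packet record, the use of seconds rather than the panel's minutes for the time limit, and the trace in `TRACE` are all constructed assumptions for the example.

```python
"""IP log stop conditions: Max IP Log Packets, IP Log Time, Max IP Log Bytes
(constructed teaching example; not Cisco's implementation)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IpLog:
    source: str            # source address of the alert that started the log
    max_packets: int       # Max IP Log Packets
    log_time: float        # IP Log Time (seconds in this model; the panel uses minutes)
    max_bytes: int         # Max IP Log Bytes
    started: float         # time the alert fired
    packets: List[Tuple[float, str, str, int]] = field(default_factory=list)
    total_bytes: int = 0
    stop_reason: str = ""  # "", "packets", "time" or "bytes"

    def offer(self, ts: float, src: str, dst: str, size: int) -> bool:
        """Offer one packet to the log; return True if it was logged."""
        if self.stop_reason:
            return False                      # logging already stopped
        if ts - self.started >= self.log_time:
            self.stop_reason = "time"
            return False
        if src != self.source and dst != self.source:
            return False                      # not to/from the alert source; log continues
        if self.total_bytes + size > self.max_bytes:
            self.stop_reason = "bytes"
            return False
        self.packets.append((ts, src, dst, size))
        self.total_bytes += size
        if len(self.packets) >= self.max_packets:
            self.stop_reason = "packets"      # this packet is kept; the next is refused
        return True


# Constructed trace: (timestamp, src, dst, bytes). 10.0.0.5 is the alert source.
TRACE = [
    (0.0, "10.0.0.5", "192.0.2.10", 60),
    (0.5, "192.0.2.10", "10.0.0.5", 1400),
    (1.0, "10.0.0.7", "192.0.2.10", 60),     # unrelated host: never logged
    (1.5, "10.0.0.5", "192.0.2.10", 1400),
    (2.0, "10.0.0.5", "192.0.2.10", 1400),
    (9.0, "10.0.0.5", "192.0.2.10", 60),
]


def run_log(max_packets: int, log_time: float, max_bytes: int):
    """Replay TRACE through a log with the given limits; return (count, bytes, stop reason)."""
    log = IpLog("10.0.0.5", max_packets, log_time, max_bytes, started=0.0)
    for ts, src, dst, size in TRACE:
        log.offer(ts, src, dst, size)
    return len(log.packets), log.total_bytes, log.stop_reason


if __name__ == "__main__":
    print(run_log(100, 5.0, 100000))   # time limit ends the log
    print(run_log(2, 60.0, 100000))    # packet count ends the log
    print(run_log(100, 60.0, 3000))    # byte limit ends the log
```

Running the same trace three times with different limits shows each condition winning on its own, which is what to expect from the panel: the tightest of the three settings determines how much of the session is captured.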