User Guide for Cisco IPS Manager 3.0
Configuring Sensors and Signature Settings

Table Of Contents

Configuring Sensors and Signature Settings

Configuring Basic Sensor and Signature Settings

Identifying Internal Networks

Identifying an NTP Server

About Signatures

Copying Signature Settings

Tuning Sensor Configurations

Configuring Blocking

Specifying 4.X Blocking Properties

Specifying 5.X Blocking Properties

Specifying Networks and Hosts that Should Never Be Blocked

Using Blocking Devices

Configuring Rate Limiting

Specifying Master Blocking Sensors

About the Configuration Comparison Tool

Copying Configuration Settings

Reviewing Pending Configuration File Settings

Unlocking Pending Configuration Settings

Reviewing Historical Configuration File Settings

Identifying Allowed Hosts

Configuring 4.x Sensor and Signature Settings

Specifying Reassembly Options for a 4.x Sensor

Configuring Port Mapping on a 4.x Device

Configuring Automatic IP Logging on a 4.x Sensor

Defining Identification Properties for a 4.x Sensor

Configuring Sensing Interfaces for 4.x Sensors

Using Signatures in 4.x Devices

Configuring and Tuning Signatures for 4.X Sensors

Adding a 4.x Custom Signature By Using the Signature Wizard

Defining Filters for a 4.x Device

Configuring 5.X Sensor and Signature Settings

Defining Identification Properties for a 5.X Sensor

Configuring Event Actions for 5.X Sensors

Using Event Variables

Using Target Value Ratings

Using Event Action Overrides

Using Event Action Filters

Configuring Signature EAFs at the Group Level

Configuring Event Action General Settings

Configuring Interfaces for IPS 5.X Sensors

Editing Interfaces for IPS 5.X Sensors

Configuring Interface Pairs for IPS 5.X Sensors

Configuring VLAN Pairs

Configuring Bypass for IPS 5.X Sensors

Configuring Traffic Flow Notifications for IPS 5.X Sensors

Configuring Analysis Engine Settings for 5.X Sensors

Editing Virtual Sensors

Editing Global Parameters

Configuring SNMP Settings for IPS 5.X Sensors

Configuring General SNMP Parameters

Configuring SNMP Traps

Adding SNMP Trap Destination Addresses

Editing SNMP Trap Destination Addresses

Using Signatures in 5.x Devices

Creating Signature Variables for 5.x Devices

Editing Signatures for 5.x Devices

Tuning Signatures for 5.x Devices

Setting Miscellaneous Signature Parameters for 5.x Devices

Adding a 5.x Custom Signature By Using the Signature Wizard

Configuring IOS IPS Sensor Settings

Using Signature Definition Files (SDFs) in IOS IPS Devices

Defining Identification Properties for an IOS IPS Device

Using Signatures in IOS IPS Devices

Configuring and Tuning Signatures for IOS IPS Devices

Adding an IOS IPS Custom Signature By Using the Signature Wizard

Specifying IOS IPS Rules

Identifying Different Ports to be Monitored by IOS IPS Devices

Specifying IOS IPS General Properties

Specifying IOS IPS SDEE Properties

Defining Filters for an IOS IPS Device

Specifying Reassembly Options for an IOS IPS Device


Configuring Sensors and Signature Settings


Network sensing can be accomplished using a sensor, an IDSM (Intrusion Detection System Module), a Cisco IOS router running IOS IPS, and line-card modules running in certain Cisco IOS routers. These sensing platforms are components of the Cisco Intrusion Prevention System and can be managed by Management Center for IPS Sensors (IPS MC). These sensing platforms monitor and analyze network traffic in real time. They do this by looking for anomalies and misuse on the basis of an extensive embedded signature library. However, these platforms differ in how they can respond to perceived intrusions.


Note Sensors up to and including versions 4.x are typically referred to as IDS (Intrusion Detection System) sensors. Sensors with version designations of 5.0 or greater are referred to as IPS (Intrusion Prevention System) sensors.


When a sensor detects unauthorized network activity, it can terminate the connection, block the associated host on a blocking device (for the configured block duration), log the incident, and send an alarm to IPS MC. On 5.x sensors these responses are called event actions; "event action" is the newer term for what earlier releases called alarms.

The IDSM is a switching module designed for the Catalyst 6000 family of switches. When the Cisco Intrusion Prevention System detects unauthorized network activity, the IDSM responds by generating an alarm that can be logged and displayed by IPS MC.

Network sensing requires configuring several sensor or IDSM settings and signature settings. After you configure the sensors, you must tune them to achieve optimal performance, and particularly to minimize false positives and false negatives.


Note Do not confuse tuning sensor configurations with tuning parameters for individual signatures.


Some settings can be configured only at the sensor level or only at the group level. For example, defining filters for a sensor can be done only at the sensor level in IPS MC version 2.1 and earlier. As another example, identifying additional ports used by specific signatures can be done only at the group level.

You initiate these configuration and tuning tasks in the Configuration > Settings TOC. Most of these tasks require you to use the Object Selector. The Object Selector handle appears at the left edge of the page; drag it to the right to open the Object Selector. The TOC (Table of Contents) pane that you see varies depending on what you select in the Object Selector.


Tip The Configuration > Settings TOC, the Configuration > History page, the Admin > License Management page, and the Devices > Certificate Management page are the only places where the Object Selector is used in IPS MC.


The tasks you perform to configure sensor and signature settings vary significantly depending on the type of device or devices you are operating upon. For that reason, this chapter is divided into the following sections:

Basic Configuration of Sensors and Signatures—Details the information and procedures that are either common to all devices, or those that differ only to a small degree. Also details the information and procedures necessary for tuning devices.

Configuration of 5.x Sensors and Signatures—Details the information and procedures necessary for configuring settings for 5.x devices.

Configuration of 4.x Sensors and Signatures—Details the information and procedures necessary for configuring settings for 4.x devices.

Configuration of IOS IPS Devices and Signatures—Details the information and procedures necessary for configuring settings for IOS IPS devices.

This chapter contains the following topics:

Configuring Basic Sensor and Signature Settings

Configuring 4.x Sensor and Signature Settings

Configuring 5.X Sensor and Signature Settings

Configuring IOS IPS Sensor Settings

Configuring Basic Sensor and Signature Settings

This section details the sensor and signature setting configuration and tuning procedures that differ little or not at all with regard to the type of sensor you are using. Subsequent sections in this chapter provide configuration details on particular devices supported by IPS MC.

This section contains the following topics:

Identifying Internal Networks

Identifying an NTP Server

About Signatures

Copying Signature Settings

Tuning Sensor Configurations

Configuring Blocking

About the Configuration Comparison Tool

Copying Configuration Settings

Reviewing Pending Configuration File Settings

Unlocking Pending Configuration Settings

Reviewing Historical Configuration File Settings

Identifying Allowed Hosts

Identifying Internal Networks

For each sensor or group of sensors that you manage with IPS MC, you can identify trusted, internal networks. Internal networks are handled differently from external networks for the purposes of reports and alarms.


Note This procedure applies to 4.x devices only.


To identify an internal network, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to identify an internal network.

The Object Selector closes.

Step 4 Select Internal Networks (IDS 4.x) from the TOC.

The Internal Networks page appears, and the Object bar displays the sensor that you selected.

Step 5 On the Internal Networks page, add an internal network. After you add an internal network, you can edit its properties or delete it.


Identifying an NTP Server

Network Time Protocol (NTP) server time can be used with a sensor if the sensor is managed by IPS MC. This procedure describes how to identify an NTP server to use with a sensor, not how to set the time on a sensor.


Caution If a sensor already has an NTP server configured, for example one that you set up outside of IPS MC, you must also identify that NTP server in IPS MC by using this procedure. Otherwise, the sensor's NTP settings might be lost when IPS MC generates and deploys the sensor configuration. We recommend selecting the Global group in Step 3 of the procedure below.

For detailed information on how to set the time on a sensor, refer to Configuring the Sensor to Use an NTP Time Source in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface Version 5.0. You will be prompted for your CCO username and password.


Tip If you are having trouble updating the software on an IDS sensor, check the time on the sensor. The update is validated against a certificate, and if the sensor's clock is outside the certificate's validity period (for example, set ahead of the certificate's expiry), the certificate is rejected and the software update fails.


To identify an NTP server, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the sensor or group for which you want to identify an NTP server.

The Object Selector closes.

Step 4 In the TOC, select NTP Server.

The NTP Server page appears, and the Object bar displays the sensor or group that you selected.

Step 5 In the Server IP field, enter the IP address of the NTP server.

Step 6 In the Key field, enter the key value of the NTP server.

Step 7 In the Key ID field, enter the Key ID value of the NTP server. Valid values are 1 through 4294967295.

Step 8 The Mandatory check box is present only if you selected a group in Step 3. Select it to apply these settings to all objects in the group and in all subgroups. Otherwise, objects in this group and in its subgroups can override the settings of this group.


About Signatures

Network intrusions are attacks on, or other misuses of, network resources. Cisco Intrusion Prevention System sensors use a signature-based technology to detect network intrusions. A signature specifies the types of network intrusions that you want the sensor to detect and report. As sensors scan network packets, they use signatures to detect known types of attacks, such as denial of service (DoS) attacks, and respond with actions that you define.

On a basic level, signature-based intrusion detection technology can be compared to virus-checking programs. Cisco Systems produces a set of signatures that the sensor compares with network activity. When a match is found, the sensor takes some action, such as logging the event or sending an alarm to the Event Viewer provided with Monitoring Center for Security (Security Monitor).

Signatures can produce false positives, because certain normal network activity can be construed as malicious. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by tuning your sensors.

For more information about signatures on specific devices, refer to the following topics:

Using Signatures in 4.x Devices

Using Signatures in 5.x Devices

Using Signatures in IOS IPS Devices


Caution In IPS MC 2.0.2 and later versions, all IOS IPS signatures are unselected by default. As a result, if you upgrade from IDS MC 2.0 or IPS MC 2.0.1 to IPS MC 2.0.2 or later, any IOS IPS signatures that you left at their defaults are deselected in the upgraded installation. Configuration and tuning information for IOS IPS signatures whose default settings you changed is preserved by the upgrade.

Copying Signature Settings

Beginning with IPS MC 2.2, you can copy signature settings from any group or device to any other group or device of the same version family (4.x to 4.x, 5.x to 5.x, or IOS IPS to IOS IPS). This lets you, for example, promote signature settings tuned on one device to its parent group. Each copy operation has exactly one source and one destination; there is no other restriction on which objects you can use.

There are two methods of copying:

Soft Copy—Signature settings can be copied to a destination group or device. Settings at the child level that overrode the parent settings are maintained.

Hard Copy—Signature settings can be copied to a destination group only. Committed and pending signature settings for the copied signatures are deleted from children of the destination group. The children of the destination group use the new settings.


Note The copied settings replace the settings only on children devices that are similar to the source device. For example, if you perform a hard copy of a 5.x device to a group that contains 4.x and 5.x devices, only the 5.x devices are affected; the 4.x devices remain unchanged.


A hard copy is time consuming when there is a large number of signatures copied or a large number of destination group children. To monitor the progress of the operation, use the Progress Viewer panel.

Beyond the choice of executing either a hard copy or soft copy, the signature copy feature also provides the following three options:

Copy General Settings—Copies general parameters such as Severity, Actions, Enable, Disable, Selected, and Unselected.

Copy Signature Tunings—Copies signature tuning parameters.

Check for incompatible signature context(s)—The system checks for an incompatible context between the source and destination tuning parameters before starting the signature copy operation. If the system identifies an incompatible signature context between the source and any destination, the system displays a warning message and enables you to select whether to proceed.


Warning When an incompatible tuning parameter is identified, the copy operation does not copy it. Instead, it resets the tuning parameters of the affected signatures at the destination to their default values.


To copy one or more signatures, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the group or device from which you want to copy signature settings.

The Object Selector closes.

Step 4 In the TOC under Signatures, select the device version, for example, IPS 5.x.

The Signatures in Group page appears, listing the signatures for the selected device.

Step 5 Select the check box for the signature or signatures that you want to copy, and then click Copy.

The Copy Signature Settings page appears and displays the Select Target Object dialog box.

Step 6 Select the destination (target) object to which you want to copy the signature information.

The selected destination object is highlighted.

Step 7 Select either the Hard Copy or Soft Copy radio button.


Tip The default is Soft Copy. Select Hard Copy only when you are copying to a group and want all children objects of the destination group to receive the copied information.


Step 8 To copy general settings, select the Copy General Settings check box.

Step 9 To copy signature tunings, ensure that the Copy Signature Tunings check box is selected.


Tip You can select Copy General Settings, or Copy Signature Tunings, or both.


Step 10 To check for incompatible signature context(s) during the copy operation, select the Check for incompatible signature context(s) check box.


Note If you do not select the Check for incompatible signature context(s) check box, and incompatible signature contexts are encountered at a destination sensor, that sensor is reset to its default signature settings and you will lose any customization you have on that sensor for the signature being copied.


Step 11 Click Ok.

The Progress Viewer window appears and shows the progression of the operation.


Tip You can click Refresh to update the display in the Progress Viewer and you can click Show Messages to view logs of the copy operation.
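To make the soft and hard copy rules concrete, here is a small Python model of the object tree and of the two copy modes. It is an added example written for this section; it is not IPS MC code and does not talk to IPS MC. The tree, the sensor names, the setting values, and the use of signature 2004 as a label are all constructed for the example. The model also makes two assumptions about the operation: a copy takes the source object's effective settings for each signature, and a hard copy removes a same-version child's whole entry for the copied signature (subgroups included), while children of other versions are left untouched, as the Note above describes.

```python
"""Model of soft versus hard signature copy (example only, not IPS MC code)."""
from typing import Dict, Iterable, List, Optional, Tuple

GENERAL_KEYS = {"severity", "actions", "enabled", "selected"}   # "general settings"
Key = Tuple[str, str]   # (device version, signature id)


class Node:
    """A group (version None) or a device ('4.x', '5.x', 'IOS IPS') in the object tree."""

    def __init__(self, name: str, version: Optional[str] = None,
                 parent: Optional["Node"] = None) -> None:
        self.name, self.version, self.parent = name, version, parent
        self.children: List["Node"] = []
        self.settings: Dict[Key, Dict[str, object]] = {}   # what is set at this level
        if parent is not None:
            parent.children.append(self)

    def is_group(self) -> bool:
        return self.version is None

    def set(self, sig: str, version: Optional[str] = None, **values: object) -> None:
        self.settings.setdefault((version or self.version, sig), {}).update(values)

    def effective(self, sig: str, version: Optional[str] = None) -> Dict[str, object]:
        """Walk from the root down: each level overrides what its parents set."""
        version = version or self.version
        chain, n = [], self
        while n is not None:
            chain.append(n)
            n = n.parent
        result: Dict[str, object] = {}
        for n in reversed(chain):
            result.update(n.settings.get((version, sig), {}))
        return result

    def descendants(self) -> Iterable["Node"]:
        for child in self.children:
            yield child
            yield from child.descendants()


def copy_signatures(src: Node, dst: Node, sigs: Iterable[str], version: str,
                    hard: bool = False, general: bool = True, tunings: bool = True) -> None:
    """version: the device version picked under Signatures in the TOC (Step 4)."""
    for n in (src, dst):
        if not n.is_group() and n.version != version:
            raise ValueError(f"{n.name} is {n.version}: copy only between like versions")
    if hard and not dst.is_group():
        raise ValueError("hard copy is allowed only to a group")

    def wanted(key: str) -> bool:   # Copy General Settings / Copy Signature Tunings
        return (general and key in GENERAL_KEYS) or (tunings and key not in GENERAL_KEYS)

    for sig in sigs:
        chosen = {k: v for k, v in src.effective(sig, version).items() if wanted(k)}
        dst.set(sig, version, **chosen)
        if hard:
            # Same-version children (and subgroups) lose their own settings for the
            # copied signature and inherit the group's; other versions are untouched.
            for child in dst.descendants():
                child.settings.pop((version, sig), None)


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed tree: one source sensor, one destination group with mixed children."""
    root = Node("Global")
    src = Node("sensor-a", "5.x", root)
    src.set("2004", severity="high", actions=["produce-alert", "request-block-host"], max_ttl=120)
    grp = Node("branch", parent=root)
    sub = Node("branch-east", parent=grp)
    b = Node("sensor-b", "5.x", grp)
    b.set("2004", severity="low")          # child-level override
    c = Node("sensor-c", "4.x", grp)
    c.set("2004", severity="medium")       # different version family
    d = Node("sensor-d", "5.x", sub)       # no settings of its own

    copy_signatures(src, grp, ["2004"], version="5.x", hard=False)
    soft = {n.name: n.effective("2004").get("severity") for n in (b, c, d)}
    copy_signatures(src, grp, ["2004"], version="5.x", hard=True)
    hard = {n.name: n.effective("2004").get("severity") for n in (b, c, d)}
    return {"soft": soft, "hard": hard}


if __name__ == "__main__":
    print(demo())
```

After the soft copy sensor-b keeps its own "low" severity while sensor-d, which sets nothing itself, inherits "high" from the group; after the hard copy sensor-b's override is gone and it inherits "high" too. The 4.x sensor-c keeps "medium" in both cases.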



Tuning Sensor Configurations

After you configure your sensors, you must tune them to achieve optimal performance on your network, and particularly to minimize false positives and false negatives.


Note Do not confuse tuning sensor configurations with tuning parameters for individual signatures.


A false positive occurs when legitimate network activity, such as virus scanning, is interpreted and reported as an attack. This happens when benign traffic matches the criteria that a signature uses to identify an attack. You can decrease the number of false positives by tuning your sensor configurations.

A false negative occurs when an attack was not detected. Tuning your sensor configurations will help you decrease the number of false negatives.

You can tune sensor configurations by using four methods:

Specify reassembly settings for IP fragments and TCP sessions: Refer to Specifying Reassembly Options for a 4.x Sensor for 4.x devices, to Specifying Reassembly Options for an IOS IPS Device for IOS IPS devices, and to Setting Miscellaneous Signature Parameters for 5.x Devices for 5.x devices.

Specifying reassembly settings prevents false negatives that are caused because the sensor cannot reconstruct the datagram or session.

Port mapping (that is, identifying additional ports): Refer to Configuring Port Mapping on a 4.x Device for 4.x devices and to Identifying Different Ports to be Monitored by IOS IPS Devices for IOS IPS devices (port mapping is not available for 5.x devices).

For some devices supported by IPS MC, you can identify additional ports that should be considered by a sensor signature. This is known as port mapping. Examples of additional ports are those used by custom TCP services and those used by well-known services that you have reassigned to another port. Identifying additional ports is important because some sensor signatures are based on specific port numbers.

Identify hosts and networks that should be exempt from blocking: Refer to Specifying Networks and Hosts that Should Never Be Blocked for both 4.x devices and 5.x devices (this method is not available for IOS IPS devices).

For example, your sensor configuration may include instructions to block sources of a particular attack whenever that attack is detected; you may also have a trusted network device whose normal, expected behavior appears to be that attack. In this situation, you can tune your sensor configuration to ignore that perceived attack when its source is your trusted network device. In that way, you avoid false positives from your trusted network device, and your trusted network device is not blocked. You still receive alarms if that particular attack is detected in traffic from other sources. Also, you can still block other, untrusted devices if your sensor detects that particular attack in traffic from those other, untrusted devices.

Filter alarms according to their severity and source: Refer to Defining Filters for a 4.x Device for 4.x devices, to Defining Filters for an IOS IPS Device for IOS IPS devices, and to Using Event Action Filters for 5.x devices.

Filtering audit events reduces the number of false positives that are reported to you. You can set the minimum severity level of events that will be reported. Also, you can enable and disable alarms from specific hosts and networks. For some devices supported by IPS MC, you can define rules that prevent the sensor from generating alarms and audit event records for suspicious behavior based on traffic originating from or destined to specific networks and hosts.

For more specific information on tuning sensors see one of the following sections:

Configuring and Tuning Signatures for 4.X Sensors

Tuning Signatures for 5.x Devices

Configuring and Tuning Signatures for IOS IPS Devices

Configuring Blocking

You can use the Blocking page to specify the devices that will perform blocking and to specify other parameters. Blocking parameters that you can configure include the following:

4.x Blocking Properties—Enables you to define general blocking properties for blocking devices defined for 4.x sensors.

5.x Blocking Properties—Enables you to define general blocking properties for blocking devices defined for 5.x sensors. These properties include the rate limiting function, which can be applied to sensors that support it (for example, 5.1 sensors).

Never Block Addresses—Enables you to define machines or networks that should never be blocked.

Blocking Devices—Enables you to define routers and firewalls that will be used to perform blocking.

Master Blocking Sensor—Enables you to define sensor(s) that will perform blocking on behalf of the sensor.


Note You must define the master blocking sensor(s) first.


This section contains the following topics:

Specifying 4.X Blocking Properties

Specifying 5.X Blocking Properties

Specifying Networks and Hosts that Should Never Be Blocked

Using Blocking Devices

Configuring Rate Limiting

Specifying Master Blocking Sensors

Specifying 4.X Blocking Properties

The 4.x Blocking Properties table on the Blocking Properties page enables you to define general blocking properties for blocking devices defined for 4.x sensors. For the procedure for defining general blocking properties for blocking devices defined for 5.x sensors, see Specifying 5.X Blocking Properties.

To specify blocking properties, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the 4.X sensor for which you want to specify blocking properties.

The Object Selector closes.

Step 4 In the TOC under Blocking, select Blocking Properties.

The 4.x Blocking Properties table appears.

Step 5 To enable blocking, select the Enable Blocking check box.


Note Alternatively, you can specify and save the blocking properties and enable blocking at another time.


Step 6 Specify a value for the Length of Automatic Block. This is the time period that generated ACL rules remain active at blocking devices.

Step 7 Specify a value for the Maximum ACL Entries. This is the maximum number of simultaneous ACL entries that can be maintained.

Step 8 To enable the logging of ACL policy violations on the blocking devices, select the Enable ACL Logging check box.

Step 9 To allow blocking devices to block the sensor's IP address, select the Allow blocking devices to block the sensor's IP address check box. Leave this check box cleared unless you have a specific reason to select it: a block on the sensor's own address can cut the sensor off from the blocking device and from IPS MC.

Step 10 To specify that settings at this level override (non-mandatory) settings from any parent group level, select the Override check box.

Step 11 Click Apply.

The blocking properties for the selected 4.X sensor are saved.


Note If you selected the Enable Blocking check box, these blocking properties are enabled.



Specifying 5.X Blocking Properties

The 5.x Blocking Properties table on the Blocking Properties page enables you to define general blocking properties for blocking devices defined for 5.x sensors. For the procedure for defining general blocking properties for blocking devices defined for 4.x sensors, see Specifying 4.X Blocking Properties.

Beginning with IPS MC 2.2, a rate limiting feature is available through the Network Access Control (NAC) functionality of Cisco IPS 5.1 sensors. Rate limiting enables 5.1 sensors to restrict the rate of specified traffic classes on network devices. Rate limiting responses are available in event action filtering and in blocking, and are supported for the Flood Host engine, the Flood Net engine, and the TCP half-open SYN signature. Rate limit requests can be forwarded to other sensors using the master blocking sensor forwarding mechanism.

To specify blocking properties, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the 5.X sensor (or group) for which you want to specify blocking properties.

The Object Selector closes.

Step 4 In the TOC under Blocking, select 5.x Blocking Properties.

The 5.x Blocking Properties table appears.


Note The 5.x Blocking Properties table differs according to what you selected in the Object Selector. If you selected a group, the table includes a Mandatory check box that, when selected, enforces the settings made here for all sensors and subgroups within the selected group (however, if the group contains both 5.0 and 5.1 sensors, the Maximum Rate Limit Entries value will be enforced on 5.1 sensors only). In addition, the Maximum Rate Limit Entries field appears in the 5.x Blocking Properties table when the selected sensor supports rate limiting (for example, IPS 5.1 sensors) or when you select a group.


Step 5 To specify that settings at this level override non-mandatory settings from any parent group level, select the Override check box.

Selecting the Override check box enables the other fields in the table.

Step 6 To enable blocking and rate limiting, select the Enable Blocking check box.

Step 7 If you have selected a group, to make the blocking property settings mandatory for all sensors and subgroups within the selected group, select the Mandatory check box.

Step 8 To enable the logging of ACL policy violations on the blocking devices, select the Enable ACL Logging check box.


Note You can specify and save the blocking properties now and enable blocking at another time.


Step 9 To allow sensors to block, select the Allow Sensors to Block check box.

Step 10 To enable logging of blocking events and errors, select the Log Block Events and Errors check box.

Step 11 To have the sensor write the blocking device's running configuration to NVRAM after it changes an ACL, select the Enable NVRAM Write check box.

Step 12 Specify a value in the Maximum Block Entries field. This is the maximum number of simultaneous ACL entries that can be maintained.

Step 13 Specify a value in the Maximum Interfaces field. This is the maximum number of interfaces that can be maintained.

Step 14 If you are specifying blocking properties for a sensor that supports rate limiting (for example, IPS 5.1 sensors) enter a value in the Maximum Rate Limit Entries field. The maximum rate limit should be equal to or less than the maximum blocking entries. If you configure more rate limit entries than block entries, you receive an error. The default is 250. Minimum value is 0; maximum value is 32767.

Step 15 Click Apply.

The blocking properties for the selected 5.X sensor are saved.


Tip If you selected the Enable Blocking check box, these blocking properties are enabled.



Specifying Networks and Hosts that Should Never Be Blocked

You can configure a sensor to block an attack by generating ACL rules for publication to a Cisco IOS router. However, you must also tell the sensor which hosts and networks should never be blocked. For example, you may have a trusted network device whose normal, expected behavior mimics an attack; such a device should never be blocked, and neither should your trusted, internal networks. Maintaining this list reduces the number of false positives that result in blocks and helps to ensure proper network operation.


Note This procedure applies to 4.X and 5.X sensors.


To specify the networks or hosts that should never be blocked when an attack is detected, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to identify hosts and networks that should not be blocked.

The Object Selector closes.

Step 4 In the TOC, select Blocking > Never Block Addresses.

The IP Addresses page appears, listing the hosts and networks that will never be blocked by the sensor that you selected. On this page, you can add, edit, and delete hosts and networks.

Step 5 To add a host or network to the list of those that should never be blocked by the sensor that you selected, click Add. On the Enter Network page that appears, follow these steps:

a. Enter the IP address.

b. Enter the Network mask.

c. Enter a Comment [optional].

d. Click OK.

Step 6 To edit information associated with a host or network in the list, select the radio button adjacent to the address of that host or network, and click Edit. On the Enter Network page that appears, follow these steps:

a. Edit the IP address, as required.

b. Edit the Network mask, as required.

c. Edit the Comment, as required.

d. Click OK.

Step 7 To delete a host or network from the list of those that should never be blocked by the sensor that you selected, select the radio button corresponding to the address of that host or network, and click Delete.

The host or network that you selected is deleted.


Tip If desired, you can add, edit, or delete additional hosts or networks.



Using Blocking Devices

You can block attacks on your network, or apply rate limiting for a sensor that supports rate limiting (for example, a 5.1 sensor), by configuring a sensor to request a Cisco IOS router to reject IP traffic that you specify. A Cisco IOS router used in this manner is called a blocking device. Before you can use a Cisco IOS router as a blocking device, you must identify it in IPS MC and specify its properties.


Note This procedure applies to 4.X and 5.X sensors.


To identify a blocking device and specify its properties, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to specify a blocking device and its properties.

The Object Selector closes.

Step 4 In the TOC, select Blocking Devices.

The Blocking Devices page appears.

Step 5 Select the blocking device that you want to respond to an attack or rate limit condition detected by the selected sensor. Alternatively, you can edit or delete existing blocking devices, or add a blocking device by performing the following steps:

a. To add a Cisco IOS router to use as a blocking device click Add.

The Enter Blocking Device page appears.

b. From the Device Type list, select the type of blocking device you want to add.

c. Enter the IP address of the new blocking device.

d. Enter the username and password of the new blocking device.

e. If you have chosen a router as the blocking device for a sensor that is capable of supporting rate limiting, select one or both of the following Response Capabilities:

Block

Rate Limit


Tip The option to configure Response Capability appears only when you have selected a sensor that supports rate limiting (for example, a 5.1 sensor); otherwise the default, Block, is configured as the Response Capability.


f. Complete the NAT Address, Comment, and Enable Password fields, as required.

g. Select a Secure Communications mode, as required. If the list offers both Telnet and SSH, choose SSH so that the credentials entered in step d are not sent across the network in cleartext.

h. Click Edit Interfaces.

The Enter Blocking Device Interface page appears.

This screen defines the blocking device interfaces for which ACL rules should be generated by the sensor when responding to an attack or rate limit condition. You can either select a listed interface or identify an additional interface.

i. To identify a new interface, click Add.

The Blocking Device Interface table appears.

Enter the Blocking Interface Name. For the new interface, specify the Blocking Direction, the Pre-block ACL Name, and the Post-block ACL Name, as required, and then click OK.

j. Select an interface, and click OK.

The Blocking Device table reappears.

Step 6 Click OK.


Tip For more information on pre-block ACLs and post-block ACLs, refer to Cisco IDS technical documentation. Log in at http://www.cisco.com/go/ids.
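The settings made in the preceding blocking sections (Length of Automatic Block, Maximum ACL Entries, Enable ACL Logging, the sensor's own address, the Never Block Addresses list, and the pre-block and post-block ACLs of a blocking device interface) all interact when the sensor generates an ACL for the blocking device. The following Python simulation, added here as an example and not code from IPS MC or from the sensor, shows that interaction for a constructed series of block requests. The addresses, the ACL lines, the 30-minute block length and the two-entry limit are made up for the example; the rule that a new request is refused once Maximum ACL Entries is reached, the restart of the timer when a blocked host attacks again, and the exact layout of the generated ACL lines are assumptions about sensor behaviour.

```python
"""Simulation of sensor-driven blocking: exemptions, expiry, entry limit, ACL layout."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class BlockingProperties:
    """Fields from the Blocking Properties pages (defaults here are example values)."""
    block_length_minutes: int = 30        # Length of Automatic Block
    max_acl_entries: int = 250            # Maximum ACL Entries / Maximum Block Entries
    acl_logging: bool = False             # Enable ACL Logging
    allow_block_sensor_ip: bool = False   # Allow blocking devices to block the sensor's IP


class BlockSimulator:
    def __init__(self, props: BlockingProperties, sensor_ip: str, never_block: Sequence[str],
                 pre_block_acl: Sequence[str], post_block_acl: Sequence[str]) -> None:
        self.props = props
        self.sensor_ip = ipaddress.ip_address(sensor_ip)
        # Never Block Addresses: host or network entries with their masks
        self.never_block = [ipaddress.ip_network(n, strict=False) for n in never_block]
        self.pre_block_acl = list(pre_block_acl)
        self.post_block_acl = list(post_block_acl)
        self.active: Dict[object, int] = {}   # blocked host -> expiry time (minutes)

    def is_exempt(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        if addr == self.sensor_ip and not self.props.allow_block_sensor_ip:
            return True   # the sensor must not lock itself out of the blocking device
        return any(addr in net for net in self.never_block)

    def expire(self, now: int) -> None:
        """Drop blocks whose Length of Automatic Block has elapsed."""
        self.active = {h: exp for h, exp in self.active.items() if exp > now}

    def request_block(self, host: str, now: int) -> str:
        """Handle a block request from a signature; returns what happened."""
        self.expire(now)
        if self.is_exempt(host):
            return "exempt"
        addr = ipaddress.ip_address(host)
        expiry = now + self.props.block_length_minutes
        if addr in self.active:
            self.active[addr] = expiry          # assumption: a repeat attack restarts the timer
            return "renewed"
        if len(self.active) >= self.props.max_acl_entries:
            return "full"                       # assumption: refuse once the limit is reached
        self.active[addr] = expiry
        return "blocked"

    def render_acl(self, now: int) -> List[str]:
        """Pre-block entries, then one deny per active block, then post-block entries."""
        self.expire(now)
        log = " log" if self.props.acl_logging else ""
        lines = list(self.pre_block_acl)
        lines += [f"deny ip host {addr} any{log}" for addr in sorted(self.active)]
        lines += self.post_block_acl
        return lines


def demo() -> Dict[str, object]:
    """Constructed scenario: a trusted scanner, the sensor itself, and three attackers."""
    props = BlockingProperties(block_length_minutes=30, max_acl_entries=2, acl_logging=True)
    sim = BlockSimulator(props, sensor_ip="172.16.0.9",
                         never_block=["10.1.0.0/16", "192.0.2.10/32"],
                         pre_block_acl=["permit tcp host 172.16.0.9 any eq 22"],
                         post_block_acl=["permit ip any any"])
    return {
        "scanner": sim.request_block("192.0.2.10", now=0),      # on the never-block list
        "sensor": sim.request_block("172.16.0.9", now=0),       # the sensor's own address
        "attacker1": sim.request_block("203.0.113.7", now=0),
        "attacker2": sim.request_block("203.0.113.8", now=5),
        "attacker3": sim.request_block("203.0.113.9", now=10),  # limit of 2 already reached
        "renew": sim.request_block("203.0.113.7", now=20),      # timer restarts, expires at 50
        "acl_at_20": sim.render_acl(20),
        "acl_at_40": sim.render_acl(40),   # .8 expired at 35, .7 still blocked
        "acl_at_60": sim.render_acl(60),   # everything expired
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note how the trusted scanner and the sensor are never added to the ACL even though a signature asked for the block, how the third attacker is refused once Maximum ACL Entries is reached, and how entries disappear on their own once the block length elapses.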



Configuring Rate Limiting

You can apply rate limiting for any sensor that supports rate limiting (for example, a 5.1 sensor), by configuring the sensor to request a Cisco IOS router to reject IP traffic according to the rate that you specify. A Cisco IOS router in that situation is referred to as a blocking device. Before you can use a Cisco IOS router as a blocking device, you must identify it in IPS MC and specify its properties.

To configure rate limiting, follow these steps:


Step 1 To identify a blocking device, if you have not already done so, follow these steps:

a. Select Configuration > Settings.

b. In the TOC, click the Object Selector handle.

c. In the Object Selector, select the 5.X sensor for which you want to identify a blocking device.

The Object Selector closes.

d. In the TOC, select Blocking Devices.

The Blocking Devices page appears.

e. Select the blocking device that you want to respond to a rate limit condition detected by the selected sensor.


Tip For information on how to add a blocking device, see Using Blocking Devices.


Step 2 To set rate limiting as the response capability for the blocking device, if you have not already done so, follow these steps:

a. Click Edit.

The Blocking Device page appears.

b. In the Response Capabilities field, select the Rate Limit check box.


Tip A blocking device can have one or more Response Capabilities selected.


c. Click OK.

Step 3 To specify the maximum number of rate limit entries, follow these steps:

a. In the TOC under Blocking, select 5.x Blocking Properties.

The 5.x Blocking Properties table appears.


Note The 5.x Blocking Properties table differs according to what you selected in the Object Selector. If you selected a group, the table includes a Mandatory check box that, when selected, enforces the settings made here for all sensors and subgroups within the selected group (however, if the group contains both 5.0 and 5.1 sensors, the Maximum Rate Limit Entries field will be enforced on 5.1 sensors only). In addition, the Maximum Rate Limit Entries field appears in the 5.x Blocking Properties table when the selected sensor supports rate limiting (for example, IPS 5.1 sensors) or when you select a group.


b. Enter a value for the Maximum Rate Limit Entries. The maximum rate limit entries value should be equal to or less than the maximum blocking entries value. If you configure more rate limit entries than block entries, you receive an error. The default is 250. The minimum value is 0; the maximum value is 32767.

c. Click Apply.

Step 4 To set the event action override, follow these steps:

a. In the TOC, under Event Actions (IPS 5.x), click Action Overrides.

The Signature Event Action Overrides Summary Table page appears.

b. Click Add.

The Event Action Override table appears.

c. From the Signature Event Action list, select request-rate-limit.

d. Specify the Risk Rating Inclusive Range as two numbers, each from 0 to 100, separated by a hyphen.


Note The Risk Rating Inclusive Range is the range used to trigger this event action override. If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event action is added to this event.


e. To enable the event action override, select the Enable action check box.


Note You can add an event action override without immediately enabling it.


f. Click OK.

The new event action override is detailed in the Event Action Overrides table.

Step 5 To specify the rate limit percentage that a particular signature operates with, follow these steps:

a. In the TOC, select Signatures > IPS 5.x.

The Signatures page appears, and the Object bar displays the sensor you selected in the Object Selector.

b. Select the signature for which you want to specify the rate limit percentage.


Tip You can filter the signature list to display only those signatures with a particular engine. Signatures that support rate limiting include those with the flood-host or flood-net engine, and signature 3050.


c. Click Tune.

The Signature Tuner table appears.

d. Select the Override check box at the bottom of the table.

e. If required, click the Engine and Event Action Settings parameter names to display the lower parameters.

f. Select External Rate Limit Type and, in the Value column, select Percentage from the list that appears.

g. Select External Rate Limit Percentage and, in the Value column, enter a number from 0 to 100.

h. Click OK.
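The rate-limit response chain just configured (entry limits, the request-rate-limit override keyed on risk rating, and the per-signature External Rate Limit Percentage) can be sanity-checked offline before it is applied. The following is an added example, not IPS MC code; the signature IDs, engine names, risk ratings and the "untuned means no request" rule are assumptions of this example.

```python
"""Offline model of the IPS MC rate-limit response chain described above.

Added example, not IPS MC code: it encodes the rules the page states so a
planned policy can be checked before it reaches a sensor.  Signature IDs,
engines and risk ratings below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MAX_RATE_LIMIT_ENTRIES = 32767                      # page: minimum 0, maximum 32767
DEFAULT_RATE_LIMIT_ENTRIES = 250                    # page: default value
RATE_LIMIT_ENGINES = {"flood-host", "flood-net"}    # page: engines that support rate limiting
RATE_LIMIT_SIGNATURES = {3050}                      # page: signature 3050 also supports it
REQUEST_RATE_LIMIT = "request-rate-limit"


@dataclass
class BlockingProperties:
    """The 5.x Blocking Properties fields that matter for rate limiting."""
    max_block_entries: int
    max_rate_limit_entries: int = DEFAULT_RATE_LIMIT_ENTRIES

    def validate(self) -> List[str]:
        """Return the problems IPS MC would reject (an empty list means OK)."""
        errors = []
        if not 0 <= self.max_rate_limit_entries <= MAX_RATE_LIMIT_ENTRIES:
            errors.append(f"Maximum Rate Limit Entries must be 0..{MAX_RATE_LIMIT_ENTRIES}, "
                          f"got {self.max_rate_limit_entries}")
        if self.max_rate_limit_entries > self.max_block_entries:
            errors.append("Maximum Rate Limit Entries exceeds maximum blocking entries")
        return errors


@dataclass
class EventActionOverride:
    """One row of the Event Action Overrides table."""
    action: str
    risk_rating_range: str        # "min-max", both inclusive, each 0..100
    enabled: bool = True

    def bounds(self) -> Tuple[int, int]:
        low, high = (int(part) for part in self.risk_rating_range.split("-"))
        if not 0 <= low <= high <= 100:
            raise ValueError(f"bad Risk Rating Inclusive Range: {self.risk_rating_range}")
        return low, high

    def applies_to(self, risk_rating: int) -> bool:
        # An override can sit in the table disabled; it then adds nothing.
        low, high = self.bounds()
        return self.enabled and low <= risk_rating <= high


@dataclass
class Signature:
    """The subset of Signature Tuner settings used by this model."""
    sig_id: int
    engine: str
    actions: Set[str] = field(default_factory=set)
    external_rate_limit_type: Optional[str] = None        # "Percentage" once tuned
    external_rate_limit_percentage: Optional[int] = None  # 0..100

    def supports_rate_limiting(self) -> bool:
        return self.engine in RATE_LIMIT_ENGINES or self.sig_id in RATE_LIMIT_SIGNATURES


def resolve_actions(sig: Signature, risk_rating: int,
                    overrides: List[EventActionOverride]) -> Set[str]:
    """Actions for one event: the signature's own plus each matching override's."""
    actions = set(sig.actions)
    for override in overrides:
        if override.applies_to(risk_rating):
            actions.add(override.action)
    return actions


def effective_rate_limit(sig: Signature, risk_rating: int,
                         overrides: List[EventActionOverride]) -> Optional[int]:
    """Percentage the router is asked to apply, or None when no rate limit results.

    A request goes out only when request-rate-limit is among the resolved actions,
    the signature supports rate limiting, and External Rate Limit Type/Percentage
    have been tuned (assumption of this model: untuned means no request).
    """
    if REQUEST_RATE_LIMIT not in resolve_actions(sig, risk_rating, overrides):
        return None
    if not sig.supports_rate_limiting():
        return None
    if sig.external_rate_limit_type != "Percentage" or sig.external_rate_limit_percentage is None:
        return None
    if not 0 <= sig.external_rate_limit_percentage <= 100:
        raise ValueError("External Rate Limit Percentage must be 0..100")
    return sig.external_rate_limit_percentage


if __name__ == "__main__":
    # Constructed sample: more rate-limit entries than block entries is rejected.
    print(BlockingProperties(max_block_entries=250, max_rate_limit_entries=300).validate())
    flood = Signature(60001, "flood-host", actions={"produce-alert"},
                      external_rate_limit_type="Percentage", external_rate_limit_percentage=30)
    overrides = [EventActionOverride(REQUEST_RATE_LIMIT, "90-100")]
    print(effective_rate_limit(flood, 95, overrides))   # 30
    print(effective_rate_limit(flood, 50, overrides))   # None
```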


Specifying Master Blocking Sensors

In some configurations it may be more effective to have a proxy sensor generate and apply rules for attacks detected by another sensor on your network. These proxy sensors are referred to as master blocking sensors.

You cannot use SSH keys with a sensor you intend to use as a master blocking sensor.

If the master blocking sensor uses TLS, you must configure the block-forwarding sensor(s) using the IDS sensor software command-line interface (CLI). To do that, enter the following commands in the CLI on block-forwarding sensors:

1. conf term

2. tls trust ip <master blocking sensor IP address>

3. exit

Then reboot the block-forwarding sensor.


Note This procedure applies to 4.X and 5.X sensors.


To specify master blocking sensors that should be used to block attacks detected by the selected sensor, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to specify a master blocking sensor.

The Object Selector closes.

Step 4 In the TOC, select Master Blocking Sensors.

The Master Blocking Sensors page appears, and the Object bar displays the sensor you selected in the Object Selector.

Step 5 To identify a master blocking sensor, click Add.

The Enter Master Blocking page lists the blocking sensors available for selection.

Step 6 Select a sensor from the list and click OK.

The sensor that you identified acts as a master blocking sensor for the selected sensor.


About the Configuration Comparison Tool

You can use the Configuration Comparison tool to view and compare different configurations. Choose from the following options:

Show Configuration—Enables you to view the configuration of the selected sensor or group, before comparing any configurations.

Current Vs Default—Enables you to compare the current configuration of a sensor or group with its default configuration.

Current Vs Running—Enables you to compare the current configuration of a sensor with the configuration running on that sensor.

Current Vs Last Saved—Enables you to compare the current configuration of a sensor or group with its last saved configuration.

Current Vs Last Generated—Enables you to compare the current configuration of a sensor or group with its last generated configuration.

Current Vs Last Deployed—Enables you to compare the current configuration of a sensor or group with its last deployed configuration.

Configurations on the same Sensor or Group—Enables you to compare two different configurations on a sensor or group.

Configurations on different Sensors or Groups—Enables you to compare the configuration on one sensor or group with the configuration on another sensor or group.


Note You cannot use the Configuration Comparison Tool to compare configurations between sensors that are operating with different major versions of IPS software, IPS 5.x and IDS 4.x, for example.


To use this tool, select Configuration > Compare. Then, select from the Object Selector the device or group whose configuration you want to use as a point of comparison. Finally, select Show Configuration or the type of comparison for the system to run.

Copying Configuration Settings

You can copy configuration file settings from one device or device group to another device, multiple devices, or a device group.


Note You cannot copy configuration file settings to a Target Object that has any pending changes.


To copy configuration file settings, follow these steps:


Step 1 Select Configuration > Copy.

The Copy Wizard appears.

Step 2 Click Start Copy Wizard.

Step 3 Select the Source Object. This is the device or device group whose configuration settings you are copying.

Step 4 Click Next.

Step 5 Select the Target Object(s). This is the device or device group to which you are copying the configuration settings.

Step 6 Click Next.

The Select Settings page displays the available settings according to the source object you previously selected. The following is an example of settings for a 5.x sensor:

The following is an example showing available settings for an IOS IPS device:

Step 7 Select the setting(s) you want to copy by clicking the setting(s) in the Available Settings box on the left and then clicking Add to move them to the Selected Settings box on the right.


Note When you are copying SDF settings, select the Discard signature tuning on target device(s) when copying SDF Type check box if you want to discard the tuning information after copying SDF settings.


Step 8 Click Finish to activate the copying.


Reviewing Pending Configuration File Settings

You can review pending configuration file settings before saving them to the database or deleting them.

To review pending configuration file settings, follow these steps:


Step 1 Select Configuration > Pending.

The Pending page appears.

Step 2 Select the check box next to the sensor for which you want to view pending configuration settings.

Step 3 Click Save to save the configuration, or click Delete to delete it.

The Pending configuration page no longer shows the pending configuration that you just saved or deleted.


Unlocking Pending Configuration Settings

A user who has pending configuration settings has a lock on those settings. No other users can commit those settings to the database or delete them. If a user has configuration settings that are pending, and the account of that user is deleted, you can use this procedure to take ownership of the pending settings. This procedure is also referred to as a "take lock" procedure because it can be thought of as "taking ownership" of or "unlocking" the settings. After you have unlocked a pending configuration setting you can save it or delete it.


Note You must be logged in with administrative privileges to perform this procedure.


To unlock a pending configuration, follow these steps:


Step 1 Select Admin > System Configuration.

Step 2 In the TOC, select View Current Locks.

The View Current Locks page appears.

Step 3 Select the check box next to the pending configuration you want to unlock.

Step 4 Click Take Lock.

The View Current Locks page now shows you as the owner of the pending configuration.

Step 5 Save or delete the pending configuration.


Reviewing Historical Configuration File Settings

You can review historical configuration file settings for a sensor.

To review historical configuration file settings, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector.

Step 3 In the Object Selector, select the sensor for which you want to review historical configuration file settings.

The Object Selector closes.

Step 4 Select Configuration > History.

The History page appears, and the Object bar displays the sensor you selected in the Object Selector.

Step 5 To view a configuration file, select the corresponding check box and click View.

The View Sensor Configuration page shows the configuration history.


Note You can use the Configuration Components drop-down list to view different aspects of the configuration such as Custom Signatures or Allowed Hosts.


Step 6 To delete a configuration file, select the corresponding check box and click Delete.

The page refreshes with the deleted file no longer listed.


Identifying Allowed Hosts

By default, all hosts on your network can connect to a sensor to configure it and receive alarm data from it. However, you can identify the hosts that are allowed to connect to a sensor, and no other hosts will be allowed to connect.

To identify allowed hosts for a sensor, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, select Communications > Allowed Hosts.

The Allowed Hosts page appears.

Step 3 To add a remote host, click Add.

The Enter Allowed Host page appears.

Step 4 Enter the IP address of the allowed host in the IP Address field.

Step 5 Enter the netmask of the allowed host in the Net Mask field.

Step 6 To discard your changes and close the Enter Allowed Host page, click Cancel.

Step 7 To save your changes and close the Enter Allowed Host page, click OK.
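The rule the Allowed Hosts list enforces (an empty list admits every host; a non-empty list admits only hosts matching an IP address/netmask entry) can be modelled and audited offline. The following is an added example, not IPS MC or sensor code; the entries and client addresses are constructed, and the breadth threshold in audit_allowed_hosts is this example's own assumption, not a product rule.

```python
"""Model of the sensor Allowed Hosts rule described above.

Added example, not IPS MC or sensor code.  The entries and client addresses
are constructed sample values; the max_hosts threshold is an assumption of
this example, used only to flag entries that admit more than a few
management stations.
"""
import ipaddress
from typing import Iterable, List, Tuple

AllowedHost = Tuple[str, str]   # (IP Address field, Net Mask field)


def _to_network(entry: AllowedHost) -> ipaddress.IPv4Network:
    ip, mask = entry
    # strict=False lets a host address paired with a non-/32 mask describe its subnet.
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def is_allowed(client_ip: str, allowed: Iterable[AllowedHost]) -> bool:
    """True if client_ip may connect to the sensor under the given Allowed Hosts list."""
    networks = [_to_network(entry) for entry in allowed]
    if not networks:
        return True     # page: by default, all hosts on the network can connect
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)


def audit_allowed_hosts(allowed: Iterable[AllowedHost], max_hosts: int = 256) -> List[str]:
    """Flag entries whose netmask admits more than max_hosts addresses.

    The threshold is this example's assumption: an entry that admits a whole
    campus rather than a handful of admin stations is what the check surfaces.
    """
    findings = []
    for entry in allowed:
        net = _to_network(entry)
        if net.num_addresses > max_hosts:
            findings.append(f"{entry[0]}/{entry[1]} admits {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample list: one admin station and one management subnet.
    acl = [("192.0.2.10", "255.255.255.255"), ("10.20.30.0", "255.255.255.0")]
    print(is_allowed("10.20.30.77", acl), is_allowed("10.20.31.1", acl))   # True False
    print(audit_allowed_hosts([("10.0.0.0", "255.0.0.0")]))
```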


Configuring 4.x Sensor and Signature Settings

This section details settings you can configure for 4.x devices supported by IPS MC.

This section contains the following topics:

Specifying Reassembly Options for a 4.x Sensor

Configuring Port Mapping on a 4.x Device

Configuring Automatic IP Logging on a 4.x Sensor

Defining Identification Properties for a 4.x Sensor

Configuring Sensing Interfaces for 4.x Sensors

Using Signatures in 4.x Devices

Defining Filters for a 4.x Device

Specifying Reassembly Options for a 4.x Sensor

Setting reassembly options ensures that the sensor does not allocate all of its resources to datagrams that cannot be completely reconstructed, either because the sensor missed some frame transmissions or because an attack is generating random fragmented datagrams. These settings ensure that valuable system resources are not reserved for sessions that are no longer active. These settings apply to sensors globally, not to individual settings such as signatures.

For information on defining reassembly settings for 5.x sensors supported by IPS MC, see Setting Miscellaneous Signature Parameters for 5.x Devices. For information on defining reassembly settings for IOS IPS devices supported by IPS MC, see Specifying Reassembly Options for an IOS IPS Device.

To specify reassembly options for a 4.x sensor, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the 4.x sensor for which you want to specify reassembly options.

The Object Selector closes.

Step 4 In the TOC, select Reassembly Options.

The Reassembly Options page appears.

Step 5 In the IP Reassemble Mode list box, select the operating system.

Step 6 In the IP Reassemble Timeout field, specify the value in seconds.

Step 7 To specify that the sensor track only sessions for which the three-way handshake is completed, select the TCP Three Way Handshake check box.

Step 8 To specify how strict the reassembly requirements for this sensor should be when it attempts to reassemble the entire TCP session, select strict or loose from the TCP Reassembly list box.

Step 9 To specify the number of seconds that can elapse before the sensor frees the resources allocated to a fully established TCP session, enter that value in the TCP Open Establish Timeout field.

Step 10 To specify the number of seconds that can elapse before the sensor frees the resources allocated for an initiated, but not fully established, TCP session, enter that value in the TCP Embryonic Timeout field.

Step 11 To accept your changes and close the Reassembly Options page, click Apply.


Configuring Port Mapping on a 4.x Device

When using 4.x devices supported by IPS MC, you can specify additional ports that should be considered by signatures that study specific network services (identified by the web port used by that network service). These port settings enable you to identify any well-known network service ports that you have reassigned on your internal network. These port settings also enable you to identify any custom web-based services, running across your internal networks, that you want the sensor to study for specialized attacks that target these network services.

To configure port mapping on a 4.x device, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the 4.x device or group for which you want to configure port mapping.

The Object Selector closes.

Step 4 In the TOC, select Port Mapping.

The Port Mapping page appears.

Step 5 To specify additional ports that should be considered by signatures that detect and prevent web-based attacks, enter each port number in the Web Ports field, separating entries with a comma.

Step 6 To accept your changes and close the Port Mapping page, click Apply.


Configuring Automatic IP Logging on a 4.x Sensor

You can configure a 4.x sensor to generate an IP session log when the sensor detects an attack. To do so, you must specify for individual signatures how long, in minutes, IP logging is performed when a sensor detects an attack.

This procedure can be performed for the 4.x sensor appliance but not for 4.x IDSMs.

To configure IP logging, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, select Logging > Automatic IP Logging.

The Automatic IP Logging page appears.

Step 3 On the Automatic IP Logging page, you can specify global settings, or you can override global settings by selecting the Override check box.

Step 4 Specify logging parameters:

Number of IP log files

Maximum number of concurrently open log files

Maximum log file size

Maximum number of packets in a log event

Duration of log event

Maximum number of bytes in a log event

Step 5 To save your changes, click Apply.

Step 6 To discard your changes, click Reset.


Defining Identification Properties for a 4.x Sensor

You can change many of the properties of a sensor that you have already added to your network. However, some properties cannot be changed.

To define identification properties for a 4.x sensor, follow these steps:


Step 1 Select Configuration > Settings.

The Settings page and TOC appear.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to define identification properties.

The Object Selector closes.

Step 4 In the TOC, select Identification.

The Identification page appears, and the Object bar displays the sensor you selected in the Object Selector. The properties of the sensor are shown.

Step 5 To determine which version of sensor software is installed on the sensor, click Query Sensor. This action updates the information displayed on the Identification page, if necessary.

Step 6 If the queried version differs from the current version, clicking Apply upgrades the configuration to the new version. (If you click Cancel, no changes are applied.)

Step 7 On the Identification page, make any desired changes to the values in the IP Address, Sensor Name, and Comment fields. You can change the group that the sensor belongs to by using the Group list box. You cannot change the value in the Version field on this page.

Step 8 To discard your changes and restore the previous settings, click Reset and skip the rest of this procedure.

Step 9 To save your changes, click Apply.


Caution Your changes will have no effect on your sensor configuration until you commit them to the database in the final step of this procedure.

Step 10 To verify the new identification properties, select Configuration > Pending.

The Pending page shows the device whose identification properties you just changed:

Step 11 To delete a pending configuration without committing it to the database, select the check box for the configuration that you want to delete and click Delete.

Step 12 To commit a pending configuration to the database, select the check box for the configuration that you want to commit and click Save.


Configuring Sensing Interfaces for 4.x Sensors

If you are using Cisco Intrusion Prevention System 4.1 or later, you can configure more than one sensing interface on a sensor.

To configure sensing interfaces, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to configure sensing interfaces. The sensor must be using Cisco Intrusion Prevention System 4.1 or later.

The Object Selector closes.

Step 4 In the TOC, select Interfaces (IDS 4.x).

The Sensing Interfaces page appears.

The Sensing Interfaces page displays interface information in one of two ways:

A list of sensing interfaces and an enabled/disabled status indicator appear for a sensor whose configuration was imported.

No sensing interfaces appear for a sensor whose configuration consists of default settings.

Step 5 To detect the sensing interfaces for a sensor whose configuration consists of default settings, click Query Interfaces.


Note You have to click Query Interfaces before you can deploy a sensor whose configuration consists of default settings.


Step 6 To change the state of a particular interface, click Enable or Disable.

Step 7 To add or remove an interface, click Add or Remove.


Using Signatures in 4.x Devices

Network intrusions can be defined as attacks or other misuses of network resources. Cisco Intrusion Prevention System sensors use a signature-based technology to detect network intrusions. A signature specifies the types of network intrusions that you want the sensor to detect and report. A signature can be thought of as a set of rules that your sensor uses to detect typical intrusive activity, such as denial of service (DoS) attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define.

On a basic level, signature-based intrusion detection technology can be compared to virus-checking programs. Cisco Systems produces a set of signatures that the sensor compares with network activity. When a match is found, the sensor takes some action, such as logging the event or sending an alarm to the Event Viewer provided with Security Monitor.

Signature-based intrusion detection can produce false positives, because certain normal network activity can be construed as malicious. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by tuning your sensors.

This section contains the following topics:

Configuring and Tuning Signatures for 4.X Sensors

Adding a 4.x Custom Signature By Using the Signature Wizard

Configuring and Tuning Signatures for 4.X Sensors

You can configure signatures at the group level or at the device level. You can configure the following properties of 4.x signatures:

Severity—Categorizes the attack. The severity setting is used in Event Viewer in Security Monitor to distinguish among the types of attacks being logged.

Enabled—Configures the sensor to scan network traffic for that particular signature and to generate an alarm when an attack is detected. Disabling a signature causes the sensor to disregard any network traffic that displays the signature.

Action—Determines the action or actions the sensor will take, in addition to generating an alarm, when it detects an attack.

Signature Name—Used when adding a new signature (not used for all categories and groupings of signatures).

You cannot configure the following properties of 4.x signatures:

Signature ID—The ID of the signature, which is generated by IPS MC and is a value that you cannot change (used only for custom signatures).

Subsig ID—Specifies the subsignature ID (not used for all signatures). For example, every string-matching signature has a subsignature ID, which is generated by IPS MC and is a value that you cannot change. Also, every ACL violation signature has a subsignature ID. When you create a new ACL violation signature, the Subsig ID field will be populated with a value that is greater by 1 than the subsignature having the highest number in the list.

Some signatures can be tuned. Tuning signatures at the group level can become complex, because a group can contain sensors of any version. If you need to tune a signature at the group level, and the group involved has different micro-engines, the IDS MC GUI shows you a context. The context uniquely identifies a grouping of signature versions and a signature micro-engine.

Some signatures have special characteristics:

Built-in signatures cannot be added, deleted, or renamed, because they are provided with the sensor software.

The information for built-in signatures, such as their names and IDs, reflects the way it appears in the Cisco Network Security Database (NSDB). To view the NSDB from the Signatures page, click a signature ID, such as 2000, in the ID column. The entries in the ID column are hyperlinks to the NSDB.

No custom signatures are provided with a new 4.x sensor. You can create custom signatures and modify any existing custom signatures. However, you cannot create a custom signature with the same ID as another custom signature.

Some signatures have special requirements. For example, to configure a sensor to detect ACL violation signatures, you must first configure one or more Cisco IOS routers to log ACL violations. Then, you must configure those routers to communicate with the sensor. Finally, you must configure the sensor to accept syslog traffic from those routers.

To configure a signature, follow these steps:


Step 1 Navigate to the Signatures page and select a signature to configure:

a. Select Configuration > Settings.

b. In the TOC, click the Object Selector handle.

c. In the Object Selector, select the sensor for which you want to configure a signature.

The Object Selector closes.

d. In the TOC, select Signatures.

The Signatures page appears, and the Object bar displays the sensor you selected in the Object Selector.

The Group Signatures list box displays the Signature ID category. You can also use the Group Signatures list box to display the L2/L3/L4 Protocol Signatures, Service Signatures, Attack Signatures, and OS Signatures categories.

The Signature ID category contains the groupings Built-in and Custom. "Built-in" means all signatures other than those that you create.

e. Continue using the categories and groupings to select a signature to configure.


Tip You can filter the display of the signature table. Using the Filter Source list, select any of the displayed columns as the filter source. Next, enter a value in the adjacent field and click Filter. For example, select Severity in the list box and enter the value High in the adjacent field. When you click Filter, the signature table displays all signatures that have a high severity. Clearing the search string or entering the wildcard character ("*") cancels filtering. Note that this filter is not the same as Filters in the Configuration > Settings TOC.


Step 2 To enable or disable all signatures in a particular grouping, follow these steps:

a. In the category you want, such as Signature ID for 4.x sensors, select a grouping, such as General.

b. To enable all the signatures in, for example, the General grouping, select the check box corresponding to general signatures and click Enable. By default, the most critical signatures are enabled when you install IPS MC.

Step 3 To configure one or more signatures in a particular grouping, follow these steps:

a. In the category Signature ID for 4.x sensors, select a grouping, such as General.

The Signature(s) in Group page appears, and the Object bar displays the group name and sensor name. The Signature Group list displays General in this example.

b. Select the check box for the signature that you want to configure. Configure in this context means to enable or disable, set severity, and select an action.


Tip You can select more than one check box, but you cannot configure as many properties if you do.



Tip You can select all signatures by selecting the check box in the heading of the signature table. Also, you can sort a column by clicking the column header.


c. Click Edit.

The Edit Signature(s) page appears, showing the name of the signature that you selected. Depending upon the category and grouping of signature that you are configuring, the Edit Signature(s) page will have different fields.

d. To edit a signature name (not possible for all categories and groupings of signatures), make changes in the Signature field.


Note A module is available for Cisco 2600/3600 IOS routers. We do not recommend that you enable all signatures on these modules. Doing so may affect performance and functionality, as there is only 512 MB of RAM on this system.


e. To disable a signature that is enabled, deselect the Enable check box. To enable a signature that is disabled, select the Enable check box.

f. To change the severity of a signature, use the Severity list box. You can select one of the following values for each signature:

Info—Categorizes an event that is the result of standard activity on your network.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in the Event Viewer in Security Monitor.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in the Event Viewer in Security Monitor.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in the Event Viewer in Security Monitor.

g. To specify the action (or actions) that you want the sensor to take upon detecting a particular attack, select one or more of the following check boxes.


Note Some actions are not available to certain versions of sensor software.


shunConnection and shunHost—The sensor issues a command to a PIX Firewall, a Cisco router, a Catalyst 6000 switch, or another supported device. That device then denies the host or network from which the attack originated entry to the monitored network.

reset—The sensor resets the TCP session in which the attack signature was detected. Reset is available only to TCP-based attack signatures. If not available, this action is dimmed.

log—The sensor generates an IP session log with information about the attack. This action is not available in all versions of sensor software. If not available, this action is dimmed.

h. To accept your changes and close the Edit Signature(s) page, click OK.

The Signature(s) in Group page shows the changes that you just made.

Step 4 To tune a signature, follow these steps:


Note You cannot tune a signature that does not have an entry in the Engines column. Also, you cannot tune signatures that use the engine named Other.


a. In the category Signature ID for 4.x sensors, select a grouping, such as General.

b. Select the Engine Name corresponding to the signature that you want to tune.

The Tune Signature page shows the name of the signature that you selected. On this page, for the engine that you selected, you can edit parameters or set them to their defaults.

Click Default to retrieve the built-in micro-engine parameter information for the signature that you are tuning. You can adjust the defaults if needed. Only the deviations from the built-in micro-engine parameter information need to be saved by IPS MC.

c. To accept your changes and close the Tune Signature page, click OK.

The Signature(s) in Group page appears.

Step 5 To add a signature, follow these steps:

a. In the category Signature ID for 4.x sensors, select Custom.

The Signature(s) in Group page appears, and the Object bar displays the group name and sensor name. The Signature Group list displays Custom in this example.

b. Click Add.

The Tune Signature page appears.

c. Enter the name of the signature that you want to add.

d. Select a signature engine in the Engine list box.

e. Tune the new signature as described in Step 4 of this procedure.

f. Configure the new signature as described in Step 3 of this procedure.

Step 6 You can also add a signature by using the Signature Wizard. See Adding a 4.x Custom Signature By Using the Signature Wizard.


Adding a 4.x Custom Signature By Using the Signature Wizard

You can use the Signature wizard to create custom signatures at the device level, but not at the group level.

To use the Signature wizard, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to add a custom signature.

The Object Selector closes.

Step 4 In the TOC, select Signature Wizard > IDS 4.x.

The Signature Wizard page appears, and the Object bar displays the sensor you selected in the Object Selector.

Step 5 Select the sensor version, IDS 4.x.

The Signature Wizard welcome page appears.

Step 6 Select Start the Wizard.

Step 7 Complete the following pages in the Signature wizard:

Signature type

Engine (also called signature micro-engine)

Engine parameters, which are different for different engines

Alert response actions, such as block connection

Alert behavior

If the final wizard page, signature summary, displays the correct details for the new custom signature, click Finish.

Step 8 Verify that the new custom signature has been added correctly:

a. Select Configuration > Settings.

b. In the TOC, select Signatures.

c. On the Signatures page, select the sensor version, IDS 4.x.

d. In the Select Group list box, select Custom.

e. Confirm that the new custom signature appears in the list.


Defining Filters for a 4.x Device

You define filters to reduce the number of false positives reported by your sensors. This is a primary method of tuning your sensors. Filtering an alarm means that the sensor analyzes the data stream but does not generate an alarm. Filtering all alarms from a particular signature is not the same thing as disabling that signature, which results in no analysis of the data stream for that signature.


Note Do not confuse filters for a sensor in IPS MC with event filters that are part of an event rule in Security Monitor.


You define a filter by specifying the signature, the source address, the destination address, and whether the filter is inclusive or exclusive. When you define more than one filter, IPS MC applies them in the order that you defined them.

For example, say you want to exclude all alarms that originate from Network 10.10.10.0/24 because that network is using some applications that generate large numbers of false positives. However, there are two signatures that are important to you, so you don't want them to be excluded: They are 994 (Traffic Flow Started) and 995 (Traffic Flow Stopped).

1. First define an exclusive filter. Specify the source address as 10.10.10.0, which is the network that is generating large numbers of false positives. Specify all signatures so that no alarms are sent to Security Monitor.

2. Next, define an inclusive filter. Specify the same source address, which is Network 10.10.10.0. But specify Signatures 994 and 995, which are the ones that you want to include because they are important to you.

By using these two filters, and in this order, you can filter out a large number of alarms that would be false positives. But you can selectively let some of them (Signatures 994 and 995) pass through. This is possible because you defined the exclusive filter first and the inclusive filter next. If you had defined the inclusive filter first, the exclusive filter would have filtered out all the alarms from Network 10.10.10.0. This is because filters are evaluated in order.
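The two-filter example above, simulated as a short script. This is an added example, not part of the guide or of the IPS MC product; it models the guide's explanation as the rule that the last matching filter decides an alarm's disposition, and the sample alarms and signature 60001 are constructed for it.

```python
"""Simulation of 4.x sensor alarm filters (added example, not IPS MC code).

Filters are evaluated in the order defined; a matching Exclude filter
suppresses the alarm and a later matching Include filter lets it pass again,
so the last matching filter decides (this models the guide's explanation and
is an assumption of this example). The network 10.10.10.0/24 and signatures
994/995 are the guide's; the sample alarms and signature 60001 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Alarm:
    sig_id: int
    src: str
    dst: str


@dataclass
class Filter:
    name: str
    action: str                     # "Exclude" or "Include"
    signatures: Optional[Set[int]]  # None means All Signatures
    src_net: str                    # "any" or a CIDR such as "10.10.10.0/24"
    dst_net: str

    def matches(self, alarm: Alarm) -> bool:
        if self.signatures is not None and alarm.sig_id not in self.signatures:
            return False
        return in_net(alarm.src, self.src_net) and in_net(alarm.dst, self.dst_net)


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def alarm_is_sent(alarm: Alarm, filters: List[Filter]) -> bool:
    """True if the alarm still reaches Security Monitor after every filter is applied."""
    send = True
    for f in filters:               # evaluated in the order defined
        if f.matches(alarm):
            send = f.action == "Include"
    return send


def sent_alarms(alarms: List[Alarm], filters: List[Filter]) -> List[Tuple[int, str]]:
    """(signature ID, source address) of each alarm that is still sent."""
    return [(a.sig_id, a.src) for a in alarms if alarm_is_sent(a, filters)]


EXCLUSIVE = Filter("First Filter--Exclusive", "Exclude", None, "10.10.10.0/24", "any")
INCLUSIVE = Filter("Second Filter--Inclusive", "Include", {994, 995}, "10.10.10.0/24", "any")

SAMPLE_ALARMS = [                   # constructed sample alarms
    Alarm(994, "10.10.10.5", "192.168.1.20"),
    Alarm(60001, "10.10.10.5", "192.168.1.20"),   # noise from the chatty network
    Alarm(995, "10.10.10.99", "192.168.1.20"),
    Alarm(60001, "172.16.0.7", "192.168.1.20"),   # another network, matched by no filter
]


def documented_order() -> List[Tuple[int, str]]:
    """Exclusive first, then inclusive: 994/995 from 10.10.10.0/24 pass, other alarms do not."""
    return sent_alarms(SAMPLE_ALARMS, [EXCLUSIVE, INCLUSIVE])


def reversed_order() -> List[Tuple[int, str]]:
    """Inclusive first: the later exclusive filter removes every alarm from 10.10.10.0/24."""
    return sent_alarms(SAMPLE_ALARMS, [INCLUSIVE, EXCLUSIVE])
```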

This procedure defines filters for a sensor as described in this example. For the purpose of the example, assume that you have added Device11 in GroupW to your network. Device11 is a 4.x appliance sensor in this example.

To define a filter for a 4.x sensor (as described in the example), follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select Device11, the sensor for which you want to define a filter in this example. Device11 is a 4.x sensor.

The Object Selector closes.

Step 4 In the TOC, select Filters.

The Filters page shows that no filters have been defined for Device11.

Step 5 To begin defining the exclusive filter in this example, click Add.

The Enter Filter page appears.

Step 6 Enter a name for the filter: "First Filter--Exclusive."

Step 7 Select Exclude from the Action list box.

The Enter Filter page appears as shown here:

Step 8 Click the Signatures link.

The Enter Signatures page appears.

Step 9 On the Enter Signatures page, add All Signatures from the Available Signatures field to the Selected Signatures field.

The Enter Signatures page appears as shown here:

Step 10 Click OK.

The Enter Filter page appears again.

Step 11 Click the Source Addresses link.

The Filter Source Addresses page appears.

Step 12 Click Add.

The Enter Filter Address page appears.

Step 13 Click the radio button next to Network and enter 10.10.10.0 (the network address being used in this example) along with its network mask of 255.255.255.0. The Enter Filter Address page appears as shown here:

Step 14 Click OK.

Step 15 The Filter Source Addresses page shows the addition of Network 10.10.10.0 with a subnet mask of 255.255.255.0.

Step 16 Click OK.

The Enter Filter page appears again.

Step 17 Click the Destination Addresses link.

The Filter Destination Addresses page appears.

Step 18 Click Add.

The Enter Filter Address page appears.

Step 19 Click the radio button next to the address Any and click OK.

The Filter Destination Addresses page shows the addition of Any.

Step 20 Click OK.

The Enter Filter page appears again.

Step 21 Click OK.

The Filters page appears. You have just finished defining the exclusive filter in this example.

Step 22 To define the inclusive filter in this example, click Add.

Step 23 Add a filter with the name "Second Filter--Inclusive" with an action of Include.

Step 24 Add Signature 994 and Signature 995.

Step 25 Add the same source address and destination address that you used for the first filter, and then display the Filters page again. It should now appear as shown here.

The filter named First Filter--Exclusive is applied first. It will exclude all alarms from Network 10.10.10.0. The filter named Second Filter--Inclusive is applied next. It will allow alarms from Network 10.10.10.0 if they result from Signatures 994 or 995. Signatures 994 and 995 are not disabled.


Configuring 5.X Sensor and Signature Settings

This section details settings you can configure for 5.X devices supported by IPS MC.

The model for IPS MC settings comprises three basic stages: configure, import, and deploy. This chapter details the interface IPS MC uses to enable you to configure and edit sensor configurations and tune Cisco Intrusion Prevention System 5.x sensors and signatures. Configuration is a task that is usually done only once. The system uses reasonable defaults to minimize the scope of the modifications you must make. You may tune (or edit) settings more frequently, until IPS MC is operating effectively and producing information you deem most useful. You may find additional tuning necessary when you create custom signatures, enable a feature for the first time, or apply an update or service pack.

This section contains the following topics:

Defining Identification Properties for a 5.X Sensor

Configuring Event Actions for 5.X Sensors

Configuring Interfaces for IPS 5.X Sensors

Configuring Analysis Engine Settings for 5.X Sensors

Configuring SNMP Settings for IPS 5.X Sensors

Using Signatures in 5.x Devices

Defining Identification Properties for a 5.X Sensor

You can configure identification properties at the sensor level. You can change some of the identification properties; however, some settings cannot be changed after their initial configuration.

To define identification properties for a sensor, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the 5.x sensor for which you want to define identification properties.


Tip You cannot define identification properties at the group or global levels.


The Object Selector closes.

Step 4 In the TOC, select Identification.

Step 5 To determine which version of sensor software is installed on the sensor and which type of platform the sensor represents, click Query Sensor. This action updates the information displayed on the Identification page, if necessary.

Step 6 Click Apply to upgrade the configuration.

If the queried version is different from the current version, the configuration is upgraded to include the new version and platform information.


Tip If you click Cancel, no changes will be applied.


Step 7 Edit the NAT address to MC, as required.

Step 8 Edit the Comment field contents, as required.

Step 9 To change the group that the sensor belongs to, use the Group list.

Step 10 Edit the Sensor Contact, as required. This field contains sensor contact information that may include a name or mail ID.

Step 11 Edit the Sensor Location, as required. This field contains information on where the contact is located.

Step 12 To discard your changes and restore the previous settings, click Reset and skip the rest of this procedure.

Step 13 To save your changes, click Apply.


Caution Your changes will have no effect on your sensor configuration until you save them to the database.

Step 14 To see the identification properties you just changed, you can select Configuration > Pending.

Step 15 To delete a pending configuration, select the check box for the configuration that you want to delete and click Delete.

Step 16 To save a pending configuration to the database, select the check box for the configuration that you want to save to the database, and click Save.


Configuring Event Actions for 5.X Sensors

An event action is the term for alarms in IDS 5.x sensors. Beginning with IPS MC 2.1, you can configure a variety of event actions to add or remove activities associated with a signature event. The Event Action Configuration page, located within the Configuration Settings area of the interface, provides the following choices for configuring event actions:

Event Variables

Target Value Ratings

Signature Event Action Overrides

Signature Event Action Filters

General Settings

This section contains the following topics:

Using Event Variables

Using Target Value Ratings

Using Event Action Overrides

Using Event Action Filters

Configuring Signature EAFs at the Group Level

Configuring Event Action General Settings

Using Event Variables

IPS MC enables you to define event variables, a type of system variable that you define once and then is used in multiple event action configurations. For IPS MC, the only type of event variable supported is address. Event variables can be applied to the device, group, and global levels. Event variables defined at a parent level are inherited by the children of that parent.


Note You can delete an event variable only at the object at which you created it; that is, an event variable you create at a device level cannot be deleted at the global level.


You must preface all system variables with a dollar sign ($) or a pound sign (#) when you use them. Some event variables are defined by the system and, therefore, you cannot delete them. You can create new user-defined variables for application with IPS 5.x sensors. You can also edit or delete these user-defined variables. You can edit or delete only one variable at a time.

At any given level in the object hierarchy, the Event Variable Summary page displays not only the event variables for the specified object, but the event variables for all parent objects as well. The Source column in the Event Variables table indicates the level at which the variable was defined.

This section contains the following topics:

Adding Event Variables

Editing Event Variables

Adding Event Variables

For IPS MC you must specify the event variable type as address.

To add an event variable, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to add an event variable.

Step 3 In the TOC, under Event Actions (IPS 5.x), select Event Variables.

The Event Variable Summary page appears.

Step 4 Click Add.

The Add Event Variable page appears.

Step 5 Specify the Name.


Note This must be an alphanumeric string with no spaces.


Step 6 Confirm that the Type is set to address.


Note For IPS MC, the only type of event variable supported is address.


Step 7 Specify the variable Value.


Tip For IPS MC, the Value field must represent an IP address.


Step 8 Click OK.

The Event Variable Summary page appears with the new variable listed and its parameters detailed.


Editing Event Variables

To edit an event variable, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to edit an event variable.

Step 3 In the TOC, under Event Actions (IPS 5.x), select Event Variables.

The Event Variable Summary page appears.

Step 4 Designate the variable you want to edit by selecting the check box next to its name.

Step 5 Click Edit.

The Edit event variable page appears.

Step 6 Confirm that the Type is set to address.


Note For IPS MC, the only type of event variable supported is address.


Step 7 Edit the variable Value, as required.

Step 8 Click OK.

The Event Variable Summary page shows the edited variable listed and its parameters detailed.


Using Target Value Ratings

IPS MC enables you to configure target value ratings (TVRs). A TVR is one weight factor that is used to calculate the Risk Rating (RR) value for each alert. You can assign different TVR values to different targets based on the importance of the target. You have the following choices for TVR values: Low, Medium, High and Mission Critical. You can configure TVRs at the device, group, or global levels. The addresses you specify in the TVR are one of the following possible choices: a single IP address, a range of IP addresses, or a variable. For more information on risk ratings and how you use them, see Cisco IPS Risk Rating Explained.

This section contains the following topics:

Adding Target Value Ratings

Editing Target Value Ratings

Adding Target Value Ratings

You can configure TVRs at the device, group, or global levels. The addresses you specify in the TVR are one of the following possible choices: a single IP address, an IP address range, a set of IP address ranges, or a variable.

When you add a TVR, you specify its type, a value that corresponds to that type, and a value rating. The following configuration elements and corresponding values apply:

Variable—The name of a variable.

Single IP—An IP address in standard form.

Range—The Start IP Address and the End IP Address, both in standard form.

Value Rating—One of the following: Low, Medium, High, Mission Critical.

To add a TVR, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to add a TVR.

Step 3 In the TOC, under Event Actions (IPS 5.x), select Target Value Rating.

The Target Value Rating Summary Table page appears.

Step 4 Click Add.

The Target Value Rating page appears.

Step 5 Select the type of TVR you want to add and specify its value in the corresponding field or fields.

Step 6 Select a Value Rating from the following options:

Low

Medium

High

Mission Critical

Step 7 Click OK.

The Target Value Rating Summary Table page shows the new TVR and its details listed.


Editing Target Value Ratings

You can edit the Type, Value, and Value Rating for a TVR.

To edit a TVR, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to edit a TVR.

Step 3 In the TOC, under Event Actions (IPS 5.x), select Target Value Rating.

The Target Value Rating Summary Table page appears.

Step 4 Select the check box next to the TVR you want to edit.

Step 5 Click Edit.

The Target Value Rating page shows the designated TVR detailed in the Addresses table.

Step 6 Edit the type of TVR and its value, as required.

Step 7 Edit the Value Rating setting, as required.

Step 8 Click OK.

The Target Value Rating Summary Table page shows the TVR and its new details.


Using Event Action Overrides

You can configure signature event action overrides (EAOs) in IPS MC. EAOs add actions to the signature event, based on some criteria. IPS MC supports the following actions:

Event Action Name
Description

produce-alert

Write the event to the event store as an <evIdsAlert>.

produce-verbose-alert

Include an encoded dump of the offending packet in the <evIdsAlert>.

deny-attacker-inline

Do not transmit this packet and future packets originating from the attacker address for a specified period of time (INLINE only).

deny-connection-inline

Do not transmit this packet and future packets on the TCP Flow (INLINE only).

deny-packet-inline

Do not transmit this packet (INLINE only).

log-attacker-packets

Start IPLOGGING packets containing the attacker address.

log-pair-packets

Start IPLOGGING packets containing the attacker-victim address pair.

log-victim-packets

Start IPLOGGING packets containing the victim address.

reset-tcp-connection

Send TCP RESETS to hijack and terminate the TCP Flow.

request-snmp-trap

Send request to Notification App to perform snmp notification.

request-block-connection

Send request to NAC to shun this connection.

request-block-host

Send request to NAC to shun this host (the attacker).

request-rate-limit

Send a rate limit request to perform rate limiting.

deny-attacker-service-pair-inline

Do not transmit this packet and future packets on the attacker address victim port pair for a specified period of time (INLINE only).

deny-attacker-victim-pair-inline

Do not transmit this packet and future packets on the attacker address/victim address pair for a specified period of time (INLINE only).

modify-packet-inline

Modify packet to remove ambiguity about what the end point might do with the packet.


Overrides operate based on the risk rating of a signature event. Risk rating is calculated as a function of the following signature event parameters:

Severity

Signature Fidelity Rating (SFR)

Target Value Rating (TVR)

An action is added to the signature event when the risk rating of the signature event is within the specified range. If the risk rating of a signature event is very high (>80), it represents a genuine attack. The applicable list of actions is determined by the selected sensor or group, using a helper class; otherwise, the helper class queries the configuration and metadata to determine the applicable actions. When a group is selected, the list of actions is the union of the actions supported by all sensors in the group. When an action is added to a sensor to which it is not applicable, it is ignored. You can modify the risk rating range values.

At any given level in the object hierarchy, the Event Action Overrides table displays not only the EAO for the selected object, but the EAOs for all parent objects as well.

This section contains the following topics:

Adding Event Action Overrides

Editing Event Action Overrides

Adding Event Action Overrides

Event action overrides (EAOs) add actions to the signature event, based on some criteria. You configure the following configuration elements when adding an EAO:

Signature Event Action—A selection from the list of signature event actions.

Risk Rating Inclusive Range (0-100)—The range of RR values at which the EAO is valid. This is expressed as two numbers, each from 0 to 100, separated by a hyphen. For example, 0-66.

Enable action—A check box that when selected enables EAO.

To add an EAO, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to add an EAO.

Step 3 In the TOC, under Event Actions (IPS 5.x), select Action Overrides.

The Signature Event Action Overrides Summary Table page appears.

Step 4 Click Add.

The Event Action Override table appears.

Step 5 Select a Signature Event Action to associate with this EAO.

Step 6 Specify the Risk Rating Inclusive Range as two numbers, each from 0 to 100, separated by a hyphen.


Note The Risk Rating Inclusive Range specifies the range used to trigger this event action override. If an event occurs with a risk rating that falls within the minimum-maximum range you configure here, the event action is added to this event.


Step 7 To enable the EAO, select Enable action.


Tip You can add an EAO without immediately enabling it.


Step 8 Click OK.

The Signature Event Action Overrides Summary Table page shows the new EAO detailed in the Event Action Overrides table.


Editing Event Action Overrides

You must edit or delete an EAO at the object level at which it was created; that is, you cannot edit an EAO created at the group or global level when you have a device as the object selected.

To edit an EAO, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to edit an EAO.

Step 3 In the TOC, under Event Actions (IPS 5.x), select Action Overrides.

The Signature Event Action Overrides Summary Table page appears.

Step 4 Designate the EAO you want to edit by selecting the check box next to its name.

Step 5 Click Edit.

The Enter Event Action Override page appears.

Step 6 Select a Signature Event Action to be associated with this EAO.

Step 7 Specify the Risk Rating Inclusive Range as two numbers, each from 0 to 100, separated by a hyphen.

Step 8 To enable the EAO, select the Enable action check box.

Step 9 Click OK.

The Signature Event Action Overrides Summary Table page shows the edited EAO detailed in the Event Action Overrides table.


Using Event Action Filters

You can configure event action filters (EAFs) in IPS MC. An EAF removes one or more actions from the signature event. For a given signature event, filters are applied in the order specified in the Signature Event Action Filters summary table. EAFs are processed on a first-match basis. You can move filters up or down in the summary table to change the order of their application, but you cannot sort the columns by clicking the table headers.

Beginning with IPS MC 2.2, you can define filters on the basis of signature categories such as operating system signatures and web signatures.

This section contains the following topics:

Adding Event Action Filters

Editing Event Action Filters

Copying Event Action Filters

Adding Event Action Filters

A Cisco Intrusion Prevention System 5.x EAF removes one or more actions from the signature event. For any given signature event, the filters are applied in the order specified in the summary table. EAFs are listed as either default or mandatory.


Note Beginning with IPS MC 2.2, you can use the Copy/Paste function to add an EAF from one group or device to another group or device. You can also copy and paste between the default and mandatory lists.


The elements of configuration on the Enter Filter page are detailed in the following table:

Configuration Element
Description

Filter Name

The name of the filter. If you create a filter in IPS MC 2.1 or 2.2 on an IPS 5.x device, its name will be in the form <filtername>. However, if you view that same filter in IDM or the CLI, you will see metadata appended to <filtername>. This is normal behavior, and the integrity of the filter is not affected. Remember that we do not recommend using IDM or the CLI to manage filters on sensors that you otherwise manage with IPS MC.

Signature Id

Integer in the range defined in the NSDB. This can be one or more signature IDs.

Sub Signature Id

If a single signature ID is specified, this field contains an integer in the range defined in NSDB. When multiple signature IDs have been specified, all subsignature IDs of all the signature IDs are used. You designate this by entering "*".

Attacker Addresses

IP address or IP address range in the form 10.91.144.23-10.91.144.27, for example. You can also use a variable to specify the address or address range; see Adding Event Variables.

Attacker Ports

Valid TCP/UDP port. An integer or range of integers between 0 and 65535.

Victim Addresses

IP address or IP address range in the form 10.91.144.23-10.91.144.27, for example. You can also use a variable to specify the address or address range; see Adding Event Variables.

Victim Ports

Valid TCP/UDP port. An integer or range of integers between 0 and 65535.

Sig Event Actions

The signature event action to subtract; this is a character string that you select.

Risk Rating Inclusive Range

The range of risk ratings that apply. This is expressed as two integers, separated by a hyphen, expressing a range within the range 0-100.

Stop on Match

When true, this list box directs the system not to process any more filters in the list after a match is identified.

Enable action

Activates the EAF when true; deactivates the EAF when false.


To add an EAF, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to add an EAF.

Step 3 In the TOC, under Event Actions (IPS 5.x), select SigEvent Action Filters.

The Signature Event Action Filters Table page appears.

Step 4 Click Add.

The Enter Filter page appears.

Step 5 Enter a filter name.

Step 6 Specify one or more signature ID values and one or more subsignature ID values.

Step 7 To use an event variable that you have previously created to specify the Attacker Addresses, select the Variable option and then select the variable name from the drop-down list.

Step 8 To specify the range of Attacker Addresses, follow these steps:

a. Click Add.

The Enter attacker address page appears.

b. Specify the Start IP Address.

c. Specify the End IP Address.

d. Click OK.

Step 9 Specify the Attacker Ports, as required. The value can be specified as an integer or range of integers between 0 and 65535.


Note The default is all ports. You can edit the value to narrow the filter scope.


Step 10 To use an event variable that you have previously created to specify the Victim Addresses, select the Variable option and then select the variable name from the drop-down list.

Step 11 To specify the range of Victim Addresses, follow these steps:

a. Click Add.

The Enter victim address page appears.

b. Specify the start IP address.

c. Specify the end IP address.

d. Click OK.

Step 12 Specify the Victim Ports, as required. The value can be specified as an integer or range of integers between 0 and 65535.


Note The default is all ports. You can edit the value to narrow the filter scope.


Step 13 Specify a signature event action to subtract by selecting an action from the Sig Event Actions list.

Step 14 To direct the system not to process more filters after a match is identified, select true in the Stop on Match list box.

Step 15 To specify that this new EAF should be activated, select true in the Enable action list box.

Step 16 Click OK.

The Signature Event Action Filters table shows the new EAF details.


Editing Event Action Filters

To edit an EAF, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select the group or IPS 5.x sensor for which you want to edit an EAF.

Step 3 In the TOC, under Event Actions (IPS 5.x), select SigEvent Action Filters.

The Signature Event Action Filters Table page appears.

Step 4 Select the check box next to the EAF you want to edit.

Step 5 Click Edit.

The Enter Filter page shows the information of the EAF you selected.


Note The name of the EAF is grayed out, indicating that you cannot change it.


Step 6 Edit, add, or remove one or more Signature Ids, as required.

Step 7 To select a different event variable to specify the Attacker Addresses, select the new variable name from the drop-down list. (To edit the event action variable itself, see Editing Event Variables.)

Step 8 To edit the range of Attacker Addresses, follow these steps:

a. Select an Attacker Address.


Tip To delete the selected address, click Delete.


b. Click Edit.

The Enter attacker address page appears.

c. Edit the Start IP Address, as required.

d. Edit the End IP Address as required.

e. Click OK.


Tip To add a new address range, click Add, complete the new address range information, and click OK.


Step 9 Edit the Attacker Ports, as required.

Step 10 To select a different event variable to specify the Victim Addresses, select the new variable name from the drop-down list. (To edit the event action variable itself, see Editing Event Variables.)

Step 11 To edit the range of Victim Addresses, follow these steps:

a. Select a Victim Address.


Tip To delete the selected address, click Delete.


b. Click Edit.

The Enter victim address page appears.

c. Edit the Start IP Address, as required.

d. Edit the End IP Address, as required.

e. Click OK.


Tip To add a new address range, click Add, complete the new address range information, and click OK.


Step 12 Edit the Victim Ports, as required.

Step 13 Change the signature event action to subtract by selecting a new action from the Sig Event Actions list, as required.

Step 14 Change the Stop on Match check box selection, if desired.

Step 15 Change the Enable action check box selection, if desired.

Step 16 Click OK.

The Signature Event Action Filters table shows the edited EAF details.


Copying Event Action Filters

To copy an event action filter, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select the group or IPS 5.x sensor from which you want to copy an EAF.

Step 3 In the TOC, under Event Actions (IPS 5.x), select SigEvent Action Filters.

The Signature Event Action Filters Table page appears.

Step 4 Select the check box next to the EAF you want to copy.

Step 5 Click Copy.

Step 6 In the Object Selector, select the group or IPS 5.x sensor to which you want to copy the EAF.

Step 7 Click Paste.

Step 8 Click OK.

The Signature Event Action Filters Table shows the copied EAF details.


Tip You can view the EAF details, as required, by clicking View.



Configuring Signature EAFs at the Group Level

Beginning with IPS MC 2.2, you can configure signature event action filters (EAFs or, more simply, "event filters") at the group level on an IPS 5.x sensor. (An event action is the new term for alarms in IPS 5.x sensors.) IPS MC 2.2 does not change how filters are configured for a 4.x device. For more information, see Defining Filters for a 4.x Device.

You can define event filters at each level in the IPS MC hierarchy. Those event filters are divided into two groups at each level: mandatory event filters and default event filters. Mandatory event filters are taken first in order from the Global group down to the device, and default event filters are taken in order from the device back up to the Global group in the hierarchy.

You can define mandatory event filters and default event filters at every level except at the device level, where only default event filters are defined.

You can view the complete hierarchical list of event filters at each level to see the order that the event filters will be deployed to a device. You can edit mandatory filters or default filters that are defined at the currently selected level in the hierarchy.

Event filters are listed on the Signature Event Action Filters page. Each row on the Signature Event Action Filters page represents one filter. The IPS MC applies the filters in the order prescribed by the onion model of hierarchical configuration, so the rows cannot be sorted.

The following fields are found on the Signature Event Action Filters page:

View Filters (required)—Default or Mandatory, selected from a list box.

Name (required)—A name of your choosing to identify the filter as you define and work with it.

Sig Id (required)—The ID of the IPS signature as listed in the NSDB.

Sub Sig Id (required)—The subsignature ID of the IPS signature as listed in the NSDB.

Attacker Addr (required)—The IP address or IP address range of the attacker detected by the IPS MC.

Ports [for Attacker Addr] (required)—An integer or integers from 0 to 65535.

Victim Addr (required)—The IP address or IP address range of the victim as identified by the IPS MC.

Ports [for Victim Addr] (required)—An integer or integers from 0 to 65535.

RR Thrsh Range (required)—Risk Rating Inclusive Range, represented by an integer in the range 0 to 100.

Actions to Subtract—The event action or actions that you do not want IPS MC to take as a result of your defining this filter.

Stop on Match (required)—true or false. Allows you to specify whether you want the IPS MC to continue processing the filters listed on the Signature Event Action Filters page.

Enabled (required)—true or false. Allows you to enable a particular filter.

Deny Attacker Percentage (required)—An integer from 0 to 100. Applies to IPS 5.1 and later.

Comment (optional)—A comment of your choosing for this filter.

This section contains the following topics:

Determining the Order of Signature EAFs at the Group Level

Moving a Signature EAF Up or Down at the Group Level

Adding a Signature EAF at the Group Level

Editing a Signature EAF at the Group Level

Viewing a Signature EAF at the Group Level

Copying, Cutting, Pasting, and Deleting a Signature EAF at the Group Level

Determining the Order of Signature EAFs at the Group Level

For each device, IPS MC applies signature EAFs in the following order:

1. Mandatory filters defined at the Global group level.

2. Mandatory filters defined at each group and subgroup in the order they appear below the Global group.

3. Any filters at the device level. There are no mandatory or default filters at this level.

4. Default filters defined at the group that the device is in.

5. Default filters defined at all remaining group levels up to and including the Global group.
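The ordering above, together with the filter fields listed for the Signature Event Action Filters page, as an added example that is not part of the IPS MC guide or product: a small Python model that orders the filters of a constructed Global > DMZ > sensor-1 hierarchy and walks one event through them, showing why a device-level filter can never undo a mandatory group filter that has Stop on Match set. Group names, filter rows, addresses and action names are constructed for illustration; Deny Attacker Percentage is omitted because it does not change which actions survive.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

@dataclass
class EventFilter:
    """One row of the Signature Event Action Filters page (Deny Attacker Percentage omitted)."""
    name: str
    sig_id: int
    sub_sig_id: int
    attacker_addr: str             # CIDR; "0.0.0.0/0" stands for any attacker
    attacker_ports: Tuple[int, int]  # inclusive, 0-65535
    victim_addr: str
    victim_ports: Tuple[int, int]
    rr_range: Tuple[int, int]      # Risk Rating Inclusive Range, 0-100
    actions_to_subtract: Set[str]
    stop_on_match: bool = False
    enabled: bool = True

@dataclass
class Level:
    """A group in the IPS MC hierarchy, or the device itself (defaults only)."""
    name: str
    mandatory: List[EventFilter] = field(default_factory=list)
    default: List[EventFilter] = field(default_factory=list)

def deployment_order(path: List[Level]) -> List[EventFilter]:
    """Order filters as IPS MC deploys them to the device at the end of `path`
    (Global first): mandatory top-down, device filters, then default bottom-up."""
    groups, device = path[:-1], path[-1]
    ordered: List[EventFilter] = []
    for lvl in groups:                 # steps 1-2: Global, then each subgroup
        ordered.extend(lvl.mandatory)
    ordered.extend(device.default)     # step 3: device-level filters
    for lvl in reversed(groups):       # steps 4-5: device's group up to Global
        ordered.extend(lvl.default)
    return ordered

@dataclass
class Event:
    sig_id: int
    sub_sig_id: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int
    risk_rating: int
    actions: Set[str]      # actions the signature would take before filtering

def _within(value: int, bounds: Tuple[int, int]) -> bool:
    return bounds[0] <= value <= bounds[1]

def matches(f: EventFilter, e: Event) -> bool:
    """True when every field of the filter covers the event."""
    return (f.sig_id == e.sig_id and f.sub_sig_id == e.sub_sig_id
            and ip_address(e.attacker) in ip_network(f.attacker_addr)
            and _within(e.attacker_port, f.attacker_ports)
            and ip_address(e.victim) in ip_network(f.victim_addr)
            and _within(e.victim_port, f.victim_ports)
            and _within(e.risk_rating, f.rr_range))

def apply_filters(filters: List[EventFilter], e: Event) -> Tuple[Set[str], List[str]]:
    """Enabled, matching filters subtract their actions in order; Stop on Match ends the walk."""
    remaining = set(e.actions)
    hits: List[str] = []
    for f in filters:
        if not f.enabled or not matches(f, e):
            continue
        hits.append(f.name)
        remaining -= f.actions_to_subtract
        if f.stop_on_match:
            break
    return remaining, hits

ANY, ALL_PORTS, ALL_RR = "0.0.0.0/0", (0, 65535), (0, 100)

HIERARCHY = [  # constructed sample: Global > DMZ group > sensor-1 (device)
    Level("Global",
          mandatory=[EventFilter("m_global", 2004, 0, "10.0.0.0/8", ALL_PORTS,
                                 ANY, ALL_PORTS, ALL_RR, {"request-block-host"})],
          default=[EventFilter("d_global", 2004, 0, ANY, ALL_PORTS, ANY,
                               ALL_PORTS, ALL_RR, {"produce-alert"}, enabled=False)]),
    Level("DMZ",
          mandatory=[EventFilter("m_dmz", 2004, 0, ANY, ALL_PORTS, "192.0.2.0/24",
                                 ALL_PORTS, (0, 69), {"deny-attacker-inline"},
                                 stop_on_match=True)],
          default=[EventFilter("d_dmz", 9999, 0, ANY, ALL_PORTS, ANY, ALL_PORTS,
                               ALL_RR, {"produce-alert"})]),
    Level("sensor-1",
          default=[EventFilter("d_dev", 2004, 0, ANY, ALL_PORTS, ANY, ALL_PORTS,
                               ALL_RR, {"produce-alert"})]),
]
ACTIONS = {"produce-alert", "deny-attacker-inline", "request-block-host"}

def demo(risk_rating: int) -> Tuple[Set[str], List[str]]:
    """Run one constructed event (constructed addresses) through sensor-1's chain."""
    event = Event(2004, 0, "10.1.1.5", 4444, "192.0.2.10", 80, risk_rating, ACTIONS)
    return apply_filters(deployment_order(HIERARCHY), event)
```

With a risk rating of 60 the mandatory DMZ filter matches and stops the chain, so the device's own filter never runs; with 85 the DMZ filter's range no longer covers the event and the device filter takes effect.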

Moving a Signature EAF Up or Down at the Group Level

To move a signature EAF up or down at the group level, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select a group that contains at least one 5.x sensor. You can select the Global group if it contains at least one 5.x sensor.

The Object Selector closes.

Step 4 In the TOC, select Event Actions (IPS 5.x) > SigEvent Action Filters.

The Signature Event Action Filters page displays any defined event filters, and the Object bar displays the group that you selected in the Object Selector.

Step 5 On the Signature Event Action Filters page, select a filter to move up or down.

Step 6 On the Signature Event Action Filters page, click Move Up or Move Down.

The Signature Event Action Filters page appears again, updated to show the event filter that you just moved.


Adding a Signature EAF at the Group Level

To add a signature EAF (also called an "event filter") at the group level, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select a group that contains at least one 5.x sensor. You can select the Global group if it contains at least one 5.x sensor.

The Object Selector closes.

Step 4 In the TOC, select Event Actions (IPS 5.x) > SigEvent Action Filters.

The Signature Event Action Filters page displays any defined event filters, and the Object bar displays the group that you selected in the Object Selector.

Step 5 On the Signature Event Action Filters page, select Mandatory or Default in the View Filters list box.

Step 6 On the Signature Event Action Filters page, click Add.

The Enter Default Filter page or the Enter Mandatory Filter page appears, depending upon your selection.

Step 7 Enter the following required values: Filter Name, Signature Id, Sub Signature Id, Attacker Addresses, Attacker Ports, Victim Addresses, Victim Ports, Sig Event Actions, Risk Rating Inclusive Range, Deny Attacker Percentage (applies to IPS 5.1 and later, not 5.0), Stop on Match, Enable action. Enter Comments (optional), if desired.

Step 8 Click OK to save your changes.

The Signature Event Action Filters page shows the event filter that you just added.


Editing a Signature EAF at the Group Level

To edit a signature EAF (also called an "event filter") at the group level, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select a group that contains at least one 5.x sensor. You can select the Global group if it contains at least one 5.x sensor.

The Object Selector closes.

Step 4 In the TOC, select Event Actions (IPS 5.x) > SigEvent Action Filters.

The Signature Event Action Filters page displays any defined event filters, and the Object bar displays the group that you selected in the Object Selector.

Step 5 On the Signature Event Action Filters page, select a filter to edit.

Step 6 On the Signature Event Action Filters page, click Edit.

The Enter Default Filter page or the Enter Mandatory Filter page appears, depending upon your selection.

Step 7 Edit, as required, any of the following values: Filter Name, Signature Id, Sub Signature Id, Attacker Addresses, Attacker Ports, Victim Addresses, Victim Ports, Sig Event Actions, Risk Rating Inclusive Range, Deny Attacker Percentage (applies to IPS 5.1 and later, not 5.0), Stop on Match, and Enable action (all required), and Comments (optional).

Step 8 Click OK to save your changes.

The Signature Event Action Filters page shows the event filter that you just edited.


Viewing a Signature EAF at the Group Level

You can view one signature EAF, or all signature EAFs, at the group level.

To view signature EAFs at the group level, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select a group that contains at least one 5.x sensor. You can select the Global group if it contains at least one 5.x sensor.

The Object Selector closes.

Step 4 In the TOC, select Event Actions (IPS 5.x) > SigEvent Action Filters.

The Signature Event Action Filters page displays any defined event filters, and the Object bar displays the group that you selected in the Object Selector.

Step 5 To view a single filter, select that filter and click View.

The View Default Filter page or the View Mandatory Filter page appears, depending upon your selection.

Step 6 To view all filters, click View All.

The Signature Event Action Filters page shows all default and mandatory event filters.


Copying, Cutting, Pasting, and Deleting a Signature EAF at the Group Level

To copy, cut, paste, or delete a signature EAF at the group level, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select a group that contains at least one 5.x sensor. You can select the Global group if it contains at least one 5.x sensor.

The Object Selector closes.

Step 4 In the TOC, select Event Actions (IPS 5.x) > SigEvent Action Filters.

The Signature Event Action Filters page displays any defined event filters, and the Object bar displays the group that you selected in the Object Selector.

Step 5 To delete a filter, select that filter and click Delete.

The Signature Event Action Filters page refreshes, and the deleted filter is no longer listed.

Step 6 To copy a filter and paste it into a different group:

a. Select the filter that you want to copy.

b. In the Object Selector, select the group to which you want to copy the filter.

c. On the Signature Event Action Filters page, select Paste.

Step 7 To cut a filter and paste it into a different group:

a. Select the filter that you want to cut.

b. In the Object Selector, select the group to which you want to move the filter.

c. On the Signature Event Action Filters page, select Paste.


Configuring Event Action General Settings

You can configure the general settings that apply to event action rules, such as whether you want to use the summarizer and the meta event generator. The summarizer groups events into a single alert, thus decreasing the number of alerts the sensor sends out. The meta event generator processes the component events, which lets the sensor watch for suspicious activity transpiring over a series of events. You can configure how long you want to deny attackers, the maximum number of denied attackers, and how long you want blocks to last.

The following configuration elements and corresponding values apply:

Enable SigEvent Action Override—When selected, the signature event override function is enabled. The default setting of this function is enabled.

Enable SigEvent Action Filtering—When selected, the signature event action filtering function is enabled. The default setting of this function is enabled.

Enable Summarizer—When selected, the signature event summarizer is enabled. The default setting of this function is enabled.

Enable Meta Event Generator—When selected, the signature event meta event generator is enabled. The default setting of this function is enabled.

Deny Attacker Duration—Number of seconds to deny the attacker inline. The valid range is from 0 to 518400. The default is 3600.

Block Action Duration—The period of time, in minutes, to block a host or connection. The valid range is from 0 to 10000000. The default is 30.

Maximum Denied Attackers—Limits the number of denied attackers possible in the system at any one time. The default is 10,000.

Override—When you select this check box, it overrides these general settings made at any higher level. The default setting is selected.

Mandatory—When you select this check box, it prevents these general settings from being overridden at a lower level. The default setting is unselected.

To configure event action general settings, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to configure event action general settings.

Step 3 In the TOC, under Event Actions (IPS 5.x), select General Settings.

The Event Action General Settings page appears.

Step 4 To override the Event Action General settings made at a higher group level, select the Override check box.


Tip If the Override check box appears and is not selected, you must select it before you can make other General Settings.


Step 5 To change whether the Enable SigEvent Action Override function is disabled or enabled, deselect or select the Enable SigEvent Action Override check box.


Tip For more information, see Using Event Action Overrides.


Step 6 To change whether the Event Action Filtering function is disabled or enabled, deselect or select the Enable Sig Event Action Filtering check box, as required.


Tip For more information see Using Event Action Filters.


Step 7 To enable the Summarizer feature, select the Enable Summarizer check box.

Step 8 To enable the Meta Event Generator feature, select the Enable Meta Event Generator check box.


Tip The summarizer and meta event generator operate at a global level, so enabling them affects all sensor processing of these features.


Step 9 Specify a new value for Deny Attacker Duration.

Step 10 Specify a new value for Block Action Duration.

Step 11 Specify a new value for Maximum Denied Attackers.

Step 12 To specify that the event action general settings cannot be overridden, select the Mandatory check box.


Note The Mandatory check box appears at the bottom of the page only when you have selected a group or subgroup as the operating scope.


Step 13 Click Apply.


Tip Alternatively, you can click Reset to return the settings to their previous condition.


The event action general settings are saved.


Configuring Interfaces for IPS 5.X Sensors

You use the Interface Configuration section to perform interface and inline interface configuration. You can select the following functional areas from the TOC selection Interfaces (IPS 5.x):

Summary—Enables you to view a summary of all interfaces, including VLAN pairs and interface pairs.

Interfaces—Enables you to enable or disable the available sensing interfaces.

Interface Pairs—Enables you to edit/delete the existing interface pair(s).

VLAN Pairs—Enables you to configure VLAN pairs for an inline interface on an IPS 5.1 sensor.

Bypass—Enables you to configure the bypass mode of the sensor analysis engine.

Traffic Flow Notifications—Enables you to configure the sensor to monitor the flow of packets across an interface and to send notification if that flow changes during a specified interval.

This section contains the following topics:

Editing Interfaces for IPS 5.X Sensors

Configuring Interface Pairs for IPS 5.X Sensors

Configuring VLAN Pairs

Configuring Bypass for IPS 5.X Sensors

Configuring Traffic Flow Notifications for IPS 5.X Sensors

Editing Interfaces for IPS 5.X Sensors

You must enable a sensing interface and assign it to a virtual sensor before the sensor can monitor that interface. This procedure details how to edit these interfaces.


Tip For information on editing interface pairs or inline interfaces, see Configuring Interface Pairs for IPS 5.X Sensors.


The Interfaces page lists the physical sensing interfaces on a selected device and the settings for the following interface attributes:

Interface Name—The unique name of this interface on this device. You cannot edit this name.

Admin State—The current state of the interface as either enabled or disabled.

Media Type—The media type of the interface. Options are:

backplane—Signifies backplane.

sx—Signifies gigabit fiber short haul.

tx—Signifies gigabit copper.

xl—Signifies gigabit fiber long haul.

Duplex—The duplex setting of the interface (auto, full, or half).

Speed—The speed at which the interface operates. Options are 10, 100, 1000, and auto.

Alternate TCP Reset Interface—The alternate TCP reset interface for this interface. The available options for this attribute are computed every time an edit interface request is made.

The following rules determine what values appear as options for the alternate TCP reset interface:

It cannot be None.

It can be any other physical sensing interface that is not part of an inline pair.

More than one interface can have the same reset interface.

It cannot be itself.

It cannot be a command and control interface.

Description—An optional description of the interface.


Note You can edit only unprotected attributes of a sensor.


To edit sensing interface attributes, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select any IPS 5.x sensor for which you want to configure sensing interfaces.

The Object Selector closes, and the Object bar displays the group or sensor you selected in the Object Selector.


Note The TOC presents different sets of options depending on the group or object you select in the Object Selector.


Step 3 In the TOC, under Interfaces (IPS 5.x), select Interfaces.

The Interfaces page appears.

Step 4 Select the check box next to the interface you want to edit.


Note You can select only one interface to edit at one time.


The Edit Interface page appears.

Step 5 To detect the sensing interfaces for a sensor whose configuration consists of default settings, click Query Interfaces.


Note You must click Query Interfaces before you can deploy a sensor whose configuration consists of default settings.



Note The Query Interfaces operation takes a considerable amount of time to perform.


Step 6 Change one or more of the interface parameters, as required, and then click OK.


Note You can edit only unprotected attributes of a sensor.


The Interfaces table shows the changes you have made.

Step 7 To change the state of a particular interface, click Enable or Disable.


Configuring Interface Pairs for IPS 5.X Sensors


Caution You must save and deploy to the device any interface configuration changes done in IPS MC before you perform this procedure. When you query the device, the interface settings on the device overwrite the settings in IPS MC.

To configure interface pairs, follow these steps:


Step 1 Select Configuration.

Step 2 In the Object Selector, select an IPS 5.x sensor.

The Object Selector closes, and the Object bar displays the sensor you selected in the Object Selector.

Step 3 Select Settings.

Step 4 In the TOC, under Interfaces (IPS 5.x), select Interface Pairs.


Note The TOC presents different sets of options depending on the group or object you selected in the Object Selector. You cannot view the Interface Pairs function if you have selected a group, because it operates only at the sensor level.


The Interface Pairs table lists the interface pairs configured for the selected device.

Step 5 To add an interface pair, follow these steps:

a. Click Add.

The Add Interface Pair page appears.

b. In the Interface Pair Name field, enter a name.


Note The Interface Pair Name must be unique on the selected device.


c. Press and hold the Ctrl key while you select the two interfaces to be paired.

d. Click OK.


Tip The OK button is not available when there are not enough interfaces to accommodate pairing.


The Interface Pairs table appears with the newly configured interface pair listed.

Step 6 To edit an interface pair, follow these steps:

a. Select the check box next to the Interface Pair Name.

b. Click Edit.

The Edit Interface Pair page appears.


Note The interfaces of the pair you are editing are highlighted.


c. Edit the parameters you want to change.

d. Click OK.

The Interface Pairs table lists the edited interface pair attributes.

Step 7 To delete an interface pair, follow these steps:

a. Select the check box next to the name of the Interface Pair or pairs you want to delete.

b. Click Delete.

The interface pairs are deleted and removed from the Interface Pair table.


Configuring VLAN Pairs

Beginning with IPS MC 2.2, you can configure VLAN pairs for an inline interface on an IPS 5.1 sensor. You can configure VLAN pairs only at the device level, not at the group level. The term "configure" more specifically means that you can add, edit, and delete VLAN pairs and assign the VLAN pairs to a virtual sensor.

A VLAN (virtual local area network) is a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

A virtual sensor is a logical grouping of sensing interfaces and the configuration policy for the signature engines and alarm filters to apply to them.

Other tools and features within IPS MC work with VLAN pair configuration, as follows:

When you import a configuration from a sensor, the VLAN pair configuration is imported as well.

When you deploy a configuration from IPS MC to a sensor, the VLAN pair configuration is included in the configuration that you deploy.

When you use the Configuration Comparison Tool, the VLAN pairs are included in the output.

This section contains the following topics:

Adding a VLAN Pair

Editing a VLAN Pair

Deleting a VLAN Pair

Adding a VLAN Pair

To add a VLAN pair, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the 5.1 sensor for which you want to add a VLAN pair.

The Object Selector closes.

Step 4 In the TOC, select VLAN Pairs.

The VLAN Pairs page displays any inline VLAN pairs that exist on each physical interface, and the Object bar displays the sensor that you selected in the Object Selector.

Step 5 Click Add.

The Add VLAN Pair page appears.

Step 6 Select the Interface Name from the list box, which is populated with the names of the interfaces for the sensor that you selected.

Step 7 Enter VLAN 1 (1-4095) (any integer in the range 1-4095).

Step 8 Enter VLAN 2 (1-4095) (any integer in the range 1-4095).

Step 9 Enter a Description.

Step 10 Click OK to save your changes.

The VLAN Pairs page appears again, updated to show the VLAN pair that you just added.


Editing a VLAN Pair

To edit a VLAN pair, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the 5.1 sensor for which you want to edit a VLAN pair.

The Object Selector closes.

Step 4 In the TOC, select VLAN Pairs.

The VLAN Pairs page displays any inline VLAN pairs on each physical interface, and the Object bar displays the sensor that you selected in the Object Selector.

Step 5 Select the check box next to the VLAN pair that you want to edit, and then click Edit.

The Edit VLAN Pair page appears.


Note You cannot edit the Interface Name, the Subinterface number, or the Description on this page.


Step 6 Edit VLAN 1 (1-4095) (any integer in the range 1-4095).

Step 7 Edit VLAN 2 (1-4095) (any integer in the range 1-4095).

Step 8 Click OK.

The VLAN Pairs page shows the VLAN pair that you just edited.


Deleting a VLAN Pair

To delete a VLAN pair, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the 5.1 sensor for which you want to delete a VLAN pair.

The Object Selector closes.

Step 4 In the TOC, select VLAN Pairs.

The VLAN Pairs page displays any inline VLAN pairs on each physical interface, and the Object bar displays the sensor that you selected in the Object Selector.

Step 5 Select the check box corresponding to the VLAN pair that you want to delete, and then click Delete.

The VLAN Pairs page no longer shows the VLAN pair that you just deleted.


Configuring Bypass for IPS 5.X Sensors

You can use the Bypass feature either as a diagnostic tool or as a failover mechanism to ensure that packets continue flowing through the device if the software fails on an IPS 5.x sensor.

There are three bypass modes from which you can choose:

auto—Bypass the inspection when the analysis engine is stopped. This is the default bypass mode. When you select auto and the sensor goes down, traffic bypasses the sensor and is saved until the sensor is running again; the sensor then inspects the traffic.

off—Always inspect inline traffic. When you select off, a warning message emphasizes the risk of that selection. The risk involved is that if the sensor ceases to function, traffic stops flowing.

on—Never inspect inline traffic. When you select on, a warning message emphasizes the risk of that selection. The risk is that if the sensor ceases to function, traffic stops flowing.

You can configure the Bypass feature at the group or device level. However, you can configure the Bypass feature at the sensor level only when all the following are true:

A sensor is selected (not a group).

The parent group of the sensor has disabled the mandatory option.

The Override check box is selected.

To configure the bypass mode for an IPS 5.x sensor or group of sensors, follow these steps:


Step 1 Select Configuration.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to configure bypass.

Step 3 In the TOC, under Interfaces (IPS 5.x), select Bypass.

The Bypass page appears.

Step 4 If you selected a group node, you can select the Mandatory check box to mandate that all children inherit the settings made at this group and that the setting cannot be modified at the child level.

Step 5 If you selected a sensor node and the Mandatory check box is deselected for the parent group of this sensor, you can select the Override check box to enable configuration of the bypass mode at the sensor level.


Tip The source of the configuration that would be overridden is shown, as applicable, when the Override check box is deselected.


Step 6 Select the Bypass Mode setting you want to apply to the selected sensor.

Step 7 Click Apply.


Tip Alternatively, to revert the bypass setting to the last saved mode and override settings, click Reset.


The Bypass mode is set for the sensor or group selected.


Configuring Traffic Flow Notifications for IPS 5.X Sensors

You can use the Traffic Flow Notifications feature to configure a sensor to monitor the flow of packets across an interface and to send notification when that flow changes during a specified interval.

You must set three parameters when configuring a traffic flow notification:

Missed Packet Threshold—The acceptable limit of missed packets measured as a percentage. Values range from 0 to 100 percent. The default value is 0.

Notification Interval—The notification interval measured in seconds. Values range from 5 to 3600 seconds. The default is 30.

Idle Interface Delay—The idle interface delay in seconds. Values range from 5 to 3600 seconds. The default is 30.

To configure a traffic flow notification for an IPS 5.x sensor or group of sensors, follow these steps:


Step 1 Select Configuration.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to configure a traffic flow notification.

Step 3 In the TOC, under Interfaces (IPS 5.x), select Traffic Flow Notifications.

The Traffic Flow Notifications page appears.

Step 4 If you selected a group node, you can select the Mandatory check box to mandate that all children inherit the settings made at this group and the setting cannot be modified at the child level.

Step 5 If you selected a sensor node and the Mandatory check box is deselected for the parent group of this sensor, you can select the Override check box, to enable configuration of Traffic Flow Notifications at the sensor level.


Tip The source of the configuration that would be overridden is shown, as applicable, when the Override check box is deselected.


Step 6 Set the Missed Packet Threshold value.

Step 7 Set the Notification Interval value.

Step 8 Set the Idle Interface Delay value.

Step 9 Click Apply.


Tip Alternatively, to revert settings to the last saved configuration, click Reset.


Traffic Flow Notifications are set for the sensor or group selected.


Configuring Analysis Engine Settings for 5.X Sensors

The configuration of Analysis Engine settings for IPS MC 5.X sensors involves two separate categories: virtual sensor settings and global settings.

The Analysis Engine monitors traffic that flows through specified interfaces or interface pairs. In IPS MC only one Analysis Engine runs per sensor. This section details how you configure virtual sensors and how you set global variables for a virtual sensor.

This section contains the following topics:

Editing Virtual Sensors

Editing Global Parameters

Editing Virtual Sensors

Using IPS MC you can monitor traffic that traverses interfaces or interface pairs assigned to a virtual sensor. Virtual sensors are device specific and therefore are not available at the group level and apply only to IPS 5.x sensors. You can view, change the description of, or assign and remove interfaces (or interface pairs) assigned to a virtual sensor by editing that virtual sensor.

To edit a virtual sensor, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle to open the Object Selector.

Step 3 In the Object Selector, select any IPS 5.x sensor for which you want to edit the virtual sensor.

The Object Selector closes, and the Object bar displays the sensor you selected in the Object Selector.


Note The TOC presents different sets of options depending on the object you select in the Object Selector.


Step 4 In the TOC, under Analysis Engine (IPS 5.x), select Virtual Sensor.

The Virtual Sensor page appears.

Step 5 Click the radio button for the sensor you want to edit.


Tip In IPS MC there is only one virtual sensor for each sensor. You cannot edit the name of this default sensor.


Step 6 Click Edit.

The Edit Virtual Sensor page appears.

Step 7 To edit this sensor's assigned interface or interface pairs, select the applicable interface name(s).


Tip When you add a device with default configuration, you need to query the sensor for an interface to assign to the virtual sensor. Click Query Interfaces to query the sensor for a list of interfaces.



Tip To select multiple interfaces, hold the Ctrl key while clicking the interface names.


Step 8 To modify the description, edit the Description field.

Step 9 To save the virtual sensor configuration, click OK.


Editing Global Parameters

You use the Global Settings feature of the Analysis Engine to configure the maximum number of open IP logs permitted.


Note In this instance, the term global settings refers only to settings within the Analysis Engine.


To edit Analysis Engine global parameters, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle to open the Object Selector.

Step 3 In the Object Selector, select a group or any IPS 5.x sensor for which you want to edit the global parameters.

The Object Selector closes, and the Object bar displays the group or sensor you selected in the Object Selector.


Note The TOC presents different sets of options depending on the object you select in the Object Selector.


Step 4 In the TOC, under Analysis Engine (IPS 5.x), select Global Parameters.

The Global Parameters page appears.

Step 5 Specify a value, from 20 to 100, for Max Open IP Log Files.

Step 6 To override the global parameters value set at a parent level, select the Override check box.

Step 7 Click Apply.


Configuring SNMP Settings for IPS 5.X Sensors

While IPS MC does not use Simple Network Management Protocol (SNMP) to manage IDS sensors, the 5.x sensors support SNMP and therefore require a means of configuration in IPS MC.

There are three parts to the SNMP configuration feature in IPS MC:

General Configuration—Enables you to configure general SNMP parameters and applies to IPS 5.x sensors and to the group level.

Traps Configuration—Enables you to configure traps and applies to IPS 5.x sensors and to the group level.

Traps Destination—Enables you to configure interested parties to whom the traps should be sent.

This section contains the following topics:

Configuring General SNMP Parameters

Configuring SNMP Traps

Adding SNMP Trap Destination Addresses

Editing SNMP Trap Destination Addresses

Configuring General SNMP Parameters

The SNMP General Configuration page enables you to configure certain general SNMP parameters. SNMP General Configuration applies to IPS 5.x sensors and to the group level. This feature supports mandatory and override functions.

The following are elements of configuration on this page:

Enable SNMP Sets/Gets—Allows you to enable the sensor to respond to get and set queries. If this field is disabled, the sensor does not respond to the query.

Read-Only Community—Sets the read-only community string of the sensor/group to a string you specify. When a sensor receives an SNMP get request with the specified read-only community string, it responds. This string gives access to all SNMP get requests.

Read-Write Community—Sets the read-write community string of the sensor/group to a string you specify. When a sensor receives an SNMP get request, or an SNMP set request, with the specified read-write community string, it responds. This string gives access to all SNMP get requests and set requests.

Sensor Agent Port—Instructs a sensor to run the SNMP agent on the specified port. Valid port numbers range from 1 to 65535.

Protocol—Instructs a sensor to run SNMP on top of a particular transport protocol. The options available are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

To configure the general SNMP parameters for an IPS 5.x sensor or group of sensors, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to configure SNMP parameters.

Step 3 In the TOC, under SNMP (IPS 5.x), select General Configuration.

The General Configuration page appears.

Step 4 To enable the sensor to respond to get and set queries, select the Enable SNMP Get/Sets check box.

Step 5 Specify the Read-Only Community String.

Step 6 Specify the Read-Write Community String.

Step 7 Specify the Sensor Agent Port.

Step 8 Select either UDP or TCP from the Protocol list.

Step 9 If you selected a sensor node and the Mandatory check box is deselected for the parent group of this sensor, you can select the Override check box to enable the general SNMP configuration parameters set at the sensor level.

Step 10 Click Apply.


Tip Alternatively, to revert to the last saved configuration, click Reset.


The general SNMP configuration is set for the sensor or group selected.


Configuring SNMP Traps

The SNMP Traps Configuration page enables you to configure SNMP traps, to enable error events notification, to enable detailed traps, and to modify the default trap community string. The SNMP Traps Configuration function applies to IPS 5.x sensors and to the group level. This feature supports the mandatory and override functions.

The following are elements of configuration on this page:

Enable Traps—Allows you to enable the sensor to notify interested parties whenever a specific type of event occurs in a sensor. When you select this check box, the sensor is instructed to perform notification. (You can also use the Traps Destination function to configure interested parties.) If the Enable Traps check box is not selected, the sensor does not send trap notifications.

Select the error events to notify through SNMP—You use this set of check boxes to specify the level of notifications that are enabled. The three levels of notification are Fatal, Error, and Warning. When you select one or more of these check boxes, you enable the sensor to send notification of events that correspond to the levels selected.

Enable detailed traps for alerts—When you select this check box, you enable the sensor to send the detailed traps for all alerts.

Default Trap Community String—Every trap the sensor sends carries a community string. A destination accepts the traps whose community string is identical to its own and discards all others. This value is the default for every destination, but it can be overridden at any individual destination.

To configure the SNMP trap parameters for an IPS 5.x sensor or group of sensors, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to configure SNMP trap parameters.

Step 3 In the TOC, under SNMP (IPS 5.x), select Traps Configuration.

The Traps Configuration page appears.

Step 4 To enable the sensor to notify interested parties whenever a specific type of event occurs in the sensor, select Enable Traps.

Step 5 To specify the level of notifications that are enabled, in the Select the error events to notify through SNMP set of check boxes, select one or more of the following check boxes:

Fatal

Error

Warning


Note You must enable at least one level of notification.


Step 6 To enable the sensor to send the detailed traps for all alerts, select the Enable detailed traps for alerts check box.

Step 7 Specify the Default Trap Community String.

Step 8 If you selected a sensor node and the Mandatory check box is deselected for the parent group of this sensor, you can select the Override check box to enable the SNMP traps configuration parameters set at the sensor level.

Step 9 Click Apply.


Tip Alternatively, to revert to the last saved configuration, click Reset.


The SNMP traps configuration is set for the sensor or group selected.


Adding SNMP Trap Destination Addresses

The SNMP Traps Destination page enables you to specify or edit the list of interested parties to whom the traps should be sent. The SNMP Trap Destination Address function applies to IPS 5.x sensors and to the group level. A maximum of ten destinations is allowed at any level.

The values you specify from this page are:

IP Address—The IP address of the destination to which the notifications should be sent.

Port—The port number to which the notification should be addressed.

Trap Community String—Every trap the sensor sends carries a community string. A destination accepts only the traps whose community string is identical to its own.

To add an SNMP trap destination for an IPS 5.x sensor or group of sensors, follow these steps:


Step 1 Select Configuration.

Step 2 In the Object Selector, select a group or any IPS 5.x sensor for which you want to add an SNMP trap destination.

Step 3 In the TOC, under SNMP (IPS 5.x), select Traps Destination.

The Traps Destination page appears.

Step 4 Click Add.

The Add Trap Destination Address page appears.

Step 5 Specify the IP Address.

Step 6 Specify the Port.

Step 7 Specify the Trap Community String.

Step 8 To save the new SNMP trap destination, click OK.

The SNMP trap destination is set for the sensor or group selected.


Editing SNMP Trap Destination Addresses

The SNMP Traps Destination page enables you to specify or edit the list of interested parties to whom the traps should be sent. The SNMP Trap Destination Address function applies to IPS 5.x sensors and to the group level. A maximum of ten destinations is allowed at any level.

The values you specify from this page are:

IP Address—The IP address of the destination to which the notifications should be sent.

Port—The port number to which the notification should be addressed.

Trap Community String—Every trap the sensor sends carries a community string. A destination accepts only the traps whose community string is identical to its own.

To edit an SNMP trap destination for an IPS 5.x sensor or group of sensors, follow these steps:


Step 1 Select Configuration.

Step 2 In the Object Selector, select the group or IPS 5.x sensor for which you want to edit an SNMP trap destination.

Step 3 In the TOC, under SNMP (IPS 5.x), select Traps Destination.

The Traps Destination page appears.

Step 4 Click Edit.

The Edit Trap Destination Address page appears.

Step 5 Edit one or more of the following fields, as required:

IP Address

Port

Trap Community String

Step 6 To save the edited SNMP trap destination, click OK.

The edited SNMP trap destination is saved.
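The three SNMP pages above (General Configuration, Traps Configuration and Traps Destination) fit together in a way the step lists do not show: the read-only and read-write community strings decide which get and set requests the agent answers, and the default trap community string, or a per-destination override of it, decides which destination keeps which trap. The following Python model is an added example and is not code from IPS MC or the sensor; it encodes only the rules the guide states (agent port 1 to 65535, at least one of Fatal, Error and Warning, at most ten destinations, community-string matching) plus one hygiene check that the guide does not mention, flagging identical read-only and read-write strings. The default agent port of 161, and every address, port and community string in it, are constructed sample values.

```python
"""SNMP settings of a 5.x sensor as the guide describes them (added example, not IPS MC code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

TRAP_LEVELS = ("Fatal", "Error", "Warning")
MAX_DESTINATIONS = 10            # the guide allows at most ten destinations per level


def valid_port(port) -> bool:
    """Sensor Agent Port and destination ports must be 1..65535."""
    return isinstance(port, int) and 1 <= port <= 65535


@dataclass
class SnmpGeneral:
    enabled: bool                # Enable SNMP Sets/Gets
    read_only: str               # Read-Only Community
    read_write: str              # Read-Write Community
    agent_port: int = 161        # constructed default; the guide gives only the range
    protocol: str = "UDP"        # UDP or TCP

    def responds_to(self, op: str, community: str) -> bool:
        """Whether the agent answers a 'get' or 'set' carrying this community string.
        The read-write string satisfies both; the read-only string never satisfies a set."""
        if not self.enabled or op not in ("get", "set"):
            return False
        if op == "set":
            return community == self.read_write
        return community in (self.read_only, self.read_write)

    def problems(self) -> list:
        out = []
        if not valid_port(self.agent_port):
            out.append("agent port outside 1..65535")
        if self.protocol not in ("UDP", "TCP"):
            out.append("protocol must be UDP or TCP")
        # Added check, not a rule from the guide: one string for both would grant
        # set access to anyone who only needs read access.
        if self.enabled and self.read_only == self.read_write:
            out.append("read-only and read-write community strings are identical")
        return out


@dataclass
class TrapDestination:
    ip: str
    port: int
    community: Optional[str] = None   # None: use the Default Trap Community String


@dataclass
class SnmpTraps:
    enabled: bool                     # Enable Traps
    levels: frozenset                 # subset of TRAP_LEVELS
    detailed_alert_traps: bool        # Enable detailed traps for alerts
    default_community: str            # Default Trap Community String
    destinations: list = field(default_factory=list)

    def problems(self) -> list:
        out = []
        if self.enabled and not (set(self.levels) & set(TRAP_LEVELS)):
            out.append("at least one of Fatal, Error, Warning must be enabled")
        if len(self.destinations) > MAX_DESTINATIONS:
            out.append(f"more than {MAX_DESTINATIONS} trap destinations")
        for d in self.destinations:
            try:
                ip_address(d.ip)
            except ValueError:
                out.append(f"bad destination address {d.ip!r}")
            if not valid_port(d.port):
                out.append(f"bad destination port {d.port!r} for {d.ip}")
        return out

    def community_for(self, dest: TrapDestination) -> str:
        return self.default_community if dest.community is None else dest.community

    def traps_for_event(self, level: str) -> list:
        """(ip, port, community) for each trap the sensor emits for one event of `level`."""
        if not self.enabled or level not in self.levels:
            return []
        return [(d.ip, d.port, self.community_for(d)) for d in self.destinations]


def accepted_by(receiver_community: str, traps: list) -> list:
    """Traps a receiver configured with `receiver_community` keeps; the rest it discards."""
    return [t for t in traps if t[2] == receiver_community]
```

The `accepted_by` function is the receiving side of the rule the guide describes: a trap whose community string does not match the destination's is dropped silently, so a stale per-destination string shows up as missing notifications rather than as an error on the sensor.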


Using Signatures in 5.x Devices

Configuring signatures for 5.x devices consists of two categories: editing and tuning. Editing consists of enabling or disabling the signature, setting its severity, and similar configurations. Tuning consists of changing the signature micro-engine parameters. Besides configuring signatures, you can also set miscellaneous signature parameters, create signature variables, and create custom signatures. Each of these activities is detailed in this section.

This section contains the following topics:

Creating Signature Variables for 5.x Devices

Editing Signatures for 5.x Devices

Tuning Signatures for 5.x Devices

Setting Miscellaneous Signature Parameters for 5.x Devices

Adding a 5.x Custom Signature By Using the Signature Wizard

Creating Signature Variables for 5.x Devices

Signature variables are available beginning with Cisco Intrusion Prevention System 5.x. You use signature variables when you need to define the same value in more than one signature. When you need to update the value of a signature variable, all signatures that use that variable are also updated.

Signature variables have a Name, Type, and Value.

Only two types of signature variables are defined in Cisco Intrusion Prevention System 5.x:

ip-addr-range—An IP address range.

web-ports—A valid port.

Only one signature variable is defined in IPS MC. The name of that signature variable is WEBPORTS. The Type associated with WEBPORTS is web-ports.

You can create variables, update the value of any variable (including the WEBPORTS variable), and delete any variable (except for the WEBPORTS variable).

To create a signature variable for a 5.x device or group of devices, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a 5.x device or group of devices for which you want to create signature variables.

Step 3 In the TOC, under Signatures, select Signature Variables.

The Signature Variables Summary Table page appears.

Step 4 To add a signature variable, click Add.

The Add signature variable page appears.

Step 5 Enter the variable name.

Step 6 Select the type of variable from the Type list.

Step 7 Enter the variable value (for example, the IP address range).

Step 8 Click OK.

The Signature Variables table shows details of the new variable.


Note The Source column indicates the scope of the variable's application.


Step 9 To edit a signature variable, select the check box next to a single signature variable, click Edit, and edit values as required. Then click OK.

Step 10 To delete signature variables, select the check box next to one or more signature variables, and then click Delete.


Editing Signatures for 5.x Devices

Configuring signatures for 5.x devices consists of two categories: editing and tuning. Editing consists of enabling or disabling the signature, setting its severity, and similar configurations.

You can configure signatures at the group level or at the device level. You can configure the following properties of 5.x signatures:

Enable—Configures the sensor to scan network traffic for that particular signature and to generate an alarm when an attack is detected. Disabling a signature causes the sensor to disregard any network traffic that displays the signature.

Retire—Removes the signature from the signature micro-engine.


Note You can enable a signature that is retired, but it then is not used to scan traffic, because it is not in the signature micro-engine. If you want a sensor to scan network traffic for a particular signature, you must enable it and not retire it.


Activate—Changes the value in the Retired field from No to Yes.

Sig Fidelity Rating (SFR)—Identifies the weight associated with how well this signature might perform in the absence of specific knowledge of the target. This rating can be any number from 0 to 100, with 100 indicating the most confidence in the signature.

Severity—Categorizes the attack. The severity setting is used in Event Viewer in Security Monitor to distinguish among the types of attacks being logged.

Action—Determines the action or actions the sensor will take, in addition to generating an alarm, when it detects an attack.

Signature Name—Used when adding a new signature (not used for all categories and groupings of signatures).

You cannot edit the following properties of 5.x signatures:

Signature ID—The ID of the signature, which is generated by IPS MC (used only for custom signatures).

Subsig ID—Specifies the subsignature ID (not used for all signatures). For example, every string-matching signature has a subsignature ID, which is generated by IPS MC. Also, every ACL violation signature has a subsignature ID, which is generated by IPS MC. When you create an ACL violation signature, the Subsig ID field is populated with a value that is greater by 1 than the subsignature having the highest number in the list.

Some signatures have special characteristics:

Built-in signatures cannot be added, deleted, or renamed, because they are provided with the sensor software.

The information for built-in signatures, such as their names and IDs, reflects how it is recorded in the Cisco Network Security Database (NSDB). To view the NSDB from the Signatures page, click a signature ID, such as 2000, in the ID column. The entries in the ID column are hyperlinks to the NSDB.

No custom signatures are provided with a new 5.x sensor. You can create custom signatures and modify any existing custom signatures. However, you cannot create a custom signature that has the same ID as another custom signature.

Some signatures have special requirements. For example, to configure a sensor to detect ACL violation signatures, you must first configure one or more Cisco IOS routers to log ACL violations. Then, you must configure those routers to communicate with the sensor. Finally, you must configure the sensor to accept syslog traffic from those routers.
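The variable and signature rules stated in the two sections above (Creating Signature Variables and Editing Signatures) are easy to get wrong from the GUI alone: a variable update must reach every signature that uses it, WEBPORTS can be changed but never deleted, an enabled signature that is also retired scans nothing, the fidelity rating is bounded to 0..100, and a new subsignature takes the highest existing Subsig ID plus one. The following Python model is an added example, not IPS MC code. Its assumptions are constructed: a parameter references a variable as $NAME, a web-ports value is a comma-separated list of ports or port ranges, an ip-addr-range value is "A.B.C.D-E.F.G.H" or a single address, WEBPORTS starts with a placeholder value of "80" because the guide does not give its default, and a signature with no subsignatures yet starts at Subsig ID 0.

```python
"""Signature variables and signature editing state for 5.x devices (added example, not IPS MC code)."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

SEVERITIES = ("informational", "low", "medium", "high")


def _valid_port(text: str) -> bool:
    return text.isdigit() and 1 <= int(text) <= 65535


def valid_value(vtype: str, value: str) -> bool:
    """Check a variable value against its type: web-ports or ip-addr-range (formats assumed)."""
    if vtype == "web-ports":
        for item in value.split(","):
            lo, _, hi = item.strip().partition("-")
            if not _valid_port(lo):
                return False
            if hi and (not _valid_port(hi) or int(hi) < int(lo)):
                return False
        return True
    if vtype == "ip-addr-range":
        lo, _, hi = value.partition("-")
        try:
            first = ip_address(lo.strip())
            last = ip_address(hi.strip()) if hi else first
        except ValueError:
            return False
        return first.version == last.version and last >= first
    return False


@dataclass
class SignatureVariable:
    name: str
    type: str            # "ip-addr-range" or "web-ports"
    value: str


class VariableStore:
    """Variables of one device or group; WEBPORTS is predefined and cannot be deleted."""

    def __init__(self):
        # "80" is a constructed placeholder; the guide does not state the real default.
        self._vars = {"WEBPORTS": SignatureVariable("WEBPORTS", "web-ports", "80")}

    def get(self, name: str):
        return self._vars.get(name)

    def add(self, var: SignatureVariable) -> bool:
        if var.name in self._vars or not valid_value(var.type, var.value):
            return False
        self._vars[var.name] = var
        return True

    def update(self, name: str, value: str) -> bool:
        var = self._vars.get(name)
        if var is None or not valid_value(var.type, value):
            return False
        var.value = value    # every signature that references $name now sees the new value
        return True

    def delete(self, name: str) -> bool:
        if name == "WEBPORTS" or name not in self._vars:
            return False
        del self._vars[name]
        return True

    def resolve(self, text: str) -> str:
        """Substitute $NAME references; unknown names are left as written."""
        return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)",
                      lambda m: self._vars[m.group(1)].value if m.group(1) in self._vars else m.group(0),
                      text)


@dataclass
class Signature:
    sig_id: int
    subsig_id: int
    name: str
    enabled: bool = True
    retired: bool = False
    sfr: int = 75                                  # Signature Fidelity Rating, 0..100
    severity: str = "medium"
    actions: set = field(default_factory=set)
    params: dict = field(default_factory=dict)     # engine parameters, may contain $VARS

    def scans_traffic(self) -> bool:
        """A retired signature is not in the micro-engine, so enabling it alone does nothing."""
        return self.enabled and not self.retired

    def set_fidelity(self, rating: int) -> bool:
        if not 0 <= rating <= 100:
            return False
        self.sfr = rating
        return True

    def set_severity(self, severity: str) -> bool:
        if severity not in SEVERITIES:
            return False
        self.severity = severity
        return True


def effective_params(sig: Signature, store: VariableStore) -> dict:
    """Parameters with variable references replaced by their current values."""
    return {k: store.resolve(str(v)) for k, v in sig.params.items()}


def next_subsig_id(signatures: list, sig_id: int) -> int:
    """Highest existing Subsig ID for this signature plus one (0 when none exist, by assumption)."""
    existing = [s.subsig_id for s in signatures if s.sig_id == sig_id]
    return max(existing) + 1 if existing else 0
```

Resolving variables at evaluation time, rather than copying the value into each signature, is what makes a single update to WEBPORTS reach every signature that uses it, which is the behaviour the guide describes.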

To edit a signature for a 5.x device, follow these steps:


Step 1 Navigate to the Signatures page and select a signature to edit:

a. Select Configuration > Settings.

b. Click the Object Selector handle.

c. In the Object Selector, select the sensor for which you want to edit a signature.

The Object Selector closes.

d. In the TOC, select Signatures > IPS 5.x.

The Signatures page appears, and the Object bar displays the sensor you selected in the Object Selector.

The Group by list box displays the Signature ID category. You can also use the Group by list box to sort the list to display the L2/L3/L4 Protocol Signatures, Service Signatures, Attack Signatures, and OS Signatures categories.

The Signature ID category contains the groupings Built-in and Custom. "Built-in" means all signatures other than those that you create.

e. Continue using the categories and groupings to select a signature to configure.


Tip You can filter the display of the signature table. Using the Filter Source list, select any of the displayed columns as the filter source. Next, enter a value in the adjacent field and click Filter. For example, select Severity in the list box and enter the value High in the adjacent field. When you click Filter, the signature table displays all signatures that have a high severity. Clearing the search string or entering the wildcard character ("*") cancels filtering. This filter is not the same as Filters in the Configuration > Settings TOC.


Step 2 To enable or disable all signatures in a particular grouping, follow these steps:

a. In the category you want, such as Signature ID for 5.x sensors, select a grouping, such as Service.

b. To enable all the signatures in, for example, the DHCP group, click Enable. By default, the most critical signatures are enabled when you install IPS MC.

Step 3 To restore signature settings and tunings to their factory defaults, select one or more signatures and click Restore.

Step 4 To edit one or more signatures in a particular grouping, follow these steps:

a. In the category you want, such as Signature ID for 5.x sensors, select a group such as Service from the Group by list box.

The Signature(s) in Group page appears, and the Object bar displays the group name and sensor name.

b. Select the check box next to the signature that you want to edit. (Edit in this context means to enable, retire, set the Signature Fidelity Rating, set the severity, and select an action.)


Tip You can select more than one check box, but you cannot configure as many properties if you do.



Tip You can select all signatures by selecting the check box in the heading of the signature table. Also, you can sort a column by clicking the column header.


c. Click Edit.

The Edit Signature(s) page shows the name of the signature that you selected. Depending upon the category and grouping of signature that you are configuring, the Edit Signature(s) page has different fields.

d. To edit a signature name (not possible for all categories and groupings of signatures), make changes in the Signature field.


Note A module is available for Cisco 2600/3600 IOS routers. We do not recommend that you enable all signatures on these modules. Doing so may affect performance and functionality, as there is only 512 MB of RAM on that system.


e. To disable a signature that is enabled, deselect the Enable check box. To enable a signature that is disabled, select the Enable check box.

f. To activate a signature that is retired, deselect the Retire check box. To retire a signature that is active, select the Retire check box.

g. To change the severity of a signature, use the Severity list box. You can select one of the following values for each signature:

Info—Categorizes an event that is the result of standard activity on your network.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in the Event Viewer in Security Monitor.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in the Event Viewer in Security Monitor.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in the Event Viewer in Security Monitor.

h. To specify the action (or actions) that you want the sensor to take upon detecting a particular attack, select one or more of the Actions check boxes.

i. To accept your changes and close the Edit Signature(s) page, click OK.

The Signature(s) in Group page shows the changes that you just made.

Step 5 To add a signature, follow these steps:

a. In the category Signature ID for 5.x sensors, select Custom.

The Signature(s) in Group page appears, and the Object bar displays the group name and sensor name. The Signature Group list displays Custom.

b. Click Add.

The Signature Wizard Welcome page appears. See Adding a 5.x Custom Signature By Using the Signature Wizard.


Tuning Signatures for 5.x Devices

Configuring signatures for 5.x devices consists of two categories: editing and tuning. Tuning consists of changing the signature micro-engine parameters.

Some signatures can be tuned. You can tune signatures at the group level or at the device level. Tuning signatures at the group level can be complex, because a group can contain sensors of any version. If you need to tune a signature at the group level, and the group involved has different micro-engines, the IDS MC GUI displays a context to you. The context uniquely identifies a grouping of signature versions and a signature micro-engine.

To tune a signature for a 5.x device, follow these steps:


Step 1 Navigate to the Signatures page and select a particular signature to tune:

a. Select Configuration > Settings.

b. Click the Object Selector handle.

c. In the Object Selector, select the sensor for which you want to tune a signature.

The Object Selector closes.

d. In the TOC, select Signatures > IPS 5.x.

The Signatures page appears, and the Object bar displays the sensor you selected in the Object Selector.

Notice that the Group by list box displays the Signature ID category. You can also use the Group by list box to display the L2/L3/L4 Protocol Signatures, Service Signatures, Attack Signatures, and OS Signatures categories.

The Signature ID category contains the groupings Built-in and Custom. "Built-in" means all signatures other than those that you create.

e. Continue using the categories and groupings to select a signature to tune.


Tip You can filter the display of the signature table. Using the Filter Source list, select any of the displayed columns as the filter source. Next, enter a value in the adjacent field and click Filter. For example, select Severity in the list box and enter the value High in the adjacent field. When you click Filter, the signature table displays all signatures that have a high severity. Clearing the search string or entering the wildcard character ("*") cancels filtering. This filter is not the same as Filters in the Configuration > Settings TOC.


Step 2 To tune a particular signature:


Note Not all signatures can be tuned. If a particular signature does not have an entry in the Engines column, that signature cannot be tuned. Also, signatures that use the engine named Other cannot be tuned.


a. In the category you want, such as Signature ID for 5.x sensors, select a grouping, such as Service.

b. Select the Engine Name corresponding to the signature that you want to tune.

The Tune Signature page appears, showing the name of the signature that you selected. On this page, for the engine that you selected, you can edit parameters or set them to their defaults.

Checking the Override check box retrieves the built-in (default) micro-engine parameter information for the signature that you are tuning; in this way micro-engine parameter information is not retrieved from the group that the device is in. You can then adjust the defaults if needed. Only deviations from the built-in micro-engine parameter information are saved by IPS MC, because only such deviations need to be saved.

The individual defaults for the built-in micro-engine parameters are indicated by green squares. Values that you select are indicated by red diamonds.

You can restore a tuned parameter's value by clicking on the red diamond. The default value will be displayed, and the icon will change to a green square.

c. To accept your changes and close the Tune Signature page, click OK.

The Signature(s) in Group page appears.


Setting Miscellaneous Signature Parameters for 5.x Devices

Miscellaneous signature parameters for 5.x devices are set at the global, group, or device level. You control the inheritance of parameters by using the Override and Mandatory settings, as applicable.

For information on defining reassembly settings for 4.X sensors supported by IPS MC, see Specifying Reassembly Options for a 4.x Sensor.

For information on defining reassembly settings for IOS IPS devices supported by IPS MC, see Specifying Reassembly Options for an IOS IPS Device.

To set miscellaneous signature parameters for 5.x devices, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the Object Selector, select a 5.x device or group of devices for which you want to set miscellaneous signature parameters.

Step 3 In the TOC, under Signatures, select Miscellaneous (IPS 5.x).

Step 4 To enable the parameters you set for a particular group or device to override the settings made at a higher group level, select the Override check box at the bottom of the table.

Step 5 If you have selected a group, you can enable the parameters you set to be mandatory for all lower level groups and devices (children). To set the parameters as mandatory, select the Mandatory check box at the bottom of the table.

Step 6 To set Application-Policy parameters, follow these steps:

a. Select either Yes or No from the Enable HTTP list box.

b. In Max HTTP Requests, enter an integer from 1 to 16 to specify the maximum number of HTTP requests allowed.

c. List the AIC Web Ports. You can list multiple ranges as comma-separated values.

d. Select either Yes or No from the Enable FTP list box.

Step 7 Under Fragmentation-Reassembly, set the IP Reassembly Mode. Choices include the following:

nt

solaris

linux

bsd

Step 8 Under Stream Reassembly, select either Yes or No from the TCP Handshake Required list box.

Step 9 Also under Stream Reassembly, select the TCP Reassembly Mode setting. Choices include the following:

strict

loose

asym

Step 10 To set IP Log parameters, follow these steps:

a. Enter a Max IP Log Packets value from 0 to 65535.

b. Enter an IP Log Time as a number of seconds from 30 to 300.

c. Enter a Max IP Log Bytes value from 0 to 2147483647.

Step 11 Click Apply.


Tip Alternatively, you can click Reset to reset all parameters to their previous settings.
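The Override and Mandatory check boxes govern the Miscellaneous (IPS 5.x) page above, the Global Parameters page (Max Open IP Log Files, 20 to 100) earlier in this chapter, and the signature tuning page, which additionally stores only deviations from the built-in micro-engine defaults. The following Python model is an added example, not IPS MC code, and encodes those rules plus the value ranges the guide lists for each parameter: a level that selects Override supplies its own values, a group that selects Mandatory stops every level below it from overriding, and a value set back to its default is simply dropped from what is persisted. The level names, the BUILTIN defaults and the sample values are constructed placeholders; the guide gives the permitted ranges but not the defaults.

```python
"""Override/Mandatory inheritance across global, group and device levels (added example, not IPS MC code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder defaults; the guide gives permitted ranges, not defaults.
BUILTIN = {
    "enable_http": "No", "max_http_requests": 10, "aic_web_ports": "80", "enable_ftp": "No",
    "ip_reassembly_mode": "nt", "tcp_handshake_required": "Yes", "tcp_reassembly_mode": "strict",
    "max_ip_log_packets": 1000, "ip_log_time": 30, "max_ip_log_bytes": 0,
    "max_open_ip_log_files": 20,        # Analysis Engine > Global Parameters, 20..100
}

# Permitted values taken from the guide; `int in range` is an O(1) check.
RULES = {
    "max_http_requests": range(1, 17),
    "max_ip_log_packets": range(0, 65536),
    "ip_log_time": range(30, 301),
    "max_ip_log_bytes": range(0, 2147483648),
    "max_open_ip_log_files": range(20, 101),
    "ip_reassembly_mode": ("nt", "solaris", "linux", "bsd"),
    "tcp_reassembly_mode": ("strict", "loose", "asym"),
    "enable_http": ("Yes", "No"), "enable_ftp": ("Yes", "No"), "tcp_handshake_required": ("Yes", "No"),
}


def check_value(name: str, value) -> bool:
    """True when `value` is acceptable for parameter `name`."""
    if name not in BUILTIN:
        return False
    rule = RULES.get(name)
    if rule is None:                     # free-form text such as the AIC web port list
        return isinstance(value, str) and value != ""
    if isinstance(rule, range):
        return isinstance(value, int) and not isinstance(value, bool) and value in rule
    return value in rule


@dataclass
class Level:
    name: str
    parent: Optional["Level"] = None      # None marks the global level
    override: bool = False
    mandatory: bool = False
    deviations: dict = field(default_factory=dict)   # only values that differ from BUILTIN

    def set_values(self, values: dict) -> list:
        """Store values that differ from BUILTIN; return the names that failed check_value."""
        rejected = []
        for name, value in values.items():
            if not check_value(name, value):
                rejected.append(name)
            elif value == BUILTIN[name]:
                self.deviations.pop(name, None)      # back to default: nothing to persist
            else:
                self.deviations[name] = value
        return rejected

    def locked_by(self) -> Optional[str]:
        """Name of the nearest ancestor whose Mandatory setting blocks Override here, else None."""
        node = self.parent
        while node is not None:
            if node.mandatory:
                return node.name
            node = node.parent
        return None

    def resolve(self) -> dict:
        """Effective value and its source level for every parameter, walking global -> device."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        result = {name: (value, "built-in") for name, value in BUILTIN.items()}
        for node in reversed(chain):
            # The global level always applies; below it, Override counts only when
            # no ancestor has Mandatory set.
            if node.parent is None or (node.override and node.locked_by() is None):
                for name, value in node.deviations.items():
                    result[name] = (value, node.name)
        return result

    def effective(self) -> dict:
        return {name: value for name, (value, _) in self.resolve().items()}
```

The source level that `resolve` records for each parameter corresponds to what the Prop Src and Param Src columns show in the Signature(s) in Group table: it tells you whether a value came from the built-in defaults, from the global level, from a group, or from the device itself.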



Adding a 5.x Custom Signature By Using the Signature Wizard

You can create custom signatures using the Signature Wizard. The Signature Wizard creates custom signatures at the device level, not at the group level.

To use the Signature Wizard, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the 5.x sensor for which you want to create a custom signature.

The Object Selector closes.

Step 4 In the TOC, select Signature Wizard > IPS 5.x.

The Signature Wizard welcome page appears.

Step 5 Click Start the Wizard.

a. Select either Engine Type or Protocol Type as the type of signature you want to create.

The Select Engine drop-down list appears.

b. Select the engine that you want from the drop-down list and then click Next>.

The Signature Identification page appears.

c. Enter the signature name in the Signature Name field and then click Next>.

The Alert Response page appears.

d. To specify whether the new signature is enabled, select either Yes or No from the Enable drop-down list.

e. Enter the signature fidelity rating in the Signature Fidelity Rating field.

f. Select the Severity of the Alert from the drop-down list. Choices include high, medium, low, and informational.

g. Select the action or actions that should be taken from the Event Action list. Then click Next>.


Tip You can press and hold the Ctrl key while selecting, to select more than one Event Action from the list.


The Summary page appears.

h. Review the Summary to verify that the new custom signature has been specified correctly.

i. Click Finish>.

The system displays a message that notifies you that the signature has been successfully created.

j. Click OK to acknowledge and close the message.

Step 6 Verify that the new custom signature has been specified correctly:

a. Select Configuration > Settings.

b. In the TOC, select Signatures.

c. On the Signatures page, select the sensor version, IPS 5.x.

d. In the Select Group list box, select Custom.

e. Confirm the appearance of the new custom signature in the list, which signifies that it was added.


Configuring IOS IPS Sensor Settings

This section details settings you can configure for IOS IPS devices supported by IPS MC.

The minimum configuration requirements for IPS MC to successfully generate a configuration for an IOS IPS device include the following:

One signature selected.

One rule configured.

This section contains the following topics:

Using Signature Definition Files (SDFs) in IOS IPS Devices

Defining Identification Properties for an IOS IPS Device

Using Signatures in IOS IPS Devices

Specifying IOS IPS Rules

Identifying Different Ports to be Monitored by IOS IPS Devices

Specifying IOS IPS General Properties

Specifying IOS IPS SDEE Properties

Defining Filters for an IOS IPS Device

Specifying Reassembly Options for an IOS IPS Device

Using Signature Definition Files (SDFs) in IOS IPS Devices

Beginning with version 2.2, IPS MC supports Signature Definition Files (SDFs) for IOS IPS devices from 12.3(8)T and later. SDFs are predefined sets of signatures that can be manually imported or automatically downloaded from CCO.

The SDFs have been developed as a convenient way to select and load the most vital signatures. SDF files on CCO are updated on a bi-weekly basis to address potential new threats. IPS MC comes with the most recent SDF files at the time of release.

IOS can support more than 1400 signatures, which is more than the memory of a router can accept. The SDFs, which are regularly updated by Cisco engineers, offer a convenient way to select and load the most vital signatures. Currently there are three SDFs that you can choose from, each designed according to the DRAM capacity of your routers. Choices include the following:

UNSET—The SDF type is not set.

ATTACK-DROP—For routers with 64MB of DRAM

256MB—For routers with 256MB of DRAM

128MB—For routers with 128MB of DRAM


Note The 128MB and 256MB SDFs require an IOS IPS 2.001 engine, or later.



Warning IPS MC does not include memory management functionality for IOS IPS devices.


You set the SDF file choice from the Identification screen. For more information on this setting see Defining Identification Properties for an IOS IPS Device.

You download the SDFs from CCO the same way you download other signature files and that can be done manually or automatically. The site on CCO to locate the files is http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-sigup. For more information on downloading the files, see Downloading Update Files Automatically, page 8-15.

After you have loaded one or more SDFs into the IPS MC database, you can select, unselect, and modify signatures in accordance with your network requirements and deploy the resultant signature definitions to multiple routers. Also, you can copy SDF settings from one device to another. For more information see Copying Configuration Settings.

You can set IPS MC to download SDFs from CCO automatically. If you view a router in the Object Selector that has an SDF type set but does not have the most recent SDF file deployed to it, its icon appears yellow, and the yellow tooltip box indicates the newer version available, for example:

After you have successfully configured, generated, and deployed the new SDF file to the device, the yellow icon returns to blue.

Defining Identification Properties for an IOS IPS Device

You can change the properties of an IOS IPS device that you have already added to your network. However, you cannot change all properties.

To define identification properties for an IOS IPS device, follow these steps:


Step 1 Select Configuration > Settings.

The Settings page and TOC appear.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device for which you want to define identification properties.

The Object Selector closes.

Step 4 In the TOC, select Identification.

The Identification page shows the sensor properties, and the Object bar displays the sensor you selected in the Object Selector.

Step 5 To determine which version of sensor software is installed on the sensor, click Query Sensor; this action updates the information displayed by the Identification page, if necessary.


Note If you then click Apply, and the queried version is different from the current version, the configuration is upgraded to the new version. If you click Cancel, no changes are applied.


Step 6 On the Identification page, make any desired changes to the values in the IP Address, Sensor Name, and Comment fields. You can change the group that the sensor belongs to by using the Group list box. You cannot change the value in the Version field on this page.

Step 7 Use the SDF Type list box to set or change the pre-built SDF type for this IOS IPS device. The choices may differ according to the DRAM capacity of your routers (128MB and 256MB SDFs are listed only for devices with versions 2.001 or greater). Options for the SDF Type may include the following:

UNSET—The SDF type is not set.

128MB—For routers with 128MB of DRAM

256MB—For routers with 256MB of DRAM

ATTACK-DROP—For routers with 64MB of DRAM

The following dialog window appears:


Tip You can view signature properties from the Signature(s) in Group table. In particular, by looking at the Prop Src and Param Src columns on that page, you can determine the source of a signature's editing and tuning information.



Tip For more information on SDF support, see Using Signature Definition Files (SDFs) in IOS IPS Devices.


Step 8 Do one of the following:

a. To discard any signature tuning information on the selected device(s) for signatures contained by the SDF, click OK.


Caution If you click OK to accept the SDF change, the tuning information for this device is discarded when you apply the change, and the SDF settings overwrite any signature tuning information on the device(s).

b. To prevent signature tuning information on the selected device(s) from being overwritten by the signature configurations contained in the SDF, click Cancel.

Step 9 If an SSH key already exists on the IPS MC server, selecting the Use Existing SSH Keys check box forces IPS MC to use the existing key.


Caution If the SSH key changes on the router, and the Use Existing SSH Keys check box is selected, IPS MC cannot communicate with the router.

Step 10 To discard your changes and restore the previous settings, click Reset and skip the rest of this procedure.

Step 11 To save your changes, click Apply.


Note Your changes will have no effect until you save them to the database.


Step 12 To see the identification properties you just changed, select Configuration > Pending.

The Pending page shows the device whose identification properties you just changed:

Step 13 To delete a pending configuration without saving it to the database, select the check box for the configuration that you want to delete and click Delete.

Step 14 To save a pending configuration to the database, select the check box for the configuration that you want to save and click Save.


Using Signatures in IOS IPS Devices

You can configure and tune IOS IPS signatures and you can use the signature wizard to add a custom IOS IPS signature.

This section contains the following topics:

Configuring and Tuning Signatures for IOS IPS Devices

Adding an IOS IPS Custom Signature By Using the Signature Wizard

Configuring and Tuning Signatures for IOS IPS Devices

You can configure signatures at the group level or at the device level. You can configure the following properties of IOS IPS signatures:

Signature—You can assign a signature name when creating a custom signature. (Signature names cannot be changed.)

Enable—Enables the sensor to monitor network traffic for that particular signature. Disabling a signature causes the sensor not to take action if the signature is detected in monitored network traffic.

Severity—Categorizes the attack. The severity setting is used in Event Viewer in Security Monitor to distinguish among the types of attacks being logged.

Selected—Directs IPS MC to take the following actions during deployment of an IOS IPS device:

Signatures that are selected (marked "yes") are deployed to the IOS IPS device.

Signatures that are not selected (marked "no") are not deployed to the IOS IPS device.


Caution When configuring an IOS IPS device, select only the signatures that you need. If you select all signatures that are available in IPS MC, the IOS IPS device may fail to load the signatures, or its performance may be significantly degraded.

Actions—Determines the action or actions the sensor will take, in addition to generating an alarm, when it detects an attack.

Properties that you cannot configure include the following:

Signature ID—A Cisco-defined number that uniquely identifies a signature. (IPS MC automatically assigns the Signature ID for custom signatures).

Subsig ID—Specifies the subsignature ID. Subsignatures are closely related signatures: each subsignature is a unique signature, but the subsignature ID allows the closely related signatures to be grouped together.

Some signatures can be tuned. Tuning signature parameters should not be confused with tuning sensor configurations.


Note Whenever you tune signature parameters you may be adding to the amount of memory consumed on the device.


Tuning signatures at the group level can be complex, because a group can contain sensors of any version. If you need to tune a signature at the group level, and the group involved has different micro-engines, the IDS MC GUI displays the Signature Context field at the top of the signature page. The context uniquely identifies a combination of signature version and signature micro-engine. An example of a Signature Context listing is shown in the figure that follows:

Some signatures have special characteristics:

Built-in signatures cannot be added, deleted, or renamed, because they are provided with the sensor software itself.

The information for built-in signatures, such as their names and IDs, appears as it does in the Cisco Network Security Database (NSDB). To view the NSDB from the Signatures page, click a signature ID, such as 2000, in the ID column. The entries in the ID column are hyperlinks to the NSDB.

No custom signatures are provided with a new IOS IPS device. You can create custom signatures and modify any existing custom signatures. However, you cannot create a duplicate custom signature. A duplicate custom signature is defined as a custom signature with the same ID as another custom signature.

Signatures for IOS IPS devices have special characteristics. The built-in signature set in IPS MC (which has a number of signatures that is based on the latest signature update to the IPS MC server) and the built-in signature set on IOS IPS devices (the number of which varies with the particular device) are different.

To configure an IOS IPS signature, follow these steps:


Step 1 Navigate to the Signatures page and select a signature to configure:

a. Select Configuration > Settings.

b. Click the Object Selector handle.

c. In the Object Selector, select the IOS IPS device for which you want to configure a signature.

The Object Selector closes.

d. In the TOC, select IOS IPS under the heading Signatures.

The Signatures page appears, and the Object bar displays the IOS IPS device that you selected in the Object Selector.

The Group by list box displays the Signature ID category. You can also use the Group by list box to display signatures by Engine, L2/L3/L4 Protocol, Service, Attack, OS, or Releases.

For IOS IPS devices, the Select Group list box contains the groupings Built-in and Custom. "Built-in" refers to all signatures other than those that you create.

e. Continue using the categories and groupings to display a signature or group of signatures you want to edit.


Tip You can filter the display of the signature table. Using the Filter Source list, select any of the displayed columns as the filter source. Next, enter a value in the adjacent field and click Filter. For example, select Severity in the list box and enter the value High in the adjacent field. When you click Filter, the signature table displays all signatures that have a high severity. Clearing the search string or entering the wildcard character ("*") cancels filtering. This filter is not the same as Filters in the Configuration > Settings TOC.


Step 2 Select the check boxes next to the signature or signatures that you want to edit. Edit in this context means to enable or disable, set severity, and select an action.


Tip You can select more than one check box, but you cannot configure as many properties if you do.



Tip You can select all signatures by selecting the check box in the heading of the signature table. Also, you can sort a column by clicking the column header.


a. Click Edit.

The Edit Signature(s) page appears.

b. Click the Override check box at the bottom of the Edit Signatures table.

c. To disable a signature that is enabled, deselect the Enable check box. To enable a signature that is disabled, select the Enable check box.

d. To change the severity of a signature, use the Severity list box. You can select one of the following values for each signature:

Info—Categorizes an event that is the result of standard activity on your network.

Low—Categorizes the attack as mildly severe. These attacks are shown with a green icon in the Event Viewer in Security Monitor.

Medium—Categorizes the attack as moderately severe. These attacks are shown with a yellow icon in the Event Viewer in Security Monitor.

High—Categorizes the attack as highly severe. These attacks are shown with a red icon in the Event Viewer in Security Monitor.

e. To specify the action (or actions) that you want the sensor to take upon detecting a particular attack, select one or more of the items from the Actions list box (for example, alarm).


Tip Hold the CTRL key to enable the selection of more than one Action item.



Note Some actions are not available to certain versions of sensor software.


f. To accept your changes and close the Edit Signature(s) page, click OK.

The Signature(s) in Group page appears, showing the changes that you just made.

Step 3 To tune a particular signature, follow these steps:

a. Select a signature.

b. Click Tune.

The Tune Signature page appears, showing the name of the signature that you selected. On this page, for the associated engine, you can edit parameters or set them to their defaults.

c. To accept your changes and close the Tune Signature page, click OK.

The Signature(s) in Group page appears.


Adding an IOS IPS Custom Signature By Using the Signature Wizard

You can create custom signatures using the Signature wizard. The Signature wizard creates custom signatures at the device level, not at the group level.

To use the Signature Wizard, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device for which you want to create a custom signature.

The Object Selector closes.

Step 4 In the TOC, select Signature Wizard > IOS IPS.

The Signature Wizard page appears, and the Object bar displays the sensor you selected in the Object Selector.

Step 5 Select Start the Wizard.

The Signature Wizard takes you through a number of pages to create a custom signature. These vary according to the choices you make and may include:

Signature Type

Signature Identification

Engine (also called signature micro-engine)

Engine parameters, which are different for different engines

TCP Packet Signature

UDP Packet Signature

Alert Response Actions

Alert Behavior

Advanced Alert Behavior

Summary

If the signature summary displays the correct details for the new custom signature, select Finish.

Step 6 To verify that the new custom signature has been added correctly, follow these steps:

a. Select Configuration > Settings.

b. In the TOC, select Signatures > IOS IPS.

c. In the Select Group list box, select Custom.

d. Confirm the appearance of the new custom signature in the list, which signifies that it was added.


Specifying IOS IPS Rules


Caution Entering an Access Control List (ACL) on the IPS Rules page identifies the ACL name or number only. It does not create the ACL. To create the ACL, use the command line on the IOS IPS device that you are configuring. If you enter an ACL name or number and deploy the configuration while no corresponding ACL exists in the router, IOS IPS does not monitor any traffic.

To create an IOS IPS rule, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device for which you want to specify an IOS IPS rule.

The Object Selector closes.

Step 4 In the TOC, select IOS IPS Rules.

The IPS Rules page appears, and the Object bar displays the IOS IPS device that you selected in the Object Selector.

Step 5 To add an IOS IPS rule, click Add.

The Enter IPS Rules Details page appears.

Step 6 Enter the required data.


Note You must click Query Interface before you create an IPS rule; otherwise, the Interface drop-down list is empty. This note applies only to devices that are added with default settings; if the device is imported into IPS MC, the interfaces are already populated.


Step 7 To discard your changes and close the Enter IPS Rules Details page, click Cancel.

Step 8 To save your changes and close the Enter IPS Rules Details page, click OK.


Identifying Different Ports to be Monitored by IOS IPS Devices

When using IOS IPS devices supported by IPS MC, you can specify different ports to be monitored for specific network protocols. This process is known as port mapping. IOS IPS port mapping is similar to the port mapping used by sensors operating with version 4.x of IDS sensor software.

Port mapping enables you to specify the port numbers that IOS IPS devices monitor for FTP-, HTTP-, SMTP-, DNS-, and SUNRPC-based attacks.


Caution Entering an ACL on the IOS IPS Port Mapping page identifies the ACL number only. It does not create the ACL. To create the ACL, use the command line on the IOS IPS device that you are configuring. If you enter an ACL number and deploy the configuration while no corresponding ACL exists in the router, this command has no effect.

To identify different ports to be used by IOS IPS devices, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device for which you want to identify a different port.

The Object Selector closes.

Step 4 In the TOC, select IOS IPS Port Mapping.

The IOS IPS Port Mapping page appears.

Step 5 On the IOS IPS Port Mapping page, you can add, edit, or delete ports that are different from the defaults for specific protocols.


Specifying IOS IPS General Properties

IOS IPS devices have some general properties that you can define. These include the following:

Engine Fail Closed—When a signature engine already exists in the router, IOS IPS continues to inspect packets while it compiles a new engine. If the compilation fails, IOS IPS keeps inspecting packets with the existing engine. When no signature engine exists in the router yet and the compilation fails, the result depends on the Enable Engine Fail Closed check box: if it is not selected (the default), the router permits the packets that are configured to be inspected by the engine; if it is selected, the router drops all packets that are configured to be inspected by the engine.

Enable Built-In Signatures—If you select the Built-in Signatures check box, the IOS IPS device loads the built-in signatures if it cannot load or compile the signature definition file (SDF).

To specify general properties for an IOS IPS device, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device or group for which you want to specify general properties.

The Object Selector closes.

Step 4 In the TOC, select IOS IPS General Properties.

The IOS IPS General Properties page appears.

Step 5 If necessary, click the Override check box to activate the GUI.

Step 6 Select or deselect the Enable Engine Fail Closed check box.

Step 7 Select or deselect the Built-In Signatures check box.


Note We do not recommend that you enable Engine Fail Closed and disable Built-In Signatures because, if the SDF load fails, this configuration would stop the traffic through the interface in the direction on which the IPS rule is applied.


Step 8 Click Apply to save the settings. Alternatively, to restore any previous settings, you can click Reset.


Specifying IOS IPS SDEE Properties

Event management for IOS IPS devices is done using the Security Device Event Exchange (SDEE) protocol, which is also known as RDEP v2. This is important because Security Monitor uses SDEE in its collection system to pull events from IOS IPS devices. Also, IPS MC uses SDEE to query IOS IPS devices after deployment to verify that the deployment was successful.

To specify SDEE properties for an IOS IPS device, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the sensor or group for which you want to specify SDEE properties. (SDEE is available only for IOS IPS devices and groups having IOS IPS.)

The Object Selector closes.

Step 4 In the TOC, select Communications > IOS IPS SDEE Properties.

The IOS IPS SDEE Properties page appears.

Step 5 Specify a value for maximum subscriptions. Maximum subscriptions refers to the maximum number of concurrent SDEE subscriptions that are allowed.

Step 6 Specify a value for maximum events. Maximum events refers to the maximum number of SDEE events that can exist in the device event storage at a given instant.


Note If you set the maximum events parameter to a very low value, events in the IOS IPS device buffer can be overwritten before your monitoring software collects them. (IOS IPS devices use a circular buffer.) The maximum events parameter is a device setting; it takes effect on the device itself.



Defining Filters for an IOS IPS Device

Defining filters for an IOS IPS device is similar to defining filters for a sensor. As for sensors, filters for an IOS IPS device reduce the number of false positives reported by your IOS IPS device.

IOS IPS defines filters for a specific signature by applying an ACL. The IPS MC can apply a filter to a range of signatures.


Caution Entering an ACL on this page identifies the ACL name or number only. It does not create the ACL. To create the ACL, use the command line on the IOS IPS device that you are configuring. If you enter an ACL name or number and deploy the configuration while no corresponding ACL exists in the router, the filter has no effect.

To define a filter for an IOS IPS device, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device for which you want to define a filter. Specifying IOS IPS filters can be done only for IOS IPS devices (not groups).

The Object Selector closes.

Step 4 In the TOC, select IOS IPS Filters.

The IOS IPS Filters page appears.

Step 5 To add a filter, click Add.

The Filter Name page appears.

Step 6 In the Filter Name field, enter a name for the filter you are creating.

Step 7 In the Access Control List field, enter the designation of the ACL as it appears on the selected IOS IPS device.

Step 8 Click the Signatures link.

The Filter Signatures page appears.

Step 9 From the list of Available Signatures on the left side of the Enter Signatures table, select one or more signatures to be part of the filter and then click > Add >>.

The signatures appear in the Selected Signatures column on the right.


Tip You can reverse this step by selecting a signature and clicking << Remove <.


Step 10 When you have finished selecting signatures, click OK.

The Filter Name page reappears.

Step 11 Click OK.

The IOS IPS Filters page reappears, and the IOS Filters table lists the new filter.
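The cautions on the IPS Rules, IOS IPS Port Mapping and IOS IPS Filters pages all come back to the same point: IPS MC only references an ACL by name or number, and a rule, port map or filter whose ACL is missing on the router does nothing. The router-side configuration below is an added illustration, not taken from the guide or generated by IPS MC; the ACL numbers, rule name, interface and hosts are constructed, and the command syntax and the ACL semantics (permit = inspected, deny = exempt) are assumed to match the SDF-based IOS IPS releases this guide covers, so check them against your router's command reference.

```cisco
! Added example, not from the guide. Create the ACLs on the router FIRST;
! IPS MC never creates them, it only references them by name or number.
!
! Standard ACL 10 (number only, as the Port Mapping page requires):
! hosts exempt from the custom port mapping below (constructed addresses).
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Extended ACL 101: traffic the IPS rule inspects. Permitted traffic is
! inspected; in this example that is all IP traffic.
access-list 101 permit ip any any
!
! Extended ACL 102: ACL referenced by a filter on the IOS IPS Filters page.
! The denied host is exempt from the filtered signature; everyone else is inspected.
access-list 102 deny   ip host 10.1.1.50 any
access-list 102 permit ip any any
!
! IPS rule, as entered on the IPS Rules page (rule name MYIPS, ACL 101).
! If ACL 101 did not exist, IOS IPS would monitor no traffic at all.
ip ips name MYIPS list 101
!
! Filter: exempt the hosts denied by ACL 102 from signature 2000 (subsig 0),
! the signature ID the Signatures page uses as its example.
ip ips signature 2000 0 list 102
!
! Port mapping: treat TCP port 8080 as HTTP, except for hosts in ACL 10.
ip port-map http port 8080 list 10
!
! Apply the rule inbound on the monitored interface (constructed name).
! Direction matters: Engine Fail Closed blocks traffic only in this direction.
interface FastEthernet0/0
 ip ips MYIPS in
!
! Verify from the CLI that every referenced ACL actually exists.
show access-lists
show ip ips configuration
```

If show access-lists does not list an ACL that the IPS MC pages reference, fix the router before deploying, because the deployment itself reports no error for the missing list.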


Specifying Reassembly Options for an IOS IPS Device

As for sensors, the goal of defining reassembly settings for an IOS IPS device is to ensure that the IOS IPS device does not allocate all its resources to datagrams that cannot be completely reconstructed, either because the IOS IPS device missed some frame transmissions or because an attack is generating random fragmented datagrams.

These settings ensure that valuable system resources are not reserved for sessions that are no longer active. They apply, per specified router interface, to all traffic that the IOS IPS device inspects, not to individual signatures.

For IOS IPS devices, reassembly is specified for a particular interface, not for the entire device.

To specify reassembly options for an IOS IPS device, follow these steps:


Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the IOS IPS device for which you want to specify reassembly options.

The Object Selector closes.

Step 4 In the TOC, select IOS IPS Reassembly.

The IOS IPS Reassembly Options page appears.

Step 5 Click Edit to edit the current reassembly information stored by the IOS IPS device.


Note You must click Query Interface before you edit the current reassembly information stored by the IOS IPS device; otherwise, the Interface column is empty. This note applies only to devices that are added with default settings; if the device is imported into IPS MC, the interfaces are already populated.