Using Management Center for IDS Sensors 1.2

Tuning Sensor Configurations
Table of Contents

Tuning Sensor Configurations
    Task List for Tuning Sensor Configurations
    Specifying IP Fragment and TCP Session Reassembly Settings for a Sensor
    Identifying Additional Ports Used by Specific Signatures Applied to a Sensor
    Defining Filters for a Sensor
    Specifying Networks and Hosts that Should Never Be Blocked

Tuning Sensor Configurations

After configuring your sensors, you need to tune them to achieve optimal performance on your network, particularly to minimize false positives and false negatives.

Some legitimate network activity, such as virus scanning, can look like an attack on your network. When legitimate activity is reported as an attack, that report is called a false positive. More generally, a false positive is an instance of legitimate, expected network activity that is interpreted as an attack because it meets criteria that were specified, before the activity occurred, to identify an attack. A false negative is the opposite error: an attack that was not detected. Tuning your sensor configurations decreases both.

You can tune sensor configurations by using four general methods: Reassembly Options, Port Mapping, Never Block Addresses, and Filtering. All four appear in the TOC when you select Configuration > Settings in IDS MC.

Reassembly Options. You can specify reassembly options for IP fragments and TCP sessions. Specifying reassembly options prevents false negatives that occur because the sensor cannot reconstruct the datagram or session.

Port Mapping. When using IDSM devices supported by IDS MC, you can identify additional ports that a sensor signature should consider. This process is known as port mapping. Examples of such ports are those used by custom TCP services and those used by well-known services that you have reassigned to another port. Identifying additional ports is important because some sensor signatures are bound to specific port numbers: traffic for a service running on a port the signature does not know about is not inspected by that signature.

Never Block Addresses. You can identify hosts and networks that should be exempt from blocking. For example, your sensor configuration may include instructions to block the source of a particular attack whenever that attack is detected, and you may also have a trusted network device whose normal, expected behavior appears to be that attack (a false positive). In this situation, you can tune your sensor configuration so that the trusted device is never blocked. You still receive alarms if that attack is detected in traffic from other sources, and the sensor still blocks untrusted sources of the same attack. Note that the never block list only exempts the device from blocking; if you also want to stop the alarm that the trusted device generates, define a filter for that source (see Defining Filters for a Sensor).

Filtering. You can filter audit events, which reduces the number of false positives. You can set the minimum level of events that will be reported to you, and you can enable and disable alarms from specific hosts and networks. When using IDSM devices supported by IDS MC, you can define rules that prevent the sensor from generating alarms and audit event records for suspicious behavior in traffic originating from or destined to specific networks and hosts. You use the Filters page to define these rules.

Task List for Tuning Sensor Configurations

After configuring your sensors, you need to tune them. You can tune sensor configurations by performing any of the following tasks. For step-by-step procedures, refer to the corresponding section:

    Specifying IP Fragment and TCP Session Reassembly Settings for a Sensor
    Identifying Additional Ports Used by Specific Signatures Applied to a Sensor
    Defining Filters for a Sensor
    Specifying Networks and Hosts that Should Never Be Blocked

Specifying IP Fragment and TCP Session Reassembly Settings for a Sensor

The goal of defining these reassembly settings is to ensure that the sensor does not allocate all of its resources to datagrams that cannot be completely reconstructed, either because the sensor missed some frame transmissions or because an attack is deliberately generating random, never-completing fragmented datagrams. The same settings ensure that valuable system resources are not held for TCP sessions that are no longer active.
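To see why these limits matter, here is an added example (not code from the IDS MC documentation or the Cisco sensor itself): a toy IP fragment reassembly table that enforces Maximum Partial Datagrams, Maximum Fragments Per Datagram and Fragmented Datagram Timeout. The class and field names, the limit values and the sample fragments are assumptions made for this illustration. It runs a constructed fragment flood followed by a legitimate two-fragment datagram, once with a timeout and once without.

```python
# Added example, not code from the IDS MC documentation or product: a toy IP
# fragment reassembly table that enforces the bounds the Reassembly Options page
# exposes (Maximum Partial Datagrams, Maximum Fragments Per Datagram and
# Fragmented Datagram Timeout). Class and field names, limits and the sample
# fragments are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Partial:
    first_seen: float                       # time the first fragment arrived
    total_len: Optional[int] = None         # known once the last fragment (MF=0) arrives
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> payload

class Reassembler:
    def __init__(self, max_partial: int = 4, max_frags_per_dgram: int = 8,
                 timeout: float = 30.0):
        self.max_partial = max_partial        # Maximum Partial Datagrams
        self.max_frags = max_frags_per_dgram  # Maximum Fragments Per Datagram
        self.timeout = timeout                # Fragmented Datagram Timeout (seconds)
        self.table: Dict[Tuple[str, str, int], Partial] = {}  # (src, dst, ip_id)
        self.dropped = 0                      # datagrams the sensor gave up on

    def expire(self, now: float) -> int:
        """Free partial datagrams whose first fragment is older than the timeout."""
        stale = [k for k, p in self.table.items() if now - p.first_seen > self.timeout]
        for k in stale:
            del self.table[k]
        self.dropped += len(stale)
        return len(stale)

    def add(self, now: float, src: str, dst: str, ip_id: int,
            offset: int, more: bool, payload: bytes) -> Optional[bytes]:
        """Feed one fragment; return the rebuilt datagram once it is complete."""
        self.expire(now)
        key = (src, dst, ip_id)
        p = self.table.get(key)
        if p is None:
            if len(self.table) >= self.max_partial:
                self.dropped += 1      # table full: this datagram cannot be tracked
                return None
            p = self.table[key] = Partial(first_seen=now)
        if len(p.pieces) >= self.max_frags:
            del self.table[key]        # too many pieces: give up and free the slot
            self.dropped += 1
            return None
        p.pieces[offset] = payload
        if not more:
            p.total_len = offset + len(payload)
        if p.total_len is not None:
            covered = set()
            for off, data in p.pieces.items():
                covered.update(range(off, off + len(data)))
            if len(covered) == p.total_len:    # every byte of the datagram is present
                buf = bytearray(p.total_len)
                for off, data in p.pieces.items():
                    buf[off:off + len(data)] = data
                del self.table[key]
                return bytes(buf)
        return None

def flood_then_legit(timeout: float) -> Optional[bytes]:
    """Constructed scenario: four junk fragments that never complete fill a
    four-slot table at t=0; a legitimate two-fragment datagram arrives at t=40."""
    r = Reassembler(max_partial=4, max_frags_per_dgram=8, timeout=timeout)
    for i in range(4):
        r.add(0.0, "198.51.100.9", "10.0.0.5", 1000 + i, 0, True, b"junk")
    r.add(40.0, "10.0.0.7", "10.0.0.5", 7, 0, True, b"GET /")
    return r.add(40.0, "10.0.0.7", "10.0.0.5", 7, 5, False, b"cgi-bin")
```

With a 30-second Fragmented Datagram Timeout, flood_then_legit(30.0) reclaims the attacker's stale entries and rebuilds the real datagram; with no timeout, flood_then_legit(float("inf")) returns None because the bounded table is still full of junk, which is exactly the false negative the settings are meant to prevent. Memory on a real sensor is finite either way, so the timeout and the per-datagram fragment cap are what keep an attacker from pinning it.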
These settings apply to the sensor globally, not to individual signatures.

To specify IP fragment reassembly options and TCP session reassembly options, follow these steps:

Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to specify reassembly options.

Step 4 In the TOC, select Reassembly Options. The Reassembly Options page appears.

The options offered depend on the sensor type. When configuring an IDSM or a 4.x sensor appliance, you have the option of TCP Strict Reassembly; the 3.x sensor appliance does not have that option. When configuring a sensor appliance (3.x or 4.x), you have the option of specifying Maximum Total Fragments; the IDS module does not have that option.

Step 5 When configuring a 4.x sensor appliance, select the operating system of the protected hosts in the IP Reassemble Mode list box. This selects the policy the sensor uses when fragments overlap, so that the sensor sees the same datagram the target host sees and cannot be evaded with overlapping fragments.

Step 6 To specify that you want the sensor to reassemble IP datagrams, select the Reassemble Fragments check box under IP Fragment Reassembly. Fragment reassembly is enabled by default on all sensors, both appliances and modules.

Step 7 To specify the maximum number of partial datagrams that the sensor can attempt to reconstruct at one time, enter that value in the Maximum Partial Datagrams field. Maximum Partial Datagrams is not available for 4.x sensor appliances.

Step 8 To specify the maximum number of fragments that can be accepted into a single datagram, enter that value in the Maximum Fragments Per Datagram field. Maximum Fragments Per Datagram is not available for 4.x sensors.

Step 9 To specify the maximum number of fragments the sensor holds across all partial datagrams, enter that value in the Maximum Total Fragments field. Maximum Total Fragments is available for sensor appliances but not for IDS modules.

Step 10 To specify the maximum number of seconds that can elapse before the sensor stops tracking a partially reassembled datagram and frees its fragments, enter that value in the Fragmented Datagram Timeout field.

Step 11 To specify that the sensor track only TCP sessions for which the three-way handshake has completed, select the TCP Three Way Handshake check box.

Step 12 To specify how strict the reassembly requirements should be when the sensor attempts to reassemble an entire TCP session, select that type from the TCP Strict Reassembly list box. TCP Strict Reassembly is available for IDS modules and 4.x sensor appliances but not for 3.x sensor appliances.

Step 13 To specify the number of seconds that can elapse before the sensor frees the resources allocated to a fully established TCP session, enter that value in the TCP Open Establish Timeout field.

Step 14 To specify the number of seconds that can elapse before the sensor frees the resources allocated to an initiated, but not fully established (embryonic), TCP session, enter that value in the TCP Embryonic Timeout field.

Step 15 To accept your changes and close the Reassembly Options page, click Apply.

Identifying Additional Ports Used by Specific Signatures Applied to a Sensor

When using IDSM devices supported by IDS MC, you can specify additional ports that should be considered by signatures that inspect specific network services (identified by the TCP port that service uses). These port settings let you identify well-known network service ports that you have reassigned on your internal network, and custom TCP-based services running across your internal networks that you want the sensor to inspect for attacks targeting those services. Port mapping applies only to 3.x IDS modules, 4.x sensor appliances, and IDS MC groups. It does not apply to 3.x sensor appliances.

To identify additional or remapped ports for evaluation by specific signatures, follow these steps:

Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.
Step 3 In the Object Selector, select the device or group for which you want to identify additional or remapped ports.

Step 4 In the TOC, select Port Mapping. The Port Mapping page appears.

Step 5 To specify additional ports that should be considered by the signature that looks for hijacked TCP sessions, enter each port number in the TCP HIJACK Ports field, separating entries with a comma.

Step 6 To specify additional ports that should be considered by the signature that looks for TCP SYN flood attacks, enter each port number in the TCP SYNFLOOD Ports field, separating entries with a comma.

Step 7 To specify additional ports that should be considered by the attack signatures that look for Telnet-based attacks, enter each port number in the TCP TELNET Ports field, separating entries with a comma.

Step 8 To specify additional ports that should be considered by the attack signatures that look for HTTP-based attacks, enter each port number in the TCP HTTP Ports field, separating entries with a comma. For example, if an internal web server listens on port 8080, add 8080 here; otherwise the HTTP signatures never inspect that traffic.

Step 9 To accept your changes and close the Port Mapping page, click Apply.

Defining Filters for a Sensor

Filters reduce the number of false positives reported by your sensors, so they are considered a method of tuning. Filtering an alarm means that the sensor still analyzes the data stream but does not generate an alarm. Filtering all alarms from a particular signature is not the same as disabling that signature: a disabled signature results in no analysis of the data stream for that signature at all.

A filter is defined by specifying the signatures, the source address, the destination address, and whether the filter is inclusive or exclusive. You cannot mark an individual part of the filter (such as the source address) as inclusive or exclusive; the entire filter is either inclusive or exclusive. Also, if you define more than one filter, IDS MC applies them in the order in which you defined them, so a later filter can override an earlier one.

An example shows how filters work and how to define them. In this example, you want to exclude all alarms that originate from Network 10.10.10.0/24, because that network runs applications that generate large numbers of false positives. However, two signatures are important to you and must not be excluded: 994 (Traffic Flow Started) and 995 (Traffic Flow Stopped).

1. Begin by defining an exclusive filter. Specify the source address as 10.10.10.0, the network that is generating large numbers of false positives, and specify All Signatures, so that no alarms from that network are sent to Security Monitor.

2. Next, define an inclusive filter. Specify the same source address, Network 10.10.10.0, but specify only Signatures 994 and 995, the ones that you want to let through because they are important to you.

With these two filters, in this order, you filter out a large number of false-positive alarms while selectively letting Signatures 994 and 995 pass through. This works because the exclusive filter is defined first and the inclusive filter second. If you had defined the inclusive filter first, the exclusive filter would then have filtered out all the alarms from Network 10.10.10.0, including 994 and 995, because filters are evaluated in order and the later filter wins.

The following procedure defines the filters described in this example. It assumes that you have added Device11, a 4.x sensor appliance, to GroupW on your network.
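The ordering rule above is easy to get wrong, so here is an added example (not IDS MC code) that evaluates filters in definition order and runs the two-filter example against constructed alarms. Signature numbers 994 and 995 and Network 10.10.10.0/24 come from the example; the Filter fields, the "each matching filter sets the outcome, so the last match wins" rule, and the sample alarms are assumptions made for this illustration.

```python
# Added example, not IDS MC code: evaluates filters in the order defined, as the
# text describes, so you can see why the Exclude filter must precede the Include
# filter. Signatures 994/995 and 10.10.10.0/24 are from the page's example; the
# Filter fields, the last-match-wins rule and the sample alarms are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")     # destination "Any"

@dataclass(frozen=True)
class Filter:
    name: str
    action: str                              # "Exclude" or "Include"
    signatures: Optional[FrozenSet[int]]     # None means All Signatures
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network = ANY

    def matches(self, alarm: dict) -> bool:
        if self.signatures is not None and alarm["sig"] not in self.signatures:
            return False
        return (ipaddress.ip_address(alarm["src"]) in self.source
                and ipaddress.ip_address(alarm["dst"]) in self.destination)

def forward_alarm(filters: List[Filter], alarm: dict) -> bool:
    """Apply the filters in the order defined; each matching filter sets the
    outcome, so the last match decides whether the alarm reaches Security Monitor."""
    forward = True
    for f in filters:
        if f.matches(alarm):
            forward = f.action == "Include"
    return forward

NOISY_NET = ipaddress.ip_network("10.10.10.0/24")
EXCLUDE_ALL = Filter("First Filter--Exclusive", "Exclude", None, NOISY_NET)
INCLUDE_FLOW = Filter("Second Filter--Inclusive", "Include", frozenset({994, 995}), NOISY_NET)

# Constructed sample alarms; signature 3050 stands in for any other signature.
SAMPLE_ALARMS = [
    {"sig": 994,  "src": "10.10.10.5",  "dst": "10.20.0.1"},   # flow started, noisy net
    {"sig": 3050, "src": "10.10.10.5",  "dst": "10.20.0.1"},   # other signature, noisy net
    {"sig": 3050, "src": "192.168.1.9", "dst": "10.20.0.1"},   # other network
]

def evaluate(filters: List[Filter], alarms=SAMPLE_ALARMS) -> List[bool]:
    """True for each alarm that is forwarded after filtering."""
    return [forward_alarm(filters, a) for a in alarms]
```

evaluate([EXCLUDE_ALL, INCLUDE_FLOW]) forwards the 994 alarm and suppresses the other alarm from the noisy network; evaluate([INCLUDE_FLOW, EXCLUDE_ALL]) suppresses both, because the exclusive filter now runs last. Alarms from other networks are untouched either way.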
To define a filter for a sensor as described in the example, follow these steps:

Step 1 Select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select Device11, the 4.x sensor for which you want to define a filter in this example.

Step 4 In the TOC, select Filters. The Filters page appears. This page shows that no filters have been defined yet for Device11.

Step 5 To begin defining the exclusive filter in this example, click Add. The Enter Filter page appears.

Step 6 Enter a name for the filter. In this example, use "First Filter--Exclusive".

Step 7 Select the action Exclude. The Enter Filter page now appears as shown here.

Step 8 Click the Signatures link. The Enter Signatures page appears.

Step 9 On the Enter Signatures page, move All Signatures from the Available Signatures field to the Selected Signatures field. The Enter Signatures page now appears as shown here.

Step 10 Click OK. The Enter Filter page appears again.

Step 11 Click the Source Addresses link. The Filter Source Addresses page appears.

Step 12 Click Add. The Enter Filter Address page appears.

Step 13 Select the Network radio button and enter 10.10.10.0, the network address used in this example, with its network mask of 255.255.255.0. The Enter Filter Address page now appears as shown here.

Step 14 Click OK.

Step 15 The Filter Source Addresses page appears, showing the addition of Network 10.10.10.0 with a subnet mask of 255.255.255.0.

Step 16 Click OK. The Enter Filter page appears again.

Step 17 Click the Destination Addresses link. The Filter Destination Addresses page appears.

Step 18 Click Add. The Enter Filter Address page appears.

Step 19 Select the Any radio button and click OK. The Filter Destination Addresses page appears, showing the addition of Any.

Step 20 Click OK. The Enter Filter page appears again.

Step 21 Click OK. The Filters page now appears as shown here. You have just finished defining the first filter in this example.

Step 22 To begin defining the inclusive filter in this example, click Add.

Step 23 Add a filter with the name "Second Filter--Inclusive" and an action of Include.

Step 24 Continue with this example by adding Signature 994 and Signature 995.

Step 25 Add the same source address and destination address that were used for the first filter, and then display the Filters page again. It should now appear as shown here.

The filter named

Specifying Networks and Hosts that Should Never Be Blocked

You can configure a sensor to block an attack by generating ACL rules for publication to a Cisco IOS router. However, it is important to tune your sensor configuration to identify hosts and networks that should never be blocked. For example, you may have a trusted network device whose normal, expected behavior appears to be an attack, and such a device should never be blocked. Trusted internal networks should also never be blocked, since an attacker who spoofs an internal source address could otherwise use the sensor to cut off your own hosts. Proper tuning reduces the number of false positives and helps ensure proper network operation.

To specify the networks or hosts that should never be blocked when an attack is detected, follow these steps:

Step 1 Select Configuration > Settings.

Step 2 Click the Object Selector handle.

Step 3 In the Object Selector, select the sensor for which you want to identify hosts and networks that should be exempt from blocking.

Step 4 In the TOC, select Blocking > Never Block Addresses. The IP Addresses page appears. This page lists the hosts and networks that the selected sensor will never block. On this page, you can add, edit, and delete hosts and networks.

Step 5 To add a host or network to the list of those that should never be blocked by the selected sensor, click Add. The Enter Network page appears.
Enter the following information in the Enter Network page:

Step 6 To edit information associated with a host or network on the list of those that should never be blocked by the selected sensor, select the check box adjacent to the address of that host or network, and click Edit. The Enter Network page appears. Enter the following information on the Enter Network page:

Step 7 To delete a host or network from the list of those that should never be blocked by the selected sensor, select the check box corresponding to the address of that host or network, and click Delete. The host or network that you selected is deleted.

Step 8 To add, edit, or delete additional hosts or networks, repeat Step 2 through Step 7.

Step 9 To continue configuring sensors, select Configuration > Settings.
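To make the difference between a filter and a never block entry concrete, here is an added example (not IDS MC code): the never block list changes only the blocking decision, while the alarm is still forwarded. The never-block addresses, the sample alarms and the per-alarm "actions" field are constructed for this illustration, and the access-list line is an illustration of the kind of Cisco IOS rule a sensor publishes, not the exact text IDS MC generates.

```python
# Added example, not IDS MC code: a Never Block entry suppresses the block
# response but not the alarm. Addresses, alarms and the "actions" field are
# constructed; the access-list line illustrates the kind of Cisco IOS rule a
# sensor publishes and is not the exact text IDS MC generates.
import ipaddress
from typing import List, Optional, Tuple

NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.10.0.0/16",    # assumed: trusted internal network
    "192.0.2.10/32",   # assumed: trusted scanner whose normal traffic trips attack signatures
)]

def is_never_blocked(src: str, never_block=NEVER_BLOCK) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in never_block)

def respond(alarm: dict, never_block=NEVER_BLOCK) -> Tuple[bool, Optional[str]]:
    """Return (alarm_forwarded, acl_line). The alarm is always forwarded; an ACL
    line is produced only when the signature's response includes a block and the
    source is not on the never block list."""
    if "block" in alarm["actions"] and not is_never_blocked(alarm["src"], never_block):
        return True, f"access-list 199 deny ip host {alarm['src']} any"  # illustrative format
    return True, None

SAMPLE_ALARMS = [  # constructed sample data
    {"sig": 3050, "src": "192.0.2.10",  "actions": {"alarm", "block"}},  # trusted scanner
    {"sig": 3050, "src": "203.0.113.7", "actions": {"alarm", "block"}},  # untrusted source
    {"sig": 3050, "src": "10.10.4.20",  "actions": {"alarm", "block"}},  # internal host
    {"sig": 994,  "src": "203.0.113.7", "actions": {"alarm"}},           # no block action
]

def respond_all(alarms=SAMPLE_ALARMS, never_block=NEVER_BLOCK) -> List[Tuple[bool, Optional[str]]]:
    return [respond(a, never_block) for a in alarms]
```

Running respond_all() forwards all four alarms but emits an ACL line only for 203.0.113.7 on the blocking signature: the scanner and the internal host still show up in Security Monitor, so you keep visibility, while the sensor cannot be tricked into cutting off your own devices. With an empty never block list the scanner would be blocked on the first false positive.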