CIDS signatures form the intelligence built into your network sensors. A signature is a
set of rules describing a known pattern of intrusion activity; when traffic matches those
rules, the sensor generates a unique response.
Signatures can be grouped into several categories, each of which describes a different
aspect of how a signature operates and analyzes network traffic. The signature
implementation describes what the signature examines: protocol header information (a
context signature) or the data encapsulated in the packet (a content signature). The
signature structure categorizes a signature by the number of packets required to produce
a match: some signatures match on a single packet, while others must examine multiple
packets, keeping state between them, before a match can be declared. The signature class
describes the type of attack the signature was written to detect, following the attack
types discussed in Chapter 23. The signature type describes the type of traffic the
signature monitors or matches; some signature types monitor protocol connections, while
others monitor the syslog output of a router to determine when traffic was denied because
of an ACL violation. The last category is the signature severity, a configurable
parameter used to judge the seriousness of a triggered signature.
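The following is an added illustration, not code from the book or from Cisco's sensor software. It models the categories above as attributes of a signature object and shows the practical difference between them: a context signature that inspects only TCP header flags, a content signature that inspects payload bytes, and a multi-packet signature that has to keep state across packets before it can match. The signature names, thresholds, and the sample packets are all constructed for the example and correspond to no real CIDS signature IDs.

```python
"""Toy signature engine modelling the signature categories in the text.

implementation: "context" (header fields) or "content" (payload bytes)
structure:      "single" (one packet decides) or "multi" (state across packets)
sig_class / sig_type / severity are labels that are simply carried into the alarm.
Packets are plain dicts; every packet below is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]


@dataclass
class Signature:
    name: str
    implementation: str          # "context" or "content"
    structure: str               # "single" or "multi"
    sig_class: str               # type of attack the signature detects
    sig_type: str                # type of traffic it monitors
    severity: str                # configurable: "low", "medium", "high"
    match: Callable[..., bool]   # called as match(signature, packet)
    state: dict = field(default_factory=dict)   # used only by "multi" signatures

    def check(self, pkt: Packet) -> Optional[dict]:
        """Return an alarm record if this packet triggers the signature."""
        if self.match(self, pkt):
            return {"signature": self.name, "severity": self.severity,
                    "class": self.sig_class, "src": pkt["src"], "dst": pkt["dst"]}
        return None


# Context signature, single packet: SYN and FIN set together never occurs in
# legitimate TCP, so one header is enough to decide.
def syn_fin_flags(sig: Signature, pkt: Packet) -> bool:
    return pkt["proto"] == "tcp" and {"SYN", "FIN"} <= set(pkt["flags"])


# Content signature, single packet: a fixed byte pattern in the payload.
def payload_pattern(pattern: bytes) -> Callable[..., bool]:
    def _match(sig: Signature, pkt: Packet) -> bool:
        return pattern in pkt.get("payload", b"")
    return _match


# Context signature, multiple packets: one source sending SYNs to more than
# `threshold` distinct destination ports. The per-source port set lives in
# sig.state, which is why no single packet can decide this signature.
def port_sweep(threshold: int) -> Callable[..., bool]:
    def _match(sig: Signature, pkt: Packet) -> bool:
        if pkt["proto"] != "tcp" or pkt["flags"] != ["SYN"]:
            return False
        seen = sig.state.setdefault(pkt["src"], set())
        seen.add(pkt["dport"])
        return len(seen) > threshold
    return _match


def build_signatures() -> List[Signature]:
    """Hypothetical signatures; names and thresholds are illustrative only."""
    return [
        Signature("TCP SYN/FIN flags", "context", "single", "reconnaissance",
                  "tcp-connection", "medium", syn_fin_flags),
        Signature("HTTP /etc/passwd request", "content", "single", "access",
                  "http-string", "high", payload_pattern(b"/etc/passwd")),
        Signature("TCP port sweep", "context", "multi", "reconnaissance",
                  "tcp-connection", "low", port_sweep(threshold=3)),
    ]


def run_sensor(packets: List[Packet], signatures: Optional[List[Signature]] = None) -> List[dict]:
    """Feed packets through every signature in order and collect the alarms raised."""
    signatures = build_signatures() if signatures is None else signatures
    alarms = []
    for pkt in packets:
        for sig in signatures:
            alarm = sig.check(pkt)
            if alarm:
                alarms.append(alarm)
    return alarms


# Constructed sample traffic: a SYN/FIN probe, a normal web request, an attack
# string, then SYNs to four different ports from one host.
SAMPLE_PACKETS: List[Packet] = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "flags": ["SYN", "FIN"],
     "dport": 80, "payload": b""},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "flags": ["PSH", "ACK"],
     "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "flags": ["PSH", "ACK"],
     "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
] + [
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "flags": ["SYN"],
     "dport": p, "payload": b""}
    for p in (21, 22, 23, 25)
]

if __name__ == "__main__":
    for alarm in run_sensor(SAMPLE_PACKETS):
        print(alarm)
```

Running this raises three alarms: the SYN/FIN probe fires on its first packet, the passwd request fires on payload content, and the port sweep fires only on the fourth SYN from 10.0.0.9, once the stored port set passes the threshold. Because severity is just a field on the signature, an operator can raise or lower it without touching the match logic, which is what the text means by it being a configurable parameter.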
To assist you in understanding CIDS signatures, this section
discusses the following signature categories in detail: