Signature Severity

Mar 10,2010 by alperen


The signature severity represents the probability that a matched signature indicates a real and immediate security threat to your systems and network. Each signature has a default severity assigned to it by Cisco security engineers, and these defaults are normally adequate for most network environments.

While each signature already has an assigned severity, this is a configurable parameter and can be changed by security personnel. The three severity levels are low, medium, and high. The severity is based on the alarm level. Alarms can be assigned an alarm level of one to five. Table 26-2 shows how the alarm levels match the alarm severities.

Table 26-2: Alarm Levels and Severities

Severity / Alarm Level | Description                                                          | Probability of an Actual Attack | Immediate Threat
---------------------- | -------------------------------------------------------------------- | ------------------------------- | ----------------
Low, Levels 1–2        | Benign activity, but recorded for informational purposes.            | Very Low                        | No
Medium, Levels 3–4     | Abnormal activity that could be malicious.                           | Medium                          | Low
High, Level 5          | Actual attacks are detected that allow access or are used for DoS.   | Very High                       | Yes

Medium Severity

Signatures configured with a medium-severity alarm level are used to detect abnormal network traffic that might be perceived as malicious. Some of these signatures are triggered on techniques that were effective in the past but are usually no longer a threat in modern network environments. Intrusion attempts using these legacy vulnerabilities have a low probability of being successful and, therefore, are assigned a medium-severity level. Examples of signatures that have a medium-severity level include the following:

  • TCP SYN Port Sweep (Signature ID 3002)

  • ICMP network Sweep with Echo (Signature ID 2100)

High Severity

Signatures configured with a high-severity alarm level represent the most significant threats to your network and system security. Signatures that alarm with a high-severity level detect attacks that intruders use to gain access to network resources. By default, DoS attack signatures are also configured with a high-severity level. The following are examples of signatures configured with a high-severity level:

  • WWW IIS Unicode (Signature ID 5114)

  • sadmind RPC Buffer Overflow (Signature ID 6194)

  • BackOrifice BO2K TCP Non Stealth (Signature ID 3990)
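The following is an added example, not code from the original article or from Cisco, showing how the alarm-level-to-severity mapping in Table 26-2 and the per-signature severity override described above can be applied when triaging a stream of alerts. The level bands (1–2 low, 3–4 medium, 5 high) and the signature IDs come from the page; the exact default alarm level chosen for each signature within its band, the alert record format, the `overrides` dictionary and the sort order are assumptions made for illustration and are not the sensor's real configuration syntax.

```python
"""Added example: prioritising IDS alerts by signature severity.

Assumptions (not from the page): each alert is represented by its
signature ID only, operator overrides are a dict of signature ID to
alarm level, and the default level for each signature is a chosen
value inside the severity band the page assigns to it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Table 26-2: alarm level -> severity band.
ALARM_LEVEL_TO_SEVERITY = {1: "low", 2: "low", 3: "medium", 4: "medium", 5: "high"}

# Table 26-2: probability of an actual attack and immediate-threat flag per band.
SEVERITY_PROFILE = {
    "low": {"probability": "Very Low", "immediate_threat": False},
    "medium": {"probability": "Medium", "immediate_threat": False},
    "high": {"probability": "Very High", "immediate_threat": True},
}

# Default alarm levels for the signatures named on the page. The band
# (medium or high) is from the page; the specific level within the
# medium band (3 rather than 4) is an assumption for this example.
DEFAULT_ALARM_LEVEL = {
    3002: 3,  # TCP SYN Port Sweep (medium)
    2100: 3,  # ICMP Network Sweep with Echo (medium)
    5114: 5,  # WWW IIS Unicode (high)
    6194: 5,  # sadmind RPC Buffer Overflow (high)
    3990: 5,  # BackOrifice BO2K TCP Non Stealth (high)
}


@dataclass(frozen=True)
class TriagedAlert:
    signature_id: int
    alarm_level: int
    severity: str
    probability: str
    immediate_threat: bool
    overridden: bool  # True when security personnel changed the default level


def is_valid_alarm_level(level: object) -> bool:
    """Alarm levels are integers one to five; anything else is rejected."""
    return isinstance(level, int) and not isinstance(level, bool) and 1 <= level <= 5


def severity_for_level(level: int) -> str:
    """Map an alarm level to its severity band per Table 26-2."""
    if not is_valid_alarm_level(level):
        raise ValueError(f"alarm level must be an integer 1-5, got {level!r}")
    return ALARM_LEVEL_TO_SEVERITY[level]


def effective_alarm_level(
    signature_id: int, overrides: Dict[int, int]
) -> Tuple[int, bool]:
    """Return (level, overridden): the operator override wins over the default."""
    if signature_id in overrides:
        level = overrides[signature_id]
        severity_for_level(level)  # validate the configured override
        return level, True
    if signature_id not in DEFAULT_ALARM_LEVEL:
        raise KeyError(f"no default alarm level known for signature {signature_id}")
    return DEFAULT_ALARM_LEVEL[signature_id], False


def triage(
    alert_signature_ids: Iterable[int], overrides: Optional[Dict[int, int]] = None
) -> List[TriagedAlert]:
    """Classify each alert and order the queue with immediate threats first."""
    overrides = overrides or {}
    triaged = []
    for sig in alert_signature_ids:
        level, overridden = effective_alarm_level(sig, overrides)
        severity = severity_for_level(level)
        profile = SEVERITY_PROFILE[severity]
        triaged.append(
            TriagedAlert(sig, level, severity, profile["probability"],
                         profile["immediate_threat"], overridden)
        )
    # Highest alarm level first; ties broken by signature ID for a stable queue.
    triaged.sort(key=lambda a: (-a.alarm_level, a.signature_id))
    return triaged


if __name__ == "__main__":
    # Constructed sample alert stream (signature IDs from the page).
    sample_alerts = [3002, 5114, 2100, 3990, 6194]
    # Constructed override: an operator raises the SYN port sweep to level 5
    # on a segment where any sweep is treated as an immediate threat.
    operator_overrides = {3002: 5}
    for a in triage(sample_alerts, operator_overrides):
        flag = "IMMEDIATE" if a.immediate_threat else "review"
        mark = " (override)" if a.overridden else ""
        print(f"sig {a.signature_id}: level {a.alarm_level} {a.severity:<6} "
              f"p={a.probability:<9} {flag}{mark}")
```

Without overrides, the three high-severity signatures (5114, 6194, 3990) sort ahead of the two medium-severity sweeps; with the constructed override, signature 3002 joins the immediate-threat group, which is the effect of security personnel changing a signature's configurable severity.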

