Cisco IDS
Signature Micro-Engines
The Cisco Secure IDS software divides signature processing
into different categories or engines. We can see the types of engines in Table
7.1.
Table 7.1: Cisco IDS Signature Micro-Engine Overview

| Engine Type | Description |
|---|---|
| Atomic | Used for single packets. |
| Flood | Used to detect attempted DoS attacks. |
| Service | Used when services at layers 5, 6, and 7 require protocol analysis. |
| State | Used when stateful inspection is required. At this time, only HTTP is supported. |
| String | Used for string pattern matching. |
| Sweep | Used to detect network reconnaissance sweeps or probes. |
Each engine contains a parser and an inspector, and multiple signatures are supported within specific categories. When the IDS is sniffing the network, it reads from a signature file that contains all of the signature definitions. Each definition contains configurable parameters that can be tuned to define the activity on your network that you would consider intrusive and possibly malicious. Signature parameters have three attributes: Protected, Required, and Hidden. The Protected attribute affects the fundamental behavior of the parameter and applies only to the Cisco set of default signatures. The Required attribute marks a parameter whose value must be declared. The Hidden attribute means the parameter is not viewable because modifications to it are not allowed. The parameters themselves are broken down into two categories:

The Master engine parameters apply to each of the signatures in the subengines. Master engine parameters are the basis for parsing the input (traffic) and producing output (alarms). Table 7.2 lists the Master engine parameters. It is up to the subengines to provide the protocol-specific handling needed for the sensor to decode and inspect the traffic.
Table 7.2: Master or Global Engine Parameters

| Parameter | Description |
|---|---|
| AlarmDelayTimer | The number of seconds (1–3600) to delay further signature inspection after an alarm. |
| AlarmInterval | Special handling for timed events (2–1000). Uses AlarmInterval Y with MinHits X for X alarms in a Y-second interval. |
| AlarmSeverity | The severity of the alert (high, medium, low, or informational) reported in the alarm. |
| AlarmThrottle | Limits the number of alarms sent to the IDS management device. Options: FireAll sends an alarm every time the signature conditions are met. FireOnce sends the first alarm when the signature conditions are met, then sends no more alarms for the same source and destination address combination. Summarize sends only one alarm per ThrottleInterval per address combination; usually the first alarm, which starts the summary, is the one sent. The ThrottleInterval is a configurable number of seconds that the sensor counts until that interval is reached; it then fires another alarm and starts the count over. GlobalSummarize is similar to Summarize but applies to all address combinations instead of one: once an alarm is sent, the sensor counts the subsequent alarms per ThrottleInterval for all monitored address combinations. This reduces the number of alarms triggered during flood attacks. |
| ChokeThreshold | Switches between Summarize and GlobalSummarize. During the ThrottleInterval, the sensor autoswitches the AlarmThrottle mode to Summarize if the frequency of alarms from a single signature exceeds the ChokeThreshold, and to GlobalSummarize if the frequency of alarms from a single signature exceeds twice the ChokeThreshold. The ChokeThreshold must not be set to ANY if the AlarmThrottle is to be autoswitched. |
| FlipAddr | Swaps the addresses and ports if they are detected as being reversed in the alarm message. |
| MaxInspectLength | The maximum length in bytes to inspect. |
| MinHits | Throttle for firing the alarm: the minimum number of signature hits the sensor must detect before it alarms. |
| ResetAfterIdle | When a signature stops firing alarms, the number of seconds the sensor waits before it resets the counters (ThrottleInterval, MinHits, etc.). |
| SigComment | Comment field for your own notes about the signature. |
| SIGID | Unique numeric identifier for each signature. Cisco designates 1000–19,999 as the range for default signatures and 20,000–50,000 as the range for user signatures. |
| SigName | Official signature name. |
| SigStringInfo | Any extra information included in the alarm message. |
| SubSig | ID of the subsignature, if any. Usually a variation of the original signature. |
| ThrottleInterval | A counter in seconds defining the interval at which alarms are triggered. Used in conjunction with the AlarmThrottle parameter when configuring Summarize or GlobalSummarize. |
| WantFrag | Has the sensor inspect fragmented packets against the signature. Set to TRUE to inspect reassembled fragmented packets or fragments, FALSE not to inspect reassembled fragmented packets or fragments, or ANY to ignore all reassembled packets and/or fragments. |
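The alarm-volume controls in Table 7.2 (the four AlarmThrottle modes, the ChokeThreshold autoswitch and the MinHits/AlarmInterval pairing) interact, and the easiest way to see how many alarms a sensor would actually forward is to run them over a sample stream of hits. The Python model below is added here as an illustration; it is not Cisco's code, the hit data is constructed, and the exact counting rules (a summary window opening on the first hit after the previous one expires, the MinHits count restarting after each alarm) are assumptions about the prose rather than documented sensor behavior.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One signature match seen by the sensor (constructed sample data)."""
    t: float   # seconds since sensor start
    src: str
    dst: str


def throttle(hits, mode, throttle_interval=30):
    """Return the hits for which an alarm would be sent under an AlarmThrottle mode.

    Model of the Table 7.2 description (an assumption, not Cisco's implementation):
      FireAll         - every hit produces an alarm
      FireOnce        - one alarm per (src, dst) pair, then silence for that pair
      Summarize       - one alarm per ThrottleInterval per (src, dst) pair
      GlobalSummarize - one alarm per ThrottleInterval across all pairs
    """
    sent = []
    alarmed_pairs = set()   # FireOnce bookkeeping
    window_start = {}       # Summarize/GlobalSummarize: key -> start of current interval
    for h in sorted(hits, key=lambda h: h.t):
        pair = (h.src, h.dst)
        if mode == "FireAll":
            sent.append(h)
        elif mode == "FireOnce":
            if pair not in alarmed_pairs:
                alarmed_pairs.add(pair)
                sent.append(h)
        elif mode in ("Summarize", "GlobalSummarize"):
            key = pair if mode == "Summarize" else "all"
            start = window_start.get(key)
            if start is None or h.t - start >= throttle_interval:
                # first hit of a new interval opens the summary and is the one reported
                window_start[key] = h.t
                sent.append(h)
        else:
            raise ValueError(f"unknown AlarmThrottle mode: {mode}")
    return sent


def effective_mode(configured_mode, alarms_in_interval, choke_threshold):
    """ChokeThreshold autoswitch: Summarize above the threshold, GlobalSummarize above twice it.

    choke_threshold=None stands for the ANY setting, which disables the autoswitch.
    """
    if choke_threshold is None:
        return configured_mode
    if alarms_in_interval > 2 * choke_threshold:
        return "GlobalSummarize"
    if alarms_in_interval > choke_threshold:
        return "Summarize"
    return configured_mode


def min_hits_alarm(hits, min_hits, alarm_interval):
    """MinHits X with AlarmInterval Y: alarm when X hits from one (src, dst) pair
    fall inside a Y-second window; the count restarts after each alarm (assumption)."""
    windows = defaultdict(deque)
    fired = []
    for h in sorted(hits, key=lambda h: h.t):
        q = windows[(h.src, h.dst)]
        q.append(h.t)
        while q and h.t - q[0] > alarm_interval:
            q.popleft()           # drop hits that fell out of the window
        if len(q) >= min_hits:
            fired.append(h)
            q.clear()
    return fired


def demo():
    """Constructed traffic: one host hitting a target every 5 s for 100 s, plus two
    stray hits from a second host. Returns the alarm count under each setting."""
    hits = [Hit(t, "10.0.0.5", "192.0.2.10") for t in range(0, 100, 5)]
    hits += [Hit(3, "10.0.0.6", "192.0.2.10"), Hit(40, "10.0.0.6", "192.0.2.10")]
    counts = {m: len(throttle(hits, m, throttle_interval=30))
              for m in ("FireAll", "FireOnce", "Summarize", "GlobalSummarize")}
    counts["MinHits3in10s"] = len(min_hits_alarm(hits, min_hits=3, alarm_interval=10))
    return counts


if __name__ == "__main__":
    for setting, n in demo().items():
        print(f"{setting:>16}: {n} alarms")
```

With a 30-second ThrottleInterval the 22 constructed hits become 22 alarms under FireAll, 2 under FireOnce, 6 under Summarize and 4 under GlobalSummarize, which is the reduction during flood-like traffic that the table describes; `effective_mode` shows when ChokeThreshold would force one of the summarizing modes regardless of what was configured.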
Figure 7.3 shows all of the micro-engines available
on the 4200 series sensors.