Configuring IOS-Based IDS Signatures
IOS-IDS will trigger an alarm when a packet matches a
certain behavior defined in a signature. It is critical that no alarms are
generated for an event that will not be harmful for the network. A large number
of these so-called false positives will drain resources and can become very
costly to a company. It is also critical that alarms are generated when needed.
False negatives occur when an IDS fails to detect an intrusion. You can reduce
false negatives by running an IOS image that includes the latest available
signatures. Fine-tuning an IDS configuration by disabling or excluding
signatures will help prevent a large number of false positives in your
network.
In this section, we look at how we can manage signatures to
prevent false positives. We do so by doing the following:
- Disabling signatures globally
- Excluding signatures by host or network
- Configuring the spam signature threshold
Disabling Signatures Globally
All signatures available in IOS are enabled
by default when IDS is configured on a router. A number of these signatures are
application- or operating system–specific, and might not pose a threat to your
network. Still, the alarms fire and keep your Operations Department busy. You
might for instance have no UNIX-based servers in your network, yet alarms keep
getting triggered for the mountd Portmap Request signature and fill up your
management GUI. In such cases, you want to disable a certain signature, and by
doing so lower the administrative burden that results from these false
positives.
We disable the mountd Portmap Request signature and the Majordomo
Execute Attack signature by entering the following command in global
configuration mode:
aRouter(config)#ip audit signature 6155 disable
aRouter(config)#ip audit signature 3107 disable
When the need arises to track traffic for signature 6155 (Portmap)
again, you can enable this signature using the no keyword
in front of the ip audit signature command. Doing so may
look like you're disabling the signature, but that's not the case. It simply
enables the signature. Here's an example:
aRouter(config)#no ip audit signature 6155
Excluding Signatures by Host or Network
One of the major disadvantages of disabling signatures
globally is that network traffic is no longer being tracked for intrusions with
that specific signature. This is especially true when you have a mixed
environment. You may be receiving a lot of false positives from a Windows-based
host, but disabling the signature globally will make those UNIX-based hosts
vulnerable to attack. Excluding signatures by host or network will ensure that
if an attack takes place on a UNIX-based host, it is detected and actions are
taken. The following example shows how to exclude a signature for a certain
host.
We are back at Prince Partners Inc. In Figure 11.3, we see
Router1 connecting Prince Partners LAN to the Internet. Router1 is acting as a
Firewall/IDS device, has all signatures enabled, and is protecting network
172.16.20.0/24. Server1 is a Windows 2000 Exchange server, and traffic to that
server is creating false positives for signature 6155, the mountd Portmap
Request signature. The alarms generated are false positives because Server1 does
not have mountd running and is therefore not vulnerable for this intrusion.
Server2 is a UNIX server that might be vulnerable for this attack and traffic to
this server must still be tracked for signature 6155.
To prevent false positives on Server1 from happening we will
exclude Server1 from this signature, and do so by using the following
commands:
Router1(config)#ip audit signature 6155 list 10
Router1(config)#ip access-list standard 10
Router1(config-std-nacl)#deny host 172.16.20.3
Router1(config-std-nacl)#permit any
Router1(config-std-nacl)#end
Router1#
In this example, we see that the ip audit
signature command refers to a standard access-list that specifies which
hosts are to be excluded when tracking network traffic for signature 6155. Here,
we have excluded Server1 and permitted all other hosts. Remember that at the end
of an access-list there is an implicit deny. If we had not used the permit any statement in the access-list, all hosts would have
been excluded from this signature.
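The following Python model, added here as an illustration and not taken from Cisco or from the chapter, shows the access-list semantics the paragraph above describes: a standard access-list is evaluated top to bottom, a deny entry excludes the host from the signature, a permit entry keeps it tracked, and the implicit deny at the end excludes every host that matched nothing. Server1's address 172.16.20.3 is from the example; the second server address 172.16.20.4 and the 10.0.0.1 address are constructed assumptions. The helper also accepts network entries written with a wildcard mask, which goes a little beyond the host-only example in the text.

```python
import ipaddress

# Constructed model of IOS standard access-list entries as used by
# "ip audit signature <id> list <acl>". Each entry is (action, network).
# Accepted forms: "permit any", "deny host A.B.C.D", "deny A.B.C.D W.W.W.W"
# (address plus wildcard mask, handled as a hostmask by ipaddress).
def parse_standard_acl(lines):
    entries = []
    for line in lines:
        parts = line.split()
        action = parts[0]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action in %r" % line)
        if parts[1] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif parts[1] == "host":
            net = ipaddress.ip_network(parts[2] + "/32")
        else:
            # address followed by a wildcard mask, e.g. "172.16.20.0 0.0.0.255"
            net = ipaddress.ip_network(parts[1] + "/" + parts[2], strict=False)
        entries.append((action, net))
    return entries


def acl_lookup(entries, address):
    """First matching entry wins; an unmatched address hits the implicit deny."""
    ip = ipaddress.ip_address(address)
    for action, net in entries:
        if ip in net:
            return action
    return "deny"  # implicit deny at the end of every IOS access-list


def signature_tracked_for(entries, address):
    """For a signature bound to this list: deny = excluded, permit = still tracked."""
    return acl_lookup(entries, address) == "permit"


# The chapter's access-list 10: exclude Server1, keep tracking everyone else.
EXCLUDE_SERVER1 = parse_standard_acl([
    "deny host 172.16.20.3",
    "permit any",
])

# The pitfall the text warns about: no "permit any", so only the implicit
# deny remains for every other host and the signature is excluded everywhere.
MISSING_PERMIT_ANY = parse_standard_acl([
    "deny host 172.16.20.3",
])

# Constructed variant: exclude the whole protected network with a wildcard mask.
EXCLUDE_WHOLE_LAN = parse_standard_acl([
    "deny 172.16.20.0 0.0.0.255",
    "permit any",
])


if __name__ == "__main__":
    for name, acl in (("exclude Server1", EXCLUDE_SERVER1),
                      ("missing permit any", MISSING_PERMIT_ANY),
                      ("exclude whole LAN", EXCLUDE_WHOLE_LAN)):
        for host in ("172.16.20.3", "172.16.20.4", "10.0.0.1"):
            print("%-20s %-12s tracked=%s" % (name, host, signature_tracked_for(acl, host)))
```

Run the block directly to print, per list and host, whether signature tracking stays in effect; the second list shows every host coming back as excluded, which is exactly the outcome the missing permit any statement produces.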
You can make the signature available again for tracking traffic to
Server1 by using the following commands:
Router1(config)#no ip audit signature 6155 list 10
Router1(config)#no access-list 10
Router1(config)#end
Using the Spam Signature
The ip audit smtp
spam command is used to change the recipient threshold of the spam signature
(Signature 3106). This signature will detect an e-mail message whose number of
recipients exceeds the threshold and take appropriate action. The default value
of this threshold is 250 recipients. Depending on your existing mail environment
and traffic, you can change this value to a higher or lower number. Be careful
you don't set this value so low that e-mail gets lost.
Let's take another look at Figure 11.3. Prince
Partners Inc. is using an Exchange 2000 e-mail environment. Server1 is the only
mail server at this moment. The server administrator has come to you requesting
something be done about the spam mail appearing on Server1. You decide to lower
the value of the spam signature, so more spam is detected. You do this by
entering the following command at the Router1 prompt:
Router1(config)#ip audit smtp spam 150
The spam signature value can be set to its default of 250 again by
using the following command. Although it looks like you are disabling the spam
signature, you are, in fact, resetting the threshold value back to 250
recipients.
Router(config)#no ip audit smtp
The spam signature can be disabled using the ip
audit signature command.
Router1(config)#ip audit signature 3106 disable
The show ip audit configuration command will
show you that signature 3106 is disabled. The default threshold value still
shows up in the output, but IDS will now ignore e-mails with recipient lists
over 250 recipients. The following shows part of the show ip
audit configuration command output after disabling the spam signature.
Default threshold of recipients for spam signature is 250
Signature 3106 disable
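To make the threshold and disable semantics of the spam signature concrete, here is an added Python model; it is not code from the chapter or from Cisco. It reads the two show ip audit configuration lines shown above (plus a constructed variant with the threshold lowered to 150), counts RCPT TO commands in a constructed SMTP session, and raises an alarm only when the recipient count exceeds the threshold and signature 3106 is not disabled. The exact wording of the output line after a threshold change is an assumption; only the 250 default line comes from the page.

```python
import re

SPAM_SIGNATURE = 3106
DEFAULT_SPAM_THRESHOLD = 250  # IOS default recipient threshold from the chapter


def parse_audit_configuration(output):
    """Extract the spam threshold and the set of disabled signature ids
    from (partial) show ip audit configuration output."""
    cfg = {"spam_threshold": DEFAULT_SPAM_THRESHOLD, "disabled": set()}
    for line in output.splitlines():
        m = re.search(r"threshold of recipients for spam signature is (\d+)", line)
        if m:
            cfg["spam_threshold"] = int(m.group(1))
            continue
        m = re.match(r"\s*Signature (\d+) disable", line)
        if m:
            cfg["disabled"].add(int(m.group(1)))
    return cfg


def count_recipients(smtp_session):
    """Number of RCPT TO commands in a client-side SMTP transcript."""
    return sum(1 for line in smtp_session.splitlines()
               if line.strip().upper().startswith("RCPT TO:"))


def spam_alarm(cfg, smtp_session):
    """Signature 3106 fires when recipients exceed the threshold, unless disabled."""
    if SPAM_SIGNATURE in cfg["disabled"]:
        return False
    return count_recipients(smtp_session) > cfg["spam_threshold"]


def constructed_session(recipient_count):
    """Build a minimal SMTP transcript with the given number of recipients (constructed)."""
    lines = ["EHLO mail.example.test", "MAIL FROM:<sender@example.test>"]
    lines += ["RCPT TO:<user%d@example.test>" % i for i in range(recipient_count)]
    lines += ["DATA", "Subject: test", "", ".", "QUIT"]
    return "\n".join(lines)


# Output shown in the chapter after "ip audit signature 3106 disable".
DISABLED_OUTPUT = """Default threshold of recipients for spam signature is 250
Signature 3106 disable"""

# Output with the signature enabled at the default threshold (constructed).
DEFAULT_OUTPUT = "Default threshold of recipients for spam signature is 250"

# Assumed output after "ip audit smtp spam 150" (wording is an assumption).
LOWERED_OUTPUT = "Default threshold of recipients for spam signature is 150"


if __name__ == "__main__":
    for label, output in (("default", DEFAULT_OUTPUT),
                          ("lowered", LOWERED_OUTPUT),
                          ("disabled", DISABLED_OUTPUT)):
        cfg = parse_audit_configuration(output)
        for n in (150, 200, 250, 251):
            print("%-8s threshold=%d recipients=%d alarm=%s"
                  % (label, cfg["spam_threshold"], n, spam_alarm(cfg, constructed_session(n))))
```

Note that a message with exactly 250 recipients does not trigger the alarm at the default threshold, since the signature fires only when the count exceeds the threshold, and that with the signature disabled the 250 still shows in the parsed configuration but no alarm is raised regardless of recipient count.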