Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : Intrusion Detection System : The FLOOD Micro-Engine

The FLOOD Micro-Engine

Nov 24,2008 by admin

small font medium font large font
image

The FLOOD Micro-Engine

Simply stated, FLOOD engines analyze flood type traffic, that is traffic from many sources to a single host (n to 1), specified in FLOOD.HOST or floods to the network, traffic from many sources to many destinations (n to n), specified in FLOOD.NET. Host floods use a counter that counts the packets-per-second (PPS) to the destination. Net floods, however, do not use the address for counting, but instead utilize the count rate on a virtual sensor basis. Analysis is done on a per-second basis for both host and net floods.

FLOOD engines have one configuration restriction. You have to specify the Rate parameter in both the host and net flood engine groups. FLOOD engines also ignore the WantFrag, MaxInspectLength, and ResetAfterIdle parameters from the Master engine parameters.


 Note 

The concept of a virtual sensor is that if the physical sensor is monitoring more than one interface, all the interfaces are configured into interface groups. There can be more than one interface group. But virtual sensors are attached to only one interface group.

There are three FLOOD micro-engines. We will look at each in detail in the following sections.

FLOOD.HOST.ICMP

FLOOD.HOST.ICMP analyzes ICMP floods directed at a single host. Figure 7.12 shows the two signatures 2152 – ICMP Flood, and 2153 – ICMP Smurf attack that are host flood signatures based on ICMP traffic.

Start Figure
Selection> 6
   
2152  (SubSig 0)  ICMP Flood :
2153  (SubSig 0)  ICMP Smurf attack :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
End Figure

Figure 7.12: SigWizMenu Option 6 FLOOD.HOST.ICMP

Table 7.6 shows the configurable parameters for FLOOD.HOST.ICMP signatures.

Table 7.6: FLOOD.HOST.ICMP Parameters

Name

Data Type

Protected

Required

Description

IcmpType

Number 0–256

No

No

ICMP header TYPE

Rate

Some number

No

Yes

The maximum allowed packets-per-second (PPS)

FLOOD.HOST.UDP

FLOOD.HOST.UDP analyzes UDP floods directed at a single host. Figure 7.13 shows the single signature, 4002 – UDP Flood, that is a host flood signature based on UDP traffic.

Start Figure
Selection> 7
   
4002  (SubSig 0)  UDP Flood :
   
(Sig Number to EDIT) or (ENTER to CONTINUE) >
End Figure

Figure 7.13: SigWizMenu Option 7 FLOOD.HOST.UDP

Table 7.7 shows the configurable parameters for FLOOD.HOST.UDP signatures.

Table 7.7: FLOOD.HOST.UDP Parameters

Name

Data Type

Protected

Required

Description

ExcludeDst1

Number 0–65536

No

No

Destination port to exclude from flood counting.

ExcludeDst2

Number 0–65536

No

No

Destination port to exclude from flood counting.

ExcludeDst3

Number 0–65536

No

No

Destination port to exclude from flood counting.

Exclude1

Number 0–65536

No

No

Source port to exclude from flood counting.

Exclude2

Number 0–65536

No

No

Source port to exclude from flood counting.

Exclude3

Number 0–65536

No

No

Source port to exclude from flood counting.

Rate

Some number

No

Yes

Threshold number of PPS. When the PPS is greater than the specified Rate, an alarm fires.

FLOOD.NET

FLOOD.NET analyzes network floods directed at a single network segment. Figure 7.13 displays the current signatures in the FLOOD.NET micro-engine. Of special interest in the FLOOD.NET micro-engine is FLOOD.Net Learning Mode. This configuration option is feedback mode. Feedback mode replaces the normal inspection of packets with a diagnostic alarm. Simply stated, the alarm with have the maximum count of PPS in the alertDetails values seen during the interval. This is good for baselining network traffic in order to tune the signatures. The configuration is set to feedback mode when the Rate parameter is set to 0. Figure 7.14 shows the five signatures that are part of the FLOOD.NET micro-engine.

Start Figure
Selection> 8 
   
6901  (SubSig 0)  NET FLOOD Icmp Reply :
6902  (SubSig 0)  NET FLOOD Icmp Request :
6903  (SubSig 0)  NET FLOOD Icmp Any :
6910  (SubSig 0)  NET FLOOD UDP :
6920  (SubSig 0)  NET FLOOD TCP :
   
(Sig Number to EDIT) or (ENTER to CONTINUE) >
End Figure

Figure 7.14: SigWizMenu Option 8 FLOOD.NET

Table 7.8 shows the configurable parameters for FLOOD.NET signatures.

Table 7.8: FLOOD.NET Parameters

Name

Data Type

Protected

Required

Description

Gap

Number

No

No

The number of seconds allowed within the ThrottleInterval where PPS < Rate.

Alarms will not be triggered if you get greater than Gap seconds that are not suspects and counting is reset.

IcmpType

Number 0–256

No

No

This is the ICMP type value found in the header.

Only valid when Protocol is set to ICMP.

Peaks

Number

No

No

The threshold of suspect seconds.

       

Alarm is triggered when the Peaks suspect seconds is reached in a ThrottleInterval.

Rate

Number

No

No

The threshold for PPS.

       

Suspect second occurs when PPS > Rate.

Remember for diagnostics/feedback mode to set the Rate value to 0.


292 times read

Related news
» Well-Known DoS Attacks
by alperen posted on Jun 30,2009
» Cisco IDS Signature Micro-Engines
by admin posted on Nov 24,2008
» Switch Flood Broadcast Frames
by alperen posted on Nov 23,2008
» Reducing OSPF Traffic in Stable Networks
by admin posted on Jul 21,2008
» Routing Protocol Information
by alperen posted on Nov 28,2008
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

admin

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.