Nov 26, 2008 by admin
Manually Blocking and Removing a Block
Another option given to us with Cisco Secure IDS is to manually block, or remove a block from, an IP address. Some administrators may like this option, as it will give much more freedom to ... [full story]

Nov 24, 2008 by admin
The SWEEP Micro-Engine
All of the SWEEP signatures' alarm conditions depend on the count of the Unique parameter. Unique is the threshold parameter that causes the signature to fire the alarm when more than the configured "Unique" number of ports and ... [full story]

Nov 24, 2008 by admin
The STRING Micro-Engine
The STRING micro-engine provides pattern inspection and alarm generation against regular expressions. It works against TCP, UDP, and ICMP. There are currently four STRING micro-engines. STRING HTTP has eight signatures (shown in Figure 7.16). These are specifically tailored ... [full story]

Nov 24, 2008 by admin
The STATE.HTTP Micro-Engine
The STATE micro-engine encompasses the 3000 and 5000 series signatures. There are approximately 415 signatures covered in this micro-engine. The STATE.HTTP micro-engine is especially helpful if you are running a web server on nonstandard HTTP ports. Use the ... [full story]

Nov 24, 2008 by admin
The FLOOD Micro-Engine
Simply stated, FLOOD engines analyze flood-type traffic: either traffic from many sources to a single host (n to 1), specified in FLOOD.HOST, or floods to the network, that is, traffic from many sources to many destinations (n to ... [full story]

Nov 24, 2008 by admin
The SERVICE Micro-Engine
Of all the different service micro-engines (see Table 7.5), SERVICE.DNS and SERVICE.RPC are two of the more important engines. SERVICE works at layer 5 and above to analyze traffic between two hosts. Service engine signatures are one-to-one signatures ... [full story]

Nov 24, 2008 by admin
The ATOMIC Micro-Engines
The ATOMIC engine is used to create or tune existing signatures for simple, single-packet conditions that cause alarms to be triggered. Every packet's conditions have specialized parameters that deal with each of the protocol-specific inspections within the ... [full story]

Nov 24, 2008 by admin
Cisco IDS Signature Micro-Engines
The Cisco Secure IDS software divides signature processing into different categories or engines. We can see the types of engines in Table 7.1.
Table 7.1: Cisco IDS Signature Micro-Engine Overview
Engine Type   Description
Atomic        This is used for single packets.
Flood         This ... [full story]

Nov 24, 2008 by admin
Understanding Cisco IDS Signatures
It is important to understand what a signature is, and what exactly a signature does. A signature is a known type of activity. It has already been detected in the wild and someone has captured the personality ... [full story]

Nov 24, 2008 by admin
Cisco IDS Alarms and Signatures
Introduction
Once the Cisco IDS sensor is racked and operational, and the IDS management device or director is configured and communicating properly, it is time to tune the IDS signatures to the traffic patterns that occur on ... [full story]

Nov 24, 2008 by admin
Troubleshooting the Cisco IDSM Sensor
Troubleshooting the IDSM might feel somewhat overwhelming at first, but in reality you know a lot of the procedure already. There are commands and even LEDs that we can look at to get an idea of ... [full story]

Nov 25, 2008 by admin
Sensing Properties
As you have read in Chapter 4, the Sensing tab allows you to configure what signature configuration file the sensor is using, what Packet Capture Device (Interface) the sensor is using, and how to handle IP fragment reassembly. You ... [full story]

Nov 25, 2008 by admin
Excluding or Including Specific Signatures
After viewing events for several days and analyzing the traffic along with the source and destination addresses, you may want to turn certain signatures off and others on. There could be several reasons why you would ... [full story]

Nov 25, 2008 by admin
Excluding or Including Signatures in CSPM
To exclude or include a signature in CSPM, perform these steps:
Select the signature file you want to edit from the topology map (as seen in Figure 7.24).
Figure 7.24: Signature Files
Click the Signatures ... [full story]

Nov 26, 2008 by admin
Using the Master Blocking Sensor
We previously discussed master blocking and its methods for securing various entrances to our networks. If we have a large network with master blocking in place, our sensors will dynamically update each other to protect all ... [full story]

Nov 26, 2008 by admin
The Never Block IP Addresses Setup
The Never Block Addresses tab is an answer to the critical host issue mentioned earlier in this chapter. As we mentioned, some systems on our networks should never be blocked, like a DNS server or ... [full story]

Nov 26, 2008 by admin
Configuring the Sensor
Now we need to set up the sensor for the blocking devices it will monitor by using the Cisco Secure Policy Manager (CSPM). These settings indicate to the sensor which routers, by Telnet IP address, will be governed ... [full story]

Nov 26, 2008 by admin
Configuring a Router for a Sensor Telnet Session
First, we will configure the router for Telnet access and assign a login password. The login password is essential for allowing us to Telnet to a router and should be something complex and ... [full story]

Nov 26, 2008 by admin
Configuring the Sensor to Block
In this section, let's delve into how to actually configure IP blocking step by step. As we mentioned earlier in the chapter, there are many different possibilities for network set-ups. Thus, different options may work poorly ... [full story]

Nov 26, 2008 by admin
Using ACLs to Perform Blocking
As previously discussed, Cisco's ACLs are a list of rules that will either permit or deny traffic entering or leaving the network. We can use either standard ACLs, for controlling network access for a particular source ... [full story]

Nov 26, 2008 by admin
Understanding Master Blocking
In some network architectures, for reasons such as redundancy or perhaps cost, another ISP may be a feasible solution. An Extranet connection or two may also be present. These connections create multiple entryways to our network and thus ... [full story]

Nov 26, 2008 by admin
Understanding the Blocking Process
Threats to our networks never sleep or wait until Monday to become a burden. While there are many mitigating tools available to the security administrator, such as firewalls, password security, encryption standards, and even complex networks with ... [full story]

Nov 26, 2008 by admin
Configuring Cisco IDS Blocking
Introduction
Blocking… This is a word that just sounds like security, doesn't it? We will block you from our network. In the world of Cisco, blocking is another name for "shunning," which is the art of actively interacting ... [full story]

Nov 25, 2008 by admin
Excluding or Including Signatures in IDM
To exclude or include signatures using the Cisco IDM, follow these steps:
Once you have logged in to IDM, go to Configuration | Signature Groups. Click the group name that your signature is associated with (see ... [full story]

Nov 24, 2008 by admin
Updating the Cisco IDSM Sensor
Updating the IDSM sensor might result from a need to move to newer code, or because the current image has been corrupted. A different reason for updating (or more appropriately, recovering the IDSM sensor) is ... [full story]

Nov 24, 2008 by admin
Understanding the Cisco IDSM Sensor
The IDSM sensor module differs from other, more conventional IDS sensors from Cisco by being a blade- or module-based solution. Unlike the 4230 sensor that uses a form of Solaris as the OS and runs on ... [full story]

Nov 24, 2008 by admin
Configuring the Cisco IDSM Sensor
Introduction
The Cisco IDSM sensor blade is viewed with a mixture of awe, dread, and ignorance. This sensor is certainly one of the least understood and underutilized sensors in the Cisco IDS product line. In part, this ... [full story]

Nov 24, 2008 by admin
Configuring Automatic IP Logging
You can configure a sensor to generate an IP session log when the sensor detects an attack. All packets to and from the source address of the alarm are logged for a specific period of time when ... [full story]

Nov 24, 2008 by admin
Exporting Event Logs
By default, the IDS sensor logs all events locally on the sensor by both severity and type. A feature of the IDS sensors is that you can export the event logs to an FTP server. This allows you ... [full story]

Nov 24, 2008 by admin
Configuring Event Logging (IDS version 3.1)
Depending on what the sensor had been configured to watch, it can generate audit event logs locally on the sensor based on syslog data streams, network data streams, or both. Follow these steps and examine ... [full story]

Nov 24, 2008 by admin
Configuring Logging
Logging provides a way to record the events that the IDS sensor sees for later analysis, either by security personnel, network operations, or event correlation software. This section covers how to configure event logging as well as IP logging, ... [full story]

Nov 24, 2008 by admin
Adding Interfaces to an Interface Group
To group monitoring interfaces into one logical virtual sensor, you will use an interface group. At this time, only interface Group 0 is supported. More than one monitoring interface can be assigned to the interface ... [full story]