Signatures represent the intelligence behind your intrusion detection system. To protect your network infrastructure fully, you must understand both how these signatures are structured and each signature series. A signature is a set of rules used to match activity and traffic present on your network. Once a match is made, the signatures trigger an alarm.

Signatures are broken down into many different categories to facilitate understanding of how they operate and detect intrusions. All signatures are either content based or context based. Content-based signatures analyze the contents of the network packets, while context-based signatures analyze the protocol headers of the network packets. In addition, every CIDS signature is either:

• Atomic

• Composite

Atomic signatures can be matched by analyzing a single network packet. Composite signatures must analyze more than one network packet before a match is made. CIDS signatures also belong to one of four signature classes. The signature classes define the type of attack the signature was designed to detect. The signature classes map closely to the types of attacks discussed in Chapter 23. The four signature classes are as follows:

• Reconnaissance

• Informational

• Access

• Denial of Service

The final signature category all CIDS signatures belong to is the signature series. The signature series defines the protocol the signature is responsible for analyzing. The CIDS signature series includes the following:

• 1000 Series Signatures—IP Signatures

• 2000 Series Signatures—ICMP Signatures

• 3000 Series Signatures—TCP Signatures

• 4000 Series Signatures—UDP Signatures

• 5000 Series Signatures—Web (HTTP) Signatures

• 6000 Series Signatures—Cross Protocol Signatures

• 8000 Series Signatures—String Match Signatures

• 10000 Series Signatures—ACL Policy Violation signatures

The Event Viewer represents your view into your intrusion detection system. Without this powerful application, you would be unaware of the alarms and intrusions on your network. To use the Event Viewer correctly, you should understand the following topics:

• Managing Alarms

• Customizing the Event Viewer

• Preference Settings

You can access the Network Security Database (NSDB) to research information regarding an alarm or a vulnerability. The NSDB is an HTML database containing detailed information on all the CIDS signatures and vulnerabilities. The NSDB also has a User Notes section that allows security administrators to record additional information for later viewing. User Notes are stored within the NSDB.