© 2006 Cisco Systems, Inc. All rights reserved. HIPS v3.04-1 Configuring Rules Configuring System Correlation Rules.

Transcript:

Configuring Rules: Configuring System Correlation Rules

Objectives
At the end of this lesson, you will be able to meet these objectives:
- Identify the rules that you can use to categorize processes and correlate events across multiple hosts
- Describe how to configure the System API control rule
- Configure the System API control rule
- Describe how to configure the Network shield rule
- Describe how to configure the Buffer overflow rule
- Explain the functions of the preconfigured Worm Protection Module
- Explain the functions of the preconfigured Installation Applications Policy
- Describe how to configure Global Event Correlation

System Correlation Rules (diagram): a host infected with a worm sends an event to CSA MC; CSA MC correlates the events and updates the protected hosts.

Configuring the System API Control Rule

Configuring the System API Control Rule (Cont.)

Configuring the System API Control Rule (Cont.)

Practice: Configuring the System API Control Rule

Configuring the Network Shield Rule

Configuring the Network Shield Rule (Cont.)

Configuring the Buffer Overflow Rule

Configuring the Buffer Overflow Rule (Cont.)

The Worm Protection Rule Module

The Worm Protection Rule Module (Cont.)

Worm Event Correlation (diagram): individual hosts report "worm detected", "XYZ.txt infected!" and "worm attack xyz.txt"; CSA MC raises "Alert! Potential worm attack through XYZ.txt".

The Installation Applications Policy

The Installation Applications Policy (Cont.)

The Installation Applications Policy (Cont.)

Global Event Correlation (diagram): an unauthorized registry attack, a worm attack and a virus scan report are collected; attacks detected; network alerted.

Configuring the Global Event Correlation

Summary
The system correlation rules allow CSA to prevent command shells from being invoked by vulnerable application categories. The System API Control rule detects and prevents errant programs from performing malicious acts on individual systems and networks. A Network Shield rule provides network protocol stack hardening capabilities. The Buffer Overflow rule checks for the accumulation of excess data for processing. The Worm Protection module builds a dynamic application class for detecting any suspicious action occurring on a system. The Installation Applications policy is a preconfigured policy applied to systems to track the time taken to install software and to add the installation processes to a dynamically built application class. Global event correlation refers to the collection, consolidation, and analysis of the information gathered as a result of intrusions from multiple and often diverse network devices.
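As an added illustration (not Cisco's code, and not how CSA MC actually implements correlation), the following Python model shows the multi-host worm event correlation described on the slides: agent events are collected centrally, an artifact reported by more than one distinct host is promoted to a dynamic application class, and that class is then pushed to every known host. The event fields, the host threshold and the host names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample agent events: three hosts report the same file under
# different capitalisation; one host reports an unrelated local event.
SAMPLE_EVENTS = [
    {"host": "ws01", "rule": "File access control", "artifact": "XYZ.txt", "action": "deny"},
    {"host": "ws02", "rule": "Buffer overflow", "artifact": "xyz.txt", "action": "deny"},
    {"host": "ws07", "rule": "Network shield", "artifact": "XYZ.txt", "action": "query"},
    {"host": "ws03", "rule": "Registry access control", "artifact": "setup.exe", "action": "deny"},
]


class WormCorrelator:
    """Toy model of management-center correlation (hypothetical, not CSA MC).

    Once the same artifact is reported by host_threshold distinct hosts it is
    promoted to a dynamic 'suspected worm' class and one alert is raised.
    """

    def __init__(self, host_threshold=2):
        self.host_threshold = host_threshold
        self.reporters = defaultdict(set)   # artifact -> hosts that reported it
        self.known_hosts = set()            # every host that has ever reported
        self.dynamic_class = set()          # artifacts promoted to the worm class
        self.alerts = []

    def ingest(self, event):
        """Record one agent event; return True if it promoted a new artifact."""
        key = event["artifact"].lower()     # XYZ.txt and xyz.txt are one file
        self.known_hosts.add(event["host"])
        self.reporters[key].add(event["host"])
        if key in self.dynamic_class or len(self.reporters[key]) < self.host_threshold:
            return False                    # single-host noise or already promoted
        self.dynamic_class.add(key)
        self.alerts.append("Alert! Potential worm attack through %s (reported by %s)"
                           % (key, ", ".join(sorted(self.reporters[key]))))
        return True


def correlate(events, host_threshold=2):
    """Feed events through the correlator; return it plus the per-host update
    that would be pushed (every known host receives the full dynamic class)."""
    corr = WormCorrelator(host_threshold)
    for event in events:
        corr.ingest(event)
    updates = {host: sorted(corr.dynamic_class) for host in sorted(corr.known_hosts)}
    return corr, updates
```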
