© 2006 Cisco Systems, Inc. All rights reserved. HIPS v
Configuring Rules
Configuring System Correlation Rules
Objectives
At the end of this lesson, you will be able to meet these objectives:
- Identify the rules that you can use to categorize processes and correlate events across multiple hosts
- Describe how to configure the System API control rule
- Configure the System API control rule
- Describe how to configure the Network shield rule
- Describe how to configure the Buffer overflow rule
- Explain the functions of the preconfigured Worm Protection Module
- Explain the functions of the preconfigured Installation Applications Policy
- Describe how to configure Global Event Correlation
System Correlation Rules
[Figure: a host infected with a worm sends an event to the CSA MC; the CSA MC correlates the events from the protected hosts and updates those hosts.]
Configuring the System API Control Rule
Practice: Configuring the System API Control Rule
Configuring the Network Shield Rule
Configuring the Buffer Overflow Rule
The Worm Protection Rule Module
Worm Event Correlation
[Figure: one host reports "worm detected, XYZ.txt infected!" and another reports "worm attack xyz.txt"; the CSA MC correlates the individual reports into a single alert: "Alert! Potential worm attack through XYZ.txt".]
The Installation Applications Policy
Global Event Correlation
[Figure: events reported by individual hosts (unauthorized registry attack, worm attack, virus scan report) are correlated at the CSA MC; attacks are detected and the network is alerted.]
Configuring the Global Event Correlation
Summary
- System correlation rules let CSA prevent command shells from being invoked by vulnerable application categories.
- The System API Control rule detects and prevents errant programs from performing malicious acts on individual systems and on the network.
- The Network Shield rule provides network protocol stack hardening.
- The Buffer Overflow rule detects a process being fed more data than the receiving buffer was sized to hold, the condition that buffer overflow exploits rely on.
- The Worm Protection module uses a dynamically built application class to detect suspicious actions occurring on a system.
- The Installation Applications policy is a preconfigured policy that tracks a software installation for a period of time and adds the installation processes to a dynamically built application class.
- Global event correlation is the collection, consolidation, and analysis of intrusion information reported by multiple, often diverse, hosts and network devices.
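The correlation step the lesson describes (each agent reports a suspicious event to the management center; the management center notices the same event across several hosts and pushes an update to all protected hosts) can be modelled in a few lines. The following is an added illustrative example, not CSA MC code and not part of the original course material. The event tuple layout, the threshold of three distinct hosts, the ten-minute window, and the case-insensitive comparison of file names are assumptions chosen for the example.

```python
"""Illustrative model of host-to-management-center worm event correlation.

This is an added example, not CSA MC code. The event format, the
3-host threshold, the 10-minute window and the case-folding of file
names are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as (timestamp, host, event type, file name).
# Several hosts report a write to the same file within a few minutes; one
# unrelated event and one late report of the same file are included so the
# filtering and the time window both matter.
SAMPLE_EVENTS = [
    ("2006-03-01 10:00:05", "host-a", "worm_write", "xyz.txt"),
    ("2006-03-01 10:00:40", "host-a", "worm_write", "readme.txt"),
    ("2006-03-01 10:02:10", "host-b", "worm_write", "XYZ.TXT"),
    ("2006-03-01 10:04:33", "host-c", "worm_write", "xyz.txt"),
    ("2006-03-01 10:05:00", "host-b", "api_control", "notes.doc"),
    ("2006-03-01 11:30:00", "host-d", "worm_write", "xyz.txt"),  # outside the window
]


def parse_event(row):
    """Normalise one raw event tuple into a dict with a datetime and a
    lower-cased file name (assumption: file names compare case-insensitively,
    as on Windows, so XYZ.TXT and xyz.txt are the same file)."""
    ts, host, kind, name = row
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "host": host,
        "kind": kind,
        "file": name.lower(),
    }


def correlate(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {file: sorted hosts} for every file that at least `min_hosts`
    distinct hosts reported a worm-style write to within one sliding window.

    Repeated reports from the same host count once, so a single noisy host
    cannot trigger a network-wide action on its own.
    """
    by_file = defaultdict(list)
    for e in map(parse_event, events):
        if e["kind"] == "worm_write":
            by_file[e["file"]].append((e["ts"], e["host"]))

    hits = {}
    for name, sightings in by_file.items():
        sightings.sort()  # chronological order
        for i, (start, _) in enumerate(sightings):
            # Distinct hosts reporting this file within `window` of sighting i.
            hosts = {h for t, h in sightings[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[name] = sorted(hosts)
                break
    return hits


def build_host_updates(hits, protected_hosts):
    """Produce the update the management center would push to every protected
    host: the list of correlated file names each agent should now treat as
    suspicious, whether or not that host reported anything itself."""
    quarantined = sorted(hits)
    return {host: quarantined for host in protected_hosts}


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    print("correlated:", found)
    print("updates:", build_host_updates(found, ["host-a", "host-b", "host-c", "host-z"]))
```

With the constructed events, only xyz.txt is reported by three distinct hosts inside ten minutes; readme.txt is seen on one host and the host-d report arrives too late to join the window, so the pushed update names just that one file. Raising the threshold or widening the window changes the outcome, which is the trade-off an operator tunes when configuring correlation.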