© 2001, Cisco Systems, Inc. CSIDS Chapter 9 Signature and Intrusion Detection Configuration
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- View signature settings and configure their severities and actions.
- Enable or disable signatures.
- Configure connection and string signatures.
- Create signature templates and change which one is used by a Sensor.
- Configure the minimum alarm severity level a Sensor sends to the Director.

Objectives (cont.)
- Configure signature filtering to reduce false positives and tune signature triggering in the user environment.
- Configure signature tuning parameters to customize triggers for the user environment.
- Configure signature port mapping to customize it for the user environment.
- Create ACL signatures that generate alarms when ACL violations are detected in a Cisco IOS router.
Basic Signature Configuration

Viewing the Signature Settings (CSPM screenshot; callout: Select Signature Template)

Signature Names and Severities (CSPM screenshot; callouts: Select Signature Template, Signature Name, Severity)

Enabling and Disabling Signatures (CSPM screenshot; callouts: Select Signature Template, Enable checkbox)

Setting Signature Actions (CSPM screenshot; callouts: Select Signature Template, double-click Action)

Connection Signature Type and Port Configuration (CSPM screenshot; callouts: Select Signature Template, TCP or UDP, Port number)

String Signatures Configuration (CSPM screenshot; callouts: Select Signature Template, String pattern, TCP Port, Traffic Direction, Number of Occurrences)
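The connection and string signature fields on the two slides above (protocol and port; string pattern, TCP port, traffic direction, number of occurrences) can be modelled directly. What follows is an added example written for this page, not CSIDS or CSPM code: a toy matcher that raises one alarm per new connection to a configured port, and counts string-pattern matches per source/destination pair until the configured number of occurrences is reached. The signature numbers, the direction names to_port/from_port, and the packet traffic are all constructed for the example.

```python
"""Added example: a minimal connection/string signature matcher (not CSIDS code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class ConnectionSignature:
    sig_id: int
    name: str
    proto: str          # TCP or UDP, as on the configuration slide
    port: int           # destination port; one alarm per new connection to it
    severity: int
    enabled: bool = True


@dataclass(frozen=True)
class StringSignature:
    sig_id: int
    name: str
    pattern: str        # regular expression searched in the TCP payload
    port: int           # TCP port the string is watched on
    direction: str      # "to_port": packets sent to that port; "from_port": replies from it
    occurrences: int    # matches per src/dst pair before the alarm fires
    severity: int
    enabled: bool = True


Alarm = Tuple[int, str, int, str, str]   # (sig_id, name, severity, src, dst)


class SignatureEngine:
    """Evaluates enabled signatures against packets and returns alarms."""

    def __init__(self, conn_sigs: List[ConnectionSignature],
                 string_sigs: List[StringSignature]) -> None:
        self.conn_sigs = conn_sigs
        self.string_sigs = [(s, re.compile(s.pattern.encode())) for s in string_sigs]
        self.seen_conns: Set[Tuple[str, int, str, int]] = set()
        self.hits: Dict[Tuple[int, str, str], int] = {}

    def process(self, pkt: Packet) -> List[Alarm]:
        alarms: List[Alarm] = []
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if conn not in self.seen_conns:            # connection signatures: first packet only
            self.seen_conns.add(conn)
            for s in self.conn_sigs:
                if s.enabled and s.proto == pkt.proto and s.port == pkt.dport:
                    alarms.append((s.sig_id, s.name, s.severity, pkt.src, pkt.dst))
        if pkt.proto != "tcp":
            return alarms                          # string signatures are TCP-only on the slide
        for s, rx in self.string_sigs:
            if not s.enabled:
                continue
            if s.direction == "to_port" and pkt.dport != s.port:
                continue
            if s.direction == "from_port" and pkt.sport != s.port:
                continue
            if not rx.search(pkt.payload):
                continue
            key = (s.sig_id, pkt.src, pkt.dst)
            self.hits[key] = self.hits.get(key, 0) + 1
            if self.hits[key] >= s.occurrences:
                self.hits[key] = 0                 # reset so the next N matches alarm again
                alarms.append((s.sig_id, s.name, s.severity, pkt.src, pkt.dst))
        return alarms


def run_sample() -> List[Alarm]:
    """Constructed traffic: a telnet session with three failed logins, then a web probe."""
    engine = SignatureEngine(
        [ConnectionSignature(3001, "TCP port 23 (telnet) connection", "tcp", 23, 3)],
        [StringSignature(8001, "Telnet login failures", r"Login incorrect", 23, "from_port", 3, 4),
         StringSignature(8002, "/etc/shadow requested over HTTP", r"/etc/shadow", 80, "to_port", 1, 5)],
    )
    client, server = "10.0.1.5", "10.0.2.9"          # constructed addresses
    traffic = [
        Packet(client, server, "tcp", 40001, 23),                                   # new telnet connection
        Packet(server, client, "tcp", 23, 40001, b"Login incorrect\r\n"),           # failure 1
        Packet(server, client, "tcp", 23, 40001, b"Login incorrect\r\n"),           # failure 2
        Packet(client, server, "tcp", 40001, 23, b"Login incorrect\r\n"),           # wrong direction: ignored
        Packet(server, client, "tcp", 23, 40001, b"Login incorrect\r\n"),           # failure 3: alarm
        Packet(client, server, "tcp", 40002, 80, b"GET /../../etc/shadow HTTP/1.0\r\n"),
        Packet(client, server, "udp", 40003, 23),                                   # UDP: TCP signature does not apply
    ]
    alarms: List[Alarm] = []
    for pkt in traffic:
        alarms.extend(engine.process(pkt))
    return alarms


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

The fourth packet is the case the Traffic Direction field decides: the same string sent towards port 23 does not count, because the signature is tied to replies from port 23. The UDP packet to port 23 shows the protocol field doing the same job for connection signatures.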
Signature Templates

What is a Signature Template? (diagram: Sensor, Signatures, Templates.) A signature template is a named collection of signature settings in CSPM: which signatures are enabled, their severities and actions, and any connection, string and ACL signatures. Many templates can be created, and a given template is applied to one or many Sensors.

Creating a New Signature Template (CSPM screenshot): select and right-click Sensor Signatures, then select New > Sensor Signature.

Assigning the Signature Template Used by the Sensor (CSPM screenshot): select the Sensor, select the Sensing tab, choose the Signature Template.

Applying the Signature Template to the Sensor (CSPM screenshot): select the Sensor, select the Command tab, check for errors, click Approve Now.
Signature Filtering

Setting the Minimum Level to Send to the Director (CSPM screenshot): select the Sensor, select the Filtering tab, set the Minimum Event Level.

Simple Signature Filtering (CSPM screenshot): select the Sensor, select the Filtering tab, select the Simple Filtering tab; fields: Signature, Sub-signature, Address role, IP address and netmask.

Advanced Signature Filtering (CSPM screenshot): select the Sensor, select the Filtering tab, select the Advanced Filtering tab; fields: Signature, Subsignature, Source Address, Destination Address.
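The three Filtering-tab settings above combine into one decision per alarm: drop it if it is below the minimum event level, drop it if a simple filter names its signature (and optionally sub-signature) for the address in the chosen role, and drop it if an advanced filter names its signature for that exact source-to-destination pair. The code below is an added example for this page, not CSIDS or CSPM code; the signature numbers, severity values and addresses are constructed, and networks are written in the "address/netmask" form the Simple Filtering tab takes.

```python
"""Added example: minimum event level plus simple/advanced signature filtering (not CSIDS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    sub_sig: int
    severity: int       # numeric alarm level; the Director sees only levels >= the minimum
    src: str
    dst: str


@dataclass(frozen=True)
class SimpleFilter:
    """Exclude one signature (optionally one sub-signature) for an address in a given role."""
    sig_id: int
    sub_sig: Optional[int]   # None means every sub-signature
    role: str                # "source" or "destination" (the Address role field)
    network: str             # "IP address/netmask" as entered on the Simple Filtering tab


@dataclass(frozen=True)
class AdvancedFilter:
    """Exclude a signature only for a specific source-to-destination pair."""
    sig_id: int
    sub_sig: Optional[int]
    src_network: str
    dst_network: str


def _in(addr: str, network: str) -> bool:
    # strict=False accepts "10.0.1.0/255.255.255.0" as well as prefix notation
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


def _sig_matches(f_sig: int, f_sub: Optional[int], a: Alarm) -> bool:
    return f_sig == a.sig_id and (f_sub is None or f_sub == a.sub_sig)


def forward_to_director(alarms: List[Alarm], min_level: int,
                        simple: List[SimpleFilter],
                        advanced: List[AdvancedFilter]) -> List[Alarm]:
    """Return the alarms the Sensor would actually send to the Director."""
    forwarded: List[Alarm] = []
    for a in alarms:
        if a.severity < min_level:                       # Minimum Event Level
            continue
        simple_hit = any(
            _sig_matches(f.sig_id, f.sub_sig, a)
            and _in(a.src if f.role == "source" else a.dst, f.network)
            for f in simple)
        advanced_hit = any(
            _sig_matches(f.sig_id, f.sub_sig, a)
            and _in(a.src, f.src_network) and _in(a.dst, f.dst_network)
            for f in advanced)
        if simple_hit or advanced_hit:
            continue
        forwarded.append(a)
    return forwarded


def run_sample() -> List[Alarm]:
    """Constructed filters and alarms; signature numbers are illustrative only."""
    simple = [
        SimpleFilter(2004, None, "source", "10.0.1.20/255.255.255.255"),   # management host that pings everything
        SimpleFilter(8001, 1, "destination", "10.0.2.0/255.255.255.0"),    # only sub-signature 1, server LAN
    ]
    advanced = [
        AdvancedFilter(3002, None, "10.0.1.0/255.255.255.0", "10.0.2.0/255.255.255.0"),  # scanner subnet -> server LAN only
    ]
    alarms = [
        Alarm(2004, 0, 2, "10.0.1.20", "10.0.2.9"),     # below minimum level: dropped
        Alarm(2004, 0, 3, "10.0.1.20", "10.0.2.9"),     # simple filter, source role: dropped
        Alarm(2004, 0, 3, "172.16.5.5", "10.0.2.9"),    # same signature, other source: forwarded
        Alarm(3002, 0, 4, "10.0.1.30", "10.0.2.9"),     # advanced filter, src and dst both match: dropped
        Alarm(3002, 0, 4, "10.0.1.30", "192.168.7.7"),  # dst outside the pair: forwarded
        Alarm(8001, 1, 5, "172.16.5.5", "10.0.2.9"),    # sub-signature 1 filtered for this destination
        Alarm(8001, 2, 5, "172.16.5.5", "10.0.2.9"),    # sub-signature 2 is not: forwarded
    ]
    return forward_to_director(alarms, 3, simple, advanced)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

The value of advanced filtering shows in the two 3002 alarms: the scanner subnet is excluded only when it targets the server LAN, so the same scanner hitting 192.168.7.7 still reaches the Director. A simple filter on the scanner's address would have suppressed both.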
Advanced Signature Configuration

Signature Tuning (CSPM screenshot): select the Sensor, select the Sensing tab, select the Signature Tuning Parameters tab; columns: Parameter names, Parameter values.

Signature Port Mapping (CSPM screenshot): select the Sensor, select the Sensing tab, select the Port Mapping tab, click OK.
ACL Signatures Configuration

Creating ACL Signatures (CSPM screenshot): select the Signature Template, select the ACL Signatures tab, click Add, click OK.

Defining Syslog Sources (CSPM screenshot): select the Sensor, select the Monitoring tab, click Add, click OK.
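An ACL signature is only as trustworthy as the syslog source list: a Sensor that accepted %SEC-6-IPACCESSLOG messages from any address could be fed spoofed "violations". The following is an added example for this page, not CSIDS or CSPM code, showing the two steps above working together: accept messages only from the defined syslog sources, then map the ACL named in the IOS message to a configured ACL signature. The message text follows the standard IOS %SEC-6-IPACCESSLOGP/DP/NP format; the signature numbers, router addresses and sample messages are constructed.

```python
"""Added example: IOS ACL-log syslog messages from defined sources -> ACL signature alarms (not CSIDS code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Standard IOS messages logged when an ACE carrying the "log" keyword matches.
# P: TCP/UDP with ports, DP: ICMP (type/code follows the destination), NP: other protocols.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
)


@dataclass(frozen=True)
class AclSignature:
    sig_id: int         # constructed signature number
    acl: str            # ACL name or number as it appears in the router's message
    severity: int


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    severity: int
    router: str         # syslog source that reported the violation
    acl: str
    proto: str
    src: str
    dst: str


def process_syslog(messages: Iterable[Tuple[str, str]], syslog_sources: Set[str],
                   acl_sigs: List[AclSignature]) -> List[Alarm]:
    """messages are (sender IP, raw syslog text) pairs as received over UDP/514."""
    by_acl: Dict[str, AclSignature] = {s.acl: s for s in acl_sigs}
    alarms: List[Alarm] = []
    for sender, text in messages:
        if sender not in syslog_sources:          # only routers defined on the Monitoring tab
            continue
        m = ACL_LOG.search(text)
        if not m or m["action"] != "denied":      # only denied traffic is an ACL violation
            continue
        sig = by_acl.get(m["acl"])
        if sig is None:                           # ACL without a configured signature
            continue
        alarms.append(Alarm(sig.sig_id, sig.severity, sender,
                            m["acl"], m["proto"], m["src"], m["dst"]))
    return alarms


# Constructed configuration and traffic for the example.
SYSLOG_SOURCES = {"10.0.1.1", "10.0.2.1"}
ACL_SIGNATURES = [AclSignature(45001, "101", 4), AclSignature(45002, "INSIDE-OUT", 3)]
SAMPLE_MESSAGES = [
    ("10.0.1.1", "<190>37: *Mar  1 01:15:02.331: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
                 "172.16.9.4(3344) -> 10.0.1.10(23), 1 packet"),
    ("10.0.1.1", "<190>38: *Mar  1 01:15:09.010: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
                 "10.0.1.10(1029) -> 10.0.2.9(80), 1 packet"),                    # permitted: no alarm
    ("192.168.50.7", "<190>12: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
                     "1.2.3.4(1) -> 10.0.1.10(23), 1 packet"),                     # unknown sender: ignored
    ("10.0.2.1", "<190>90: *Mar  1 01:16:44.200: %SEC-6-IPACCESSLOGDP: list INSIDE-OUT denied icmp "
                 "10.0.2.9 -> 172.16.9.4 (8/0), 1 packet"),
    ("10.0.2.1", "<190>91: *Mar  1 01:16:50.004: %SEC-6-IPACCESSLOGNP: list 199 denied 47 "
                 "10.0.2.9 -> 172.16.9.4, 1 packet"),                             # ACL 199 has no signature
    ("10.0.2.1", "<189>92: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.2.3)"),
]


def run_sample() -> List[Alarm]:
    return process_syslog(SAMPLE_MESSAGES, SYSLOG_SOURCES, ACL_SIGNATURES)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

On the router side the ACE must carry the log keyword (for example access-list 101 deny tcp any any eq telnet log) and the router must send syslog to the Sensor (logging <sensor-address>); those are standard IOS commands and are not taken from the slides. The example alarms only on denied entries: permitted-with-log entries are audit data, not ACL violations.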
Summary
- All signature severities and actions are modified in the signature template in CSPM.
- Signatures can be enabled or disabled.
- Connection and string signatures are configured in the signature template in CSPM.
- Many signature templates can be created. A given signature template is applied to one or many Sensors.
- The minimum alarm severity level can be configured on a Sensor to limit the alarms sent to the Director.
- Signature filtering reduces false positives and other undesired alarms.
- Signature parameter tuning is used to customize signature triggers in the user environment.
- Signature port mapping is used to customize port-to-signature settings in the user environment.
- ACL signatures generate alarms when ACL violations are detected in a Cisco IOS router.
Lab: Signatures Configuration

Lab Visual Objective (network diagram)
Pod P (your pod) and Pod Q (peer pod), each containing a router (rP / rQ, interfaces e0/0 and e0/1), a CSPM host (…P.3 in pod P, 10.0.Q.3 in pod Q), a Sensor (sensorP / sensorQ) and an IDSM (idsmP / idsmQ).
CSPM settings, pod P: Host ID = 3, Org ID = P, Host Name = director P, Org Name = pod P.
CSPM settings, pod Q: Host ID = 3, Org ID = Q, Host Name = director Q, Org Name = pod Q.