© 2001, Cisco Systems, Inc. CSIDS 2.09-1 Chapter 9 Signature and Intrusion Detection Configuration.

Transcript:

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
View signature settings and configure their severities and actions.
Enable or disable signatures.
Configure connection and string signatures.
Create signature templates and change which one a Sensor uses.
Configure the minimum alarm severity level a Sensor sends to the Director.

Objectives (continued)
Configure signature filtering to reduce false positives and tune signature triggering for the user environment.
Configure signature tuning parameters to customize triggers for the user environment.
Configure signature port mapping to customize it for the user environment.
Create ACL signatures that generate alarms when ACL violations are detected on a Cisco IOS router.

Basic Signature Configuration

Viewing the Signature Settings (screen callouts: Select Signature Template)

Signature Names and Severities (screen callouts: Severity; Signature Name; Select Signature Template)

Enabling and Disabling Signatures (screen callouts: Enable checkbox; Select Signature Template)

Setting Signature Actions (screen callouts: Double-click Action; Select Signature Template)

Connection Signature Type and Port Configuration (screen callouts: TCP or UDP; Port number; Select Signature Template)

String Signatures Configuration (screen callouts: Number of Occurrences; String pattern; TCP Port; Traffic Direction; Select Signature Template)

Signature Templates

What is a Signature Template? (screen callouts: Sensor Signatures; Templates)

Creating a New Signature Template (screen callouts: Select and right-click Sensor Signatures; Select New > Sensor Signature)

Assigning the Signature Template Used by the Sensor (screen callouts: Select the Sensor; Select the Sensing tab; Choose the Signature Template)

Applying the Signature Template to the Sensor (screen callouts: Select the Sensor; Select the Command tab; Check for errors; Click Approve Now)

Signature Filtering

Setting the Minimum Level to Send to the Director (screen callouts: Select the Sensor; Select the Filtering tab; Minimum Event Level)

Simple Signature Filtering (screen callouts: Select the Sensor; Select the Filtering tab; Select the Simple Filtering tab; Signature; Sub-signature; Address role; IP address and netmask)

Advanced Signature Filtering (screen callouts: Select the Sensor; Select the Filtering tab; Select the Advanced Filtering tab; Signature; Subsignature; Source Address; Destination Address)

Advanced Signature Configuration

Signature Tuning (screen callouts: Select the Sensor; Select the Sensing tab; Select the Signature Tuning Parameters tab; Parameter names; Parameter values)

Signature Port Mapping (screen callouts: Select the Sensor; Select the Sensing tab; Select the Port Mapping tab; Click OK)

ACL Signatures Configuration

Creating ACL Signatures (screen callouts: Select Signature Template; Select the ACL Signatures tab; Click Add; Click OK)

Defining Syslog Sources (screen callouts: Select the Sensor; Select the Monitoring tab; Click Add; Click OK)

Summary
All signature severities and actions are modified in the signature template in CSPM.
Signatures can be enabled or disabled.
Connection and string signatures are configured in the signature template in CSPM.
Many signature templates can be created.
A given signature template is applied to one or many Sensors.
The minimum alarm severity level can be configured on a Sensor to limit the alarms sent to the Director.
Signature filtering reduces false positives and other undesired alarms.
Signature parameter tuning is used to customize signature triggers in the user environment.
Signature port mapping is used to customize port-to-signature settings in the user environment.
ACL signatures generate alarms when ACL violations are detected on a Cisco IOS router.
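The summary above, together with the String Signatures, Signature Filtering and Minimum Event Level slides, describes how a Sensor decides which alarms reach the Director: a signature in the template must be enabled and match (connection signatures by protocol and port; string signatures by pattern, TCP port, traffic direction and number of occurrences), the alarm must not be removed by a simple filter (signature, sub-signature, address role, IP address and netmask), and its severity must reach the Sensor's minimum event level. The following Python models that decision chain. It is an added illustration written for this page, not Cisco CSIDS or CSPM code; the signature IDs, the 1 to 5 severity scale, the field names, the "to_service" direction label, the choice of port as the sub-signature ID, and the sample packets and addresses are all constructed assumptions.

```python
"""Toy model of CSIDS signature template, simple filtering and minimum event
level (added example; not Cisco code; all identifiers and values are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp" or "udp"
    dport: int
    payload: bytes = b""
    direction: str = "to_service"  # assumed label for the "traffic direction" setting


@dataclass
class ConnectionSignature:
    sig_id: int
    proto: str                     # TCP or UDP, as on the connection-signature slide
    port: int                      # port number; also used here as the sub-signature ID (assumption)
    severity: int                  # assumed 1 (lowest) to 5 (highest)
    action: str = "alarm"
    enabled: bool = True


@dataclass
class StringSignature:
    sig_id: int
    pattern: bytes                 # string pattern
    port: int                      # TCP port inspected
    direction: str                 # traffic direction
    occurrences: int               # matches required before an alarm fires
    severity: int
    action: str = "alarm"
    enabled: bool = True


Signature = Union[ConnectionSignature, StringSignature]


@dataclass
class SimpleFilter:
    sig_id: int
    sub_id: Optional[int]          # None matches every sub-signature
    role: str                      # "source" or "destination" address role
    network: ipaddress.IPv4Network  # IP address and netmask


@dataclass
class Alarm:
    sig_id: int
    sub_id: int
    severity: int
    action: str
    src: str
    dst: str


class Sensor:
    def __init__(self, template: List[Signature], filters: List[SimpleFilter], min_event_level: int):
        self.template = template
        self.filters = filters
        self.min_event_level = min_event_level
        self._hits: Dict[Tuple[int, str], int] = {}   # (sig_id, src) -> string matches so far

    def evaluate(self, pkt: Packet) -> List[Alarm]:
        """Raise alarms for every enabled signature in the template that the packet matches."""
        alarms: List[Alarm] = []
        for sig in self.template:
            if not sig.enabled:
                continue
            if isinstance(sig, ConnectionSignature):
                if pkt.proto == sig.proto and pkt.dport == sig.port:
                    alarms.append(Alarm(sig.sig_id, sig.port, sig.severity, sig.action, pkt.src, pkt.dst))
            else:
                if (pkt.proto, pkt.dport, pkt.direction) != ("tcp", sig.port, sig.direction):
                    continue
                if sig.pattern not in pkt.payload:
                    continue
                key = (sig.sig_id, pkt.src)
                self._hits[key] = self._hits.get(key, 0) + 1
                if self._hits[key] >= sig.occurrences:      # fire only on the Nth occurrence
                    alarms.append(Alarm(sig.sig_id, 0, sig.severity, sig.action, pkt.src, pkt.dst))
                    self._hits[key] = 0
        return alarms

    def is_filtered(self, alarm: Alarm) -> bool:
        """Simple filtering: drop the alarm if a filter matches its signature, sub-signature and address role."""
        for f in self.filters:
            if f.sig_id != alarm.sig_id or (f.sub_id is not None and f.sub_id != alarm.sub_id):
                continue
            addr = alarm.src if f.role == "source" else alarm.dst
            if ipaddress.IPv4Address(addr) in f.network:
                return True
        return False

    def process(self, packets: List[Packet]) -> List[Alarm]:
        """Return the alarms forwarded to the Director: unfiltered and at or above the minimum event level."""
        return [a for pkt in packets for a in self.evaluate(pkt)
                if not self.is_filtered(a) and a.severity >= self.min_event_level]


def run_example() -> List[Alarm]:
    """Constructed template, filter and traffic; returns the alarms that reach the Director."""
    template: List[Signature] = [
        ConnectionSignature(sig_id=3000, proto="tcp", port=23, severity=3),
        ConnectionSignature(sig_id=3000, proto="tcp", port=79, severity=1),
        ConnectionSignature(sig_id=4000, proto="udp", port=514, severity=2, enabled=False),
        StringSignature(sig_id=8000, pattern=b"/etc/passwd", port=80, direction="to_service",
                        occurrences=2, severity=4),
    ]
    # Suppress TCP/23 connection alarms whose source is the peer pod's network (constructed range).
    filters = [SimpleFilter(3000, 23, "source", ipaddress.IPv4Network("10.0.2.0/24"))]
    sensor = Sensor(template, filters, min_event_level=2)
    packets = [
        Packet("10.0.1.50", "10.0.1.4", "tcp", 23),                                   # alarm, sent
        Packet("10.0.2.10", "10.0.1.4", "tcp", 23),                                   # alarm, filtered out
        Packet("10.0.1.50", "10.0.1.4", "tcp", 79),                                   # severity 1 < minimum 2
        Packet("10.0.1.50", "10.0.1.4", "udp", 514),                                  # signature disabled
        Packet("10.0.1.60", "10.0.1.4", "tcp", 80, b"GET /../etc/passwd HTTP/1.0"),   # 1st occurrence, silent
        Packet("10.0.1.60", "10.0.1.4", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),  # 2nd: alarm, sent
    ]
    return sensor.process(packets)


if __name__ == "__main__":
    for a in run_example():
        print(f"sig {a.sig_id}/{a.sub_id} sev {a.severity} {a.action} {a.src} -> {a.dst}")
```

Of the six constructed packets only two alarms reach the Director: the Telnet connection from the unfiltered host and the string signature on its second occurrence. The filtered peer-pod alarm, the severity-1 alarm below the minimum event level, the disabled UDP signature and the first string match are all dropped at the Sensor, which is the effect the filtering and minimum-level settings on this page are meant to produce.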

Lab: Signatures Configuration

Lab Visual Objective (diagram labels): Pod P (your pod) and Pod Q (peer pod), each with a router (rP, rQ; interfaces e0/0 and e0/1), a Sensor (sensorP, sensorQ), an IDSM (idsmP, idsmQ) and a CSPM host. CSPM for Pod P: Host ID = 3, Org ID = P, Host Name = director P, Org Name = pod P. CSPM for Pod Q: Host ID = 3, Org ID = Q, Host Name = director Q, Org Name = pod Q.