The presentation was published 10 years ago by user Валентина Девятаева
1 © 2004, Cisco Systems, Inc. All rights reserved. CSIDS
Lesson 9: Signature Configuration

2 Objectives

3 Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Configure a signature's enable status, severity level, and action.
– Tune a signature to perform optimally based on a network's characteristics.
– Create a custom signature given an attack scenario.

4 Signature Configuration

5 Signature Configuration Tasks
Basic signature configuration includes the following:
– Enabling or disabling the signature
– Assigning the severity level
– Assigning the signature action

6 Accessing the Signature Configuration Page
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode.

7 All Signatures Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select All Signatures. (Screenshot: NSDB information on signature 1001.)

8 Basic Signature Configuration
(Screenshot: the AlarmSeverity, EventAction, and Enabled parameters.)

9 Engines Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select Engines.

10 Attack Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select Attack.

11 L2/L3/L4 Protocol Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select L2/L3/L4 Protocol.

12 OS Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select OS.

13 Service Group
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select Service.
14 Signature Tuning

15 Tuning Signatures
Complete the following tasks to tune a signature:
– Choose the signature to tune.
– Modify the signature parameter values.
– Save and apply the new signature parameter settings to the Sensor.

16 Tuning Scenario: FTP Login
A company FTP server stores software that is being beta tested by customers. The company wants to detect unauthorized login attempts. By examining the FTP service signatures, the network security administrator discovers signature 6250, the Auth Failure FTP signature. After examining the parameters for signature 6250, the administrator decides to tune the signature to do the following:
– Trigger a high-severity alarm after two failed login attempts.
– Send an alarm event every time the attack is detected.
– Terminate the session.

17 Tuning Scenario: FTP Login (Cont.)
The administrator decides to modify the values of the following signature parameters to satisfy the current needs:
– AlarmSeverity: to trigger a high-severity alarm
– AlarmThrottle: to send an alarm event every time the attack is detected
– EventAction: to terminate the session when the signature fires
– MinHits: to trigger the alarm after two failed login attempts
The default values of the remaining parameters are accepted.

18 Login Scenario Configuration
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Configuration Mode, and select Service. (Screenshot: the FTP signatures.)

19 Login Scenario Configuration (Cont.)
(Screenshot: the AlarmSeverity, EventAction, AlarmThrottle, and MinHits parameters.)

20 Login Scenario Configuration (Cont.)
(Screenshot: the Auth Failure FTP signature.)
21 Custom Signatures

22 Creating Custom Signatures
The Signature Wizard in IDM:
– Guides you through the process of creating custom signatures
– Enables you to create custom signatures without detailed knowledge of all the signature engines and their parameters
– Consists of six tasks:
  – Choosing the signature type
  – Identifying the signature
  – Setting the engine-specific parameters
  – Setting the alert response
  – Setting the alert behavior
  – Completing the custom signature

23 Start the Signature Wizard
Choose Configuration > Sensing Engine > Virtual Sensor Configuration > Signature Wizard.

24 Select the Signature Type

25 Configure the Signature Identification Parameters

26 Configure Web Server Service Ports for Web Server Signatures

27 Configure the Engine-Specific Parameters: Web Server Signatures

28 Engine-Specific Parameters: Web Server Signatures (Cont.)

29 Configure the Engine-Specific Parameters: TCP Packet Signatures

30 Configure the Engine-Specific Parameters: UDP Packet Signatures

31 Configure the Engine-Specific Parameters: IP Packet Signatures

32 Configure the Engine-Specific Parameters: Stream Signatures

33 Configure the Alert Response Actions

34 Fine-Tune the Alert Behavior

35 Set the Alert Frequency

36 Configure the Alert Dynamic Response

37 Configure the Alert Summary Key

38 Create the New Signature

39 Acknowledge Configuration Completion

40 Wizard Complete

41 Commit Changes
(Screenshot: the Activity bar's save changes icon.)
42 Custom Signature Scenarios

43 IP Address and Packet Capture Scenario
A network security administrator wants to create a custom signature that meets the following requirements:
– The signature should trigger on and capture all SYN packets from the /24 network, but not SYN-ACK packets.
– The number of alarms sent to the eventStore should be limited.

44 IP Address and Packet Capture Scenario (Cont.)
The administrator determines that a custom TCP packet signature can meet this need because of the following:
– The SrcIpAddr and SrcIpMask parameters can be used to specify the IP address of interest.
– The TcpFlags and Mask parameters can be used to specify the flags of interest.
– The AlarmThrottle, ChokeThreshold, and ThrottleInterval parameters can be used to limit the number of alarms.
– The CapturePacket parameter can be set to true to instruct the Sensor to capture any packet that triggers an alarm.

45 Select the Signature Type

46 Configure the Signature Identification Parameters

47 Configure the Engine-Specific Parameters

48 Configure the Alert Response Actions

49 Fine-Tune the Alert Behavior

50 Set the Alert Frequency

51 Configure the Alert Dynamic Response
52 FTP Login Scenario
A network security administrator wants to create a custom signature to detect login failures to an FTP server. The administrator knows the following about FTP and TCP:
– The FTP server sends the 530 (user access denied) reply when an FTP login failure occurs.
– FTP uses TCP port 21.
– The FTP server uses the TCP PSH flag to push prompts and user input through immediately.
– The TCP ACK flag indicates an acknowledgment.

53 FTP Login Scenario (Cont.)
The network security administrator, using knowledge of TCP and FTP, determines that the signature can trigger on the contents of a single packet:
– The SinglePacketRegex parameter can be set so that the signature looks for the 530 error message in a packet.
– The TcpFlags and Mask parameters can be set so that the signature examines only packets with the PSH and ACK flags set.

54 FTP Login Scenario: Select the Signature Type

55 FTP Login Scenario: Configure the Signature Identification Parameters

56 FTP Login Scenario: Configure the Engine-Specific Parameters

57 FTP Login Scenario: Configure the Alert Response Actions

58 FTP Login Scenario: Set the Alert Frequency
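The FTP login-failure logic that the tuning scenario (signature 6250 with MinHits, AlarmSeverity, AlarmThrottle and EventAction) and the custom FTP Login scenario (SinglePacketRegex on the 530 reply, TcpFlags and Mask for PSH and ACK) describe can be written out as a small matcher. The Python below is an added illustration, not Cisco code and not how the sensor engine is implemented: the class, its use of the slide's parameter names, the per-client hit counting, the FireAll/FireOnce treatment of AlarmThrottle and the constructed FTP exchange are all assumptions made for the example.

```python
import re
from collections import defaultdict

# TCP flag bit values as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class FtpAuthFailureSignature:
    """Hypothetical model of a TCP packet signature carrying the parameters the
    slides tune on signature 6250 (Auth Failure FTP). Not the sensor's code."""

    def __init__(self, alarm_severity="high", event_action=("reset",),
                 alarm_throttle="FireAll", min_hits=2,
                 tcp_flags=PSH | ACK, mask=PSH | ACK, service_port=21,
                 single_packet_regex=rb"^530[ -]"):
        self.sig_id = 6250
        self.alarm_severity = alarm_severity
        self.event_action = tuple(event_action)
        self.alarm_throttle = alarm_throttle      # "FireAll" or "FireOnce" (assumed values)
        self.min_hits = min_hits
        self.tcp_flags = tcp_flags
        self.mask = mask
        self.service_port = service_port
        self.regex = re.compile(single_packet_regex)
        self.hits = defaultdict(int)              # hits counted per client host (assumption)
        self.fired = set()

    def inspect(self, src, sport, dst, dport, flags, payload):
        """Return an alarm dict if this packet fires the signature, else None."""
        # The 530 reply travels server -> client, so the source port is 21.
        if sport != self.service_port:
            return None
        # TcpFlags/Mask: only the bits in Mask are compared, and they must equal TcpFlags.
        if (flags & self.mask) != self.tcp_flags:
            return None
        # SinglePacketRegex: the decision depends on this one packet's payload.
        if not self.regex.search(payload):
            return None
        client = dst
        self.hits[client] += 1
        if self.hits[client] < self.min_hits:
            return None                           # MinHits not reached yet
        if self.alarm_throttle == "FireOnce" and client in self.fired:
            return None                           # already alarmed for this client
        self.fired.add(client)
        return {"sig": self.sig_id, "severity": self.alarm_severity,
                "actions": self.event_action, "client": client,
                "hits": self.hits[client]}


# Constructed FTP exchange (not captured traffic): three failed logins from one
# client, a bare ACK without PSH, then a successful login.
SAMPLE_PACKETS = [
    # (src, sport, dst, dport, flags, payload)
    ("10.0.0.5", 40001, "192.0.2.10", 21, PSH | ACK, b"USER beta\r\n"),
    ("192.0.2.10", 21, "10.0.0.5", 40001, PSH | ACK, b"530 Login incorrect.\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 21, PSH | ACK, b"PASS guess2\r\n"),
    ("192.0.2.10", 21, "10.0.0.5", 40001, PSH | ACK, b"530 Login incorrect.\r\n"),
    ("192.0.2.10", 21, "10.0.0.5", 40001, ACK, b""),
    ("192.0.2.10", 21, "10.0.0.5", 40001, PSH | ACK, b"530 Login incorrect.\r\n"),
    ("192.0.2.10", 21, "10.0.0.5", 40001, PSH | ACK, b"230 Login successful.\r\n"),
]


def run(alarm_throttle="FireAll"):
    """Feed the sample exchange through the signature and collect the alarms."""
    sig = FtpAuthFailureSignature(alarm_throttle=alarm_throttle)
    return [a for pkt in SAMPLE_PACKETS if (a := sig.inspect(*pkt))]


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

With MinHits set to 2 the first 530 reply is silent, the second and third each raise a high-severity alarm carrying the reset action (AlarmThrottle FireAll); with FireOnce only the second reply alarms. The server's bare ACK is ignored because the PSH bit is inside the Mask but not set.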
59 String Pattern Scenario
A network security administrator wants to create a signature that detects the word "confidential" in common electronic communication methods. The administrator knows the port numbers of the traffic to be inspected:
– FTP: 20 and 21
– Telnet: 23
– SMTP: 25
– HTTP: 80
– POP3: 110

60 String Pattern Scenario (Cont.)
The administrator decides to create a TCP stream signature because all the protocols to be examined are TCP-based and because of the following:
– The Regular Expression parameter can be used to specify the string pattern "confidential".
– The Service Ports parameter can be used to specify the range of ports.
– The Direction parameter can be used to instruct the Sensor to inspect traffic destined for the service ports specified.

61 String Pattern Scenario: Select the Signature Type

62 String Pattern Scenario: Configure the Signature Identification Parameters

63 String Pattern Scenario: Configure the Engine-Specific Parameters
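The reason the scenario picks a stream signature rather than a packet signature is that a string can straddle a segment boundary, so the regex must run over the reassembled stream. The Python below is an added example, not Cisco code: it reassembles client-to-service segments by sequence number and applies the Regular Expression, Service Ports and Direction parameters from the slide. The minimal reassembly (contiguous bytes from the lowest sequence number seen, no ISN tracking, no retransmission handling), the per-stream single alarm and the constructed SMTP session are assumptions made for the example.

```python
import re


class TcpStreamSignature:
    """Hypothetical model of a TCP stream signature. Not the sensor's code."""

    def __init__(self, regex=rb"confidential",
                 service_ports=(20, 21, 23, 25, 80, 110), direction="ToService"):
        self.regex = re.compile(regex, re.IGNORECASE)
        self.service_ports = set(service_ports)
        self.direction = direction          # "ToService" or "FromService" (assumed names)
        self.streams = {}                   # (src, sport, dst, dport) -> {seq: payload}
        self.alarmed = set()

    def _in_scope(self, sport, dport):
        if self.direction == "ToService":
            return dport in self.service_ports
        return sport in self.service_ports

    @staticmethod
    def _reassemble(segments):
        # Concatenate segments that are contiguous from the lowest sequence
        # number seen; stop at the first gap. A real engine tracks the ISN and
        # bounds the buffer; this simplification is enough to show the point.
        data, expected = b"", None
        for seq in sorted(segments):
            if expected is not None and seq != expected:
                break
            data += segments[seq]
            expected = seq + len(segments[seq])
        return data

    def inspect(self, src, sport, dst, dport, seq, payload):
        """Return an alarm dict when the reassembled stream matches, else None."""
        if not self._in_scope(sport, dport):
            return None
        key = (src, sport, dst, dport)
        if key in self.alarmed:
            return None                     # one alarm per stream (assumption)
        segments = self.streams.setdefault(key, {})
        segments[seq] = payload
        match = self.regex.search(self._reassemble(segments))
        if not match:
            return None
        self.alarmed.add(key)
        del self.streams[key]               # stop buffering once the stream has fired
        return {"stream": key, "match": match.group(0), "offset": match.start()}


def single_packet_hits(packets, regex=rb"confidential"):
    """Indexes of packets that a per-packet regex would catch, for comparison."""
    pattern = re.compile(regex, re.IGNORECASE)
    return [i for i, p in enumerate(packets) if pattern.search(p[5])]


# Constructed traffic (not a capture): an SMTP session whose DATA segment is
# split so the word straddles two segments that arrive out of order, plus an
# HTTPS packet on a port outside the service-port set.
SMTP_PACKETS = [
    # (src, sport, dst, dport, seq, payload)
    ("192.0.2.25", 25, "10.0.0.5", 50210, 7000, b"250 OK\r\n"),
    ("10.0.0.5", 50210, "192.0.2.25", 25, 1025, b"IDENTIAL, do not forward.\r\n"),
    ("10.0.0.5", 50210, "192.0.2.25", 25, 1000, b"DATA\r\nThis report is CONF"),
    ("10.0.0.5", 50211, "192.0.2.80", 443, 500, b"confidential over TLS? no, just a test"),
]


def run(packets=SMTP_PACKETS):
    sig = TcpStreamSignature()
    return [a for p in packets if (a := sig.inspect(*p))]


if __name__ == "__main__":
    print("stream alarms:", run())
    print("per-packet hits:", single_packet_hits(SMTP_PACKETS))
```

A per-packet regex sees only the HTTPS packet (index 3), which is outside the scoped ports anyway, and misses the split "CONF" + "IDENTIAL". The stream signature ignores the server reply (wrong direction) and the port 443 packet, buffers the out-of-order segment, and fires once the earlier segment arrives and the two are contiguous.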
64 File Access Scenario
A network security administrator wants to create a signature that fires when the file msbadfile.asp is accessed via an HTTP request. The administrator decides to create a custom web server signature because the UriRegex parameter can be used to examine the URI section of an HTTP request to see whether it matches the regular expression specified, which is msbadfile.asp in this scenario. (In a regular expression an unescaped dot matches any character, so msbadfile\.asp matches only the literal filename.)

65 File Access Scenario: Select the Signature Type

66 File Access Scenario: Configure the Signature Identification Parameters

67 File Access Scenario: Configure the Engine-Specific Parameters

68 File Access Scenario: Configure the Engine-Specific Parameters (Cont.)
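Matching a UriRegex against the raw request line is not enough on its own: percent-encoding, double encoding, duplicated slashes and case changes all leave the same file reachable while defeating a literal pattern. The Python below is an added example, not Cisco code and not a description of the sensor's own de-obfuscation: it extracts the request target, canonicalizes it, and applies the scenario's regex in both its as-written and dot-escaped forms. The normalization policy (decode to a fixed point, collapse `//` and `/./`), the case-insensitive match (chosen because IIS paths are case-insensitive) and the constructed requests are assumptions.

```python
import re
from urllib.parse import unquote

# UriRegex as the slide states it, and the escaped form a practitioner would use.
URI_REGEX_AS_WRITTEN = re.compile(r"msbadfile.asp", re.IGNORECASE)
URI_REGEX_ESCAPED = re.compile(r"msbadfile\.asp", re.IGNORECASE)


def request_uri(raw_request: bytes):
    """Pull the request-target out of the HTTP request line; None if malformed."""
    line = raw_request.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("latin-1")


def normalize_uri(uri: str) -> str:
    """Canonicalize the path before matching (assumed policy): drop the query,
    percent-decode until nothing changes (catches double encoding), then
    collapse '//' and '/./'."""
    path = uri.split("?", 1)[0]
    previous = None
    while path != previous:
        previous, path = path, unquote(path)
    path = re.sub(r"/+", "/", path)
    while "/./" in path:
        path = path.replace("/./", "/")
    return path


def file_access_signature(raw_request: bytes, regex=URI_REGEX_ESCAPED):
    """Hypothetical web server signature: fire when UriRegex matches the URI."""
    uri = request_uri(raw_request)
    if uri is None:
        return None
    path = normalize_uri(uri)
    if regex.search(path):
        return {"uri": uri, "normalized": path, "severity": "medium"}
    return None


# Constructed requests (not captured traffic) covering plain, encoded,
# double-encoded, upper-case, look-alike, unrelated and non-HTTP input.
REQUESTS = {
    "plain": b"GET /scripts/msbadfile.asp HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "encoded_dot": b"GET /scripts/msbadfile%2Easp?x=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "double_encoded": b"GET /scripts//msbadfile%252easp HTTP/1.0\r\n\r\n",
    "upper": b"GET /Scripts/MSBADFILE.ASP HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "lookalike": b"GET /scripts/msbadfileXasp HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "other": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "garbage": b"\x16\x03\x01\x00\xa5",
}


def run(regex=URI_REGEX_ESCAPED):
    """Map each constructed request name to whether the signature fires."""
    return {name: file_access_signature(req, regex) is not None
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    print("escaped regex:  ", run())
    print("as-written regex:", run(URI_REGEX_AS_WRITTEN))
```

With normalization the encoded, double-encoded and upper-case variants all fire alongside the plain request, the non-HTTP bytes are rejected before matching, and the only difference between the two regexes is the look-alike `msbadfileXasp`, which the unescaped dot wrongly accepts.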
69 Port-Specific Scenario
A network security administrator wants to create a custom signature to detect packets destined for a particular TCP port that have only the TCP flags FIN and URG set. The administrator determines that a custom TCP packet signature can meet this need because of the following:
– The DstPort parameter can be used to specify the destination port of interest.
– The Mask and TcpFlags parameters can be used to specify the TCP flags of interest (to require that only FIN and URG are set, the Mask must cover all six flags, not just FIN and URG).
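Both the IP Address and Packet Capture scenario (SYN but not SYN-ACK from one /24, alarms limited by AlarmThrottle, ChokeThreshold and ThrottleInterval, CapturePacket set) and this Port-Specific scenario (only FIN and URG set on one destination port) come down to the same two tests, a source-network match and a flags-under-mask match, plus throttling. The Python below is an added example, not Cisco code and not the sensor's implementation: the `flags_match` semantics (compare only the bits in Mask, require them to equal TcpFlags), the simplified ChokeThreshold model (individual alarms up to the threshold per interval, then one summary when the next interval starts), the assumed destination port 8080 for the port scenario (the slide's port number did not survive extraction) and the constructed traffic are all assumptions.

```python
import ipaddress

# TCP flag bit values as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def flags_match(packet_flags, tcp_flags, mask):
    """TcpFlags/Mask test: only the bits set in Mask are examined, and those
    bits must equal TcpFlags. Bits outside Mask are don't-care."""
    return (packet_flags & mask) == (tcp_flags & mask)


def src_match(src_ip, src_ip_addr, src_ip_mask):
    """SrcIpAddr/SrcIpMask test: the packet's source must fall in the network."""
    net = ipaddress.ip_network(f"{src_ip_addr}/{src_ip_mask}", strict=False)
    return ipaddress.ip_address(src_ip) in net


class AlarmThrottle:
    """Simplified model (assumption) of AlarmThrottle=FireAll with a
    ChokeThreshold: up to ChokeThreshold alarms per ThrottleInterval are sent
    individually; further hits in that interval are counted and reported as
    one summary event when the next interval begins."""

    def __init__(self, choke_threshold, throttle_interval):
        self.choke, self.interval = choke_threshold, throttle_interval
        self.window_start, self.count = None, 0

    def fire(self, now, packet, capture_packet):
        events = []
        if self.window_start is None or now - self.window_start >= self.interval:
            if self.count > self.choke:
                events.append({"type": "summary", "count": self.count,
                               "interval_start": self.window_start})
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count <= self.choke:
            events.append({"type": "alarm", "time": now,
                           "capture": packet if capture_packet else None})
        return events


class TcpPacketSignature:
    """Hypothetical custom TCP packet signature using the slides' parameter names."""

    def __init__(self, src_ip_addr=None, src_ip_mask=None, tcp_flags=0, mask=0,
                 dst_port=None, choke_threshold=3, throttle_interval=30,
                 capture_packet=True):
        self.src_ip_addr, self.src_ip_mask = src_ip_addr, src_ip_mask
        self.tcp_flags, self.mask, self.dst_port = tcp_flags, mask, dst_port
        self.capture_packet = capture_packet
        self.throttle = AlarmThrottle(choke_threshold, throttle_interval)

    def inspect(self, now, src, dst, dport, flags, raw):
        """Return the list of events (none, an alarm, or a summary plus an alarm)."""
        if self.src_ip_addr and not src_match(src, self.src_ip_addr, self.src_ip_mask):
            return []
        if self.dst_port is not None and dport != self.dst_port:
            return []
        if not flags_match(flags, self.tcp_flags, self.mask):
            return []
        return self.throttle.fire(now, raw, self.capture_packet)


def run_syn_scenario():
    """SYN (not SYN-ACK) from 192.0.2.0/24, at most 3 individual alarms per 30 s."""
    sig = TcpPacketSignature("192.0.2.0", "255.255.255.0", tcp_flags=SYN,
                             mask=SYN | ACK, choke_threshold=3, throttle_interval=30)
    # Constructed traffic: (time, src, dst, dport, flags, raw bytes stand-in).
    traffic = [
        (0, "192.0.2.7", "10.1.1.1", 22, SYN, b"syn1"),
        (1, "192.0.2.7", "10.1.1.1", 23, SYN, b"syn2"),
        (2, "192.0.2.7", "10.1.1.1", 25, SYN, b"syn3"),
        (3, "192.0.2.7", "10.1.1.1", 80, SYN, b"syn4"),
        (4, "192.0.2.9", "10.1.1.1", 443, SYN, b"syn5"),
        (5, "192.0.2.7", "10.1.1.1", 80, SYN | ACK, b"synack"),     # excluded by Mask
        (6, "198.51.100.4", "10.1.1.1", 80, SYN, b"other-net"),    # outside the /24
        (40, "192.0.2.7", "10.1.1.1", 8080, SYN, b"syn6"),         # new interval
    ]
    events = []
    for t, src, dst, dport, flags, raw in traffic:
        events.extend(sig.inspect(t, src, dst, dport, flags, raw))
    return events


def run_port_scenario(port=8080):
    """Only FIN and URG set, to the assumed port; Mask covers all six flags."""
    sig = TcpPacketSignature(tcp_flags=FIN | URG, mask=ALL_FLAGS, dst_port=port)
    cases = {"fin_urg_only": (port, FIN | URG), "fin_urg_ack": (port, FIN | URG | ACK),
             "xmas_fin_psh_urg": (port, FIN | PSH | URG), "fin_urg_wrong_port": (port + 1, FIN | URG)}
    return {name: bool(sig.inspect(0, "203.0.113.5", "10.1.1.1", dport, flags, b""))
            for name, (dport, flags) in cases.items()}


if __name__ == "__main__":
    print(run_syn_scenario())
    print(run_port_scenario())
```

In the SYN scenario the first three SYNs each produce an individual alarm carrying the captured packet, the fourth and fifth are choked, the SYN-ACK and the out-of-network SYN never reach the throttle, and the SYN at t=40 opens a new interval, which first flushes a summary counting all five hits of the previous interval. In the port scenario only the packet with exactly FIN and URG fires; adding ACK or PSH fails because the Mask examines every flag, which is the setting the slide's "only" requires.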
70 Summary

71 Summary
All signatures have the following basic configurable parameters:
– Enable: enables or disables the signature
– AlarmSeverity: assigns the severity level: information, low, medium, or high
– EventAction: assigns the action to take if the signature is triggered: log, reset, block host, or block connection
Cisco IDS signatures can be tuned to adjust to company network security policy or network traffic patterns.
Custom signatures can be created to meet a unique security requirement.

72 Summary (Cont.)
Custom signatures can be created via the IDM Signature Wizard. Consider the following before creating a signature with the Signature Wizard:
– The network protocol
– The target address
– The target port
– The type of attack
– Whether payload inspection is required
– Whether the signature can be triggered on the contents of a single packet

73 Lab Exercise

74 Lab Visual Objective
(Network diagram: student PCs, routers P and Q, sensorP and sensorQ, the RTS, Web and FTP servers, and the RBB.)