Student Guide
Text Part Number: 67-0002-01
The products and specifications, configurations, and other technical information regarding the products in this
manual are subject to change without notice. All statements, technical information, and recommendations in this
manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must
take full responsibility for your application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,
DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU AGREE
TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH
THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF
PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license
to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (Software),
Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on
a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco.
You may make one (1) archival copy of the Software, provided You affix to such copy all copyright,
confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED
ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE;
REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR
RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual
programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or
otherwise make available such trade secrets or copyrighted material in any form to any third party without the
prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets
and copyrighted Material. Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies of
the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any
provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations in other
countries. You agree to comply strictly with all such regulations and acknowledge that You have the responsibility to
obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United
States of America, as if performed wholly within the state and without giving effect to the principles of conflict
of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall
remain in full force and effect. This License constitutes the entire License between the parties with respect to the
use of the Materials.
Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its
supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S.
Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer Software
- Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government's
rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical
Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO
AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS
OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL,
EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall Cisco's or its suppliers' liability to You, whether in contract, tort (including
negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found
to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are
designed to provide reasonable protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in
which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and
found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the
FCC rules. These specifications are designed to provide reasonable protection against such interference in a
residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco's written authorization may result in the equipment no longer complying
with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may
be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it
was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes
interference to radio or television reception, try to correct the interference by using one or more of the following
measures:
- Turn the television or radio antenna until the interference stops.
- Move the equipment to one side or the other of the television or radio.
- Move the equipment farther away from the television or radio.
- Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate
your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University
of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights
reserved. Copyright 1981, Regents of the University of California.
AccessPath, Any to Any, AtmDirector, the CCIE logo, CD-PAC, Centri, the CiscoCapital logo, CiscoLink, the
Cisco NetWorks logo, the Cisco Powered Network logo, the Cisco Press logo, ClickStart, ControlStream,
DAGAZ, Fast Step, FireRunner, IGX, IOS, JumpStart, Kernel Proxy, LoopRunner, MGX, Natural Network
Viewer, Cisco Secure IDS, NetSonar, Packet, PIX, Point and Click Internetworking, Policy Builder,
RouteStream, Secure Script, SMARTnet, SpeedRunner, Stratm, StreamView, TheCell, TrafficDirector,
TransPath, VirtualStream, VlanDirector, Workgroup Director, and Workgroup Stack are trademarks; Changing
the Way We Work, Live, Play, and Learn and Empowering the Internet Generation are service marks; and BPX,
Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, Enterprise/Solver,
EtherChannel, FastHub, ForeSight, FragmentFree, IP/TV, IPX, LightStream, MICA, Phase/IP, StrataSphere,
StrataView Plus, and SwitchProbe are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other
countries. All other trademarks mentioned in this document are the property of their respective owners.
Cisco Secure Intrusion Detection System: Student Guide
Copyright 2001, Cisco Systems, Inc.
All rights reserved. Printed in USA.
Course Introduction
Overview
This chapter includes the following topics:
- Course objectives
- Course agenda
- Participant responsibilities
- General administration
- Graphic symbols
- Participant introductions
- Lab topology
Course Objectives
This section introduces the course and the course objectives.
Upon completion of this course, you will be able to perform the following tasks:
- Install and configure CSPM and the CIDS Sensor in multiple network configurations.
- Use CSPM to centrally manage and configure multiple Sensors.
- Configure the CIDS Sensor to detect, respond to, and report intrusion activity.
- Use CSPM to translate intrusion data into intuitive and effective graphical displays.
Course Agenda
- Chapter 1: Course Introduction
- Chapter 2: Introduction to Network Security
- Chapter 3: Intrusion Detection and the Cisco IDS Environment
- Chapter 4: Cisco Secure Policy Manager Installation
- Chapter 5: Cisco IDS Sensor Installation
- Chapter 6: Alarm Management
- Chapter 7: Cisco IDS Signatures
Participant Responsibilities
Student responsibilities:
- Complete prerequisites
- Participate in lab exercises
- Ask questions
- Provide feedback
General Administration
Class-related:
- Sign-in sheet
- Participant materials
Facilities-related:
- Site emergency procedures
- Restrooms
- Telephones/faxes
Graphic Symbols
(Figure: the symbols used in this course's figures are router, PIX Firewall, CSPM, CIDS Director, CIDS Sensor, server, student workstation/server, Internet, and Ethernet link.)
Participant Introductions
- Your name
- Your company
- Pre-req skills
- Brief history
- Objective
Lab Topology
This section explains the lab topology that is used in this course.
(Figure: lab topology. Pod P and its peer Pod Q are joined by the 172.30.1.0/24 network. Router rP connects e0/1 at 172.30.1.10P to that network and e0/0 at 10.0.P.1 to the pod network 10.0.P.0/24, which holds sensorP and idsmP (the figure shows hosts at .4 and .6) and the CSPM host at 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP). Pod Q is laid out the same way: rQ at 172.30.1.10Q and 10.0.Q.1, the pod network 10.0.Q.0/24, and CSPM at 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ).)
Each pair of students will be assigned a pod. The P in a command indicates your
pod number. The Q in a command indicates the pod number of your peer.
Overview
This chapter covers information on network security, what network security is, and why you need network security. In addition, this chapter discusses the need for continuous network security and how the Cisco Intrusion Detection System (CIDS) helps achieve this.
This chapter includes the following topics:
- Objectives
- Summary
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
- Describe the need for network security.
- Describe the four types of security threats.
- Describe attack methods and techniques used by hackers.
- Describe the purpose of the Cisco Security Wheel and how it illustrates security as a continuous process.
- Name methods and devices for securing networks.
- Identify the phase of the Security Wheel in which CIDS is designed to function.
- Describe the purpose for testing security policies once they are applied to the network.
- Describe the Cisco AVVID architecture.
- Describe the SAFE framework.
Network security is necessary because the Internet has made networked computers accessible from and vulnerable to any other computer in the world. As companies become more Internet-reliant, new threats arise from persons who no longer require physical access to a company's computer assets.
Types of Security Threats
- Unstructured threats
- Structured threats
- External threats
- Internal threats
Types of Attacks
- Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
- Access: unauthorized data manipulation, system access, or privilege escalation
- Denial of service: disable or corrupt networks, systems, or services
Reconnaissance Methods
Access Methods
- Exploit easily guessed passwords: default, brute force
- Exploit mis-administered services: IP services, trust relationships, file sharing
Access methods are varied and run the entire gamut from simple command-line hacks to sophisticated tools with nice user interfaces. Usually, the first line of defense when it comes to access attacks is strong authentication. In many cases user passwords are too easily guessed by attempting to enter default passwords or by brute force attacks. These attacks involve attempting to log on to a host with a common user name and then trying different password combinations that are commonly used. This technique is especially effective if the attacker has some prior knowledge about the user being targeted.
Exploiting misadministered services is simply taking advantage of services that
are poorly installed and administered by novice or unknowing administrators. One
of the easiest services to exploit is file sharing. Too often users share their files by
creating a shared folder or directory with full access to everyone, and sometimes a
user does not realize that others can access the folder. This can be prevented with
password-protected shares, or sharing only with intended users. Other common
misadministered services are anonymous FTP and TFTP servers, SNMP,
Windows registry access, and trust relationships.
Application security holes have been around since the first piece of software was written. These holes are usually a result of unanticipated behavior of software code or unexpected inputs. An example of this is a program that breaks out into a root shell when receiving an out-of-band input. Protocol weaknesses are also types of application holes. Examples of this are IP fragmentation and TCP session hijacking. The attacker is taking advantage of protocol design deficiencies that the original designers did not anticipate. Finally, Trojan horses are used to gain unauthorized access by tricking a legitimate user into running trojanized programs that install or open back doors for attackers to secretly break in. Then the attackers, in many cases circumventing any authentication procedures, come in through the back door.
Network Security as a Continuous Process
Network security is a continuous process built around a security policy.
(Figure: the Security Wheel. The security policy is the hub; around it run Step 1 Secure, Step 2 Monitor, Step 3 Test, and Step 4 Improve.)
- Identify the critical resources that need to be protected (such as research and development, finance, and human resources)
After the security policy is developed, it becomes the hub upon which the next four steps of the Security Wheel are based:
Step 1
Step 2: Monitor the network for violations and attacks against the corporate security policy. Violations can occur within the secured perimeter of the network from a disgruntled employee or from a hacker outside the network. Monitoring the network with a real-time intrusion detection system such as CIDS can ensure that the security devices in Step 1 have been configured properly.
Step 3: Test the effectiveness of the security safeguards in place. You can use Cisco Secure Scanner to identify the security posture of the network with respect to the security procedures that form the hub of the Security Wheel.
Step 4: Improve corporate security. Collect and analyze information from the monitoring and testing phases to make security improvements.
All four steps (secure, monitor, test, and improve) should be repeated on a continuous basis and should be incorporated into updated versions of the corporate security policy.
Secure
(Figure: Security Wheel, Step 1 Secure: stop or prevent unauthorized access and activities through authentication, firewalls, VPNs, and patching.)
Secure the network by applying the security policy and implementing the following security solutions:
- Authentication
- Firewalls
- VPNs
- Patching
Monitor Security
(Figure: Security Wheel, Step 2 Monitor: real-time intrusion detection; validate the security implementation in step one.)
Test Security
(Figure: Security Wheel, Step 3 Test: validate the effectiveness of the security policy implementation through system auditing and vulnerability scanning.)
In the testing phase of the Security Wheel, you proactively test the security of your network. Specifically, make sure that the security solutions you implemented in Step 1 and the system auditing and intrusion detection methods you implemented in Step 2 are functioning properly.
Use the Cisco Secure Scanner vulnerability scanning tool to periodically test the
network security measures. This testing not only promotes applying security
measures to your network, but most importantly it promotes the continuous
updating of security measures.
Improve Security
(Figure: Security Wheel, Step 4 Improve, feeding back into the security policy at the hub.)
The improvement phase of the Security Wheel involves analyzing the data
collected during the monitoring and testing phases, and developing and
implementing improvement mechanisms that feed into your security policy and
the securing phase in Step 1. If you want to keep your network as secure as
possible, you must keep repeating the cycle of the Security Wheel, because new
network vulnerabilities and risks are created every day.
With the information collected from the monitoring and testing phases, you can
use CIDS to implement improvements to the security. You can also adjust the
security policy as you uncover new security vulnerabilities and risks.
(Figure: the Cisco AVVID architecture, from the bottom up: clients; network platforms; intelligent network services (security, QoS, multicast, load balancing, DNS services, real-time services, caching, management, address management, SLA management, content distribution, policy management); an Internet middleware layer (personal productivity, video on demand, multimedia, contact center, collaboration, messaging); Internet business integrators; and Internet business solutions (customer care, Internet commerce, e-learning, workforce optimization).)
- Clients: The wide variety of devices that can be used to access the Internet business solutions through the network. These might include phones, PCs, PDAs, and so on. One key difference from traditional proprietary architectures is that the Cisco AVVID standards-based solution enables a wide variety of devices to be connected, even some not yet in broad use. Unlike traditional telephony and video solutions, proprietary access devices are not necessary. Instead, functionality is added through the intelligent network services provided in the infrastructure.
and delivered through Cisco AVVID. The ability for companies to move their
traditional business models to Internet business models and to deploy Internet
business solutions is key to their survival. Cisco AVVID is the architecture upon
which e-businesses build Internet business solutions that can be easily deployed
and managed. Ultimately, the more Internet business solutions that are delivered,
the more efficiently and effectively companies will increase productivity and
added value.
The Internet is creating tremendous business opportunities for Cisco and Cisco
customers. Internet business solutions such as e-commerce, supply chain
management, e-learning, and customer care are dramatically increasing
productivity and efficiency.
Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today's Internet business solutions. As the industry's only enterprise-wide, standards-based network architecture, Cisco AVVID provides the roadmap for combining customers' business and technology strategies into one cohesive model.
SAFE Benefits
There are several major benefits in implementing the SAFE blueprint for secure e-business:
- Provides a proven, detailed blueprint to securely compete in the Internet economy
- Provides the foundation for migrating to secure, cost-effective, converged networks
- Enables organizations to stay within their budgets by deploying a modular, scalable security framework in stages
- Delivers protection at every access point to the network through best-in-class security products and services
(Figure: the SAFE enterprise blueprint. The enterprise edge (e-commerce, corporate Internet, VPN and remote access, WAN) connects through the service provider edge (ISP A, ISP B, PSTN, Frame or ATM) to the Internet; inside the campus are the building, building distribution, edge distribution, core, management, and server modules.)
The SAFE Blueprint provides a robust security blueprint that builds on Cisco
AVVID. SAFE layers are incorporated throughout the Cisco AVVID
infrastructure:
- Infrastructure layer: Intelligent, scalable security services in Cisco platforms, such as routers, switches, firewalls, intrusion detection systems, and other devices
(Figure: the Cisco AVVID system architecture, layered from appliances or clients, through infrastructure, service control, applications, and operations, to directory, with solutions such as a secure intranet for workforce optimization and an ecosystem of integration partners, Security Associate solutions, and Cisco programs and services.)
Cisco has opened its Cisco AVVID architecture and SAFE blueprint to key third-party vendors to create a security solutions ecosystem to spur development of
best-in-class multiservice applications and products. The Cisco AVVID
architecture and SAFE blueprint provide interoperability for third-party hardware
and software using standards-based media interfaces, APIs, and protocols. This
ecosystem is offered through the Security and Virtual Private Network (VPN)
Associate Program, an interoperability solutions program that provides Cisco
customers with tested and certified, complementary products for securing their
businesses. The ecosystem enables businesses to design and roll out secure
networks that best fit their business model and enable maximum agility.
(Figure: Security and VPN Associate solution categories that co-exist with Cisco security products: identity (strong authentication, PKI), application security, perimeter security (content filtering, personal firewall), and interoperability with event logging, reporting, and analysis.)
The Security and VPN Solutions Set within the Cisco AVVID Partner Program is
an interoperability solutions program developed to deliver comprehensive security
and VPN solutions for Cisco networks to Cisco customers.
This program is a key component of the SAFE strategy in that it provides a rich
ecosystem of products, partners, and services that empowers companies to
securely, reliably, and cost-effectively take advantage of the Internet Economy.
The program provides the assurance that security solutions making up Partner
products have been tested and verified to be interoperable with Cisco security
products, and add distinct value to Cisco networks. The goal is to enable Cisco
customers to securely take advantage of the expanding e-business marketplace.
The security and VPN solutions created through this interoperability program are
focused on critical business applications such as e-commerce, secure remote
access, intranets, extranets, and supply-chain integration and management. As a
result, the solutions categories currently targeted in the program include those that
customers continue to request and deploy in their networks:
- Identity solutions: Include authentication, authorization, and Public Key Infrastructure (PKI) solutions such as smart cards, hard and soft tokens, authentication servers, and Certificate Authority (CA) servers
- Application security solutions: Include products such as server and host protection applications
- Perimeter security solutions: Include products such as URL filtering applications, e-mail, and virus scanning applications
- Security management and monitoring solutions: Include products that support Syslog reporting, event analysis, reporting, and secure remote administration
- Secure connectivity solutions: Include products such as VPN client software and wireless VPN products
Security Services Compatible with Cisco Security Solutions
The security services offered through the AVVID Partner Program are focused on specific areas of security services available in the industry. As a result, the services categories currently targeted include those that customers continue to request and deploy in their organizations:
- Outsourced monitoring and management
- Incident response
- Competitive counter-intelligence
- Vulnerability assessment
CCO Links
- www.cisco.com/go/avvid
- www.cisco.com/go/safe
- www.cisco.com/go/avvidpartners
- www.cisco.com/warp/public/779/largeent/partner/esap/secvpn.html
Summary
This section summarizes what you learned in this chapter.
- Network security is necessary because the proliferation of the Internet has made information systems easily accessible and vulnerable to attacks.
- The four basic threats to network security are: unstructured, structured, external, and internal.
- The three basic attack types are: reconnaissance, access, and denial of service.
- Some access methods used by hackers are: application holes, passwords, and poorly administered services.
- Network security is a continuous process built around a security policy.
- Cisco IDS is part of the monitor phase of the security wheel.
- Cisco AVVID is a standards-based enterprise architecture that accelerates the integration of business and technology strategies.
- Cisco SAFE, which is based on Cisco AVVID, is a flexible, dynamic, security blueprint for networks.
Overview
This chapter explains what the Cisco Intrusion Detection System (CIDS) is and
what its major components are.
This chapter includes the following topics:
- Objectives
- CIDS overview
- CIDS PostOffice
- Summary
Objectives
This section lists the chapter's objectives.
Objectives (cont.)
- Name all CIDS Sensor platform models and describe their features.
- Name all CIDS Director platforms and describe their features.
- List the functions and features of the PostOffice protocol.
- Name and define the two parts of the PostOffice protocol addressing scheme.
Intrusion Detection and the Cisco Intrusion Detection System Environment 3-3
Intrusion Detection
Intrusion detection is the ability to detect attacks against your network. There are
three types of network attacks:
Profile-Based Intrusion Detection
- Also known as anomaly detection
- Activity deviates from a profile of normal activity
- Requires creation of statistical user profiles
- Prone to a high number of false positives
- Difficult to define normal activity
Signature-Based Intrusion Detection
- Also known as misuse detection
- Matches a pattern of malicious activity
- Requires creation of misuse signatures
- Less prone to false positives
- Based on the signature's ability to match malicious activity
Host-Based Intrusion Detection
(Figure: host-based intrusion detection. An agent runs on each host in the corporate network and on the WWW and DNS servers that sit behind the firewall facing the untrusted network.)
Host-based intrusion detection is the auditing of local and host log files. An
advantage of host-based intrusion detection is that it can monitor operating system
processes and protect critical system resources including files that may only exist
on that specific host. A simple form of host-based intrusion detection is enabling
system logging on the host. However, it can become manpower intensive to
recover and analyze these logs. Host-based intrusion detection software requires
agent software be installed on each host to monitor activity performed on and
against the host. The agent software performs the intrusion detection analysis and
protection of the host. Less manpower is required when using software than the
simple form, but it can still be overwhelming to manage in a large enterprise
network.
Although physical access to any computer system practically guarantees access to the information on that system, physical protection of all critical servers and network devices is paramount to ensure information security.
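The log auditing that the simple form of host-based detection relies on, as an added example that is not part of the Cisco guide: a Python script that reads constructed sshd-style "Failed password" syslog lines, counts failures per source address inside a sliding time window, and reports each source that crosses a threshold together with the user names it tried. The log line format, the threshold and the window are assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set

# Matches the sshd failed-login message. Assumes (for this example) a syslog
# line prefixed with an ISO 8601 timestamp and a host name.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log, not taken from a real host: one success, a burst of
# failures from 172.30.1.99 trying common account names, and two failures
# from an internal host far apart in time.
SAMPLE_LOG = """\
2001-03-03T10:12:01 cspm1 sshd[2001]: Accepted password for alice from 10.0.1.20 port 40001 ssh2
2001-03-03T10:12:05 cspm1 sshd[2002]: Failed password for root from 172.30.1.99 port 4410 ssh2
2001-03-03T10:12:06 cspm1 sshd[2003]: Failed password for admin from 172.30.1.99 port 4411 ssh2
2001-03-03T10:12:07 cspm1 sshd[2004]: Failed password for invalid user guest from 172.30.1.99 port 4412 ssh2
2001-03-03T10:12:08 cspm1 sshd[2005]: Failed password for root from 172.30.1.99 port 4413 ssh2
2001-03-03T10:12:09 cspm1 sshd[2006]: Failed password for root from 172.30.1.99 port 4414 ssh2
2001-03-03T10:13:00 cspm1 sshd[2007]: Failed password for bob from 10.0.1.21 port 40002 ssh2
2001-03-03T10:20:00 cspm1 sshd[2008]: Failed password for bob from 10.0.1.21 port 40003 ssh2
"""


def parse_failure(line: str) -> Optional[dict]:
    """Return the fields of a failed-login line, or None for any other line."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def audit_failed_logins(log_text: str, threshold: int = 5,
                        window_seconds: int = 60) -> List[dict]:
    """Report each source whose failed logins reach `threshold` within any
    `window_seconds` span. One report per source, raised the moment the
    threshold is crossed, so the same logic works on a live tail."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)   # every user name tried
    reported: Set[str] = set()
    findings: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_failure(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        q.append(ts)
        users[src].add(ev["user"])
        # Expire failures that fell out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in reported:
            reported.add(src)
            findings.append({
                "src": src,
                "failures": len(q),
                "users": sorted(users[src]),
                "first": q[0],
                "last": ts,
            })
    return findings


def run_sample() -> List[dict]:
    return audit_failed_logins(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['src']}: {f['failures']} failed logins in {span:.0f}s, "
              f"users tried: {', '.join(f['users'])}")
```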
Network-Based Intrusion Detection
(Figure: network-based intrusion detection. Sensors are placed in the corporate network and in front of the WWW and DNS servers behind the firewall facing the untrusted network, and report to CSPM.)
CIDS Overview
This section describes the CIDS functions and features: intrusion detection, alarm
display, alarm logging, intrusion response, and remote Sensor configuration.
(Figure: CIDS. The Sensor's monitoring interface watches traffic between the untrusted network, where the hacker is, and the targets; its command and control interface connects to CSPM, where the operator views alarms.)
CIDS involves the real-time monitoring of network packets. Sensors have two
interfaces: monitoring and command and control. The monitoring port captures the
network packets for intrusion detection analysis. The command and control port
sends alarms and commands to the Director platform. The Director platform is the
management software used to configure, log, and display alarms generated by
Sensors.
The following steps describe the basic CIDS intrusion detection process:
Step 1
Step 2: Packets are reassembled, if required, and compared against a rule set indicating typical intrusion activity.
Step 3: If an attack is detected, the Sensor logs it and notifies the Director platform through the command and control interface.
Step 4: The Director platform alarms, logs, and takes action if an attack is detected.
When CIDS analyzes network data, it looks for patterns of attacks. Patterns can be
as simple as an attempt to access a specific port on a specific host, or as complex
as sequences of operations directed at multiple hosts over an arbitrary period of
time.
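The process and the two kinds of pattern described above, as an added example that is not part of the Cisco guide: a small Python sensor engine that runs two constructed signatures over constructed packet summaries, an atomic one (a SYN to one port on one monitored host, the simple pattern) and a stateful port-sweep one (one source touching several ports on a host within a time window, a sequence over time), and collects the alarms that Step 3 would forward to the Director. The signature numbers, severity scale, addresses and thresholds are assumptions, not CIDS values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the header fields the signatures need."""
    ts: float      # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags as letters, "S" for a bare SYN


@dataclass(frozen=True)
class Alarm:
    # Signature numbers and the 1 (low) to 5 (high) severity scale are
    # assumptions for this example, not CIDS values.
    sig_id: int
    name: str
    severity: int
    src: str
    dst: str


class AtomicSignature:
    """Fires on a single packet: a SYN to one port on one host."""

    def __init__(self, sig_id: int, name: str, severity: int,
                 dport: int, dst: str) -> None:
        self.sig_id, self.name, self.severity = sig_id, name, severity
        self.dport, self.dst = dport, dst

    def feed(self, pkt: Packet) -> List[Alarm]:
        if "S" not in pkt.flags or pkt.dport != self.dport or pkt.dst != self.dst:
            return []
        return [Alarm(self.sig_id, self.name, self.severity, pkt.src, pkt.dst)]


class PortSweepSignature:
    """Stateful signature: one source touching at least `threshold` distinct
    TCP ports on one host within `window` seconds (reconnaissance)."""

    def __init__(self, sig_id: int, name: str, severity: int,
                 threshold: int, window: float) -> None:
        self.sig_id, self.name, self.severity = sig_id, name, severity
        self.threshold, self.window = threshold, window
        # (src, dst) -> [(timestamp, dport), ...] still inside the window
        self.history: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
        self.fired: Set[Tuple[str, str]] = set()   # one alarm per src/dst pair

    def feed(self, pkt: Packet) -> List[Alarm]:
        if "S" not in pkt.flags:
            return []
        key = (pkt.src, pkt.dst)
        hist = self.history[key]
        hist.append((pkt.ts, pkt.dport))
        cutoff = pkt.ts - self.window
        hist[:] = [h for h in hist if h[0] >= cutoff]   # expire old probes
        ports = {port for _, port in hist}
        if len(ports) >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return [Alarm(self.sig_id, self.name, self.severity, pkt.src, pkt.dst)]
        return []


def analyze(signatures, packets: List[Packet]) -> List[Alarm]:
    """Step 2: compare each packet against the rule set. The returned alarms
    are what Step 3 would send to the Director."""
    alarms: List[Alarm] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for sig in signatures:
            alarms.extend(sig.feed(pkt))
    return alarms


def build_rules() -> list:
    # Assumed rule set: 10.0.1.4 is a monitored host that should never be
    # reached over telnet, and five ports in ten seconds counts as a sweep.
    return [
        AtomicSignature(1001, "Telnet SYN to monitored host", 3, dport=23, dst="10.0.1.4"),
        PortSweepSignature(2001, "TCP port sweep", 4, threshold=5, window=10.0),
    ]


# Constructed traffic: normal web access, one telnet attempt on the monitored
# host, and a sweep of five ports on a second host within one second.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.1.20", "10.0.1.4", 80, "S"),
    Packet(1.0, "172.30.1.99", "10.0.1.4", 23, "S"),
    Packet(2.0, "172.30.1.99", "10.0.1.5", 21, "S"),
    Packet(2.2, "172.30.1.99", "10.0.1.5", 22, "S"),
    Packet(2.4, "172.30.1.99", "10.0.1.5", 23, "S"),
    Packet(2.6, "172.30.1.99", "10.0.1.5", 25, "S"),
    Packet(2.8, "172.30.1.99", "10.0.1.5", 80, "S"),
    Packet(40.0, "10.0.1.21", "10.0.1.5", 80, "S"),
]


def run_sample() -> List[Alarm]:
    return analyze(build_rules(), SAMPLE_PACKETS)
```

Running `run_sample()` yields one alarm for the telnet attempt and one for the sweep; the single web connections from the internal hosts match neither rule.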
CIDS Capabilities
(Figure: the Sensor terminates sessions and creates an IP log.)
Alarm Logging
(Figure: alarms can be logged on the Sensor, to a log file, and on CSPM, to a database.)
Alarms are generated by the Sensor and are sent to one or more remote
Director platforms where they are displayed on a graphical user interface. The
alarms are color-coded based on the defined severity. This provides you with
a quick visual representation of the alarms triggered.
Alarm information can also be saved in text log files on both the Sensor and
the Director platform. Logging allows you to easily archive the data, write
custom scripts to extract alarm data specific to your site, and monitor attacks
via a command-line tool such as the UNIX command tail.
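The text suggests writing site-specific scripts against the text log files. The following is an added example, not from the course and not the CIDS log format: a Python script that parses constructed alarm lines, skips malformed ones instead of failing, filters one site's subnet by minimum severity, and summarizes by severity and source address. The line layout, field names, signature numbers, and sample addresses are assumptions made for the example.

```python
"""Alarm text-log parser (added example; the line format is constructed,
not the CIDS format)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines, including one malformed line.
SAMPLE_LOG = """\
2001-05-14 10:22:01 sensor2 SEV=Low SIG=2004 SRC=192.0.2.10 DST=10.0.1.5 MSG=icmp echo request
2001-05-14 10:22:03 sensor2 SEV=High SIG=3050 SRC=192.0.2.20 DST=10.0.1.50 MSG=telnet access to payroll
2001-05-14 10:22:09 sensor3 SEV=Medium SIG=3030 SRC=192.0.2.20 DST=10.0.2.7 MSG=tcp syn port sweep
2001-05-14 10:22:15 sensor2 SEV=High SIG=3050 SRC=192.0.2.20 DST=10.0.1.50 MSG=telnet access to payroll
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sensor>\S+) SEV=(?P<sev>\w+) SIG=(?P<sig>\d+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) MSG=(?P<msg>.*)$")

# CSPM's three severity levels, ordered so they can be compared.
SEVERITY_ORDER = {"Low": 1, "Medium": 2, "High": 3}


def parse_alarms(text):
    """Return a dict per well-formed line; malformed lines are skipped."""
    alarms = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sig"] = int(rec["sig"])
            alarms.append(rec)
    return alarms


def site_alarms(alarms, subnet, min_severity="Low"):
    """Alarms whose destination lies in `subnet` at or above `min_severity`."""
    net = ip_network(subnet)
    floor = SEVERITY_ORDER[min_severity]
    return [a for a in alarms
            if ip_address(a["dst"]) in net
            and SEVERITY_ORDER.get(a["sev"], 0) >= floor]


def summarize(alarms):
    """Counts by severity and by source address for a quick review."""
    return {"by_severity": Counter(a["sev"] for a in alarms),
            "by_source": Counter(a["src"] for a in alarms)}


if __name__ == "__main__":
    all_alarms = parse_alarms(SAMPLE_LOG)
    print(summarize(all_alarms))
    for a in site_alarms(all_alarms, "10.0.1.0/24", "High"):
        print(a["time"], a["sensor"], a["sev"], a["src"], "->", a["dst"], a["msg"])
```

Skipping rather than aborting on a malformed line matters when the script runs against a file that `tail` is still appending to: a half-written final line must not stop the report.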
Intrusion Response
[Figure: Intrusion Response. TCP Reset: automatic kill of the offending session. Blocking: automatic or manual block of the offending IP address.]
TCP Reset: The Sensor can reset individual TCP connections upon detection
of an attack and eliminate the threat.
Note
IP Logging
[Figure: IP Logging. Session log: automatic capture of suspicious host or network traffic.]
CIDS allows for remote Sensor configuration through the Director platforms. For
instance, using Cisco Secure Policy Manager (CSPM) you can manage the
configuration of all Sensors. CSPM also enables you to create different signature
templates to be saved and applied as needed. This enables you to maintain
multiple versions of signature settings for each Sensor or group of Sensors. For
example, you could have one configuration for normal working hours and another
for after-hours. Either can be enabled or disabled as needed from CSPM. You can
also experiment with different settings and revert to a previous version if there are
problems.
Two main components make up CIDS: the Sensor and the Director platform. The
Sensor is the most critical component because it detects, responds to, and reports
unauthorized activity to a Director platform. It uses a rules-based engine to distill
large volumes of IP network traffic into meaningful security events. It detects
unauthorized activity by sniffing or capturing raw traffic from the network and
then analyzing it for intrusion detection signatures in real time. The Sensor, if
configured to do so, reassembles packets before the signature analysis is
performed, thus defeating a technique that could otherwise be used to evade intrusion detection.
When signatures are triggered, the Sensor logs the event and sends an alarm
notification to a Director platform. It can automatically terminate the TCP session
that triggered the signature, block the IP address by dynamically creating an
access control list (ACL) in a managed Cisco IOS router, or both. Sensors can also
log an IP session that triggers a signature. An operator may manually block host or
network IP addresses that generated alarms.
All Sensor platforms are hardware appliances that are tuned for performance, have
been security hardened, and are designed for ease of maintenance. The hardware,
including CPU and memory, for each appliance was selected for optimal
performance of intrusion detection analysis. The appliance's host operating system
was also configured securely to protect against possible attacks.
[Figure: Sensor appliances. IDS-4230 (memory 512 MB) and IDS-4210 (ID performance 45 Mbps, memory 256 MB).]
Cisco offers a complete line of dedicated intrusion detection appliances. The 4200
Series Sensors come in three versions: the IDS-4230 and the IDS-4210. The
following table shows the differences between the Sensors:
                                     IDS-4230                IDS-4210
Intrusion detection performance      100 Mbps                45 Mbps
Processor
Memory                               512 MB                  256 MB
Monitoring network interface cards   10/100 Ethernet         10/100 Ethernet
                                     Single attached FDDI
                                     Dual attached FDDI
Chassis                              4U                      1U
The IDS Module (IDSM) for the Catalyst 6000 Family of switches is designed
specifically to address switched environments by integrating the IDS functionality
directly into the switch and taking traffic right off the switch backplane, thus
bringing both switching and security functionality into the same chassis.
Similar to how the CIDS Sensors operate, IDSM detects unauthorized activity
traversing the network, such as attacks by hackers, and sends alarms to a Director
platform with details of the detected event. You specify the network traffic that
must be inspected by the IDS module using the Catalyst operating system Switch
Port Analyzer (SPAN) functionality or virtual LAN (VLAN) access control list
(ACL) capture feature. VLAN ACLs allow for very granular traffic monitoring by
providing you the ability to filter interesting traffic based on the IP address and
network service.
In addition, IDSM can be managed and monitored by the same Director platform
as the Sensors, allowing customers to deploy both appliance Sensors and IDSM to
monitor critical subnets throughout their enterprise network.
The IDSM can analyze 100 Mbps of traffic for intrusion detection. It does not
impact switch performance, because it is a passive monitoring module that
inspects copies of packets and is not in the switch forwarding path.
[Figure: Cisco Secure Policy Manager. A software application on the Windows NT 4.0 platform that provides remote Sensor configuration and control, and alarm notification and management.]
The Director platform is the management software used to configure, log, and
display alarms generated by Sensors. The Director platforms are Cisco Secure
Policy Manager (CSPM) and CIDS Director for UNIX.
CSPM is a Windows NT 4.0-based application that provides scalable,
comprehensive security policy management for Cisco Secure PIX Firewalls, Cisco
IOS routers with the IOS Firewall feature or the Cisco Secure Integrated Virtual
Private Network (VPN) Software, and IDS Sensors. This course covers only the
use of CSPM as a Director platform. As such, CSPM provides a centralized GUI
for the management of intrusion detection across a distributed network.
CSPM enables you to remotely control all Sensor configurations. You use the Add
Sensor wizard to define Sensors in the Network Topology Tree (NTT) and you
can use the panels on each Sensor node to configure device-specific settings. In
addition, you can define Sensor signature templates and apply those templates to
one or more Sensors defined in the NTT.
The Event Viewer in CSPM provides a mechanism to view alarms generated by
CIDS components in real time. The Event Viewer presents the alarms in a
configurable grid to enable multiple views and instances.
[Figure: CIDS Director for UNIX. A software application on HP OpenView on the Solaris or HP-UX platform that provides remote Sensor configuration and control, and alarm notification and management.]
Feature Comparison
Feature                     CSPM               Director for UNIX
Severities                  Low-Medium-High    1 through 5
Signature Templates         Yes                No
Configuration Versioning    No                 Yes
Local Logging               Database           Text File
Alarm Forwarding            Yes                Yes
SNMP Traps                  Yes                Yes
CSPM and the Director for UNIX differ in many ways other than just the
operating system that they run on. Severities in CSPM are assigned Low, Medium,
or High levels, whereas in the Director for UNIX a number between 1 through 5 is
assigned, where 1 is the lowest severity and 5 is the highest.
CSPM enables you to create signature templates that can be shared between
Sensors, so that if you change a template it is automatically applied to all Sensors
referencing it. The Director for UNIX enables you to save multiple complete
configuration versions for the Sensors that can be applied as needed.
The logged alarms in CSPM are saved in a database, and as text files in the
Director for UNIX. Alarm forwarding, the ability of the Director to send alarms to
another Director, is available in the Director for UNIX but not on CSPM.
CSPM and the UNIX Director both have alarm forwarding and SNMP trap
capability. In CSPM, SNMP traps are possible via custom script execution:
you must create a custom script that generates an SNMP trap to be sent to a
network management station.
Note
Refer to the Event Notification and Alarm Reporting chapter for more details on
configuring CSPM for script execution.
CIDS PostOffice
This section describes the functions and features of the PostOffice protocol.
PostOffice Protocol
[Figure: PostOffice Protocol. Command and control communications use UDP 45000 across the Internet, separate from network monitoring. Message types: command, error, alarm, IP log, redirect, command log, heartbeat.]
CIDS services and hosts communicate with one another using the PostOffice
protocol. The services are the IDS software daemons that exist on the Sensors and
Director platforms.
PostOffice uses the UDP transport on port 45000. The following are the types of
messages that are sent using the PostOffice protocol:
Command messages
Error messages
Alarm messages
IP log messages
Redirect messages
Heartbeat messages
Note
PostOffice Features
[Figure: PostOffice reliability. The protocol acknowledges every message sent; an alarm sent by the Sensor is confirmed as received by the Director.]
[Figure: PostOffice identifiers. Each device has a numeric Host ID and Organization ID (for example, Host ID = 10, Org ID = 200) and an alphanumeric Host Name and Organization Name (Host Name = director, Org Name = acme-noc). The combination of Host ID and Org ID must be unique. Host, Organization, and Application ID are used together to route PostOffice traffic.]
2001, Cisco Systems, Inc.
[Figure: Example identifiers. director: Host ID = 10; sensor2: Host ID = 20; sensor3: Host ID = 30; all with Org ID = 100, Org Name = cisco.]
You must assign each CIDS device a unique numeric identifier. This unique
numeric identifier is a combination of a host identification and an organization
identification. With every host identification and organization identification
combination, there is an associated alphanumeric identifier consisting of a host
name and an organization name. The following are descriptions of the individual
identifiers:
Host ID: A numeric identifier greater than zero for each CIDS device.
Host Name: An alphanumeric identifier for each CIDS device. The name
chosen here is typically one that contains the word sensor or director so
you can easily identify the device type.
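Two PostOffice properties stated on this page, that every device is addressed by a unique Host ID and Organization ID pair, and that every message is acknowledged and resent as needed (the PostOffice Features figure and the chapter summary), are modelled together in the following added Python example. It is not Cisco code and does not use the PostOffice wire format: the Registry, the Address record, the in-memory LossyChannel, the datagram layout, and the retry limit are all assumptions for illustration. The identifier values (director 10, sensor2 20, organization 100 cisco, organization 200 acme-noc) are the ones shown in the figures above; the Application ID is not modelled.

```python
"""Simplified model of PostOffice addressing and acknowledged delivery
(added example; not the PostOffice protocol itself)."""
from dataclasses import dataclass, field

MAX_ID = 65535   # both IDs are numeric and greater than zero


@dataclass(frozen=True)
class Address:
    host_id: int
    org_id: int
    host_name: str
    org_name: str


class Registry:
    """Refuses two devices with the same (host_id, org_id) pair."""

    def __init__(self):
        self.devices = {}

    def register(self, addr):
        for value, label in ((addr.host_id, "Host ID"), (addr.org_id, "Organization ID")):
            if not 1 <= value <= MAX_ID:
                raise ValueError(f"{label} {value} is out of range 1-{MAX_ID}")
        key = (addr.host_id, addr.org_id)
        if key in self.devices:
            raise ValueError(f"identifier {key} already used by {self.devices[key].host_name}")
        self.devices[key] = addr
        return key


@dataclass
class LossyChannel:
    """Constructed transport: drops the first `drop_first` datagrams, then
    delivers everything and returns an acknowledgement for each."""
    drop_first: int
    delivered: list = field(default_factory=list)
    attempts: int = 0

    def send(self, datagram):
        self.attempts += 1
        if self.attempts <= self.drop_first:
            return None                      # lost; no acknowledgement comes back
        self.delivered.append(datagram)
        return ("ACK", datagram["seq"])      # receiver acknowledges every message


def send_reliably(channel, src, dst, kind, body, seq, max_retries=5):
    """Resend until acknowledged. Returns (delivered, attempts_used)."""
    datagram = {"seq": seq, "src": (src.host_id, src.org_id),
                "dst": (dst.host_id, dst.org_id), "type": kind, "body": body}
    for attempt in range(1, max_retries + 1):
        if channel.send(datagram) == ("ACK", seq):
            return True, attempt
    return False, max_retries


def demo():
    """Register devices, reject a clash, and deliver an alarm over a lossy path."""
    reg = Registry()
    director = Address(10, 100, "director", "cisco")
    sensor2 = Address(20, 100, "sensor2", "cisco")
    reg.register(director)
    reg.register(sensor2)
    # Same Host ID in another organization is fine: the pair is what must be unique.
    reg.register(Address(10, 200, "director", "acme-noc"))
    try:
        reg.register(Address(20, 100, "sensor-dup", "cisco"))
        clash = False
    except ValueError:
        clash = True
    ok, tries = send_reliably(LossyChannel(drop_first=2), sensor2, director,
                              "alarm", "sig 3050", seq=1)
    return {"clash_rejected": clash, "alarm_delivered": ok, "attempts": tries}


if __name__ == "__main__":
    print(demo())
```

The retry limit is the point to watch operationally: when it is exhausted the alarm is still on the Sensor's local log, which is why the text recommends logging on both the Sensor and the Director rather than relying on delivery alone.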
Summary
This section summarizes what you learned in this chapter.
Summary
Intrusion detection is the ability to detect
attacks against a network, including the
following: reconnaissance, access, and denial
of service.
CIDS uses signature and network-based
intrusion detection.
The Sensor and Director platforms are the
main components of the CIDS.
Summary (cont.)
The CIDS Sensor is a performance-tuned hardware
appliance that detects intrusion attempts.
The following are CIDS Sensor hardware
appliances:
CIDS-4230 and 4210
Catalyst 6000 IDS Module
CIDS Sensors notify the Director platform when
signatures are triggered, and log alarm activity.
CIDS Sensors can automatically respond to
attacks by resetting the connection, blocking the
offending IP address, or logging the session.
Summary (cont.)
CIDS has two Director platforms: CSPM and
Director for UNIX.
The following are the Director platforms features:
Displays and logs alarms received by one or
many Sensors.
Allows the user to manage and respond to
alarms from a GUI.
Allows the user to configure and control one or
many Sensors.
Cisco's proprietary communications protocol used
to send messages between Sensors and the
Director platform is the PostOffice protocol.
Summary (cont.)
The following are the PostOffice protocol features
and benefits:
A reliable protocol that requires acknowledgement of all
messages sent, and resends messages as needed
A redundant protocol that can be configured to send
messages up to 255 destinations
A fault-tolerant protocol that can be configured to send
messages using 255 alternate IP addresses when a
primary path is down
Must have a unique host and organization identifier for
each CIDS device
Can be protected with IPSec between Sensors and the
Director platform
Cisco Secure Policy Manager Installation
Overview
This chapter explains the requirements for installing the Cisco Secure Policy
Manager (CSPM). It also explains in detail how to install CSPM and the
PostOffice protocol package delivered with it.
This chapter includes the following topics:
Objectives
CSPM requirements
CSPM installation
Starting CSPM
Summary
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will
be able to perform the following tasks:
List the software and hardware requirements
for installing CSPM.
Describe the licensing options for CSPM.
Describe the CSPM installation options.
Install CSPM and PostOffice.
Start CSPM.
Start the CSPM Getting Started Videos.
CSPM Requirements
This section describes the Director software, hardware, and configuration
requirements.
Software Requirements
Operating System: Windows NT 4.0, Service Pack 6a
NTFS disk partition
TCP/IP protocol stack
DHCP disabled (recommended)
Internet Explorer 5.x
CVPN Client (optional)
Recommended Hardware
600 MHz Pentium processor
256 MB of RAM
8 GB free hard drive space
CD-ROM drive
Sound card with external speakers (optional, for videos)
Mouse
Properly configured network adapter cards
Client Installations
96 MB of RAM
Mouse
Licensing Options
CSPM uses a licensing scheme that allows you to align your purchasing goals with
the size of your operation. In turn, the license you purchase determines the number
of supported devices you can manage. Currently, CSPM supports management of
Cisco PIX Firewalls, Cisco IOS Routers, and Cisco Intrusion Detection System
(CIDS) Sensors.
The following table lists the available permanent product licenses. Each
permanent license affords the same features and functionality.
Customer Order Part Number    Description
SEC-POL-MGR-LITE              Three devices
SEC-POL-MGR-2.0               Unlimited devices
Installation Options
Standalone CSPM
Client-server CSPM
Policy server
Policy administrator
Distributed CSPM (not supported)
Policy Server: The Policy Server feature set includes a central database that
stores all system configuration data and summary audit records, as well as the
subsystem responsible for generating on-demand or scheduled system reports.
It also includes the Policy Server feature set that is responsible for compiling
the global policy down into device-specific rules. In addition, it adjusts the
addresses for intermediate network address translation. When distributing the
system, you must always install the Policy Server feature set first, because the
database key is necessary to install all other feature sets. You must install this
feature set on a computer running Windows NT version 4.0. The Policy
Administrator feature set is also included when you install the Policy Server.
CSPM Installation
This section describes how to install CSPM.
Start Installation
[Figure: Start Installation. Continue if the VPN Client is not wanted; select Install Product.]
Step 1   Log in as user administrator on the host on which you are installing CSPM.
Step 2   Insert the CSPM CD-ROM into the drive on the target host to initiate the
Autostart program. If you have not installed CVPN Client on this host, the CVPN
Client window opens; otherwise, the Cisco Secure Policy Manager Installation
window opens.
Note
If you have not installed CVPN Client on this host and want to do so, you should
now exit the CSPM installation and insert the CVPN Client CD-ROM. Otherwise,
continue with the installation procedures for Cisco Secure Policy Manager.
Step 3   Select Install Product in the Options group box, and then click Next. The License
Agreement window opens.
Step 4   Review all conditions of the license agreement using the scroll bar on the right
side of the window. To accept the license agreement and continue with the
installation process, select I accept the agreement.
Step 5   To proceed to the next window, click Next. The License Disk window opens.
[Figure: License Disk. Enter the license file location and the license password.]
Step 6   To specify the location of the CSPM license disk, enter the directory path in the
Location field, or click Browse to find the correct path.
Step 7
Step 8   Click Next to proceed to the next window. The Installation Options window
opens.
[Figure: Installation Option. Select Standalone CSPM.]
Step 9   Click Standalone CSPM to select the type of system to install. A brief text
description of the standalone system appears in the Installation Option field.
Step 10  To specify where to install CSPM, enter the directory path to the installation
folder in the Installation Folder field, or click Browse to find the correct path.
Step 11  Click Next to proceed to the next window.
Step 12  If the folder that you specified in the directory path does not exist, the setup
If you click No, which does not create a folder, you return to the Installation Options
window.
[Figure: Account Information. Enter the password for the administrator account.]
Step 13  To submit the corresponding password for the Windows NT username detected by
[Figure: Settings. Leave the default settings.]
Step 16 From the Local IP Address drop-down menu, select one of the IP addresses
configured on the target host for all inbound and outbound CSPM
communications. Only one IP address is shown in the drop-down menu unless
multiple network interface cards (NICs) are installed in the host or multiple IP
addresses are configured on a NIC.
Step 17  You must ensure that the Policy Database listens on the proper port for
This step has no effect on IDS communications or operations. Keep the default
settings only when installing for IDS use.
stored
Step 20  Click Next to proceed to the next window. The database key is written to the
location that you specified and the Verify Install Settings window opens.
Note
[Figure: Verify Install Settings. Verify the settings and click Copy Files to proceed.]
Step 21  To copy all files to your disk, verify the settings that you chose, and then click
Copy Files. The TechSmith Screen Capture Codec Installation window opens.
Note
If you find an incorrect setting, click Back until you arrive at the proper window.
Make the necessary changes, and then click Next until you return to the Verify
Install Settings window.
[Figure: TechSmith Screen Capture Codec Installation. Click Install to see the included training videos.]
Step 22 To install the compression software (TechSmith Screen Capture Codec) required
for viewing the videos, click Install in the TechSmith Screen Capture Codec
Installation window.
If you have not installed Cisco Secure PostOffice, the installation program begins
to unpack the required files and initiates a separate installation for Cisco Secure
PostOffice. If Cisco Secure PostOffice is already installed on this host, skip to
Step 30.
Note
TechSmith's Camtasia was used to create the Getting Started Videos. Camtasia
uses a proprietary AVI compression codec called TechSmith Compression Codec
(TSCC). Before you can view the videos, you must have TSCC installed on your
computer.
PostOffice Installation
[Figure: PostOffice Installation. Verify the installation folder and click Next to proceed.]
Step 23  Click Next in the Welcome window to continue with the Cisco Secure PostOffice
appropriate fields and click Next. The Choose Destination Location window
opens.
Step 26 To install PostOffice in the destination folder, click Next. The PostOffice
installation program copies the appropriate files to the selected destination folder
and the Configure Communication Properties window opens.
PostOffice Settings
[Figure: PostOffice Settings. Enter the host identification, the organization identification, the hostname, and the organization name, and verify the IP address.]
Step 27  Submit the PostOffice parameters for CSPM. The properties you define in this
window are used to define the PostOffice identification for this host.
PostOffice Setting Parameter    Description
Host ID                         (1 to 65535)
Organization ID                 (1 to 65535)
IP Address                      <IP address>
Host Name                       <hostname>
Organization Name               <organization name>
Step 28 Click Next to start copying the PostOffice installation files. After the files are
[Figure: Setup Complete. Click Finish to finalize the CSPM installation.]
Step 29  PostOffice is now installed on the host. Click Finish to finalize the PostOffice
installation. The installation program for CSPM continues and the setup program
copies all files to the specified installation folder and creates the necessary
Registry keys. Then the Setup is complete window opens.
Step 30  CSPM is now installed on the host. Click Finish to finalize the CSPM installation.
Note
Starting CSPM
This section covers how to start CSPM after it is already installed. It also covers
how to configure and view the Getting Started Videos.
[Figure: CSPM logon. Enter the username and the password.]
The Local or Remote Server options within the Policy Database Server group box
are dependent on the type of CSPM installation that was chosen. The Local option
is associated with a standalone installation. The Remote server option is
associated with a client-server installation.
[Figure: Getting Started Videos. Select the folder that contains the video files, then choose the video you want to watch.]
In addition to reading through the online help and printed documentation, you can
learn important concepts about CSPM by viewing the Getting Started Videos.
These videos consist of a series of lessons that introduce you to the high-level
tasks you must perform in CSPM.
The Getting Started Videos are included on the CSPM CD-ROM. If you
downloaded the software, you will have to run the videoex.exe program, located
in the directory where you downloaded CSPM.
Note
TechSmith's Camtasia was used to create the Getting Started Videos. Camtasia
uses a proprietary AVI compression codec called TechSmith Compression Codec
(TSCC). Before you can view the videos, you must have installed TSCC on your
computer. If you downloaded the software, TSCC is installed when you run the
videoex.exe file.
To install the Getting Started Videos: right after you log on to CSPM, the Locate
Installation CD-ROM Image popup window opens. From this window, select the
folder where the video files are located. By default, it looks in the CD-ROM drive
for the installation CD-ROM.
To view a Getting Started lesson, select that lesson from the drop-down list and
click View. Your default AVI player (commonly Windows Media Player) opens
and plays the video.
Summary
This section summarizes what you learned in this chapter.
Objectives
In this lab exercise you will complete the following tasks:
Start CSPM.
Visual Objective
The following figure displays the lab topology you will use to complete this lab
exercise.
[Figure: Lab topology. Pod P and peer Pod Q are joined by the 172.30.1.0/24 network (router rP e0/1 at .10P, router rQ e0/1 at .10Q). Each pod has its own network, 10.0.P.0/24 and 10.0.Q.0/24, with the router's e0/0 at .1, the sensor (sensorP, sensorQ) and the IDSM (idsmP, idsmQ) at .4 and .6, and CSPM at 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP) and 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ).]
A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to complete the lab exercise.
Note
The P in an IP address, name, or command indicates your pod number. Make sure
to replace it with your pod number. The Q in an IP address, name, or command
indicates the pod number of a peer pod assigned by the instructor. Make sure to
replace it with your peer's pod number.
CIDS Parameters
Lab Settings
Username: administrator    Password: attack
Username: administrator    Password: attack
Installation format
Step 2   Start the installation of CSPM on your laptop from the CSPM CD-ROM or from
the files on your hard drive, as indicated by the instructor.
When installing from the CD-ROM, Windows NT will automatically start the
autorun.exe program in the CSPM CD-ROM.
When installing from files on your hard drive, complete the following:
Choose Start>Run.
Step 3
Step 4
Step 5
Step 6   Review all conditions of the license agreement using the scroll bar on the right
side of the window. To accept the license agreement and continue with the
installation process, select I accept the agreement.
Step 7   To proceed to the next window, click Next. The License Disk window opens.
Step 8   Click Browse.
Step 9
opens.
Step 14  Click Standalone CSPM to select the type of system to install. A brief text
Systems\Cisco Secure Policy Manager for you. Click Yes to create the folder and
proceed with the setup program. The Account Information window opens.
Step 17  Enter and confirm attack as the Administrator password in the Password and
Policy Database Key group boxes in the Settings window. Click Next to proceed
to the next window. The Verify Install Settings window opens.
Step 21  Click Copy Files to proceed to the PostOffice installation. The TechSmith Screen
If you find an incorrect setting, click Back until you arrive at the proper window.
Make the necessary changes, and then click Next until you return to the Verify
Install Settings window.
Step 22  Click Install in the TechSmith Screen Capture Codec Installation window.
Step 23  Click OK in the TSCC Installation Complete window to acknowledge the
message and continue with the PostOffice installation. The PostOffice installation
Welcome window opens.
Step 24  Click Next in the Welcome window. The Software License Agreement window
opens.
Step 25  Click Yes to accept the License Agreement. The User Information window opens.
Step 26  Click Next to accept the information displayed in the Name and Company fields.
installation program copies the appropriate files to the selected destination folder
and the Configure Communication Properties window opens.
Step 28  Submit the PostOffice parameters for this host in accordance with the following
table. The properties you define in this window are used to define the PostOffice
identification for this host.
Parameter            Value
Host ID              3
Organization ID      P
IP Address           10.0.P.3
Host Name            cspmP
Organization Name    podP
Step 29  Click Next to start copying the PostOffice installation files. After the files are
click Finish. The installation program for CSPM continues and the setup program
copies all files to the specified installation folder and creates the necessary
Registry keys. Then, the Setup is complete window opens.
Step 31  CSPM is now installed on the host. To complete the CSPM installation, click
Finish.
Step 2   Enter the username Administrator and the password attack into the appropriate
fields.
Step 3
Step 4   Click Cancel on the Locate Installation CD-ROM Image window. The CSPM
main window opens.
Step 5   You have just completed this lab exercise. Please inform the instructor that you are
finished.
Cisco Intrusion Detection System Sensor Installation
Overview
This chapter discusses Sensor deployment considerations, explains the parameters
that must be set to configure the Cisco Intrusion Detection System (CIDS) Sensor,
and explains how to add the Sensor to the CIDS Director after the Sensor is installed.
This chapter includes the following topics:
Objectives
Deploying CIDS
Summary
Lab exercise
Objectives
This section lists the chapter's objectives.
Objectives
Upon completion of this chapter, you will
be able to perform the following tasks:
Describe the most common Sensor
deployment options.
Define the terms device management and
firewall sandwich.
Describe the functional differences between
the Command and Control interface and the
Monitoring interface on the Sensor.
Deploying CIDS
This section describes the considerations you should make before deploying
Sensors across your network.
Basic Installation
[Figure: Basic Installation. The Sensor's Monitoring interface watches the segment between the untrusted network and the protected network; its Command and Control interface connects to an out-of-band command and control network.]
Installation with Device Management
[Figure: Installation with Device Management. As in the basic installation, but the command and control network also reaches a dedicated router interface so the Sensor can manage the router.]
[Figure: Installation with a firewall. The firewall sits between the untrusted network and the protected network, with the command and control network behind it.]
Configure the firewall to allow Telnet traffic from the
Sensor's Command and Control interface to the router.
With this configuration, the firewall implements traffic filtering, and the Sensor
captures packets between the router and firewall. The Sensor can then update the
router's ACL to deny unauthorized activity.
Note
[Figure: Remote installation. An IPSec tunnel across the untrusted network connects the Director on the protected network to the Sensor on the remote network.]
When a Sensor is deployed at a site remote from the Director, the traffic across the
untrusted network must be protected with encryption. This can be achieved with
IPSec encryption from Cisco router to Cisco router (site-to-site VPN).
To implement a remote IDS Sensor configuration with device management, you
must do the following tasks:
Note
Telnet from the Sensor's Command and Control interface to the router
UDP port 45000 traffic traveling through the firewalls and the routers
between the Director and the Sensor
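The two flows listed above are the only ones the Sensor's Command and Control interface needs through the firewalls for device management, so the rule set can be checked offline before it is deployed. The following is an added example, not from the course: a Python audit that evaluates a rule list first-match, top down, with an implicit final deny, the way a Cisco IOS access list is evaluated, and reports any required flow that is blocked and any probe flow that is wrongly permitted. The addresses follow the lab-style 10.0.1.0/24 layout but are constructed; treating the PostOffice traffic as UDP to destination port 45000 in both directions is an assumption of this example, as is the rule tuple format.

```python
"""First-match ACL audit for the Sensor management flows (added example)."""
from ipaddress import ip_address, ip_network

# Constructed lab-style addresses.
SENSOR_CC = "10.0.1.4"      # Sensor Command and Control interface
DIRECTOR = "10.0.1.3"       # Director platform (CSPM)
ROUTER = "10.0.1.1"         # managed Cisco IOS router
POSTOFFICE_PORT = 45000     # PostOffice UDP port from the text

# Rule tuples: (action, protocol, source network, destination network, dest port or None).
# Evaluated top down; the first match wins; no match means deny.
RULES = [
    ("permit", "tcp", "10.0.1.4/32", "10.0.1.1/32", 23),               # Telnet Sensor -> router
    ("permit", "udp", "10.0.1.4/32", "10.0.1.3/32", POSTOFFICE_PORT),  # PostOffice Sensor -> Director
    ("permit", "udp", "10.0.1.3/32", "10.0.1.4/32", POSTOFFICE_PORT),  # PostOffice Director -> Sensor
]

# Flows the text says must be allowed: (protocol, src, dst, dst port).
REQUIRED_FLOWS = [
    ("tcp", SENSOR_CC, ROUTER, 23),
    ("udp", SENSOR_CC, DIRECTOR, POSTOFFICE_PORT),
    ("udp", DIRECTOR, SENSOR_CC, POSTOFFICE_PORT),
]

# Constructed flows that must stay closed: Telnet from the Sensor to any other
# host, and Telnet or PostOffice from an outside address.
PROBES = [
    ("tcp", SENSOR_CC, "10.0.1.50", 23),
    ("tcp", "192.0.2.7", ROUTER, 23),
    ("udp", "192.0.2.7", DIRECTOR, POSTOFFICE_PORT),
]


def evaluate(rules, proto, src, dst, dport):
    """Return the action of the first matching rule, or "deny" if none matches."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):          # "ip" matches any protocol
            continue
        if ip_address(src) not in ip_network(r_src):
            continue
        if ip_address(dst) not in ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"


def audit(rules, required, probes):
    """Return (required flows that are blocked, probe flows that are permitted)."""
    missing = [f for f in required if evaluate(rules, *f) != "permit"]
    leaks = [f for f in probes if evaluate(rules, *f) == "permit"]
    return missing, leaks


if __name__ == "__main__":
    print(audit(RULES, REQUIRED_FLOWS, PROBES))   # ([], []) for the rule set above
```

Running the same audit against a single "permit ip any any" rule shows why the probes matter: every required flow passes, but so does every probe, and only the leak list reveals that the firewall is no longer filtering anything.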
Sensor Placement Considerations
[Figure: Sensor Placement Considerations. Candidate monitoring points: the boundary between the untrusted network and the protected network, the payroll segment, the web server and DNS server, dial-up access, and the partner network.]
Installing CIDS on your network requires some planning and forethought. Prior to
CIDS deployment you should examine the following aspects of your network:
Number of nodes
Entry and exit points into the network (ISP, dial-up, partners, and so on)
Amount of IP traffic
With this information, consider the information you want to protect.
Determine which segments should be monitored and which Sensor to deploy
based on bandwidth requirements.
Placing the Sensors on the perimeter enables you to see who is attempting to gain
access to the protected network and which vulnerability exploits are being used.
Placing the Sensors within the protected network enables the Sensors to monitor
activities across selected internal network segments. The Sensors in the protected
network only examine traffic that has successfully entered through the firewall or
is generated internally.
5-8 Cisco Secure Intrusion Detection System 2.1
[Figure: IDS-4230 front panel. Power switch, hard drive LED, reset switch, floppy disk drive, CD-ROM drive.]
The 4230 Sensor is a 4 RU, rack-mountable device. The lockable front access
panel protects the Sensor from unauthorized tampering. A floppy drive and CD-ROM drive are provided.
[Figure: 4230 Sensor back panel: power supply switch, video monitor and keyboard connectors, Command and Control interface, console port, Monitoring interface.]
The model of the Sensor is based on the type of network that uses it. The location
of the monitoring (sniffing) connection depends on the model of Sensor, whether
it is Ethernet, Fast Ethernet, Token Ring, and so on. Following is a list of the
types of network connections and the corresponding monitoring interface device
names.

Network Connection    Device Name
Ethernet              /dev/spwr0
Fast Ethernet         /dev/spwr0
Token Ring            /dev/mtok0
Single FDDI           /dev/ptpci
Dual FDDI             /dev/ptpci
Regardless of model, some connections are common to all Sensors such as the
keyboard, monitor, and Command and Control network interface connection. For
initial configuration there are connections for a keyboard and monitor. Be sure to
read and understand all safety requirements listed in the CIDS User Guide.
[Figure: 4210 Sensor back panel: Command and Control interface, console access port, video monitor connector, Monitoring interface.]
The back of the 4210 Sensor has two Ethernet interfaces. The top interface is the
Command and Control interface, and the bottom interface is the Monitoring
interface. Following is the type of network connection and the corresponding
monitoring interface device name.

Network Connection    Device Name
Ethernet              /dev/iprb0
In addition to the interfaces, the 4210 Sensors give you access to the keyboard
port, the console access port, and the video monitor port.
Be sure to read and understand all safety requirements listed in the CIDS User
Guide.
Management Access
There are three ways you may access a Sensor to manage it:
Accessing the console port using an RS-232 cable provided with the Sensor
and a terminal emulation program such as Hyperterm.
Login Accounts
[Figure: the two login accounts, netrangr and root; CIDS-level access.]
The following are the two management accounts and their characteristics used to
log in to the Sensor:
Username: root
Username: netrangr
sysconfig-sensor
During the initial configuration, you enter the minimal set of parameters for the
identification of the Sensor and the Director that will manage it. You must be
logged on to the Sensor as user root to run sysconfig-sensor, the CIDS menu-driven
configuration script. At the command prompt on the Sensor, enter sysconfig-sensor
and press Enter. The IDS Sensor Initial Configuration Utility menu appears.
Note
The sysconfig-sensor script should be used when Sensor network and PostOffice
configuration modifications are needed.
IP Configuration
Option 1: IP Address
Option 2: IP Netmask
Option 3: IP Hostname (the UNIX hostname, independent of PostOffice)
Option 4: Default route (enter a default route if access to or from the Sensor from or to another network is required)
Parameters                 Description
Option 1: IP Address       <IP Address>
Option 2: IP Netmask       <Netmask>
Option 3: IP Hostname      <Hostname>
Option 4: Default Route    <Default Route>
In the classroom, Option 5, Network Access Control, may have been set to include
entire networks such as the 10. and 192. networks, or the word ALL may be listed,
allowing any host. This is not recommended in real-world installations and is used
only for this learning environment.
Configuring Communication Parameters
[Figure: sysconfig-sensor main menu with Option 6 highlighted.]
Parameters                       Description
Sensor Host ID                   1-65535
Sensor Organization ID           1-65535
Sensor Host Name                 <Host Name>
Sensor Organization Name         <Org Name>
Sensor IP Address                <IP Address>
IDS Manager Host ID              1-65535
IDS Manager Organization ID      1-65535
IDS Manager Host Name            <Hostname>
IDS Manager Organization Name    <Org Name>
IDS Manager IP Address           <IP Address>
Note
The information you use to identify the Sensor is needed when you add the Sensor
to the Director platform.
Exercise extreme caution not to confuse the Sensor information for the Director
information, and vice versa. The information you enter is included in each packet
that travels between the Sensor and Director and must be error-free. If you make
an error while entering the information, enter n and press Enter when prompted.
Then select the parameter number again and enter the correct information.
After you have entered all of the information for the CIDS Communications
Infrastructure Configuration, you are prompted to create these files. If the
information is correct, enter y and press Enter.
The Sensor creates the configuration files, which are displayed on the window.
When all files have been successfully created, you are prompted to continue. Press
Enter.
The next window is a CIDS notes page. Read the information presented and then
press Enter to continue.
Option 7, the System Date, Time, and Timezone menu, enables you to enter
the date, time, and timezone for the Sensor appliance. You can also synchronize
the date and time with a time-service-enabled host.
The following table contains the values you need to enter and a description of each
when configuring the system date, time, and time zone.
CIDS Settings
Parameters                                                Description
Option 1: Synchronize the date and time with another host <Hostname>
Option 2: Enter the date and time manually                <Year>, <Month>, <Day>, <Hour>, <Minutes>
Option 3: Change timezone                                 <Timezone>
Option x: Exit to main menu
Changing Passwords
[Figure: sysconfig-sensor main menu with Option 8 highlighted.]
Option 8, Passwords, enables you to change the password for any account on the
Sensor (for example, netrangr or root). You must enter the account name to
change the password. After you do this, you need to reenter the password for
verification purposes. When the password is changed, the old password is
discarded.
Exiting sysconfig-sensor
Option x: Exiting sysconfig-sensor
Options 1 through 5 require the Sensor to reboot: the system prompts you to reboot when these parameters change; enter y at the prompt
Options 6 through 8 do not require the Sensor to reboot
Director communications are ready
Proceed to add the Sensor to the Director and enable intrusion detection
2001, Cisco Systems, Inc.
Option x, Exit, enables you to exit sysconfig-sensor. If options 1 through
5 (the IP settings) are modified, you are prompted to reboot the system. Enter y at
the prompt to reboot the Sensor. For options 6 and 8 the system is not required to
reboot, so you are returned to the prompt. For option 7 you are not required to
reboot unless the Timezone setting is changed. CIDS communications are now
ready for the Director to establish a connection and enable intrusion detection.
[Figure: CSPM Wizards menu; select Add Sensor.]
To add a Sensor in the Network Topology Tree (NTT), use the Add Sensor
wizard. The Add Sensor wizard helps you create a Sensor object and gives you
the option of extracting and saving a Sensor's configuration information in a
signature template.
To add a Sensor in CSPM, perform the following steps:
Step 1
Choose Wizards>Add Sensor to start the Add Sensor wizard. The Add Sensor
wizard opens, displaying the Sensor Identification window.
Note
[Figure: Sensor Identification window. Enter the Host ID, the Org Name, the Org ID and the IP Address; leave Cisco PostOffice in the field; verify the Sensor's address; enter comments. The lower option is for preconfigured Sensors.]
Step 2
Submit the identification parameters for the Sensor in accordance with the
following table.
CIDS Settings
Parameters                    Description
Sensor Name                   <Host Name>
Organization Name             <Org Name>
IP address                    <IP Address>
Host ID                       1-65535
Organization ID               1-65535
Associated Network Service    PostOffice
Heartbeat Interval            1-65535
Comments                      <Comments>
Step 3
[Figure: New Network Topology Object window; enter the IP address and the Network Mask.]
Step 4
Note
The IP address is for the default gateway of the Sensor's network. This information
is required to build a network tree within CSPM. It does not affect the Sensor's
configuration.
Step 5
[Figure: choose the Sensor version and the signature template from the drop-down menus.]
Step 6
Choose the Distribution host from the Host drop-down menu to specify the CSPM
host that will manage the Sensor.
Step 7
Choose a value from the Sensor Version drop-down menu to specify the version
on this Sensor.
Step 8
Choose the signature template currently applied to this Sensor from the Signature
Template drop-down menu.
Step 9
[Figure: click Finish.]
Step 10 Click Finish to accept your changes and continue. The appropriate objects are
added to the NTT and any saved templates are added to the Tools and Services
tree.
Note
If you already have an existing CSPM installation, steps 10 and 11 can be omitted.
Step 11 To add the CSPM host itself to the topology, right-click the network object under
Note
The network where the CSPM host resides must exist in the Network Topology
Tree (NTT). If it does not, the network must be created in the NTT prior to the
aforementioned step.
Step 12 CSPM automatically detects itself and asks you if wish to create the detected
[Figure: choose your host as the PDP and click OK.]
Step 13 You must configure the Policy Distribution Point (PDP) for the Sensor object. To
do this, select the Sensor object from the NTT, then select the Control tab.
Step 14 Within the Control tab, select the CSPM host itself from the Policy Distribution
Note
The PDP host is assigned during the Add Sensor Wizard process. These steps are
not necessary if the Sensor was added using the Add Sensor Wizard.
[Figure: CSPM toolbar. Save saves the configuration in CSPM; Update saves and updates the Sensor configuration files; then check for errors.]
The Save and Update buttons on the toolbar are responsible for generating the
configuration files that can be pushed to the Sensor. After you successfully do this,
you can view the generated command set using the Command tab on the Sensor.
When you are managing devices other than Sensors, the Save and Update
operation generates commands for each device identified in the NTT. In addition,
it includes all the routing and mapping rules that are either derived by CSPM or
manually entered by you as part of these rule sets.
[Figure: select the Sensor, check for errors, then click Approve Now.]
After you generate and view the commands using the Save and Update buttons,
and the Command tab on the Sensor, you can push them to the Sensor by
manually approving them, which is the default publishing method. You can
configure CSPM to automatically publish the command sets to all the Policy
Enforcement Points (PEPs) that you are administering each time you click Save
and Update on the File menu. The following steps are performed to apply a
signature template to a Sensor in CSPM:
Step 16 Select the Sensor from the NTT.
Step 17 Select the Command tab in the Sensor view panel.
Step 18 Click the Approve Now button in the Command Approval section. Wait for the
Note
CSPM has two approval methods: manual and automatic. The default approval
method is manual. To change to automatic, choose Tools>Options.
The configuration files generated by CSPM are stored in the following directory
structure, where Install Directory is the CSPM installation directory and hostname
is the name of the Sensor:
Install Directory\Cisco Secure PostOffice\tmp\sensorca\hostname
[Figure: select the Sensor and check the Status group box for errors.]
You can check for errors by looking at the Status group box under the Commands
tab. After an update, you can select Distribution Status under Command
Review/Edit to see any errors that might have been generated.
Consistency Check
[Figure: select Consistency Check and check the result for errors.]
The Consistency Check tool locates system inconsistencies within your CSPM
configurations. These system inconsistencies include invalid port numbers, invalid
IP addresses, and naming conflicts.
The following steps are performed to check system inconsistencies in CSPM:
Step 1
Step 2
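The kinds of inconsistency described above (invalid port numbers, invalid IP addresses, naming conflicts) can be illustrated on the PostOffice parameters that sysconfig-sensor Option 6 and the Add Sensor wizard ask for. The following is an added example, not the CSPM Consistency Check tool; the PostOfficeIdentity record, the assumption that the PostOffice address is the (org ID, host ID) pair, and the pod-1 sample values (the Sensor's host ID of 4 in particular) are constructed for this illustration.

```python
"""Consistency check over CIDS PostOffice identities (added example)."""
import ipaddress
from dataclasses import dataclass

POSTOFFICE_PORT = 45000        # UDP port carrying Director/Sensor traffic
ID_RANGE = range(1, 65536)     # host IDs and organization IDs are 1-65535


@dataclass(frozen=True)
class PostOfficeIdentity:
    role: str                  # "sensor" or "director"
    host_name: str
    org_name: str
    host_id: int
    org_id: int
    ip: str
    port: int = POSTOFFICE_PORT


def check_identity(ident):
    """Problems with a single identity (an empty list means it is well-formed)."""
    problems = []
    if ident.host_id not in ID_RANGE:
        problems.append(f"{ident.host_name}: host ID {ident.host_id} outside 1-65535")
    if ident.org_id not in ID_RANGE:
        problems.append(f"{ident.host_name}: org ID {ident.org_id} outside 1-65535")
    if ident.port not in range(1, 65536):
        problems.append(f"{ident.host_name}: invalid port {ident.port}")
    try:
        ipaddress.IPv4Address(ident.ip)
    except ValueError:
        problems.append(f"{ident.host_name}: invalid IP address {ident.ip!r}")
    if not ident.host_name or not ident.org_name:
        problems.append(f"{ident.host_name!r}: host name or org name is empty")
    return problems


def consistency_check(identities):
    """Check each identity, then look for conflicts across the whole set.

    Assumption: the PostOffice address is the (org ID, host ID) pair, so two
    hosts that share it cannot be told apart in the packets exchanged between
    Director and Sensor. A Sensor entered with the Director's values (the
    mix-up the chapter warns about) shows up here as exactly that conflict.
    """
    problems = []
    for ident in identities:
        problems.extend(check_identity(ident))
    by_addr, by_name, by_ip = {}, {}, {}
    for ident in identities:
        addr = (ident.org_id, ident.host_id)
        if addr in by_addr:
            problems.append(f"naming conflict: {ident.host_name} and {by_addr[addr]} "
                            f"share org ID {ident.org_id}, host ID {ident.host_id}")
        by_addr.setdefault(addr, ident.host_name)
        name = (ident.org_name, ident.host_name)
        if name in by_name:
            problems.append(f"naming conflict: host name {ident.host_name} "
                            f"used twice in org {ident.org_name}")
        by_name.setdefault(name, ident.host_name)
        if ident.ip in by_ip and by_ip[ident.ip] != ident.host_name:
            problems.append(f"IP conflict: {ident.ip} used by {ident.host_name} "
                            f"and {by_ip[ident.ip]}")
        by_ip.setdefault(ident.ip, ident.host_name)
    if not any(i.role == "director" for i in identities):
        problems.append("no Director defined: the Sensors have nowhere to send alarms")
    return problems


# Constructed lab values for pod 1: the CSPM host 10.0.1.3 is Host ID 3 in
# org 1 (from the lab topology); the Sensor's host ID of 4 is an assumption.
DIRECTOR = PostOfficeIdentity("director", "cspm1", "pod1", 3, 1, "10.0.1.3")
SENSOR = PostOfficeIdentity("sensor", "sensor1", "pod1", 4, 1, "10.0.1.4")
# The mistake the chapter warns about: the Director's IDs typed into the Sensor.
CONFUSED_SENSOR = PostOfficeIdentity("sensor", "sensor1", "pod1", 3, 1, "10.0.1.4")


def lab_problems():
    """Problems in the correctly entered pod: none expected."""
    return consistency_check([DIRECTOR, SENSOR])


def confused_problems():
    """Problems when the Sensor carries the Director's org ID and host ID."""
    return consistency_check([DIRECTOR, CONFUSED_SENSOR])


if __name__ == "__main__":
    for line in confused_problems():
        print(line)
```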
Summary
This section summarizes the concepts you learned to complete this chapter.
Summary
The Sensor can be deployed in a standalone installation, a firewall sandwich, and a remote installation.
The Sensor's Command and Control interface is used for communication with the Director.
The Sensor's Monitoring interface captures packets for intrusion analysis.
You can gain access to a Sensor for management by connecting a keyboard and a monitor, attaching a console cable, or via the network.
Summary (cont.)
The Sensor is bootstrapped using the sysconfig-sensor utility.
The Add Sensor wizard is used to add a Sensor object in CSPM.
The Command Approval function of CSPM enables you to push the configuration files from CSPM to the Sensor.
The Command Status and Command/Message windows display any errors when adding a Sensor in CSPM.
Objectives
In this lab exercise you will complete the following tasks:
Bootstrap a Sensor.
Visual Objective
The following figure displays the lab topology you will use to complete this lab
exercise.
[Figure: lab topology. Pod P and peer pod Q share the 172.30.1.0/24 backbone. Router rP connects to it on e0/1 (.10P) and to the pod network 10.0.P.0/24 on e0/0 (.1); on 10.0.P.0/24 are sensorP (.4), idsmP (.6) and the CSPM host at 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP). Pod Q mirrors this: rQ on e0/1 (.10Q) and e0/0 (.1) of 10.0.Q.0/24, sensorQ (.4), idsmQ (.6), and the CSPM host at 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ).]
A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to perform the lab.
Note
The P in an IP address, name, or command indicates your pod number. Make sure
to replace it with your pod number. The Q in an IP address, name, or command
indicates the pod number of a peer pod assigned by the instructor. Make sure to
replace it with your peer's pod number.
From the Windows NT command prompt, telnet to the Sensor and log on as user
root, password attack:
C:\> telnet 10.0.P.4
Trying...
Connected to sensor.
Escape character is '^}'.
login: root
Password: attack
#
Step 2
Run the sysconfig-sensor utility on the Sensor: The IDS Sensor Initial
Configuration Utility menu appears.
# sysconfig-sensor
Step 3
Step 4
Step 5
Parameter          Lab Settings
IP Address
IP Netmask         255.255.255.0
IP HostName
Default route
Network Access     ALL
Select option 6 and follow the prompts to enter the CIDS Communications
Infrastructure parameters:
CIDS Parameters
Lab Settings
Sensor Host ID
Sensor Organization ID
Sensor IP Address
Note
If you made any mistakes, enter n, and then enter y if you want to re-enter your
values.
Step 6
After the configuration files are created, press Enter when prompted to continue.
Step 7
Step 8
Step 9
Step 10 If prompted to, enter y to reboot. If you are not prompted to reboot, manually
reboot the Sensor by entering init 6 or reboot at the root prompt. Wait a few
seconds for the Sensor to reboot.
Note
The Telnet session will be disconnected when the Sensor starts rebooting.
Choose Wizards>Add Sensor from the main menu to start the Add Sensor
wizard. The Add Sensor wizard opens, displaying the Sensor Identification
window.
Step 2
Submit the CIDS identification parameters for the Sensor in accordance with the
following table:
Sensor Settings
Value
Host Name
Organization Name
IP Address
Host ID
Organization ID
Comments
Leave blank
Step 3
Step 4
Enter the IP address and netmask for the default gateway in accordance with the
following table.
Step 5
Parameter     Value
IP Address
Netmask       255.255.255.0
Step 6
Choose the Sensor Version from the drop-down menu as assigned by the
instructor.
CIDS Parameter
Value
sensor version
Step 7
Click Next to accept your changes and continue. The New Network Topology
Object window opens.
Step 8
Step 9
Click OK to continue.
Step 10 To add the CSPM host to the topology, right-click Net - 10.0.P.0 under Network
for the name of Packet Capture Device for the Sensor being used.
CIDS Parameter
Value
window opens.
Step 17 Select the Don't show this message again checkbox.
Step 18 Click the Update button on the CSPM toolbar.
Step 19 Click OK to continue.
Step 20 Select sensorP from the Network Topology Tree (NTT). (where P = pod number)
Step 21 Select the Command tab in the Sensor view panel.
Step 22 Click the Approve Now button in the Command Approval section.
Step 23 Monitor the progress in the Status group box. Wait for the configuration files to be
Note
You have just completed this lab exercise. Please inform the instructor that you are
finished.
Alarm Management
Overview
This chapter includes the following topics:
Objectives
Managing alarms
Preference settings
Summary
Lab exercise
Objectives
This section lists the chapters objectives.
Objectives
Upon completion of this chapter, you will
be able to perform the following tasks:
Respond to and manage the alarms displayed
on the Event Viewer in CSPM.
Customize the Event Viewer display options
and preferences.
Determine the Sensors communication status,
service versions, service status, and statistics.
Managing Alarms
This section discusses how, by using the CSPM Event Viewer, you can view,
interpret, and dispose of alarms.
[Figure: View Database Events window; choose the Event Type, the Start Time and the Stop Time.]
Intrusion alarms generated by Sensors are sent to the CSPM host, which displays
these events in the Event Viewer window. To open the Event Viewer, choose
Tools>View Sensor Events>Database from the top menu in the CSPM window.
The View Database Events window appears. Choose the Event Type and the Start
and Stop times. The following describes the View Database Event selection
parameters:
An option to view archived IDS events is also available. To open the Event
Viewer to view IDS archived events, choose Tools>View Sensor Events>Log
Files from the main menu in the CSPM window. The instance of the Event Viewer
that is viewing Sensor events from log files will not display new alarms received
by CSPM. CSPM stores new alarms in the database.
Many Event Viewer windows may be opened this way. Once an Event Viewer
window is opened, its display characteristics can be modified independently of all
other Event Viewer windows opened. This way you can customize each window
to display events based on different criteria as required by your environment.
Alarm Fields
[Figure: Event Viewer grid with the columns Count, Name, Source Address, Source Port, Destination Address, Destination Port and Details.]
Field
Description
Count
Name
Source Address
Destination Address
Destination Port
Source Port
Details
[Figure: further Event Viewer columns: Source Location, Destination Location, Local Date, Local Time, Signature ID, SubSig ID, Application Name, Sensor Name, Org Name, Severity and Level.]
Field                  Description
Source Location
Destination Location
Sub-Signature ID       The numeric identifier assigned to the sub-signature that triggered the alarm. Some signatures have a sub-signature ID but others do not.
Severity
Level
Organization Name
Sensor Name
Application Name
Local Date
Local Time
Resolving Hostnames
[Figure: right-click an alarm and choose Resolve Hostnames.]
From the Event Viewer you can quickly and easily identify the name of the host
that triggered the alarm, and the host that was the target of the attack. To do this,
right-click the alarm you wish to examine, then choose Resolve Hostnames from
the drop-down menu. A window is displayed showing the source and destination
IP addresses and their respectively resolved hostnames. If either hostname cannot
be resolved, the message Cannot be resolved is displayed for the unresolvable
host.
Note
For IP addresses to be resolved, the CSPM host must have a local host table entry,
have been configured to access a DNS server, or both.
Select the alarm to examine and choose Tools>Resolve Hostnames from the
top menu bar.
Select the alarm to examine and click the Resolve Hostname (H) button on
the top toolbar.
[Figure: right-click an alarm and choose Context Buffer.]
For TCP-based signatures, the Sensor captures up to 256 characters of the TCP
stream, which can be examined from the Event Viewer. This is called the context
buffer and it contains keystrokes, data, or both in the connection stream around the
string of characters that triggered the signature. This feature can be used to
determine if the triggered alarm was from a deliberate attack or if it is an
accidental set of keystrokes.
To view the captured context buffer, right-click the alarm you wish to examine,
then choose Context Buffer from the drop-down menu. A window is displayed
showing the context buffer data. When the context buffer is not available, the
Context Buffer option in the drop-down menu will be grayed-out.
Other ways to open the Context Buffer window are as follows:
Select the alarm to examine and choose View>Context Buffer from the top
menu bar.
Select the alarm to examine and click the Show Context Buffer button on the
top toolbar.
[Figure: right-click an alarm and choose Network Security Database.]
Select the alarm to examine and then choose Tools>NSDB from the top menu
bar.
Select the alarm to examine and click the Network Security Database button
on the top toolbar.
A typical NSDB Exploit Signature page contains the following information about
the signature that triggered the alarm:
Related Vulnerability Information
User Notes
The User Notes page is an empty template in which the user can fill in information
unique to their installation and implementation. You can use any text or HTML
editor to enter information. The user notes are located in the CSPM report
directory (e.g., C:\Program Files\Cisco Systems\Cisco Secure Policy
Manager\Report\nsdb\html).
[Figure: choose Suspend New Events or Resume New Events from the Edit menu.]
You may suspend the Event Viewer from displaying new alarms. To suspend the
Event Viewer, choose Edit>Suspend New Events on the top menu bar. To resume
alarms, choose Edit>Resume New Events on the top menu bar.
Other ways to suspend or resume the Event Viewer are as follows:
To suspend an alarm, click the Pause Live Feed button on the top toolbar.
To resume an alarm, click the Resume Live Feed button on the top toolbar.
The Suspend feature is best used to analyze current alarms being displayed.
Suspending alarms prevents new alarms from being displayed and shuffling the
current alarms. The Suspend feature is also beneficial when deleting alarms.
Deleting Alarms
[Figure: right-click an alarm and choose Delete Rows>From This Grid, Delete Rows>From All Grids, or Delete Rows>From Database.]
When an alarm has been acknowledged, dealt with, or both, you may want to
remove it from the Event Viewer grid or from the database altogether. To do this,
right-click the alarm you wish to delete, then choose Delete Row(s)>From This
Grid, Delete Row(s)>From All Grids, or Delete Row(s)>From Database from
the drop-down menu. The differences between the three options are as follows:
From This Grid: Deletes alarms from the grid where this action is being
performed. It will not delete alarms from other grids or the CSPM database.
From All Grids: Deletes alarms from all grids, including other grids that
may be opened. It will not delete alarms from the CSPM database.
From Database: Deletes alarms from all the grids and the CSPM database.
If you use this option the alarm is completely gone and you may not display it
on the Event Viewer again, even if you open another Event Viewer.
Note
None of the delete options affect alarms that are logged in the Sensor log files.
WARNING If the Count cell of the top row of the Event Viewer is selected when using
any of the delete options, all rows will be deleted from the Event Viewer.
Select the alarm to delete and choose Edit>Delete Row(s)>From This Grid,
Edit>Delete Row(s)>From All Grids, or Edit>Delete Row(s)>From
Database from the top menu bar.
Select the alarm to delete and click the Deletes the selected rows from the
current grid only button on the top toolbar.
[Figure: click the Expand This Branch One Column to the Right button.]
By default, the Event Viewer consolidates or collapses alarms based on the first
two field columns. To view the details of collapsed alarms, you must expand the
columns until the fields that you are interested in are shown. To do this, select the
row that you want to expand and then click the Expand This Branch One
Column to the Right button on the top toolbar.
Other ways to expand alarms one column to the right are as follows:
Select the row to expand and choose Edit>Expand>One Column on the top
menu.
Note
This is not a persistent change. This means that closing the Event Viewer and reopening it will bring back the default expansion boundary.
[Figure: click the Expand This Branch all the way to the Right button.]
In one click you can expand the row all the way to the right. To do this, select the
row that you want to expand and then click the Expand This Branch all the way
to the Right button on the top toolbar.
Another way to expand alarms all the way to the right is to select the row to
expand and choose Edit>Expand>All Columns from the top menu.
Note
This is not a persistent change. This means that closing the Event Viewer and reopening it will bring back the default expansion boundary.
[Figure: click the Collapse This Branch One Column to the Left button.]
To consolidate alarm details, you must collapse the columns until the fields that
you are interested in are consolidated. To do this, select the row that you want to
consolidate and then click the Collapse This Branch One Column to the Left
button on the top toolbar.
Another way to collapse alarms one column to the left is to select the row to
expand, and then choose Edit>Collapse>One Column from the top menu.
Note
This is not a persistent change. Changes only affect the current Event Viewer.
New Event Viewers launched will have the default expansion boundary.
[Figure: click the Collapse This Branch to the Currently Selected Column button.]
In one click you can collapse the row all the way to the column currently selected.
To do this, select the column you want to collapse to in the row that you want to
collapse, and then click the Collapse This Branch to the Currently Selected
Column button on the top toolbar.
Another way to collapse alarms all the way to the column currently selected is to
select the column you want to collapse to in the row you want to collapse and
choose Edit>Collapse>All Columns on the top menu.
Note
This is not a persistent change. Changes only affect the current Event Viewer.
New Event Viewers launched will have the default expansion boundary.
[Figure: right-click a column and choose Set Event Expansion Boundary.]
By default, the Event Viewer expands the first two columns of the grid. You can
change the expansion boundary for new alarms that come in. To do this, right-click
the column that you want to expand to, and choose Set Event Expansion
Boundary. From this point forward any new alarms that come in will be expanded
up to the column that has been set to be the new expansion boundary.
Other ways to set the new expansion boundary are as follows:
Select the column that you want to expand to, and choose Edit>Set Event
Expansion Boundary from the top menu.
Select the column that you want to expand to, and click the Set Event
Expansion Boundary button on the top toolbar.
Note
This is not a persistent change. Changes only affect the current Event Viewer.
New Event Viewers launched will have the default expansion boundary.
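The consolidation behaviour described in the expand, collapse and expansion boundary sections above, as an added example that is not CSPM code: alarms are grouped on the leading columns up to the expansion boundary, Count is the number of alarms in each group, and the Blank Left preference blanks a value repeated from the row above. The column order below is an assumption (the Event Viewer lets you move columns); the three signature names are the ones the chapter uses in its Blank Left example, and the addresses and ports are constructed.

```python
"""Event Viewer row consolidation up to an expansion boundary (added example)."""
from collections import OrderedDict

# Assumed column order; Count is derived, not stored with the alarm.
COLUMNS = ["Source Address", "Name", "Destination Address", "Destination Port"]

# Constructed alarms: signature names from the chapter, the rest made up.
ALARMS = [
    {"Source Address": "172.30.1.88", "Name": "WWW perl interpreter attack",
     "Destination Address": "10.0.1.10", "Destination Port": 80},
    {"Source Address": "172.30.1.88", "Name": "WWW IIS view source attack",
     "Destination Address": "10.0.1.10", "Destination Port": 80},
    {"Source Address": "172.30.1.88", "Name": "WWW IIS view source attack",
     "Destination Address": "10.0.1.11", "Destination Port": 80},
    {"Source Address": "172.30.1.88", "Name": "WWW IIS newdsn attack",
     "Destination Address": "10.0.1.10", "Destination Port": 8080},
    {"Source Address": "192.168.5.7", "Name": "WWW perl interpreter attack",
     "Destination Address": "10.0.1.10", "Destination Port": 80},
]


def consolidate(alarms, boundary=2):
    """Collapse alarms on the first `boundary` columns (default: two).

    Returns a list of (count, values) where values is the tuple of leading
    column values; rows keep first-seen order, as alarms arrive in the grid.
    Expanding one column to the right is boundary + 1; collapsing is boundary - 1.
    """
    boundary = max(1, min(boundary, len(COLUMNS)))
    groups = OrderedDict()
    for alarm in alarms:
        key = tuple(alarm[c] for c in COLUMNS[:boundary])
        groups[key] = groups.get(key, 0) + 1
    return [(count, key) for key, count in groups.items()]


def render(alarms, boundary=2, blank_left=True):
    """The grid as the user sees it: a Count cell followed by the expanded cells.

    With blank_left, a leading value that equals the value in the row above
    (together with everything to its left) is shown as "" rather than repeated.
    """
    grid = []
    prev = ()
    for count, values in consolidate(alarms, boundary):
        cells = []
        for i, value in enumerate(values):
            repeated = blank_left and len(prev) > i and prev[:i + 1] == values[:i + 1]
            cells.append("" if repeated else str(value))
        grid.append([str(count)] + cells)
        prev = values
    return grid


if __name__ == "__main__":
    for boundary in (1, 2, 4):
        print(f"expansion boundary = {boundary}")
        for row in render(ALARMS, boundary):
            print("  " + " | ".join(row))
```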
Moving Columns
[Figure: click and drag the header of the column to be moved.]
Columns can be moved to any position in the Event Viewer grid. To do this, click and drag the column header of the column to be moved, and move it to the new
position.
Note
This is not a persistent change. Changes only affect the current Event Viewer.
New Event Viewers launched will have the default column order.
[Figure: right-click a column and choose Delete Column.]
You can delete columns from the Event Viewer. To do this, right-click the column
to be deleted, and then choose Delete Column from the drop-down menu.
Another way to delete columns from the Event Viewer is to click anywhere on
the column that you want to delete, then choose Edit>Delete Column on the top
menu.
Note
Deleting columns this way does not permanently remove the columns. Closing the
Event Viewer and re-opening it brings any deleted columns back.
WARNING Removing columns will affect CIDS features. The columns must exist in the
Event Viewer to enable the feature affected.
The following table describes the Event Viewer columns that affect CIDS
features.
Column
Feature Affected
Source Address
Sensor Name
Org Name
App Name
Selecting Columns to Be Displayed
[Figure: Insert/Modify Columns window. Choose Edit>Insert/Modify Column(s); select or deselect fields; click Up or Down to order them; click Recommended; click OK.]
You can customize what field columns are displayed in the Event Viewer. To do
this, choose Edit>Insert/Modify Column(s) on the top menu. This opens the
Insert/Modify Columns window.
The Insert/Modify Columns window shows all the available fields. To select or
deselect a field to be displayed, click the selection box in the Show column for
that field.
WARNING Removing columns will affect CIDS features. The columns must exist in the
Event Viewer to enable the feature affected.
The following table describes the Event Viewer columns that affect CIDS
features.
Column
Feature Affected
Source Address
Sensor Name
Org Name
App Name
This is a persistent change. Changes will affect newly launched Event Viewers.
Preference Settings
This section describes the different preference settings that can be customized in
the Event Viewer.
[Figure: choose Edit>Preferences.]
In the Preferences window, you can customize a number of parameters for your
environment. To do this, choose Edit>Preferences from the top menu. This opens
the Preferences window.
Actions
Command Timeout: How long CSPM waits for a response from a Sensor
Time to Block: How long a Sensor blocks a host when a manual block is issued
Subnet Mask: The subnet mask used when manually blocking a network
Note
The settings in the Preferences window apply to all Event Viewers that are opened
from CSPM. If you have more than one instance open when you make a change in
the preference window, you must close and open those event viewer instances in
which you did not specifically make the changes.
The Actions group box in the Preferences window allows you to set the following
values:
Time to Block (minutes): Specifies how long the Sensor blocks traffic from
the specified source when you issue a Block command from the Event
Viewer. The block duration value that can be specified for the Sensor in the
Network Topology Tree (NTT) applies only to blocks that are generated
automatically by that Sensor. The Time to Block value in the Preferences
dialog box applies only to manually generated blocks from the Event Viewer.
The default value is 1440 minutes (one day). The allowable range is 1 to
525,600 minutes (one year).
Subnet Mask: Used to mask the source address value that you wish to block
to determine the range of the blocking rule that is published to the blocking
devices by the Sensor. This subnet mask applies only to the Block>Network
and Remove Block>Network options from the Event Viewer. The default
value is 255.255.255.0.
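The following Python is an added illustration, not part of the Cisco guide, of the two Actions settings just described: the Time to Block range check and the way the Subnet Mask turns an alarm's source address into the network range of a Block>Network rule. The function names and the sample address are this example's own assumptions.

```python
import ipaddress

# Values stated in the Preferences description above.
TIME_TO_BLOCK_DEFAULT = 1440                          # one day
TIME_TO_BLOCK_MIN, TIME_TO_BLOCK_MAX = 1, 525_600     # one minute to one year
SUBNET_MASK_DEFAULT = "255.255.255.0"


def check_time_to_block(minutes):
    """Validate a manual-block duration against the allowed range (1..525,600 minutes).

    Returns the value unchanged when valid and raises ValueError otherwise.
    """
    if not isinstance(minutes, int) or isinstance(minutes, bool):
        raise ValueError(f"Time to Block must be an integer number of minutes, got {minutes!r}")
    if not TIME_TO_BLOCK_MIN <= minutes <= TIME_TO_BLOCK_MAX:
        raise ValueError(
            f"Time to Block must be between {TIME_TO_BLOCK_MIN} and "
            f"{TIME_TO_BLOCK_MAX} minutes, got {minutes}"
        )
    return minutes


def block_host_rule(source_address):
    """Block>Host: the rule covers exactly the alarm's source address."""
    return str(ipaddress.IPv4Network(f"{source_address}/32"))


def block_network_rule(source_address, subnet_mask=SUBNET_MASK_DEFAULT):
    """Block>Network: mask the alarm's source address with the Preferences subnet mask.

    The result is the network range the Sensor publishes to its blocking devices.
    strict=False lets the host bits of the source address be cleared by the mask.
    """
    network = ipaddress.IPv4Network(f"{source_address}/{subnet_mask}", strict=False)
    return str(network)


def rule_scope(rule):
    """Number of addresses a published rule covers; large values signal over-blocking risk."""
    return ipaddress.IPv4Network(rule).num_addresses


def rule_covers(rule, address):
    """True when the given address would be blocked by the rule."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(rule)


if __name__ == "__main__":
    # Constructed sample: the source address used in the Blank Left example of this guide.
    source = "172.30.1.88"
    print(block_host_rule(source))                              # 172.30.1.88/32
    print(block_network_rule(source))                           # 172.30.1.0/24 with the default mask
    print(block_network_rule(source, "255.255.0.0"))            # 172.30.0.0/16: a wider mask blocks far more
    print(rule_scope(block_network_rule(source)))               # 256
    print(rule_covers(block_network_rule(source), "172.30.1.5"))  # True: a neighbour is blocked too
    print(check_time_to_block(TIME_TO_BLOCK_DEFAULT))           # 1440
```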
Cells
The Cells preferences option enables you to determine if cell values will be
displayed or collapsed.
Cells (cont.)
Figure: example grids with Blank Left selected and Blank Right deselected, and
with Blank Left deselected and Blank Right selected.
The Blank Left and Blank Right check boxes in the Cells section of the Preference
window enable you to specify that cells be blank or filled:
Blank Left: This check box determines whether values that are suggested by
a cell above are filled in. For example, consider the following alarms
triggered by the same source IP address of 172.30.1.88: WWW perl
interpreter attack, WWW IIS view source attack, and WWW IIS newdsn
attack. If the Blank Left box is selected, the grid appears as follows:
172.30.1.88
<blank>
<blank>
If the Blank Left box is not selected, the grid appears as follows:
172.30.1.88
172.30.1.88
172.30.1.88
Blank Right: When cells are collapsed, their background color is gray, and if
the collapsed values differ, a + sign is displayed. When Blank Right is not
selected (the default) and a cell is collapsed but the value is the same in all
the collapsed cells, the actual value is displayed. When Blank Right is
selected, a + sign is placed in a collapsed cell regardless of whether the value
is the same in all the collapsed cells.
Status Events
The Show Status Events in Grid and Display Popup Window options in the Status
Events group box of the Preference window enable you to specify where status
events are displayed in the Event Viewer. The following are the two options for
displaying status events:
Figure: Show Status Events in Grid selected; Display Popup Window selected.
The previous figure shows examples of what windows open when you select either
Show Status Events in Grid or Display Popup Window from the Status Events
group box.
Event Severity Indicator
Events can either be represented by an icon or a color.
The Event Severity Indicator group box enables you to choose how events are
represented. There are two Severity Indicator options that you must select from:
Figure: Color selected (High = Red, Medium = Yellow, Low = Green) and Icon
selected (Low = No icon).
The previous figure shows examples of the two different ways events can be
graphically represented.
Boundaries
Default Expansion Boundary: Default number of expanded columns.
Maximum Events Per Grid: How many alarms can be displayed in a single Event
Viewer.
Event Batching Timeout: How often the Event Viewer is updated during an alarm
flood.
The Boundaries group box in the Preferences window enables you to set the
following values:
Note
Setting this field to its maximum value may cause the capacity of the CSPM
database to be exceeded.
Severity Mapping
Low: Fixed to 1. Default range is 1-2.
Medium: Must be greater than or equal to Low. Default setting is 3.
High: Must be greater than or equal to Medium. Default setting is 4.
The values under the Severity Mapping group box of the Preferences window
map a range of an alarm's severity level (a number that usually ranges from 1 to 5)
to a severity (Low, Medium, or High).
By default, events at levels 1 and 2 are Low, level 3 is Medium, and levels 4 and
higher are High. By changing the starting level value for any option, you can
change the associated range of severities. This changes the associated color and
icon to the events that fall within that range within the Event Viewer grids.
There are a few constraints on the numbers you can specify. The Medium level
must be greater than or equal to the Low level, and the High level must be greater
than or equal to the Medium level. The start value for the Low level range is fixed
at 1. Also, all values must be between 1 and 255. If they are not, you will be
notified, and the values will be adjusted for you.
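As an added example, not taken from the guide, the following Python carries the Severity Mapping rules above through in code: the constraint check on the three start values and the mapping of a level to Low, Medium, or High (and to the indicator colors from the figure). The guide does not say how out-of-range values are adjusted, so the adjustment rule here is an assumption of this example, as are the function names.

```python
# Defaults and limits stated in the Severity Mapping description above.
LEVEL_MIN, LEVEL_MAX = 1, 255
DEFAULT_THRESHOLDS = {"Low": 1, "Medium": 3, "High": 4}
# Colors from the Event Severity Indicator figure above.
SEVERITY_COLOR = {"Low": "Green", "Medium": "Yellow", "High": "Red"}


def normalize_thresholds(low=1, medium=3, high=4):
    """Apply the constraints above and return (thresholds, adjustments made).

    The guide says out-of-range values are adjusted for you but not how; the
    rule used here (pin Low to 1, clamp Medium and High to 1..255, then raise
    High up to Medium when it is lower) is this example's assumption.
    """
    adjustments = []
    if low != LEVEL_MIN:
        adjustments.append(f"Low start is fixed at {LEVEL_MIN} (was {low})")
        low = LEVEL_MIN
    clamped = {}
    for name, value in (("Medium", medium), ("High", high)):
        fixed = min(max(int(value), LEVEL_MIN), LEVEL_MAX)
        if fixed != value:
            adjustments.append(f"{name} {value} is outside {LEVEL_MIN}..{LEVEL_MAX}; set to {fixed}")
        clamped[name] = fixed
    medium, high = clamped["Medium"], clamped["High"]
    # Medium >= Low holds by construction (Low is 1 and Medium was clamped to >= 1).
    if high < medium:
        adjustments.append(f"High {high} is below Medium {medium}; raised to {medium}")
        high = medium
    return {"Low": low, "Medium": medium, "High": high}, adjustments


def severity_for_level(level, thresholds=None):
    """Map an alarm's numeric severity level to Low, Medium, or High."""
    t = thresholds or DEFAULT_THRESHOLDS
    if level >= t["High"]:
        return "High"
    if level >= t["Medium"]:
        return "Medium"
    return "Low"


def severity_ranges(thresholds=None, top=5):
    """Which levels (1..top; levels usually run 1 to 5) fall into each severity."""
    ranges = {}
    for level in range(LEVEL_MIN, top + 1):
        ranges.setdefault(severity_for_level(level, thresholds), []).append(level)
    return ranges


def indicator_color(level, thresholds=None):
    """Color the Event Viewer grid would use for this level with the Color indicator."""
    return SEVERITY_COLOR[severity_for_level(level, thresholds)]


if __name__ == "__main__":
    print(severity_ranges())                    # {'Low': [1, 2], 'Medium': [3], 'High': [4, 5]}
    # Constructed case: an operator enters Medium=2 and High=1, which violates High >= Medium.
    thresholds, notes = normalize_thresholds(1, 2, 1)
    print(thresholds, notes)
    print(severity_ranges(thresholds))          # {'Low': [1], 'High': [2, 3, 4, 5]}
```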
Figure callout: Choose View>Connection Status Pane.
You can choose to display the Connection Status Pane in the Event Viewer. The
Connection Status Pane displays icons for all the Sensors reporting to CSPM and
provides options to get status information from the Sensors. To view the
Connection Status Pane, choose View>Connection Status Pane from the top
menu. This displays the Connection Status Pane on the left side of the Event
Viewer.
Connection Status
Figure callout: Right-click and choose Connection Status.
From the Connection Status Pane you can get information on the status of the
connection between CSPM and the Sensors reporting to it. To do this, right-click
the Sensor you want connection status information about on the Connection Status
Pane and choose Connection Status. This opens the Connection Status window,
which indicates the status of the connection for the selected Sensor.
In the Connection Status window, you will see one of these two possible
connection status messages:
Connection is Established:
45000 1 [Established]
Select the Sensor you want connection status information about from the
Connection Status Pane and choose View>Connection Status from the top
menu.
Select a row in the Event Viewer and choose View>Connection Status from
the top menu. You will get connection status information for the Sensor that
reported the alarm you selected in the Event Viewer. If the row has
consolidated alarms from multiple Sensors, the connection status of all
Sensors is reported.
Service Status
Figure callout: Right-click and choose Service Status.
From the Connection Status Pane you can get information on the status of the
services running on the Sensors reporting to your CSPM host. To do this,
right-click the Sensor you want service status information about on the
Connection Status Pane and choose Service Status. This opens the Daemon Status
window, which indicates the status of the services running on the selected Sensor.
In the Daemon Status window, you will see the status of the services running in
the following format:
The status of the enabled applications on host "sensor0" is as follows:
fileXferd
Running
loggerd
Running
sapd
Running
configd
Running
packetd
Running
END
Select the Sensor you want service status information about on the
Connection Status Pane, and choose View>Services>Status from the top
menu.
Service Versions
Figure callout: Right-click and choose Service Versions.
From the Connection Status Pane you can get the version information of the
services running on the Sensors reporting to your CSPM host. To do this,
right-click the Sensor you want service version information about on the
Connection Status Pane and choose Service Versions. This opens the Daemon
Versions window, which indicates the versions of the services running on the
selected Sensor.
In the Daemon Versions window, you will see the version of the services running
in the following format:
The version of postofficed on host "sensor0" is:
postofficed v2.2.1 (release) 99/07/19-22:30
The version of fileXferd on host "sensor0" is:
fileXfer v2.2.1 (release) 99/07/19-22:36
The version of sapd on host "sensor0" is:
sapd v2.2.1 (release) 99/07/19-22:31
The version of configd on host "sensor0" is:
configd v2.2.1 (release) 99/07/19-22:29
The version of packetd on host "sensor0" is:
packetd v2.2.1.5 (release) 00/08/15-12:22
Select the Sensor you want service version information about from the
Connection Status Pane and choose View>Services>Version on the top
menu.
Statistics
Figure callout: Choose View>Statistics.
The Sensor keeps track of statistics regarding the processing of network packets,
such as the number of packets viewed since the Sensor's services were last started.
To view the statistics for a Sensor, select the Sensor you want statistics
information about on the Connection Status Pane and choose View>Statistics
from the top menu. This opens the Sensor Statistics window.
In the Sensor Statistics window, you will see the statistics for the selected Sensor
in the following format:
IP statistics for host "sensor0":
Statistics from: 12/07/2000 20:39:11
Number of seconds: 73395
IP Packets: 33696
Filtered Packets: 0
ICMP Packets: 19476
TCP Packets: 349
UDP Packets: 13871
Other Packets: 0
Bad IP Packets: 0
Bad ICMP Packets: 0
Bad TCP Packets: 0
Bad UDP Packets: 0
Objects: 128
Number Of Src Objects: 16
Number Of Dst Objects: 7
Number Of Dual Objects: 16
Number Of Quad Objects: 0
Number Of TCP Streams: 0
Stats: 0 84 84 0.00 38485 1
Packet socket statistics for host "sensor0":
Another way to open the Sensor Statistics window is to select a row in the Event
Viewer and choose View>Statistics from the top menu. You will get statistics
information for the Sensor that generated the selected alarm. If the Sensor Name
column is not being displayed in the Event Viewer, View>Statistics will be grayed
out, indicating the option is not available.
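The Daemon Status and Sensor Statistics windows above are the two health views an operator would want to check routinely. The following Python, an added example rather than code from the guide, parses both text formats and applies the checks a defender would run over them: every service Running, the per-protocol counters adding up to IP Packets, the Bad counters at zero, and the average packet rate. The samples are constructed to follow the formats shown above (one service is deliberately not Running and one Bad counter is non-zero), and the assumption that each status line carries the service name followed by its status is this example's own.

```python
import re

# Constructed samples following the Daemon Status and Sensor Statistics formats shown
# above; packetd and the Bad UDP count are deliberately abnormal so the checks report.
DAEMON_STATUS_SAMPLE = '''The status of the enabled applications on host "sensor0" is as follows:
fileXferd   Running
loggerd     Running
sapd        Running
configd     Running
packetd     Not Running
END
'''

IP_STATISTICS_SAMPLE = '''IP statistics for host "sensor0":
Statistics from: 12/07/2000 20:39:11
Number of seconds: 73395
IP Packets: 33696
Filtered Packets: 0
ICMP Packets: 19476
TCP Packets: 349
UDP Packets: 13871
Other Packets: 0
Bad IP Packets: 0
Bad ICMP Packets: 0
Bad TCP Packets: 0
Bad UDP Packets: 12
Objects: 128
Number Of TCP Streams: 0
Stats: 0 84 84 0.00 38485 1
'''

HOST_RE = re.compile(r'host "([^"]+)"')


def parse_daemon_status(text):
    """Return (host, {service: status}) from a Daemon Status window listing.

    Assumes each service line holds the service name followed by its status,
    between the header line and the END marker.
    """
    lines = text.strip().splitlines()
    match = HOST_RE.search(lines[0])
    host = match.group(1) if match else None
    services = {}
    for line in lines[1:]:
        if line.strip() == "END":
            break
        parts = line.split(None, 1)
        if len(parts) == 2:
            services[parts[0]] = parts[1].strip()
    return host, services


def services_not_running(text):
    """Names of services whose status is anything other than Running."""
    _, services = parse_daemon_status(text)
    return [name for name, status in services.items() if status != "Running"]


def parse_ip_statistics(text):
    """Return (host, {counter: value}); numeric values become ints, others stay strings."""
    lines = text.strip().splitlines()
    match = HOST_RE.search(lines[0])
    host = match.group(1) if match else None
    stats = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")   # first colon only: dates contain colons too
        if not sep:
            continue
        value = value.strip()
        stats[key.strip()] = int(value) if value.isdigit() else value
    return host, stats


def ip_statistics_findings(text):
    """Sanity checks on the counters: the per-protocol counts should add up to
    IP Packets, the Bad counters should be zero, and the rate shows sensor load."""
    _, s = parse_ip_statistics(text)
    findings = []
    by_protocol = s["ICMP Packets"] + s["TCP Packets"] + s["UDP Packets"] + s["Other Packets"]
    if by_protocol != s["IP Packets"]:
        findings.append(f"protocol counts ({by_protocol}) do not add up to IP Packets ({s['IP Packets']})")
    for key in ("Bad IP Packets", "Bad ICMP Packets", "Bad TCP Packets", "Bad UDP Packets"):
        if s.get(key, 0):
            findings.append(f"{key}: {s[key]} malformed packets seen since {s['Statistics from']}")
    rate = s["IP Packets"] / s["Number of seconds"]
    findings.append(f"average rate {rate:.2f} packets/second over {s['Number of seconds']} seconds")
    return findings


if __name__ == "__main__":
    print(services_not_running(DAEMON_STATUS_SAMPLE))      # ['packetd']
    for finding in ip_statistics_findings(IP_STATISTICS_SAMPLE):
        print(finding)
```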
Reset Statistics
Figure callout: Choose Actions>Reset Statistics.
You can reset the counts back to zero for the statistics being kept for a Sensor. To
reset the statistic counts for a Sensor, select the Sensor you want to reset statistics
for on the Connection Status Pane and choose Actions>Reset Statistics from the
top menu. This resets the statistics for the selected Sensors and opens the
Resetting Statistics status window.
In the Resetting Statistics window, you will see the reset statistics status for the
selected Sensor in the following format:
The status of resetting IP statistics for host "sensor0" is:
Success
The status of resetting packet statistics for host "sensor0" is:
Success
The status of resetting syslog statistics for host "sensor0" is:
Success
Another way to reset the Sensor statistics is to select a row in the Event Viewer
and choose Actions>Reset Statistics on the top menu. You will reset the statistics
for the Sensor that generated the selected alarm. If the Sensor Name column is not
being displayed in the Event Viewer, Actions>Reset Statistics will be grayed out,
indicating the option is not available.
Summary
This section summarizes what you learned in this chapter.
Use the Event Viewer in CSPM to respond to and manage the alarms.
The Event Viewer provides many display options and preferences to customize how
alarms are displayed.
Deleting columns from the Event Viewer can disable functionality.
The Sensor status reporting functions are used to view the status of
communications between Sensors and CSPM.
Objectives
In this lab exercise you will complete the following tasks:
Visual Objective
The following figure displays the lab topology you will use to complete this
exercise.
Figure: lab topology. Pod P and Pod Q (the peer pod) each have a router (rP, rQ)
with e0/0 at .1 on the pod network (10.0.P.0/24, 10.0.Q.0/24) and e0/1 on the
shared 172.30.1.0/24 network (.P and .10Q), a Sensor (sensorP, sensorQ) and an
IDSM (idsmP, idsmQ) at .4 and .6, and a CSPM host: 10.0.P.3 (Host ID = 3,
Org ID = P, Host Name = cspmP, Org Name = podP) and 10.0.Q.3 (Host ID = 3,
Org ID = Q, Host Name = cspmQ, Org Name = podQ).
Choose Tools>View Sensor Events>Database from the CSPM main menu. The
View Database Events window appears.
Step 2
Click OK to accept the default values. The Event Viewer window opens.
Step 3
From your own CSPM host, open your web browser and attack your peer's web
server by entering the following in the URL field:
http://10.0.Q.3/../..
After your peer has attacked your web server, fill out this table and answer the
following questions about the alarm that was generated:
Name
Source Address
Destination Address
Details
Source Port
Destination Port
Source Location
Destination Location
Signature ID
Sub-Signature ID
Severity
Level
Organization Name
Sensor Name
Application Name
Local Date
Local Time
Step 1
Step 2
Enable the columns listed in the following table. Columns not listed should be
disabled:
Column Name: Enable
Name: Yes
Source Address: Yes
Dest Address: Yes
Details: Yes
Source Loc: Yes
Dest Loc: Yes
Sensor Name: Yes
Org Name: Yes
App Name: Yes
Local Date: Yes
Local Time: Yes
Step 3
Step 4
Choose Tools>View Sensor Events>Database from the CSPM main menu to restart the Event Viewer. The View Database Events window appears.
Step 5
Click OK to accept the default values. The Event Viewer window opens.
Note
Your Event Viewer should only display the columns listed in the table.
Step 7
Step 8
Step 9
Step 10 Choose Tools>View Sensor Events>Database from the CSPM main menu to
restart the Event Viewer. The View Database Events window appears.
Step 11 Click OK to accept the default values. The Event Viewer window opens.
Note
Step 2
Step 3
Choose Edit>Delete Row(s)>From Database from the CSPM main menu. The
Event Viewer Delete Row window opens.
Step 4
Step 5
You have just completed this lab exercise. Please inform the instructor that you are
finished.
Cisco Intrusion Detection System Signatures
Overview
This chapter explains what a signature is and the many different signature series
that Cisco Intrusion Detection System (CIDS) uses.
This chapter includes the following topics:
Objectives
Understanding signatures
Summary
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
Describe what a signature is.
Name and identify signature implementations, structures, and classes.
Describe what signature severities are.
Name the attack probability and immediate threat level for the default severities.
Name and identify all CIDS signature series and their major categories.
Understanding Signatures
This section describes what a signature is; how they are implemented and
structured; their different classes, types, series, and categories; and their severities.
Signature Definition
Signature Implementations and Structures
Signature implementation:
Context: Trigger data contained in packet header.
Content: Trigger data contained in packet payload.
Signature structure:
Atomic: Trigger contained in a single packet.
Composite: Trigger contained in a series of multiple packets.
Figure: examples classified by signature implementation (Content or Context) and
by signature structure (Atomic or Composite).
Signature Classes
Reconnaissance: Triggers on an activity known to be, or that could lead to,
unauthorized discovery of systems, services, or vulnerabilities.
Access: Triggers on an activity known to be, or that could lead to, unauthorized
data retrieval, system access, or privilege escalation.
Examples of Reconnaissance activities are as follows:
Ping sweep
Port scan
DNS queries
Access class signatures are signatures that are triggered by a network activity that
is known to be, or that could lead to, unauthorized data retrieval, system access, or
privilege escalation. Examples of Access activities are as follows:
Denial of service (DoS) class signatures are signatures that are triggered by
network activity that is known to be, or that could lead to, the disablement or
disruption of a network, system, or service. Examples of DoS activities are as
follows:
Ping of Death
Trinoo attacks
Information class signatures are signatures that are triggered by normal network
activity that in itself is not considered to be malicious, but can be used to
determine the validity of an attack or for forensics purposes. Examples of
information activities are as follows:
UDP connections
Signature Types
General: Signatures that detect IP, ICMP, TCP, and UDP intrusion attempts.
Connection: Signatures that detect TCP connection requests and traffic to UDP
ports.
String: Signatures that detect matches to defined string patterns.
ACL: Signatures that violate defined ACL policies.
ACL: Detect violations that occur against defined Cisco IOS Access Control
Lists (ACLs). CIDS signature series is 10000.
Figure: CIDS signature series and their major categories: IP Options, IP
Fragmentation, Bad IP Packets, Ping Sweeps, ICMP Attacks, Mail Attacks, FTP
Attacks, NetBIOS Attacks, TCP Applications, UDP Attacks, UDP Applications, DNS
Attacks, Authentication Failures, Loki Attacks, TCP Applications, Web Attacks.
Signature Severities
Severity 1 (Low): Attack Probability = Very Low; Immediate Threat = No.
Severity 3 (Medium): Attack Probability = Medium; Immediate Threat = Low.
Severity 5 (High): Attack Probability = Very High; Immediate Threat = High.
Severity levels are assigned to each CIDS signature. The severity of the signature
represents the probability that the signature is an attack and the immediate threat
to the network. The default severity levels are assigned by Cisco network security
engineers. The signature severity level settings are configurable to allow for
tuning to your network environment. There are three severity levels:
Note
Figure: the protocol stack (Application, TCP, UDP, IP, Data Link, Physical) with
the IP-layer signature categories: IP Options, IP Fragmentation, Bad IP packets,
Unknown IP protocol, and Net Sweep-echo.
IP Options
Figure: IP header (20 bytes: Ver, Len, Serv, Length, Identification, Flg, Frag
Offset, TTL, Proto, Checksum, Source IP, Destination IP) followed by the IP
Options (adds up to 40 additional bytes) and the payload data.
The IP datagram header is normally 20 bytes long. The IP protocol allows for up
to 40 additional bytes of optional fields. Only 8 options are considered valid in IP
version 4.
IP Options (cont.)
Figure: layout of one option. The first octet holds the Copy bit (bit 0), the
Class (bits 1-2), and the Option # (bits 3-7); a Length octet and the Parameters
follow.
Copy: 0 = Do not include options in packet fragments; 1 = Include options in
packet fragments.
Class: 0 = Network Control; 2 = Debugging.
Option: one of eight valid options.
Length: number of bytes in option (if used by option).
Parameters: parameters passed by the option.
Last option is always option 00.
Option 2, Security: this option is specific to the U.S. government. It may carry
the following: s-security clearance, c-compartment, h-handling codes, and
tcc-user group.
Option 7, Record Route: applications may request that the route a packet takes
be recorded.
Option 9, Strict Source Route: this is a list of router addresses that must be
followed by the packet.
IP Option Signatures
1000 Bad option list: Invalid option
1001 Record packet route: Option=7
1002 Timestamp: Option=4
1003 Provide s, c, h, tcc: Option=2
1004 Loose source route: Option=3
1005 SATNET id: Option=8
Option #: Option Name
0: End of Options
1: No Operation
2: Security
3: Loose Source Rte
4: Timestamp
7: Record Route
8: Stream ID
9: Strict Source Rte
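The following Python is an added example, not code from the guide or from CIDS, showing how the option layout above is decoded and how an options area maps to the 1000-series signatures in the tables: the option-type octet is split into Copy, Class, and Option #, the list is walked using each option's Length octet, and a malformed or unknown option is treated as the 1000 Bad option list condition. The sample option areas are constructed for the example; the exact malformation rules that 1000 uses in CIDS are not stated in the guide, so those are this example's assumptions.

```python
# Option numbers the guide lists as valid, and the signatures it maps to them.
OPTION_NAMES = {
    0: "End of Options", 1: "No Operation", 2: "Security", 3: "Loose Source Rte",
    4: "Timestamp", 7: "Record Route", 8: "Stream ID", 9: "Strict Source Rte",
}
OPTION_SIGNATURES = {
    7: (1001, "Record packet route"),
    4: (1002, "Timestamp"),
    2: (1003, "Provide s, c, h, tcc"),
    3: (1004, "Loose source route"),
    8: (1005, "SATNET id"),
}
BAD_OPTION_LIST = (1000, "Bad option list")
CLASS_NAMES = {0: "Network Control", 2: "Debugging"}


def decode_option_type(byte):
    """Split the option-type octet into copy (bit 0), class (bits 1-2) and option number (bits 3-7)."""
    return {"copy": byte >> 7, "class": (byte >> 5) & 0x3, "number": byte & 0x1F}


def parse_ip_options(options):
    """Walk the options area of an IPv4 header.

    Returns (parsed_options, bad): bad is True when the list is malformed, which
    is the condition this example uses for signature 1000 (an assumption).
    End of Options and No Operation are single octets; every other option
    carries a length octet that covers the type and length octets themselves.
    """
    parsed, i = [], 0
    while i < len(options):
        opt = decode_option_type(options[i])
        number = opt["number"]
        if number == 0:                      # End of Options: always the last option
            parsed.append({**opt, "name": OPTION_NAMES[0], "length": 1})
            return parsed, False
        if number == 1:                      # No Operation: one octet, no length
            parsed.append({**opt, "name": OPTION_NAMES[1], "length": 1})
            i += 1
            continue
        if number not in OPTION_NAMES:       # not one of the eight valid options
            return parsed, True
        if i + 1 >= len(options):            # length octet missing
            return parsed, True
        length = options[i + 1]
        if length < 2 or i + length > len(options):   # length runs past the options area
            return parsed, True
        parsed.append({**opt, "name": OPTION_NAMES[number], "length": length,
                       "data": bytes(options[i + 2:i + length])})
        i += length
    return parsed, False


def option_signatures(options):
    """Signatures from the tables above that the given options area would trigger."""
    parsed, bad = parse_ip_options(options)
    sigs = {BAD_OPTION_LIST} if bad else set()
    for opt in parsed:
        if opt["number"] in OPTION_SIGNATURES:
            sigs.add(OPTION_SIGNATURES[opt["number"]])
    return sorted(sigs)


# Constructed sample option areas, padded to a multiple of four octets as IP requires.
RECORD_ROUTE = bytes([0x07, 0x07, 0x04, 0, 0, 0, 0, 0])        # option 7, length 7, pointer 4, pad
TIMESTAMP = bytes([0x44, 0x08, 0x05, 0x00, 0, 0, 0, 0])         # 0x44 = class 2 (Debugging), number 4
SECURITY_THEN_NOP = bytes([0x82, 0x0B] + [0] * 9 + [0x01, 0x00, 0x00, 0x00, 0x00])  # 0x82 = copy 1, number 2
INVALID = bytes([0x05, 0x04, 0, 0])                              # option number 5 is not valid
TRUNCATED = bytes([0x07, 0x0B, 0x04, 0])                         # says 11 octets, only 4 present

if __name__ == "__main__":
    for label, area in (("record route", RECORD_ROUTE), ("timestamp", TIMESTAMP),
                        ("security", SECURITY_THEN_NOP), ("invalid", INVALID),
                        ("truncated", TRUNCATED)):
        print(f"{label:12s} {option_signatures(area)}")
```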
IP Fragmentation Signatures
1100 IP Fragment Attack: Offset value too small. Indicates an unusually small
packet; may bypass some packet filter devices.
1103 IP Fragments Overlap
Figure: IP header with the Flg and Frag Offset fields highlighted.
1101 Unknown IP Protocol: Proto=invalid or undefined
1102 Impossible IP Packet
Figure: IP header with the Proto, Source IP, and Destination IP fields
highlighted.
Figure: ICMP header (Type, Code, Checksum, Identifier, Sequence #) followed by
data.
Type:
0 Echo Reply
8 Echo Request
13 Timestamp Request
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
Code: codes associated with each ICMP type.
Checksum: checksum value of header fields (excluding the checksum).
Code (bits 8-15): Specifies codes associated with each ICMP type.
Checksum (bits 16-31): Specifies the checksum value of the header fields,
excluding the checksum field.
Figure: IP and ICMP headers with the ICMP Type field highlighted for the
following signatures:
Type=0 (Echo Reply)
2004 Echo Request: Type=8
2007 Timestamp Request: Type=13
2008 Timestamp Reply: Type=14
Figure (cont.):
2010 Information Reply: Type=16
2011 Address Mask Request: Type=17
Type=18 (Address Mask Reply)
Figure: ICMP error message header (Type, Code, Checksum, Unused) followed by
the IP header plus 8 bytes of the original datagram's data.
Type:
3 Destination Unreachable
4 Source Quench
5 Redirect
11 Time Exceeded
12 Parameter Problem
Code: codes associated with each ICMP type.
Checksum: checksum value of header fields (excluding the checksum).
Type 5: Redirect
Code (bits 8-15): Specifies codes associated with each ICMP type.
Checksum (bits 16-31): Specifies the checksum value of the header fields,
excluding the checksum field.
Figure: ICMP Type field values for the following signatures:
Type=3 (Destination Unreachable)
2002 Source Quench: Type=4
2003 Redirect: Type=5
2005 Time Exceeded: Type=11
2006 Parameter Problem: Type=12
Figure: ICMP sweeps. Echo Request (Type=8) sent from one host to multiple
hosts, and Address Mask Request (Type=17) sent from one host to multiple hosts.
2152 ICMP Flood: Many ICMP packets to a single host.
Figure: IP and ICMP headers for the flood.
Figure: IP and ICMP headers with the Flg, Frag Offset, and Proto fields
highlighted.
Figure: TCP port scans (common scans and stealth scans) shown against the IP
header and the TCP header fields: Source Port, Dest Port, Source Sequence
Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent
Pointer.
TCP Port Scans are detected when a single host is searching for multiple running
services on another single host, the victim. Common scans use a normal TCP-SYN
(connection request) to determine that a service is running. Stealth scans use
FIN, SYN-FIN, null, or PUSH flags, fragmented packets, or both to determine that
a service is running. The following is a TCP flags refresher:
FIN: When set, this flag implies that the sender has finished sending data.
URG: The urgent pointer is valid when this flag is set. This pointer is a
positive offset that must be added to the sequence number field of the
segment to yield the sequence number of the last byte of urgent data.
PSH: Indicates that the receiver should pass this data to the application as
soon as possible.
3001 Port Sweep: SYNs to ports < 1024. Triggers when the type of sweep can't be
determined.
3045 Queso sweep: FIN, SYN/FIN, and a PUSH.
FIN flags set have been sent to a number of different destination ports on a
specific host. This is indicative that a reconnaissance sweep of your network
may be in progress. The use of both the SYN and FIN flag is abnormal, as is
the use of fragmentation, and could indicate an attempt to conceal the sweep.
This may be the prelude to a more serious attack.
Figure: TCP host sweeps (stealth scans) shown against the IP header and the TCP
header fields: Source Port, Dest Port, Source Sequence Number, Acknowledge
Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer.
TCP Host Sweeps are types of scans that are detected when a single host is
searching for a single running service on multiple hosts, the victims. Common
scans use a normal TCP-SYN (connection request) to determine that a service is
running. Stealth scans use FIN, SYN-FIN, null, or PUSH flags and fragmented
packets to determine that a service is running. The following are different TCP
flags:
FIN: When set, this flag implies that the sender has finished sending data.
URG: The urgent pointer is valid when this flag is set. This pointer is a
positive offset that must be added to the sequence number field of the
segment to yield the sequence number of the last byte of urgent data.
PSH: Indicates that the receiver should pass this data to the application as
soon as possible.
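The port scan and host sweep definitions above differ only in what the single source varies: the destination port on one host, or the destination host on one port. The following Python, an added detection example rather than code from the guide or from CIDS, classifies each probe by its flag combination (common SYN versus the FIN, SYN-FIN, null, and PUSH stealth probes) and then groups probes both ways to report the two sweep types. The packet records, the addresses, and the threshold of five distinct targets are constructed for this example; the guide does not state the counts CIDS uses.

```python
from collections import defaultdict

# TCP flag bits (low byte of the Flags field).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
STEALTH_KINDS = {"FIN", "SYN-FIN", "null", "PUSH"}


def classify_probe(flags, fragmented=False):
    """Name the probe type from its flag combination, as the guide describes:
    a plain SYN is a common scan; FIN, SYN-FIN, null and PUSH probes are stealth
    scans. Fragmented probes count as stealth regardless of flags.
    """
    if flags == 0:
        kind = "null"
    elif flags & SYN and flags & FIN:
        kind = "SYN-FIN"
    elif flags == FIN:
        kind = "FIN"
    elif flags == PSH:
        kind = "PUSH"
    elif flags == SYN:
        kind = "SYN"
    else:
        kind = "other"
    stealth = kind in STEALTH_KINDS or fragmented
    return kind, stealth


def detect_sweeps(packets, threshold=5):
    """Group probes the way the two sweep definitions above do.

    A port scan is one source probing many ports on one host; a host sweep is one
    source probing one port on many hosts. threshold (distinct targets) is this
    example's choice. Each packet is a dict with src, dst, dport, flags and an
    optional fragmented flag.
    """
    ports_per_host = defaultdict(set)     # (src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)     # (src, dport) -> {dst}
    kinds = defaultdict(set)              # src -> probe kinds seen
    stealth_src = set()
    for p in packets:
        kind, stealth = classify_probe(p["flags"], p.get("fragmented", False))
        ports_per_host[(p["src"], p["dst"])].add(p["dport"])
        hosts_per_port[(p["src"], p["dport"])].add(p["dst"])
        kinds[p["src"]].add(kind)
        if stealth:
            stealth_src.add(p["src"])
    findings = []
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            findings.append({
                "type": "port scan", "src": src, "target": dst, "count": len(ports),
                "stealth": src in stealth_src, "kinds": sorted(kinds[src]),
                # The 3001 Port Sweep slide above describes SYNs to ports below 1024.
                "low_ports_only": all(port < 1024 for port in ports),
            })
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            findings.append({
                "type": "host sweep", "src": src, "target": f"port {dport}",
                "count": len(hosts), "stealth": src in stealth_src,
                "kinds": sorted(kinds[src]),
            })
    return findings


# Constructed sample traffic (addresses follow the lab topology used in this guide).
SAMPLE_PACKETS = (
    # 172.30.1.88 walks well-known ports on one host with normal SYNs: a common port scan.
    [{"src": "172.30.1.88", "dst": "10.0.1.3", "dport": port, "flags": SYN}
     for port in (21, 23, 25, 80, 110, 139)]
    # 172.30.1.99 looks for port 80 on every host with FIN probes: a stealth host sweep.
    + [{"src": "172.30.1.99", "dst": f"10.0.1.{host}", "dport": 80, "flags": FIN}
       for host in range(1, 7)]
    # 10.0.1.3 answers one SYN-ACK, which is ordinary traffic and must not be reported.
    + [{"src": "10.0.1.3", "dst": "172.30.1.88", "dport": 40000, "flags": SYN | ACK}]
)

if __name__ == "__main__":
    for finding in detect_sweeps(SAMPLE_PACKETS):
        print(finding)
```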
Mail
Figure: IP and TCP headers with Dest Port=25 (TCP port 25). Attacks include
Reconnaissance, Access, and DoS.
3106 sendmail SPAM
3103 sendmail reconnaissance
Figure: IP and TCP headers with Dest Port=21 (FTP, TCP port 21). Attacks include
Reconnaissance and Access.
Web
Figure: IP and TCP headers with Dest Port=80 (TCP port 80). Attacks include
Informational, DoS, and Access.
3212 NPH-TEST-CGI Bug
3213 TEST-CGI Bug
3208 campas attack
3226 Webdist Bug
3227 Htmlscript Bug
3228 Performer Bug
3229 WebSite win-c-sample buffer overflow
3230 WebSite uploader
3231 Novell convert bug
3232 finger attempt
3233 Count Overflow
NetBIOS
Figure: IP and TCP headers with Dest Port=139. Attacks include Reconnaissance,
Access, and DoS.
some hacking tools available (Red Button and NAT) that use null account
names.
3250 TCP Hijacking: Access, attempt to take over a TCP session.
3450 Finger Bomb: port 79
3500 rlogin -froot: port 513
3525 Imap Authenticate Overflow: port 143
3526 Imap Login Overflow: port 143
3550 Pop Overflow: port 110
3400 Sun Kill Telnet DOS (severity 3, DoS): Fires when someone attempts
to cause the telnetd server to lock up. This will catch the program known as
sunkill.
Figure: 3601 IOS Command History Exploit and 3576 Inn Control Message, with
ports 119, 25, and 1999 shown.
4000/7 UDP traffic: echo
4000/9 UDP traffic: discard
4000/13 UDP traffic: daytime
4000/19 UDP traffic: chargen
4000/37 UDP traffic: time
4000/53 UDP traffic: dns
4000/69 UDP traffic: tftp
4000/70 UDP traffic: gopher
4000/80 UDP traffic: www
4000/88 UDP traffic: kerberos-v5
4000/111 UDP traffic: sunrpc
4000/123 UDP traffic: ntp
4000/177 UDP traffic: xdmcp
4000/179 UDP traffic: bgp
4000/220 UDP traffic: imap3
4000/372 UDP traffic: Ulistserv
4000/512 UDP traffic: biff
4000/513 UDP traffic: who
4000/514 UDP traffic: syslog
4000/515 UDP traffic: printer
4000/517 UDP traffic: talk
4000/518 UDP traffic: ntalk
4000/520 UDP traffic: route
4000/2049 UDP traffic: nfs
Figure: IP and UDP headers (Source Port, Dest Port, Length, Checksum) followed
by data.
The following is a UDP Port Scans signature: 4001 UDP port scan (severity 5,
reconnaissance): This signature is triggered when a series of UDP connections to a
number of different destination ports on a specific host have been initiated. This
indicates that a reconnaissance sweep of your network may be in progress. This
may be the prelude to a more serious attack.
4050 UDP Bomb: UDP length < IP length
4051 Snork: Src=135, 7, or 19; Dest=135
4052 Chargen DoS: Src=7 & Dest=19
Figure: IP and UDP header fields (Source Port, Dest Port, Length, Checksum)
examined by these signatures.
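The three signatures above are decided from a handful of IP and UDP header fields, so they make a compact parsing exercise. The following Python is an added example, not code from the guide or from CIDS: it builds constructed IPv4/UDP datagrams (with deliberately wrong length fields where needed), pulls out the fields, and evaluates the three conditions. The guide states 4050 as "UDP length < IP length"; this example reads that as the UDP length field being smaller than the UDP length implied by the IP header, which is an interpretation, as are the function names and lab-style addresses.

```python
import struct

UDP_PROTOCOL = 17


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload=b"", udp_length=None, total_length=None):
    """Constructed IPv4+UDP datagram (checksums left zero; the checks here do not need them).

    udp_length and total_length override the correct header values so that a
    malformed datagram can be produced on purpose.
    """
    if udp_length is None:
        udp_length = 8 + len(payload)
    if total_length is None:
        total_length = 20 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0, 64,
                            UDP_PROTOCOL, 0, bytes(map(int, src_ip.split("."))),
                            bytes(map(int, dst_ip.split("."))))
    udp_header = struct.pack("!HHHH", sport, dport, udp_length, 0)
    return ip_header + udp_header + payload


def parse_ipv4_udp(datagram):
    """Pull the fields the three signatures look at out of the raw datagram, or None if not UDP."""
    ihl = (datagram[0] & 0x0F) * 4
    total_length = struct.unpack("!H", datagram[2:4])[0]
    proto = datagram[9]
    if proto != UDP_PROTOCOL or len(datagram) < ihl + 8:
        return None
    sport, dport, udp_length = struct.unpack("!HHH", datagram[ihl:ihl + 6])
    return {"ip_payload_length": total_length - ihl, "sport": sport,
            "dport": dport, "udp_length": udp_length}


def udp_signatures(datagram):
    """Signatures from the figure above that the datagram would trigger.

    4050: UDP length field smaller than the UDP length implied by the IP header
          (total length minus header length); this example's reading of the guide.
    4051: source port 135, 7, or 19 with destination port 135.
    4052: source port 7 with destination port 19.
    """
    fields = parse_ipv4_udp(datagram)
    if fields is None:
        return []
    sigs = []
    if fields["udp_length"] < fields["ip_payload_length"]:
        sigs.append((4050, "UDP Bomb"))
    if fields["sport"] in (135, 7, 19) and fields["dport"] == 135:
        sigs.append((4051, "Snork"))
    if fields["sport"] == 7 and fields["dport"] == 19:
        sigs.append((4052, "Chargen DoS"))
    return sigs


# Constructed samples using lab-style addresses from this guide.
NORMAL = build_ipv4_udp("10.0.1.3", "10.0.1.4", 45000, 53, b"\x00" * 32)
UDP_BOMB = build_ipv4_udp("172.30.1.88", "10.0.1.3", 45000, 53, b"\x00" * 32, udp_length=8)
SNORK = build_ipv4_udp("172.30.1.88", "10.0.1.3", 135, 135, b"\x00" * 4)
CHARGEN_LOOP = build_ipv4_udp("172.30.1.88", "10.0.1.3", 7, 19, b"\x00" * 4)

if __name__ == "__main__":
    for label, datagram in (("normal", NORMAL), ("udp bomb", UDP_BOMB),
                            ("snork", SNORK), ("chargen loop", CHARGEN_LOOP)):
        print(f"{label:13s} {udp_signatures(datagram)}")
```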
Figure: UDP application signatures, including 4150 Ascend Kill, with UDP ports
31337 and 69 shown against the IP and UDP headers.
Figure: IP and TCP headers with Dest Port=80 (TCP port 80). Attacks include
Informational, DoS, and Access.
HTTP Signatures
5034 WWW IIS newdsn Attack
5090 WWW FrontPage htimage.exe Access
5091 WWW Cart32 Remote Admin Access
5097 WWW FrontPage MS-DOS Device Attack
6000 Series: Cross-Protocol Signatures
SATAN Attacks
DNS Attacks
RPC Attacks
Ident Attacks
Authorization Failures
Loki Attack
DoS
Figure: these signatures span the protocol stack (Application, TCP, UDP, IP,
Data Link, Physical).
The 6000 series cross-protocol signatures detect attacks that are independent of
IP protocols. For instance, RPC related services could operate on both TCP and
UDP.
The Network Vulnerability Scanner is used for scanning services and
vulnerabilities.
DNS Attacks: UDP port 53 attacks include reconnaissance, denial of service, and access.
not just those specific to a particular zone. This indicates that your network may be under reconnaissance.
RPC Services
RPC applications do not use well-known ports. Instead, they register with the portmapper, which listens on TCP/UDP port 111.
Figure: portmapper exchange. Client (port 2488) -> Server (port 111): GET PORT #; Server (port 111) -> Client (port 2488): reply with the service port; Client -> Server (port 2049): NFS REQUEST.
Attacks include reconnaissance, access, and DoS.
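The portmapper exchange in the figure above, written out as an added example (this is not code from the Cisco course): the client encodes an ONC RPC GETPORT call for the NFS program and decodes the portmapper's reply, and an inspector decodes the call the way a Sensor would to see which program is being asked for. Message layouts follow RPC v2 and XDR; the reply bytes are constructed here, no network I/O is performed, and the function names are this example's own.

```python
"""Added example: build and parse an ONC RPC portmapper GETPORT exchange.
Client -> portmapper (program 100000, version 2, procedure GETPORT=3):
"where is NFS (program 100003)?"  Portmapper -> client: "port 2049".
No network I/O; the server reply is constructed for the example."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
NFS_PROG, NFS_VERS = 100003, 2
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0


def build_getport_call(xid: int, prog: int, vers: int, proto: int) -> bytes:
    """Encode a GETPORT call: RPC header, AUTH_NULL cred/verf, mapping args."""
    header = struct.pack(">6I", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack(">II", AUTH_NULL, 0)   # flavor, opaque body length 0
    verf = struct.pack(">II", AUTH_NULL, 0)
    # struct mapping { prog, vers, prot, port }; port is ignored for GETPORT
    args = struct.pack(">4I", prog, vers, proto, 0)
    return header + cred + verf + args


def build_getport_reply(xid: int, port: int) -> bytes:
    """Encode the portmapper's accepted reply carrying the service port."""
    return (struct.pack(">3I", xid, MSG_REPLY, MSG_ACCEPTED)
            + struct.pack(">II", AUTH_NULL, 0)      # verifier
            + struct.pack(">II", SUCCESS, port))    # accept_stat, result


def parse_getport_reply(data: bytes, expected_xid: int) -> int:
    """Decode a GETPORT reply; returns the port (0 means not registered).
    Malformed or mismatched replies raise ValueError instead of being
    trusted, since the answer decides where the client connects next."""
    if len(data) < 28:
        raise ValueError("reply too short")
    xid, mtype, rstat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    if xid != expected_xid or mtype != MSG_REPLY or rstat != MSG_ACCEPTED:
        raise ValueError("not an accepted reply for this xid")
    if vlen > 400:
        raise ValueError("verifier too long")
    off = 20 + ((vlen + 3) & ~3)      # skip verifier body, XDR 4-byte aligned
    astat, port = struct.unpack(">II", data[off:off + 8])
    if astat != SUCCESS:
        raise ValueError(f"accept_stat {astat}")
    if port > 65535:
        raise ValueError("bogus port")
    return port


def parse_getport_call(data: bytes) -> dict:
    """Decode a GETPORT call as a sensor would, to learn which program and
    protocol a client asks the portmapper for."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", data[:24])
    if mtype != MSG_CALL or rpcvers != 2 or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
        raise ValueError("not a portmapper GETPORT call")
    off = 24
    for _ in ("cred", "verf"):       # skip both opaque auth structures
        _flavor, length = struct.unpack(">II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    prog, vers, proto, _port = struct.unpack(">4I", data[off:off + 16])
    return {"xid": xid, "prog": prog, "vers": vers, "proto": proto}


if __name__ == "__main__":
    call = build_getport_call(0x2488, NFS_PROG, NFS_VERS, IPPROTO_UDP)
    print(parse_getport_call(call))
    reply = build_getport_reply(0x2488, 2049)     # constructed server answer
    print("NFS port:", parse_getport_reply(reply, 0x2488))
```

The same decoder applied to every call seen on port 111 is what distinguishes a normal NFS mount from a client that walks the program table (the RPC dump and RPC request signatures that follow).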
RPC port registration: remotely registering a service that is not running
6101 RPC port unregistration: remotely unregistering a running service
6102 RPC dump: rpcinfo -p <host>
6103 Proxied RPC request: bypasses RPC authentication
RPC request signatures (a service is requested on many ports on the same host; stealth reconnaissance):
6111 RUSERSD
6112 NFS
6113 MOUNTD
6114 YPPASSWD
6115 SELECTION SVC
6116 REXD
6117 STATUS
6118 TTDB
Portmapper Requests
These signatures detect requests for services known to be exploited. In most cases these services should not be used; if they are needed, filter the signatures.
6151 ypbind
6152 yppasswd
6153 ypupdated
6154 ypxfrd
6155 mountd
6175 rexd
6190 statd
6191 ttdb
6192 mountd
6193 cmsd
6194 sadmind
6195 amd
Some of these services are unknown to some administrators.
Ident Attacks
Ident is a protocol intended to prevent hostname, address, and username spoofing.
6201 Ident newline: IDENT reply with a newline followed by more data
Authorization Failure Signatures
Each of these signatures triggers on three failed attempts to log in:
6250 FTP
6251 Telnet
6252 Rlogin
6253 POP3
6255 SMB
Loki Attack (ICMP tunneling)
Original Loki: described in Phrack Issue 51
6302 Modified Loki: modified Loki version
DDoS Signatures
6501 TFN client request
6502 TFN server reply
6503 Stacheldraht client request
6504 Stacheldraht server reply
6505 Trinoo client request
6506 Trinoo server reply
6507 TFN2K DDoS control traffic
6508 mstream DDoS control traffic
2001, Cisco Systems, Inc.
A distributed denial of service (DDoS) attack is a form of DoS attack in which the attack against a victim host or network is launched from multiple attacking hosts. The attacking hosts are controlled from a master host. The following are the DDoS attack signatures:
signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht client to a Stacheldraht server. The ICMP echo reply will not have an associated ICMP echo request packet. Other associated signatures: Stacheldraht Server Reply detects the server sending packets to the client; Loki ICMP tunneling can also detect Stacheldraht traffic; Large ICMP Traffic detects a reported bug in the Stacheldraht code that sends out large (>1000 byte) packets.
Figure: protocol stack (Physical, Data Link, IP, UDP, TCP, Application); string signatures are custom string matches against TCP applications.
Definable options: Port, Direction, Number of occurrences, String.
String signatures protect specific network applications for which CIDS does not have current signatures to detect possible attacks. A string signature is defined by its ID, String, Port, Direction, and number of occurrences (Occur). Example string signature:
ID 2302, String [/]etc[/]shadow, Port 23, Direction To
String signatures use a regular expression matching engine in the intrusion detection system. You may enter a UNIX-like regular expression as the string to match. The example string signature will match attempts to grab a UNIX shadow password file.
TCP application signatures are attacks against various TCP applications. They are implemented here as examples of regular expression formats.
loadmodule attack:
2301 Telnet IFS=/
51301 Rlogin IFS=/
Planting .rhosts:
2303 Telnet + +
51303 Rlogin + +
Syslog
Figure: management console screenshot. Syslog signatures repackage syslog messages from routers.
Summary
This section summarizes what you learned in this chapter.
Each signature can generate a unique alarm and response.
Context signatures are triggered by information in the packet header.
Content signatures are triggered by information in the packet payload.
Atomic signatures are triggered by information in a single packet.
Composite signatures are triggered by information in multiple packets.
Reconnaissance signatures are triggered by attempts to discover systems, services, or vulnerabilities.
Access signatures are triggered by unauthorized attempts to retrieve data, access systems, or escalate privileges.
DoS signatures are triggered by attempts to disable networks, systems, or services.
Informational signatures collect information to help determine the validity of an attack, or for forensics.
Signature series generally group protocol-related signatures under a single category.
The default signature severities are:
Low (1) indicates informational activity
Medium (3) indicates marginal attack activity
High (5) indicates severe attack activity
Sensor Configuration
Overview
This chapter includes the following topics:
Objectives
Basic configuration
Summary
Lab exercise
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
Configure the Sensor's identification parameters, internal network entries, and the packet capture device setting.
Enable the Sensor to generate log files and configure it to automatically transfer the log files to an FTP server.
Enable and configure the IP fragment reassembly feature on the Sensor.
Enable and configure the TCP session reassembly feature on the Sensor.
Configure advanced PostOffice settings.
Configure the Sensor to send alarms to additional destinations.
Basic Configuration
This section discusses how to configure the following basic options for a Sensor:
identification settings, internal network definition, and the packet capture device.
Identification Settings
Screenshot: select the Sensor; click OK.
You can change the identification settings associated with a Sensor. These settings were first defined when you created the Sensor object using the Add Sensor Wizard. They include the basic identification settings for the PostOffice communication service running on the Sensor, the Sensor's IP address, and the version of the IDS software that is running on the Sensor.
To change the identification settings for the Sensor, perform the following steps:
Step 1
Step 2
Step 3
Step 4
Step 5 Click OK in the Sensor view panel to accept your changes and close it.
Step 6 Click Update on the toolbar to save your changes and update the configuration files.
Step 7 Select the Sensor you just modified from the Network Topology folder.
Step 8
Step 9 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Note: Before changing the communications parameters for the Sensor in CSPM, you must first change them on the Sensor itself using sysconfig-sensor. Failure to do this will prevent PostOffice communication between the Sensor and CSPM.
Identification fields (Field / Description): Host Name; Organization Name; Host ID; Organization ID; Sensor Version; IP Address; Comments.
Internal Networks
Screenshot: select the Sensor; select the Internal Networks tab; select Add; click OK.
You can designate specific network IP addresses to be considered internal for reporting and logging purposes by the Sensor. IP addresses that do not match the internal network definitions are considered external IP addresses. When alarms are generated by the Sensor, the locations of the source and destination IP addresses of the attack are logged as either internal (IN) or external (OUT), to help you easily identify the origin and destination of the attack.
Note: The internal network definition does not affect the intrusion detection capabilities of the Sensor. If no internal network entries are added, the Sensor logs all alarms as outside (OUT) to outside (OUT) attacks.
To add internal network definitions for the Sensor, perform the following steps:
Step 1
Step 2
Step 3
Step 4
Step 5 Enter the network IP address and Subnet Mask in their respective fields.
Step 6 Click OK in the Sensor view panel to accept your changes and close it.
Step 7 Click Update on the toolbar to save your changes and update the configuration files.
Step 8 Select the Sensor you just modified from the Network Topology folder.
Step 9
Step 10 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Screenshot: select the Sensing tab; click OK.
The Packet Capture Device setting is the device name of the monitoring interface of the Sensor. To change the device name, perform the following steps:
Step 1
Step 2
Step 3 Select the device name for your Sensor from the Packet Device Name drop-down menu, based on the following criteria (Description): /dev/spwr0; /dev/mtok; /dev/mtok36; /dev/ptpci0; /dev/iprb0.
Note: A packet capture device does not need to be configured for Catalyst 6000 IDS Modules within CSPM.
Step 4 Click OK in the Sensor view panel to accept your changes and close it.
Step 5 Click Update on the toolbar to save your changes and update the configuration files.
Step 6 Select the Sensor you just modified from the Network Topology folder again.
Step 7
Step 8 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Screenshot: check Enable; click OK.
Sensors can be configured to generate a log file locally on the Sensor itself. By default the Sensors are configured to send alarms of severity medium and higher to CSPM. When logging to a local log file, the Sensors log alarms of all severities generated by that Sensor.
The Sensor creates a new log file every time its services are restarted. This means that every time a new configuration is pushed to the Sensor, a new log file is created and the old log file is closed and transferred to a temporary directory. A new log file is also created whenever the active one has been open for more than one hour or it has reached 1 GB of data.
The following are the properties of the log file:
Property: File Name. Setting: log.YYYYMMDDHHMM
Property: Active log directory. Setting: /usr/nr/var
Property: Closed log directory. Setting: /usr/nr/var/new
Step 1 Select the Sensor to be configured from the Network Topology Tree (NTT).
Step 2
Step 3 Check the Generate audit event log files option in the Logging tab.
Step 4 Click OK in the Sensor view panel to accept your changes and close it.
Step 5 Click Update on the toolbar to save your changes and update the configuration files.
Step 6
Step 7
Step 8 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Screenshot: select the Logging tab; enter the FTP parameters; check Enable; click OK.
You can configure the Sensor to automatically do an FTP transfer of the closed local log files to a designated FTP server. The FTP transfer is triggered when the file is closed and moved to the /usr/nr/var/new directory on the Sensor.
To configure the Sensor to automatically transfer local log files to an FTP server, perform the following steps:
Step 1
Step 2
Step 3 Check the Generate audit event log files option in the Logging tab.
Step 4 Check the Copy archived event log files option in the Logging tab.
Step 5
Note: The user must have write access to the default FTP directory on the FTP server. FTP sends the user name and password in cleartext, so use a dedicated account that has write access only to that directory.
Step 6 Click OK in the Sensor view panel to accept your changes and close it.
Step 7 Click Update on the toolbar to save your changes and update the configuration files.
Step 8
Step 9
Step 10 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
IP Fragment Reassembly
Screenshot: select the Sensor; select the Sensing tab; check Enable; click OK.
You can specify that the Sensor reassemble fragmented IP packets before they are compared against intrusion signatures. In other words, you can specify the boundaries that the Sensor uses to determine how complete a datagram can be in terms of the reassembly of frames that are transmitted across the physical wire as part of that datagram.
The ultimate goal for defining the reassembly settings is to ensure that the Sensor does not allocate all its resources to datagrams that cannot be completely reconstructed, either because some frame transmissions are missing or because an attack has been launched that is based on generating random fragmented datagrams.
Note: The reassembly settings work in conjunction with each other to ensure that the Sensor has adequate system resources available to analyze network traffic. Unless you understand your network traffic thoroughly, including the likelihood of fragmented datagrams occurring over a specified period of time, we recommend that you do not modify the default values provided for these settings.
Step 2
Step 3
Step 4
Reassembly parameters (Description): Fragmented Datagram Timeout; Maximum Partial Datagrams (MPD); Maximum Fragments Per Datagram (MFPD).
Use the following guideline for determining the Maximum Partial Datagrams (MPD) and Maximum Fragments Per Datagram (MFPD) values:
For Catalyst 6000 IDS modules running the 2.5(X) IDSM software version: MPD x MFPD must not exceed 5,000.
Step 5 Click OK in the Sensor view panel to accept your changes and close it.
Step 6 Click Update on the toolbar to save your changes and update the configuration files.
Step 7
Step 8
Step 9 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
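What the three settings above protect against, as an added example that is not part of the Cisco course: a small IP fragment reassembler that enforces a Fragmented Datagram Timeout, a Maximum Partial Datagrams (MPD) limit and a Maximum Fragments Per Datagram (MFPD) limit, so that a flood of random fragments that never complete cannot hold reassembly state indefinitely. The fragment records, the limit values and the class and field names are this example's own; fragment offsets are given in bytes.

```python
"""Added example: IP fragment reassembly with resource limits.
Limits mirror the Sensor settings discussed above (timeout, MPD, MFPD);
values and fragment records are constructed for the example."""
from collections import OrderedDict


class Reassembler:
    def __init__(self, timeout=5.0, max_partial=64, max_frags=8):
        self.timeout, self.max_partial, self.max_frags = timeout, max_partial, max_frags
        # (src, dst, ip_id) -> {"first": first-seen time, "frags": {offset: (payload, more)}}
        self.partial = OrderedDict()
        self.dropped = {"timeout": 0, "too_many_datagrams": 0, "too_many_fragments": 0}

    def _expire(self, now):
        """Fragmented Datagram Timeout: forget datagrams that never completed."""
        for key in [k for k, v in self.partial.items() if now - v["first"] > self.timeout]:
            del self.partial[key]
            self.dropped["timeout"] += 1

    def add(self, now, src, dst, ip_id, offset, more, payload):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        self._expire(now)
        key = (src, dst, ip_id)
        if key not in self.partial:
            if len(self.partial) >= self.max_partial:
                # MPD reached: evict the oldest partial datagram rather than refusing
                # the new one, so stale fragments cannot pin the table forever
                self.partial.popitem(last=False)
                self.dropped["too_many_datagrams"] += 1
            self.partial[key] = {"first": now, "frags": {}}
        entry = self.partial[key]
        entry["frags"][offset] = (payload, more)
        if len(entry["frags"]) > self.max_frags:
            # MFPD exceeded: a datagram sliced this finely is not worth the memory
            del self.partial[key]
            self.dropped["too_many_fragments"] += 1
            return None
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        """Walk contiguous fragments from offset 0 until the last one (more=False)."""
        frags, expected, data = entry["frags"], 0, b""
        while expected in frags:
            payload, more = frags[expected]
            data += payload
            if not more:
                del self.partial[key]
                return data
            expected += len(payload)
        return None      # a gap remains; keep waiting


def demo():
    r = Reassembler(timeout=5.0, max_partial=2, max_frags=3)
    results = {}
    # A legitimate two-fragment datagram, delivered out of order
    r.add(0.0, "10.0.1.9", "10.0.2.3", 1, 8, False, b"WORLD")
    results["legit"] = r.add(0.1, "10.0.1.9", "10.0.2.3", 1, 0, True, b"HELLO!!!")
    # Random-fragment flood: many IP IDs whose first fragment never arrives
    for ip_id in range(100, 110):
        r.add(1.0, "10.0.3.3", "10.0.2.3", ip_id, 8, True, b"x" * 8)
    results["partial_after_flood"] = len(r.partial)     # bounded by MPD
    # One datagram sliced into more fragments than MFPD allows
    for off in range(0, 40, 8):
        r.add(2.0, "10.0.3.3", "10.0.2.3", 500, off, True, b"y" * 8)
    # Much later, a new fragment arrives and the leftovers time out
    r.add(10.0, "10.0.1.9", "10.0.2.3", 2, 0, True, b"A")
    results["dropped"] = dict(r.dropped)
    return results


if __name__ == "__main__":
    print(demo())
```

With max_partial=2 the flood keeps only the two newest partial datagrams in memory; raising MPD or MFPD trades more memory for fewer evictions of legitimate traffic, which is why the course advises leaving the defaults unless the fragment rate on the monitored segment is known.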
Screenshot: check Enable; choose the reassembly type; click OK.
TCP session reassembly is currently available in the 2.5(X) IDSM software version.
You can specify that the Sensor reassemble TCP data stream packets before they are compared against intrusion signatures. Like the IP fragment reassembly settings, these settings ensure that valuable system resources are not needlessly reserved for sessions that are no longer active.
There are three options that can be chosen for TCP session reassembly: No Reassembly, Loose Reassembly, and Strict Reassembly.
Strict Reassembly: The Sensor does not process TCP sessions for which it cannot track every packet in the session's sequence. In other words, if a single packet of a stream is dropped, the Sensor does not analyze any packets belonging to that session.
In addition to the above options, you can also configure the Sensor to track only those sessions for which the three-way handshake is completed. Furthermore, the TCP open established timeout and TCP embryonic timeout values can be configured.
Step 2
Step 3 Select the TCP Three Way Handshake box in the TCP Session Reassembly section of the Sensing tab if you want the Sensor to track only those sessions for which the three-way handshake is completed.
Step 4 Select one of the following options from the TCP Strict Reassembly drop-down menu: No Reassembly, Loose Reassembly, or Strict Reassembly.
Step 5
Step 6 Click OK in the Sensor view panel to accept your changes and close it.
Step 7 Click Update on the toolbar to save your changes and update the configuration files.
Step 8 Select the Sensor you just modified from the Network Topology folder again.
Step 9
Step 10 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
PostOffice Settings
Screenshot: select the Sensor; select the Advanced tab; select the PostOffice Settings tab; click OK.
You can configure various advanced PostOffice features to help you customize communications in your environment. The Watchdog feature in PostOffice queries the services running on the local host, Sensor or Director, to ensure that they are running. If Watchdog detects that a service is not running, it issues a Daemon Down alarm and tries to restart the service. After it has tried to restart the service a configurable number of times, it issues a Daemon Unstartable alarm.
The PostOffice Heartbeat feature queries the other PostOffice services on remote hosts, Sensor or Director, with which it must communicate. If PostOffice does not get a response from a remote PostOffice service, it issues a Route Down alarm.
The following are the configurable parameters for the advanced PostOffice features. The alarm level for each of these alarms can be set to High (Default), Medium, or Low.
Additional Destinations
Screenshot: select the Sensor; select the Advanced tab; select the Additional Destinations tab; select Add; click OK.
The Sensor can be configured to send its alarms to locations other than the main Director it reports to. These additional destinations can be services in other Directors or Sensors, as well as services within the Sensor itself.
To configure the Sensor to send alarms to additional destinations, perform the following steps:
Step 1
Step 2
Step 3
Step 4 Click Add in the Additional Destinations tab to open a line where you can enter the following in their respective fields:
Field (Description): Name.Organization; Host ID; Organization ID; Service; IP Address; Heartbeat Timeout; Port.
Summary
This section summarizes what you learned in this chapter.
The Sensor's identification parameters are modified from the Properties > Identification tabs in CSPM.
The internal network entries indicate to the Sensor what IP addresses are to be considered internal for logging purposes. All other IP addresses will be considered external for logging purposes.
The packet capture device identifies the device driver for the monitoring NIC on the Sensor.
Sensors can generate log files and be configured to automatically transfer the log files to an FTP server.
Sensors can perform IP fragment reassembly to prevent IDS evasion.
Sensors can perform TCP session reassembly to tune signature triggering for the user's environment.
Advanced PostOffice settings can be tuned to meet the needs of the user environment.
Sensors can be configured to send alarms to additional destinations.
Lab Exercise
Objectives
In this lab you will complete the following tasks:
Visual Objective
This figure displays the information you will need to complete this laboratory exercise.
Figure: lab topology. Pod P and peer Pod Q each contain a router (rP/rQ; e0/0 is .1 on 10.0.P.0/24 and e0/1 is .10P on the shared 172.30.1.0/24 network), a Sensor (sensorP/sensorQ at .4), an IDSM (idsmP/idsmQ at .6), and a CSPM host at 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP). Pod Q uses Q in place of P (CSPM at 10.0.Q.3, Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ).
A pair of students has been assigned to a pod. Each pod has a complete set of equipment to do the lab.
Step 1 Select sensorP (where P = pod number) from the Network Topology folder.
Step 2
Step 3
Step 4 Click Add to add a line in the Internal Networks section to enter the IP addresses to be defined as internal for logging purposes by the Sensor.
Step 5 Enter the following values:
IP Address
Subnet Mask 255.255.255.0
Step 6 Click OK in the Sensor view panel to accept your changes and close it.
Step 7
Step 1 Select sensorP (where P = pod number) from the Network Topology folder.
Step 2
Step 3
Step 4 Click OK in the Sensor view panel to accept your changes and close it.
Step 5 Click Update on the toolbar to save your changes and update the configuration files.
Step 6 Select sensorP (where P = pod number) from the Network Topology folder.
Step 7
Step 8 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Step 9 After you get an Upload completed message in the Status section, proceed to the next task.
Step 1 From your own CSPM host, telnet to your peer's router, as assigned by the instructor, and log on with password cisco. At the router prompt enter the following:
r0> /etc/shadow
Step 2 The router will display an error message. This is expected behavior since the router does not have an /etc/shadow command.
After your peer has attacked your router, telnet to your Sensor as the netrangr user.
SunOS 5.8
login: netrangr
Password:
Last login: Tue Dec 5 11:51:59 from 10.0.0.3
Sun Microsystems Inc. SunOS 5.8 Generic August 2000
You have logged in from 10.0.0.3 using ansi
using DISPLAY=10.0.0.3:0
netrangr@sensor0:/usr/nr
>
Step 3
Note: The log file contains binary data and may cause your telnet session to become unusable.
Overview
This chapter includes the following topics:
Objectives
Signature templates
Signature filtering
Summary
Lab exercise
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
View signature settings and configure their severities and actions.
Enable or disable signatures.
Configure connection and string signatures.
Create signature templates and change which one is used by a Sensor.
Configure the minimum alarm severity level a Sensor sends to the Director.
Configure signature filtering to reduce false positives and tune signature triggering in the user environment.
Configure signature tuning parameters to customize triggers for the user environment.
Configure signature port mapping to customize it for the user environment.
Create ACL signatures that generate alarms when ACL violations are detected in a Cisco IOS router.
Screenshot: select the Signature Template.
Signature settings can be viewed with CSPM. To view the signature settings, select the signature template under Sensor Signatures from CSPM's Tools and Services. The Default signature template includes the signatures detected by all known CIDS versions. The Sensor Signatures screen has a General tab and a Signatures tab.
The General tab displays the name and description of the template. The view properties enable you to view the most current CIDS signatures or only those signatures applicable to a specified CIDS version.
The Signatures tab displays the CIDS signatures based on the four types:
General
Connection
String
ACL
Note: Each signature type has its own settings and must be configured from within that type. For instance, to configure a connection signature, you must select the Connection tab and make the appropriate setting modifications for that signature.
Screenshot: Severity, Enable, and Action settings for a signature.
Some CIDS signatures have more settings based on the signature type. For instance, connection signatures have port and protocol type settings.
The default severity for each signature is predefined by Cisco Systems. The severity can be assigned the following values from the Severity drop-down menu:
Severity Name / Severity Value
Low / 1
Medium / 3
High / 5
The following steps are performed to set the signature severity level using CSPM:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Screenshot: select the Signature Template.
Step 1
Step 2
Step 3
Step 4 Select the Enable checkbox to enable, or deselect the Enable checkbox to disable, the signature.
Step 5
Step 6
Each signature has the ability to take an action when it is detected. CSPM enables you to select the following signature actions:
Action / Description
None / No action is taken.
Block
TCP Reset
IP Log
The following steps are performed to set the signature actions with CSPM:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
You can also change the settings by clicking the Modify button. A combination of the Block, TCP Reset, and IP Log actions can be selected.
Screenshot: select the Signature Template; choose TCP or UDP; enter the port number.
The following steps are performed to modify connection signature settings with CSPM:
Step 1
Step 2
Step 3
Step 4 Click the Add button. Enter a description in the Signature name textbox.
Step 5 Choose the protocol type (TCP or UDP) of the port from the Type drop-down menu.
Step 6 Select the port field and enter the numeric value of the port.
Step 7
Step 8
String Signatures Configuration
Screenshot: select the Signature Template; string pattern; TCP port; traffic direction; number of occurrences.
Setting / Value
String
Port / The number of the TCP service where you want to search for the string.
Direction
Occurrences / This setting determines how many times the string has to appear before an alarm is generated.
The following steps are performed to create a string sub-signature with CSPM:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6 Select the port field and enter the TCP port number. The default is 21.
Step 7 Choose the direction from the Direction drop-down menu. The default is To.
Step 8 Enter the number of occurrences the string has to appear. The default is 1.
Step 9 Choose the severity from the Severity drop-down menu. The default is High.
Step 10 Select the signature actions. The default is Block, TCP Reset, IP Log.
Step 11 Click OK in the Sensor view panel.
Step 12 Click Update on the toolbar.
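The string-signature settings above (String, Port, Direction, Occurrences, Severity, Action) and the chapter 7 example (2302 matching [/]etc[/]shadow on port 23, direction To), put together as an added example that is not the course's or CIDS's own code: a small string-matching engine evaluates the page's patterns against constructed telnet packets, including the lab's "/etc/shadow" typed at a router prompt. The packets, the engine, and its class and field names are this example's own; the "+ +" pattern is written as the regular expression \+ \+ because a bare + is a regex operator.

```python
"""Added example: a minimal string-signature engine in the shape of the
CSPM string signature fields.  Packets are constructed for the example."""
import re
from dataclasses import dataclass, field


@dataclass
class StringSignature:
    sig_id: int
    pattern: str              # UNIX-like regular expression
    port: int                 # TCP service port to watch
    direction: str            # "To" the service port, or "From" it
    occurrences: int = 1      # matches needed before an alarm is raised
    severity: str = "High"
    actions: tuple = ("Block", "TCP Reset", "IP Log")
    regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        self.regex = re.compile(self.pattern.encode())   # payloads are bytes


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class StringEngine:
    def __init__(self, signatures):
        self.sigs = list(signatures)
        self.counts = {}      # (sig_id, client_ip, server_ip) -> matches so far

    @staticmethod
    def _applies(sig, pkt):
        """Direction To = traffic sent to the service port; From = sent by it."""
        return pkt.dst_port == sig.port if sig.direction == "To" else pkt.src_port == sig.port

    def inspect(self, pkt):
        """Return the alarms (dicts) this packet raises; empty list if none."""
        alarms = []
        for sig in self.sigs:
            if not self._applies(sig, pkt) or not sig.regex.search(pkt.payload):
                continue
            client, server = ((pkt.src_ip, pkt.dst_ip) if sig.direction == "To"
                              else (pkt.dst_ip, pkt.src_ip))
            key = (sig.sig_id, client, server)
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] == sig.occurrences:     # alarm once per threshold
                alarms.append({"sig": sig.sig_id, "severity": sig.severity,
                               "src": client, "dst": server, "actions": sig.actions})
        return alarms


# Patterns from the course slides, as string signatures on telnet (port 23)
SIGNATURES = [
    StringSignature(2302, r"[/]etc[/]shadow", 23, "To"),
    StringSignature(2301, r"IFS=/", 23, "To"),
    StringSignature(2303, r"\+ \+", 23, "To"),      # "+ +" escaped for the regex engine
]


def run_demo():
    eng = StringEngine(SIGNATURES)
    # Constructed telnet traffic: the lab's "/etc/shadow" typed at a router prompt,
    # a normal command, and a "+ +" line flowing from the server side (no match,
    # because the signature direction is To the service port)
    pkts = [
        Packet("10.0.2.3", 2488, "10.0.1.1", 23, b"/etc/shadow\r\n"),
        Packet("10.0.2.3", 2489, "10.0.1.1", 23, b"show ip route\r\n"),
        Packet("10.0.1.1", 23, "10.0.2.3", 2488, b"echo '+ +' > .rhosts\r\n"),
    ]
    return [alarm for p in pkts for alarm in eng.inspect(p)]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

Telnet often sends one keystroke per segment, so in practice a match like this depends on the TCP session reassembly option described in chapter 8; with No Reassembly the pattern must fall within a single packet.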
Signature Templates
This section discusses signature templates in CSPM and how to create a signature template to be assigned and applied to Sensors.
Screenshot: Sensor Signatures templates.
CSPM uses templates to enforce security policies on network devices. CSPM has
a default signature template that contains all known CIDS signatures and their
settings. Signature templates enable the network security administrator to easily
manage, assign, and apply signatures to Sensors. For instance, you could create a
signature template named Business Hours with signature settings that are
optimized for high peak network traffic that occurs during normal business hours.
You could also create a signature template named After Hours with signature
settings that are optimized for network traffic that occurs after 7:00 p.m. You
could easily assign and apply the Business Hours template to your sensors during
high peak hours. You could then easily assign and apply the After Hours template
to your sensors after 7:00 p.m.
Screenshot: select and right-click Sensor Signatures.
Step 2
Step 3
CSPM defaults to naming the new template Sensor Signature 1. Rename the
template to reflect its purpose. For example, if a template is created for all Sensors
at the San Antonio site, it could be named San Antonio Texas USA Sensors.
Each Sensor must be assigned a signature template. CSPM initially assigns the Default signature template to all Sensors. The following steps are performed to assign a signature template to a Sensor in CSPM:
Step 1
Step 2
Step 3
Step 4
Step 5
Screenshot: select the Sensor; check for errors; click Approve Now.
CIDS configuration files generated by CSPM are not pushed to a Sensor until they are applied. The configuration files generated include Sensor settings and signature settings associated with the Sensor's assigned signature template. The following steps are performed to apply a signature template to a Sensor in CSPM:
Step 1
Step 2
Step 3 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Note: You must apply (push) the configuration files each time a configuration change is made to either the Sensor settings or signature settings.
CSPM has an automatic command approval feature that pushes the configuration files to the Sensor each time an update is executed. Automatic command approval is beneficial in a large Sensor deployment to avoid having to manually approve the configurations for each Sensor; note that it also removes the operator's chance to check the generated configuration for errors before it is pushed. The default setting is Manual. To change the default setting to Automatic, choose Tools > Options, select Automatic in the Policy Update Options section, and click OK.
Signature Filtering
This section discusses the filtering features and settings configurable through CSPM.
Screenshot: select the Filtering tab; Minimum Event Level.
CSPM enables you to configure the minimum event level that will be sent from a Sensor to the Director. This feature can help reduce the number of alarms CSPM has to log and display. The following steps are performed to set the minimum event level the Sensor sends to the Director:
Step 1
Step 2
Step 3 Choose the severity level from the Minimum event level to be sent to the management console drop-down menu.
Step 4
Step 5
Screenshot: select the Sensor; select the Filtering tab; select the Simple Filtering tab.
CSPM enables you to perform simple and advanced signature filtering. Simple signature filtering excludes a single signature based on a source or destination IP address or network. The following steps are performed to create a simple signature filter:
Step 1
Step 2
Step 3
Step 4
Screenshot: select the signature; enter the IP address and netmask; choose the address role.
Step 5 Choose the signature to exclude from the Choose a signature to be excluded list box.
Step 6
Step 7
Step 8
Step 9 Select the address role from the Address Role drop-down menu. The address role can be the source, destination, or both.
Screenshot: select the Sensor; select the Filtering tab; select the Advanced Filtering tab; from an IP network.
Step 1
Step 2
Step 3
Step 4
Screenshot: Signature; Source Address; Destination Address.
Step 5 Choose one or more signatures to exclude from the Choose one or more signatures to be excluded list box.
Step 6
Step 7 From the Create Filter window, select an exclude option from the Source Address group box.
Step 8 From the Create Filter window, select an exclude option from the Destination Address group box.
Step 9
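The two filter kinds described above, evaluated against alarm records as an added example (not CSPM's or the course's own code): a simple filter excludes one signature for one address or network in a chosen address role (source, destination, or both), and an advanced filter excludes one or more signatures with separate source and destination options. The alarm records, the networks, and the class and function names are this example's own; the signature IDs are taken from the course material.

```python
"""Added example: simple and advanced signature filters applied to alarms.
Alarm records and networks are constructed for the example."""
import ipaddress
from dataclasses import dataclass


def _in(addr, network):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


@dataclass
class SimpleFilter:
    """Exclude one signature for one IP address/network in one address role."""
    sig_id: int
    network: str        # "10.0.1.0/24"; a single host is written as a /32
    role: str           # "source", "destination", or "both"

    def excludes(self, alarm):
        if alarm["sig"] != self.sig_id:
            return False
        src_in, dst_in = _in(alarm["src"], self.network), _in(alarm["dst"], self.network)
        if self.role == "source":
            return src_in
        if self.role == "destination":
            return dst_in
        return src_in or dst_in     # "both": the network may appear on either side


@dataclass
class AdvancedFilter:
    """Exclude one or more signatures with separate source and destination
    options; None means from any source / to any destination."""
    sig_ids: frozenset
    source: str = None
    destination: str = None

    def excludes(self, alarm):
        if alarm["sig"] not in self.sig_ids:
            return False
        if self.source is not None and not _in(alarm["src"], self.source):
            return False
        if self.destination is not None and not _in(alarm["dst"], self.destination):
            return False
        return True


def apply_filters(alarms, filters):
    """Return the alarms that no filter excludes; everything else is dropped."""
    return [a for a in alarms if not any(f.excludes(a) for f in filters)]


# Constructed alarms: 4001 UDP port scan, 6250 FTP authorization failure,
# 2302 string signature (IDs from the course); the comments state the intent
ALARMS = [
    {"sig": 4001, "src": "10.0.1.7", "dst": "10.0.2.5"},    # our own scanner: drop
    {"sig": 4001, "src": "10.0.9.7", "dst": "10.0.1.5"},    # external scan: keep
    {"sig": 6250, "src": "10.0.1.20", "dst": "10.0.1.4"},   # internal -> lab FTP host: drop
    {"sig": 6250, "src": "10.0.1.20", "dst": "10.0.2.4"},   # other destination: keep
    {"sig": 2302, "src": "10.0.1.20", "dst": "10.0.1.4"},   # not filtered: keep
]
FILTERS = [
    SimpleFilter(4001, "10.0.1.0/24", "source"),
    AdvancedFilter(frozenset({6250, 6251}), source="10.0.1.0/24", destination="10.0.1.4/32"),
]


def run(alarms=ALARMS, filters=FILTERS):
    return apply_filters(alarms, filters)


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

A filter is a blind spot by construction: the first filter above hides every UDP port scan whose source is inside 10.0.1.0/24, including one launched from a compromised internal host, so keep filters as narrow as the false positive they are meant to silence.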
Signature Tuning
Screenshot: select the Sensor; select the Sensing tab; select the Signature Tuning Parameters tab; parameter names and parameter values.
The signature tuning feature enables you to assign values to the parameters for common CIDS signatures. For instance, Net Sweep Echo has two configurable parameters: Expiration and Threshold. The Expiration parameter is the duration within which CIDS expects the next detection of the signature. The Threshold parameter is the number of occurrences of the signature that must occur before the expiration to trigger an alarm. You can configure these parameters according to your network environment and security policy.
The following steps are performed to configure signature tuning:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
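The Threshold and Expiration mechanism described above, written generically as an added example (not CIDS's or the course's own code) and applied to two of the page's cases: the Authorization Failure signatures of chapter 7 (6250, three failed FTP logins) and Net Sweep Echo, where the count is of distinct destination hosts pinged from one source. The event records, the parameter values, the class name and the use of the signature name "Net Sweep Echo" as an identifier are this example's own.

```python
"""Added example: a Threshold/Expiration counter behind composite
signatures.  Event records are constructed for the example."""
from collections import defaultdict


class ThresholdSignature:
    """Fire once `threshold` hits (or distinct items) for a key fall within
    `expiration` seconds of the first hit; a stale window is discarded and
    restarted, which is what tuning Expiration changes."""

    def __init__(self, sig_id, threshold, expiration, severity="Medium"):
        self.sig_id, self.threshold = sig_id, threshold
        self.expiration, self.severity = expiration, severity
        self.windows = defaultdict(list)      # key -> [(timestamp, item), ...]

    def observe(self, key, ts, item=None):
        window = self.windows[key]
        if window and ts - window[0][0] > self.expiration:
            window.clear()                    # window expired: start over
        window.append((ts, item))
        count = len({i for _, i in window}) if item is not None else len(window)
        if count >= self.threshold:
            self.windows[key] = []            # reset so one burst yields one alarm
            return {"sig": self.sig_id, "severity": self.severity, "key": key, "at": ts}
        return None


# Constructed events: (timestamp in seconds, source, destination, kind)
EVENTS = [
    (0.0,   "10.0.2.3", "10.0.1.4", "ftp-auth-fail"),
    (1.0,   "10.0.2.3", "10.0.1.4", "ftp-auth-fail"),
    (2.0,   "10.0.2.3", "10.0.1.4", "ftp-auth-fail"),    # third failure -> 6250
    (3.0,   "10.0.2.3", "10.0.1.1", "icmp-echo"),
    (3.1,   "10.0.2.3", "10.0.1.2", "icmp-echo"),
    (3.2,   "10.0.2.3", "10.0.1.3", "icmp-echo"),
    (3.3,   "10.0.2.3", "10.0.1.4", "icmp-echo"),
    (3.4,   "10.0.2.3", "10.0.1.5", "icmp-echo"),        # fifth distinct host -> sweep
    (90.0,  "10.0.2.9", "10.0.1.4", "ftp-auth-fail"),
    (200.0, "10.0.2.9", "10.0.1.4", "ftp-auth-fail"),    # window expired: restarts
    (201.0, "10.0.2.9", "10.0.1.4", "ftp-auth-fail"),    # only two in window: no alarm
]


def run(events=EVENTS, auth_threshold=3, auth_expiration=60.0,
        sweep_threshold=5, sweep_expiration=10.0):
    auth = ThresholdSignature(6250, auth_threshold, auth_expiration, "Medium")
    sweep = ThresholdSignature("Net Sweep Echo", sweep_threshold, sweep_expiration, "Medium")
    alarms = []
    for ts, src, dst, kind in events:
        if kind == "ftp-auth-fail":
            alarm = auth.observe((src, dst), ts)          # per source/server pair
        elif kind == "icmp-echo":
            alarm = sweep.observe(src, ts, item=dst)      # distinct targets per source
        else:
            alarm = None
        if alarm:
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```

Raising Threshold or shortening Expiration both make the signature quieter; the test below shows the same traffic producing no sweep alarm at a threshold of 6 and no authorization-failure alarm once the window is shorter than the interval between attempts.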
Screenshot: select the Sensor; select the Sensing tab; click OK.
Signature port mapping is currently available in the 2.5(X) IDSM software version.
The signature port mapping feature enables you to assign different port numbers
to signatures that normally detect attacks only on pre-defined ports. For instance,
web signatures normally only analyze web traffic on port 80. The signature port
mapping feature provides you with a mechanism to analyze web traffic on other
ports such as 81, 8080, 8888, thus providing you with more complete coverage.
CIDS has four signature groupings that allow for port mapping:
TCP HIJACK
TCP SYNFLOOD
TCP TELNET
TCP HTTP
WARNING: CIDS will not detect attacks launched against ports deleted from a specific group of signatures.
[Slide callouts: Select Signature Template; Click OK; Click Add]
Configure the Sensor to monitor syslog messages from the network device
Note: The router must be configured to send syslog messages to the Sensor, and the IP extended ACL to monitor must be configured to generate syslog messages (e.g., access-list 100 deny udp any any log).
[Slide callouts: Click Add; Select the Monitoring tab; Click OK]
The following steps are performed to configure the Sensor to accept Syslog
messages from network devices:
Summary
This section summarizes what you learned in this chapter.
All signature severities and actions are modified in the signature template
in CSPM.
Signatures can be enabled or disabled.
Connection and string signatures are configured in the signature template
in CSPM.
Many signature templates can be created.
A given signature template is applied to one or many Sensors.
The minimum alarm severity level can be configured on a Sensor to limit
the alarms sent to the Director.
Signature filtering reduces false positives and other undesired alarms.
Signature parameter tuning is used to customize signature triggers in the
user environment.
Signature port mapping is used to customize port to signature settings in
the user environment.
ACL signatures generate alarms when ACL violations are detected in a
Cisco IOS router.
Objectives
In this lab exercise you will complete the following tasks:
Visual Objective
The following figure displays the lab topology you will use to complete this
exercise.
[Lab topology figure: Pod P and Peer Pod Q joined by 172.30.1.0/24 (rP e0/1 .10P, rQ e0/1 .10Q); Pod P network 10.0.P.0/24 with rP e0/0 .1, sensorP .4, idsmP .6 and the CSPM host 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP); Pod Q network 10.0.Q.0/24 with rQ e0/0 .1, sensorQ .4, idsmQ .6 and the CSPM host 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ)]
Step 3 Click the Approve Now button in the Command Approval section. Wait for the configuration files to be downloaded to the Sensor.
Step 7 Accept the default Direction (To), Occurrences (1), Severity (High), and Action (Block, TCP Reset, IP Log).
Signature Type   Severity   Enable   Action
General          Medium     Enable   None
Connection       High       Enable   None
String           High       Enable   TCP Reset
General          High       Enable   IP Log
Telnet to your peer's router from your CSPM host.
At the router prompt, enter the string /etc/passwd. You will receive an error
message because this is not a valid router command.
r0> /etc/passwd
Step 10 Telnet to your Sensor and log in as netrangr with password attack.
c:> telnet 10.0.P.4
ls -l iplog.10.0.Q.3*
Step 7 Enter the IP address and network mask of your peer pod's laptop: 10.0.Q.3 (where Q = peer pod number).
Step 5 Choose all of the signatures to exclude from the Signature list. To choose all of the signatures, choose the first signature, scroll down to the last signature, press the Shift key, and choose the last signature.
Step 7 Select Exclude alarms from a single IP address from the Source Address group box. A field to enter an IP address appears. Enter the IP address of your peer pod's laptop, 10.0.Q.3, as assigned by your instructor (where Q = peer pod number).
Step 8 Select Exclude alarms to any IP address from the Destination Address group box.
10 IP Blocking Configuration
Overview
This chapter describes how to configure the IP Blocking capability on a Sensor
and how IP blocking is used. In addition, it explains considerations you need to
make before you select the interface on which to apply the blocking access control
lists (ACLs).
This chapter includes the following topics:
Objectives
Introduction
Summary
Lab exercise
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
Describe the Device Management capability of the Sensor and how it is used to perform IP blocking with a Cisco IOS router.
Design IP blocking into an IDS solution, including the ACL placement considerations when deciding where to apply Sensor-generated ACLs.
Configure a Sensor with Device Management, which enables the IP Blocking capability.
Configure a Sensor to perform IP blocking through a Master Blocking Sensor.
Introduction
This section explains what Device Management is and how to use it.
Definitions
Device Management Requirements
Cisco IOS router series 1600, 2500, 2600, 3600, 4500, 4700, 7200, and 7500
Sensor must be able to communicate with the router.
Router must be configured to allow telnet access from the Sensor:
VTY access
Enable password set
The following is the list of routers that have been approved and tested to work
with the Sensors and Device Management:
1600
2500
2600
3600
4500
4700
7200
7500
The Sensor must be able to communicate with the router. The Sensor must have a
route to or exist on the same subnet as the managed router. For the Sensor to
effectively defend a network using a Cisco IOS router, you must enable Telnet on
the router so that the Sensor can access it by
IP Blocking Guidelines
Implement anti-spoofing mechanisms.
Identify hosts that are to be excluded from blocking.
Identify network entry points that will participate in blocking.
Block signatures that are deemed as an immediate threat.
Determine the appropriate blocking duration.
The CIDS IP blocking feature is a powerful feature that must be used after well
thought-out planning. The IP blocking feature generates ACLs based solely on the
IP addresses of the hosts that generate the alarms. CIDS will not determine
whether or not the attacking host should be considered a friend or foe.
Consequently, it is quite possible that the IP blocking feature will block legitimate
network traffic. Some key points to remember when designing and implementing
IP blocking are the following:
Critical hosts: Each network has critical hosts that should not be blocked. It is important to identify these hosts to prevent possible network disruptions.
[Figure: an attack from the untrusted network (172.26.26.2) toward the protected network (10.0.0.10) is denied]
Step 1 An attack starts when an attacker executes a hack to gain access to the protected network.
Step 2 The Sensor detects the attack and sends an alarm to the Director.
Step 3 At the same time, the Sensor automatically writes a new ACL on the managed router denying traffic from the attacking host. The managed router will then deny any future traffic generated by the attacking host until the Block is manually removed or the default Block time expires.
[Figure: an attacker reaches the victim on the protected network through Provider X and Provider Y; Sensor A blocks, Sensor B blocks, and Sensor A commands Sensor B to block]
[Figure: ACL placement options, with callouts Inbound ACL, Internal interfaces, Outbound ACL, and Protected network]
You must decide which interface and in what direction to apply the ACL. The
ACL may be applied on either the external or internal interface of the router. It
can also be configured for inbound or outbound on either interface.
Also consider that the Sensor must have full control of the assigned interface
ACL. Manually entered ACLs are not allowed on this interface, but may be
applied to other interfaces.
[Figure callout: User-defined ACLs applied to internal interface]
Applying the ACL to the external interface in the inward direction denies a host
access before packets are processed by the router. Applying the ACL to the
internal interface in the outward direction denies a host access to the protected
network, but allows packets to be processed by the router. This scenario is less
desirable, but may be required if outside inward ACLs are already used.
You must decide, based on your unique network architecture, which configuration
will meet your needs for security and functionality.
Select the Sensor to be configured from the Network Topology Tree (NTT).
Step 6 Enter the block duration, which is the amount of time the block will remain active before the ACL entry will be removed.
Step 7 Enter the Cisco extended ACL number that will be used by the Sensor when writing an ACL. The default value is 199.
Note: Cisco IDS will switch between the Cisco ACL number and one less than the defined number. For instance, if the Cisco ACL number defined is 184, Cisco IDS will use 183 and 184 when writing ACLs.
Blocking Device
To specify the information about the Cisco IOS router that the Sensor will use to
block detected attacks, perform the following steps:
Step 4 Click Add to open the Blocking Device Properties window and configure the properties for IP blocking.
[Slide callouts for the Blocking Device Properties window: Enter the router's enable password; Enter the router's Telnet username; Enter the router's Telnet password; Choose the Interface Direction; Enter the Interface Name]
Step 6 Click Add to add a line in the Blocking Interfaces section, which adds the router interface or interfaces where the ACLs will be applied.
Step 8 Click Add again in the Blocking Interfaces section to add another router interface definition. If no more interfaces need to be defined, then go to the next step.
CIDS enables you to set IP addresses of hosts or networks that will never be
blocked. The Sensor adds permit statements for these addresses in the ACL. To
specify IP addresses that the Sensor will never block, perform the following steps:
Step 3 Select the Never Block Addresses tab within the Blocking tab.
Step 4 Click Add to add a line in the Never Block Addresses tab, which adds an IP address.
Step 6 Click Add again in the Never Block Addresses tab to add another IP address to never block. If no more IP addresses need to be defined, then go to the next step.
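An added example (not code from the student guide or from the CIDS product) modelling the ACL a Sensor writes for IP blocking as the text describes it: the block duration, the permit statements for Never Block Addresses, and the alternation between the configured ACL number and one less than it. The IOS access-list line form, including the trailing permit ip any any, is an assumption, and all addresses and times are constructed data.

```python
"""Added example, not code from the Cisco student guide or the CIDS product.

Models the ACL a Sensor writes to its managed router for IP blocking:
  * each block lives for `block_duration` minutes and is then removed;
  * Never Block Addresses receive permit statements ahead of the deny entries;
  * the Sensor alternates between the configured extended ACL number and one
    less than it (199 and 198 by default) each time it rewrites the list.
The IOS access-list line form (including the trailing permit ip any any) is
an assumption about how such a list is expressed, not something the guide
states.  All addresses and times below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]   # (address, wildcard); wildcard 0.0.0.0 means a single host


def _source(address: str, wildcard: str) -> str:
    """Render an address/wildcard pair in IOS extended-ACL source syntax."""
    return f"host {address}" if wildcard == "0.0.0.0" else f"{address} {wildcard}"


@dataclass
class BlockingSensor:
    acl_number: int = 199                 # "Cisco extended ACL number", default 199
    block_duration: int = 30              # minutes a block stays active
    never_block: List[Key] = field(default_factory=list)
    _blocks: Dict[Key, float] = field(default_factory=dict)  # key -> expiry time
    _current_acl: int = 0                 # ACL number used by the last write

    def block(self, address: str, now: float, wildcard: str = "0.0.0.0") -> bool:
        """Add a host or network block; refused for Never Block Addresses."""
        key = (address, wildcard)
        if key in self.never_block:
            return False
        self._blocks[key] = now + self.block_duration
        return True

    def remove_block(self, address: Optional[str] = None,
                     wildcard: str = "0.0.0.0") -> None:
        """Remove one block, or every block when no address is given
        (Actions>Remove Block>All in the Event Viewer)."""
        if address is None:
            self._blocks.clear()
        else:
            self._blocks.pop((address, wildcard), None)

    def block_list(self, now: float) -> List[Tuple[str, str, float]]:
        """Expire old entries and return (address, wildcard, minutes remaining),
        the information View>Block List shows."""
        self._blocks = {k: exp for k, exp in self._blocks.items() if exp > now}
        return [(a, w, exp - now) for (a, w), exp in sorted(self._blocks.items())]

    def render_acl(self, now: float) -> List[str]:
        """Produce the ACL lines the Sensor would write to the managed router."""
        # Alternate between acl_number and acl_number - 1 on every rewrite.
        self._current_acl = (self.acl_number - 1 if self._current_acl == self.acl_number
                             else self.acl_number)
        n = self._current_acl
        lines = [f"access-list {n} permit ip {_source(a, w)} any"
                 for a, w in self.never_block]
        lines += [f"access-list {n} deny ip {_source(a, w)} any"
                  for a, w, _ in self.block_list(now)]
        lines.append(f"access-list {n} permit ip any any")  # assumed final entry
        return lines


if __name__ == "__main__":
    # Constructed scenario: ACL number 184 (so 183/184 alternate), 30-minute
    # blocks, 10.0.0.10 never blocked, attacker 172.26.26.2 blocked at t=0.
    s = BlockingSensor(acl_number=184, block_duration=30,
                       never_block=[("10.0.0.10", "0.0.0.0")])
    s.block("172.26.26.2", now=0)
    print("\n".join(s.render_acl(now=0)))    # written as access-list 184
    print("\n".join(s.render_acl(now=10)))   # rewritten as access-list 183
    print(s.block_list(now=10))              # 20 minutes remaining
    print("\n".join(s.render_acl(now=31)))   # block expired, back to 184
```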
To specify the information about the Master Blocking Sensor that the Sensor will
use to block detected attacks, perform the following steps:
Step 3 Select the Master Blocking Sensor tab within the Blocking tab.
Step 4 Click Add to open the Blocking Sensor Selection window and select the Master Blocking Sensor.
Step 5 Select the name of the Sensor that you want to make the Master Blocking Sensor from the list and click OK.
The Master Blocking Sensor must exist in the CSPM network topology and be configured to perform IP blocking.
[Slide callouts for the Block List window: Select the Sensor, or select the alarm generated by the Sensor; IP address; Time remaining]
To view the list of IP addresses being blocked by a Sensor, as well as the time
remaining for that IP address on the block list, perform the following steps:
Step 1 On the Event Viewer, select the Sensor on the Connection Status Pane or select an alarm generated by that Sensor.
Step 2 Choose View>Block List from the Event Viewer menu. A window showing the list of blocked IP addresses and the time remaining before they are removed from the block list opens.
[Slide callouts for the Network Device window: Select the Sensor, or select the alarm generated by the Sensor; IP address; Current Time; Status; Type; Version]
To view the list of network devices managed by a Sensor and device information,
perform the following steps:
Step 1 On the Event Viewer, select the Sensor on the Connection Status Pane or select an alarm generated by that Sensor.
Step 2 Choose View>Network Device from the Event Viewer menu. The Network Device window opens, displaying the managed device(s) and each device's current time, status, type, and software version.
[Slide callouts for manual blocking: Select the alarm generated by the Sensor; IP address; Block Duration]
[Slide callouts for removing a block: Select the Sensor, or select the alarm generated by the Sensor; IP address]
To remove a host, network, or all devices being blocked by a Sensor perform the
following steps:
Step 1 On the Event Viewer, select the Sensor on the Connection Status Pane or select an alarm generated by that Sensor.
Summary
This section summarizes what you learned in this chapter.
Device management is the Sensor's ability to dynamically reconfigure a Cisco IOS router's ACLs to block the source of an attack in real time.
Guidelines for designing an IDS solution with IP blocking include the following:
Implement an anti-spoofing mechanism.
Identify critical hosts and network entry points.
Select applicable signatures.
Determine blocking duration.
Summary (cont.)
CIDS Sensors can serve as a master blocking server.
The ACLs may be applied on either the external or internal interface of the router, and can also be configured for inbound or outbound on either interface.
The Sensor IP blocking feature is configured from the Blocking tab in CSPM.
From CSPM's Event Viewer, you can view or remove blocked hosts, and perform manual IP blocking.
Objectives
In this lab exercise you will complete the following tasks:
Visual Objective
This figure displays the information you will need to complete this lab exercise.
[Lab topology figure: Pod P and Peer Pod Q joined by 172.30.1.0/24 (rP e0/1 .10P, rQ e0/1 .10Q); Pod P network 10.0.P.0/24 with rP e0/0 .1, sensorP .4, idsmP .6 and the CSPM host 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP); Pod Q network 10.0.Q.0/24 with rQ e0/0 .1, sensorQ .4, idsmQ .6 and the CSPM host 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ)]
A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to complete the lab exercise.
Step 4 Click Add to open the Blocking Device Properties window and configure the properties for IP blocking.
Step 5
Property               Value
Telnet IP Address
Telnet Username        Leave blank
Telnet Password        cisco
Enable Password        cisco
Interface Name         Ethernet0/1
Interface Direction    Inbound
Note: Do not add a space between the interface name and the interface number.
Step 5
Setting        Value
String
Port           23 (Telnet)
Direction
Occurrences
Severity
Enable
Actions
Comment
Step 7 Click Update on the toolbar to save your changes and update the configuration files.
next task.
From your own CSPM host, telnet to your peer's router as assigned by the instructor and log on with the password cisco.
Attempt to telnet to your peer's router to confirm the block was successful.
Choose Actions>Block>Network from the Event Viewer menu. The Shunning of Hosts window opens showing the status of the block command.
Step 1 After your peer triggers your string match signature, go to your Event Viewer and select the alarm that was triggered.
Step 2 Choose View>Block List from the Event Viewer menu. The Shun List window opens.
Q 1) What are the IP addresses of the hosts or network address being blocked?
A)
Q 2) How much time is remaining before the block will be automatically removed for
each host or network?
A)
Step 1 Choose Actions>Remove Block>All from the Event Viewer menu. The Removing Shun of Hosts window opens.
11
Overview
This chapter covers information on the Catalyst 6000 IDS Module (IDSM) and
how to configure it for intrusion detection.
This chapter includes the following topics:
Objectives
Troubleshooting
Summary
Lab exercise
Objectives
This section lists the chapter's objectives.
Upon completion of this chapter, you will be able to perform the following tasks:
Describe the Catalyst 6000 IDS Module features.
List the two methods of capturing network traffic for analysis by the Catalyst 6000 IDS Module.
Initialize a Catalyst 6000 IDS Module.
Physical dimensions
Height: 3.0 cm (1.2 inches)
Width: 35.6 cm (14.4 inches)
Depth: 40.6 cm (16 inches)
Weight: 2.27 kg (5 lbs.)
The Catalyst 6000 Intrusion Detection System Module (IDSM) is a switch line
card designed specifically to address switched environments by integrating the
IDS functionality directly into the switch and taking traffic right off the switch
backplane, thus bringing both switching and security functionality into the same
chassis.
The Catalyst 6000 IDSM's capabilities offer network and security administrators the ability to overcome issues in switched environments. In switched network environments, traffic must be copied to a monitoring port to capture traffic for Intrusion Detection analysis. This SPAN feature is limited in the number of ports and VLANs that can be captured. The Catalyst 6000 IDSM overcomes this limitation by capturing traffic off the switch backplane using the Catalyst Operating System (OS) VLAN ACL (VACL) feature. Performance is not affected because the Catalyst 6000 IDSM is not in the switch-forwarding path.
The Catalyst 6000 IDSM is an integral part of the CIDS family of products. The attacks and signatures detected parallel those of the 4200 appliance Sensor series.
Feature Comparison
Feature            IDSM   Appliance
(feature lost)     Yes    No
IP Blocking        No     Switches: No; Routers: Yes
IP Logging         No     Yes
String Matching    Yes    Yes
[Further cells from the slide whose feature names were lost: Yes, Yes, No, Yes, No]
The Catalyst 6000 IDSM and traditional appliance Sensor feature comparisons are
as follows:
The monitoring port for the Catalyst 6000 IDSM is by default a trunking
port, thus allowing for visibility of traffic from multiple VLANs.
The Sensor appliance has the ability to create Cisco IOS router ACLs to
block malicious activity.
The Sensor appliance can capture associated network traffic from a specific
IP address after a predefined attack is detected.
Both the IDSM and appliance Sensor enable you to create custom string
signatures.
The Catalyst 6000 IDSM has the flexibility of associating several ports with
signatures or a specific network service. This feature provides a broader
range of coverage to detect protocol specific attacks. For instance, HTTP
(Web) traffic occurs by default on port 80. Other HTTP ports often seen on
the Internet are 81, 82, 88, 8080, and 8888. By associating all these ports
with HTTP, HTTP attacks against these non-standard ports can be detected.
The Catalyst 6000 IDSM has the following Catalyst 6000 Family switch
requirements:
Supervisor 1A or 2
IDSM Ports
IDSM contains the following two ports:
Monitoring port: defined as port 1 on the module; set as a trunking port; assigned as the destination capture port.
Command and control port: defined as port 2 on the module; communicates with CSPM; assigned an IP address.
Port 2 is the command and control port used to communicate with the Director software. Port 2 is assigned an IP address during the initial IDSM setup.
Capturing Traffic
The Catalyst 6000 IDSM can monitor 100Mbps of network traffic. Network
traffic is captured off the switch backplane and analyzed by the IDSM. The two
methods of capturing traffic depend on the features on the Catalyst 6000 switch.
Switches with a Policy Feature Card (PFC) can use the VLAN ACL feature. All
switches can use the Switch Port Analyzer (SPAN) feature.
[Figure: source and destination traffic cross the switch backplane; copied VACL or SPAN traffic goes to the IDSM monitor port; alarms and configuration pass through the IDSM command and control port to CSPM]
The traffic flow is an important aspect of understanding how the IDSM captures
and analyzes network traffic. The Catalyst 6000 switch must first be configured to
capture traffic for Intrusion Detection analysis. If this is not done, IDSM will
never have visibility into the network traffic.
Traffic enters the Catalyst 6000 switch destined for a host or network. The traffic
is captured off the switch backplane and sent to the IDSM. The IDSM performs
Intrusion Detection analysis and performs the defined actions. These actions
include sending alarms and commands to Cisco Secure Policy Manager (CSPM).
Capturing Traffic with SPAN Ports
SPAN mirrors traffic from one or more source ports from any VLAN, or from one or more VLANs, to a destination port.
SPAN limitations:
Four transmit sessions (tx)
Two receive sessions (rx) or both (rx and tx)
Can only monitor Ethernet 10, 100, 1000 Mbps ports
The Switch Port Analyzer (SPAN) feature is one method of capturing network
traffic for Intrusion Detection analysis. SPAN mirrors traffic from one or more
source ports on any VLAN, or from one or more VLANs to a destination port for
analysis.
The following are three methods of deploying the SPAN feature:
Ingress SPAN copies network traffic received (rx) by the source ports for
analysis at the destination port.
Egress SPAN copies network traffic transmitted (tx) from the source ports for
analysis at the destination port.
SPAN type     Number of Sessions
rx or both    2
tx            4
The SPAN feature is also limited to the type of network traffic that can be
captured. It currently works with only Ethernet 10/100/1000 Mbps ports.
VLAN ACL (VACL) access controls all packets on a Catalyst 6000 switch with a
PFC. VACLs are strictly for security packet filtering and redirecting traffic to
specific physical switch ports. Unlike IOS ACLs, VACLs are not defined by
direction (input or output).
VACLs have a capture option to specify that packets that match the specified
flows are switched normally but are also captured and transmitted out of capture
ports. Only permit traffic is sent to capture ports. The Catalyst 6000 IDSM uses
this feature to capture traffic for Intrusion Detection analysis.
VACLs allow for granular control of traffic for Intrusion Detection analysis by permitting interesting traffic. Traffic can be permitted based on
For instance, on a web farm port 80 (HTTP) and 443 (HTTPS) are the services
required for Internet users to access the web servers. Web server software exploits
are attempted against these ports. A VACL can be created to capture only traffic
destined to these ports, thus reducing the amount of traffic sent to the IDSM for
Intrusion Detection analysis.
Only one VACL per protocol can be applied to a single VLAN. CIDS only
examines IP traffic, so we are limited to one IP VACL per VLAN. The IP VACL
can be applied across multiple VLANS.
Configuration Tasks
Initialize the Catalyst 6000 IDSM.
Configure the switch for ID analysis:
Assign the command and control port to the proper VLAN.
Capture traffic for ID analysis.
Verify the configuration.
Add the Catalyst 6000 IDSM to CSPM.
To configure the Catalyst 6000 IDSM and have it report alarms to CSPM, perform
the following tasks:
Initialize the Catalyst 6000 IDSM: This includes setting the IDSM and Director PostOffice parameters using the setup command facility.
Assign the command and control port to the VLAN that can communicate with CSPM: This includes using the set vlan command.
Configure the Catalyst 6000 family switch settings to capture traffic for Intrusion Detection analysis: This includes creating either SPAN sessions or VACLs.
Add the IDSM to CSPM: This includes using the CSPM Add Sensor wizard to add the IDSM to a network topology.
The Catalyst 6000 switch can be accessed either through a console management session or telnet. After an interactive session has been established, you must session into the IDSM. This is the only method to gain command-line access to the IDSM. Log in as the ciscoids user with the default password attack. You will be logged in as a privileged user and can initialize the IDSM with the setup command facility.
IDSM Setup
Session into IDSM.
Enter setup.
Press Enter to continue.
Description                    Value
Sensor's IP address            <IP Address>
Sensor's host id               1-65535
Sensor's organization id       1-65535
Director's IP address          <IP Address>
Director's host id             1-65535
Director's organization id     1-65535
[Other values on the slide whose descriptions were lost: <password>, <Subnet mask>, <IP Address>, <Host Name>, <Org Name>, 1-65535]
Enter yes to apply the initial configuration and cause the IDSM to reset. The
IDSM is then initialized and can then communicate with the Director platform.
Assign the command and control port to a VLAN that will allow for communication to the Director platform.
Clear unwanted VLAN traffic from being captured by using the following commands:
clear trunk
set trunk
Assign the monitoring port to a VLAN using the set vlan command.
Note: Removing trunk traffic is not required for ID analysis. Permitting only specific VLAN trunk traffic to the IDSM monitoring port is a technique to optimize the Intrusion Detection analysis performance of the IDSM.
Use the set vlan command to set group ports into a VLAN, or to set the private
VLAN type. The syntax for the set vlan command is as follows:
set vlan vlan_num mod/ports
vlan_num
mod/ports
Note: The IDSM command and control port (port 2) must be assigned to a VLAN that can communicate with CSPM.
Use the set span command to designate the source and destination SPAN ports.
Use the set span disable command to remove the destination ports from
monitoring traffic. The syntax of the set span command is as follows:
set span src_mod/src_ports | src_vlans dest_mod/dest_port tx | rx | both create
set span disable dest_mod/dest_port | all
src_mod/src_ports
src_vlans
dest_mod/dest_port
tx
rx
both
create
Use the set security acl ip command to create VLAN ACLs to capture IP traffic
for Intrusion Detection analysis. Use the clear security acl map command to
remove VACL to VLAN mappings.
Note: VACLs have an implicit deny feature at the end of the list. All traffic not matching the VACL will be dropped as a result.
Parameters of the set security acl ip command:
acl_name
permit
protocol: ip | 0, icmp | 1 (optionally followed by icmp-type icmp-code, or icmp-message), tcp | 6 (optionally followed by operator port, and established), udp | 17
src_ip_spec
dest_ip_spec
capture
VACL Examples
switch>(enable) set security acl ip WEBONLY permit tcp any host 172.30.1.50 eq 80 capture
switch>(enable) set security acl ip WEBONLY permit ip any any
Sets VACL WEBONLY to capture only web traffic for IDS analysis. Other IP traffic is allowed but not captured.
The WEBONLY VACL captures traffic destined for TCP port 80 (HTTP) for Intrusion Detection analysis. All other IP traffic is permitted but is not captured.
The 10_NET VACL captures any IP traffic destined for or originating from the 10.0.0.0 network for Intrusion Detection analysis.
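An added example (not code from the student guide or from Catalyst OS) that models the VACL capture behaviour described in the VLAN ACL section and illustrated by WEBONLY above: first match wins, only permitted traffic is forwarded, only ACEs carrying capture copy traffic to the IDSM, unmatched traffic hits the implicit deny, and one IP VACL maps to a VLAN. The parser handles only the subset of set security acl ip syntax used in the example, and the 10_NET ACEs and packet values are constructed assumptions, not the guide's commands.

```python
"""Added example, not from the Cisco student guide or Catalyst OS: a model of
VACL capture semantics for a subset of the set security acl ip syntax.

Rules modelled from the text:
  * ACEs are evaluated in order; the first match decides;
  * a matching permit forwards the packet and copies it to the capture
    ports only when that ACE carries the capture keyword;
  * a packet matching no ACE hits the implicit deny and is dropped;
  * only one IP VACL may be mapped to a given VLAN.
Supported ACE form (an assumption, a subset of the real command):
  permit <ip|tcp|udp|icmp> <src> <dst> [eq <port>] [capture]
  where <src>/<dst> is any | host A.B.C.D | A.B.C.D WILDCARD
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Spec = Tuple[int, int]   # (network as int, subnet mask as int)


@dataclass
class Ace:
    proto: str
    src: Spec
    dst: Spec
    dport: Optional[int]
    capture: bool


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wildcard          # Cisco wildcard bits -> subnet mask
    return (addr & mask, mask), i + 2


def parse_ace(text: str) -> Ace:
    """Parse one permit ACE of the supported subset."""
    t = text.split()
    if t[0] != "permit":
        raise ValueError("only permit ACEs are modelled: " + text)
    proto = t[1]
    src, i = _parse_spec(t, 2)
    dst, i = _parse_spec(t, i)
    dport, capture = None, False
    while i < len(t):
        if t[i] == "eq":                  # operator port applies to the destination
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "capture":
            capture, i = True, i + 1
        else:
            raise ValueError("unsupported keyword: " + t[i])
    return Ace(proto, src, dst, dport, capture)


def _match(spec: Spec, ip: str) -> bool:
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == net


class Vacl:
    def __init__(self, name: str, aces: List[str]):
        self.name = name
        self.aces = [parse_ace(a) for a in aces]

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[bool, bool]:
        """Return (forwarded, captured) for one packet."""
        for ace in self.aces:
            if ace.proto != "ip" and ace.proto != proto:
                continue
            if not (_match(ace.src, src) and _match(ace.dst, dst)):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return True, ace.capture
        return False, False               # implicit deny: dropped, not captured


class Switch:
    """VACL-to-VLAN mapping with the one-IP-VACL-per-VLAN constraint."""
    def __init__(self):
        self.maps: Dict[int, Vacl] = {}

    def map_acl(self, vacl: Vacl, vlan: int) -> None:
        if vlan in self.maps and self.maps[vlan].name != vacl.name:
            raise ValueError(f"VLAN {vlan} already has IP VACL {self.maps[vlan].name}")
        self.maps[vlan] = vacl


# The guide's WEBONLY example, and a constructed guess at 10_NET's ACEs.
WEBONLY = Vacl("WEBONLY", ["permit tcp any host 172.30.1.50 eq 80 capture",
                           "permit ip any any"])
TEN_NET = Vacl("10_NET", ["permit ip 10.0.0.0 0.255.255.255 any capture",
                          "permit ip any 10.0.0.0 0.255.255.255 capture",
                          "permit ip any any"])

if __name__ == "__main__":
    print(WEBONLY.evaluate("tcp", "192.0.2.7", "172.30.1.50", 80))   # forwarded, captured
    print(WEBONLY.evaluate("tcp", "192.0.2.7", "172.30.1.50", 443))  # forwarded only
    print(TEN_NET.evaluate("udp", "10.0.4.9", "198.51.100.1", 53))   # forwarded, captured
```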
Use the commit security acl command to commit all Access Control Entries
(ACEs) or an ACE in NVRAM that have not been written to hardware. The
syntax for the commit security acl command is as follows:
commit security acl acl_name | all
acl_name
all
Use the set security acl map command to map an existing VACL to a VLAN.
Use the clear security acl map command set to remove VACL-to-VLAN
mapping. The syntax for the set security acl map command is as follows:
set security acl map acl_name vlan
acl_name
vlan
Port 1 on the IDSM is configured as the default destination capture port for all captured VACL traffic. The set security acl capture-ports command can be used to specify other ports.
Use the set security acl capture-ports command to set the ports specified with the capture option in the set security acl ip command to show traffic captured on these ports. Use the clear security acl capture-ports command to remove a port from the capture port list.
set security acl capture-ports <mod/ports>[,<mod/ports>]
mod/ports
Trunk Traffic
Use the clear trunk command to restore a trunk port to its default trunk type and
mode or to clear specific VLANs from the allowed VLAN list for a trunk port.
The syntax for the clear trunk command is as follows:
clear trunk <mod/port> [vlans]
mod/port
vlans
Use the set trunk command to configure trunk ports and to add VLANs to the
allowed VLAN list for existing trunks. The syntax for the set trunk command is
as follows:
set trunk <mod/port> [vlans]
mod/port
vlans
Use the set vlan command to set group ports into a VLAN, or to set the private
VLAN type. The syntax for the set vlan command is as follows:
set vlan vlan_num mod/ports
vlan_num
mod/ports: Number of the module and ports on the module belonging to the VLAN.
Show Commands
switch>(enable) show config
switch> show span
switch> show security acl
Displays switch configurations including SPAN and VACL settings.
Use the show config switch command to display the nondefault system or module
configuration. The syntax for show config command is as follows:
show config
Use the show span switch command to display information about the current
SPAN configuration. The syntax for show span command is as follows:
show span
Use the show security acl switch command set to display the contents of the ACL
that are currently configured or last committed to NVRAM and hardware. The
syntax for show security acl command is as follows:
show security acl
Use the show configuration IDSM diagnostic command to display version and
configuration settings. The syntax for show configuration command is as
follows:
show configuration
Use the show eventfile IDSM command to display the contents of the IDSM
alarm log files. The syntax for show eventfile command is as follows:
show eventfile [current | backup | archive]
11-30
Clear Commands
Use the diag resetcount IDSM diagnostic command to reset the counters for IP
traffic received by the command and control port. The syntax for the diag
resetcount command is as follows:
diag resetcount
Use the clear config command to clear the IDSM configuration. The syntax for
the clear config command is as follows:
clear config
Step 1
Step 2
Step 3 Select the Add Sensor wizard from the CSPM Wizards menu. The Sensor
Identification window opens.
Step 4 Enter the Sensor Identification parameters. Click Next to continue. The Sensor
Configuration window opens.
Step 5 Choose the Sensor Version from the Sensor Version drop-down menu.
Step 6 Choose the Signature Template from the Signature Template drop-down menu.
Click Next to continue. The Ready to Proceed window opens.
Step 7 Verify the PostOffice parameters. Click Finish to generate the configuration files
and add the IDSM to the network topology.
CSPM will now receive alarms generated by the IDSM.
IDSM Components
IDSM has two partitions: application and maintenance.
IDSM can only have one active partition.
Application is by default the active partition.
The application partition contains the IDS engine.
Service pack and signature updates are done from the application partition.
2001, Cisco Systems, Inc.
The IDSM has two independent partitions on its internal hard drive: the
application partition (hdd:1) and the maintenance partition (hdd:2). Each of these
partitions is 4 GB, contains its own image, and is capable of running even if the
other partition becomes corrupted. Only one partition may be active at a time. The
application partition contains the IDS engine and is active by default.
Note
The Catalyst set boot device command can be used to assign the default active
partition.
Updating IDSM
The IDSM updates are released as files. The update process requires that the
update files exist on an accessible FTP server. The update files can be obtained
online from Cisco's Software Center at www.cisco.com. A valid Cisco
Connection Online (CCO) account is required.
Partition image files are distributed in Microsoft Cab format. Two supporting files
are required: .lst and .dat. The .lst file contains a list of the cab files required to
install the image. The .dat file is a binary file containing installation information.
Signatures and service packs are distributed as self-extracting executables.
IDSM Files
The file name carries the software type, signature version, service pack level,
and IDSM version. Example: IDSM-sig-2.5-1-S2.exe
Service pack level: The service pack level identifies the level at which the
IDSM has been patched.
.lst: Text file containing a list of the cab files required for an IDSM
software image.
.dat: Binary file containing information required for installation of an
IDSM software image.
The apply command takes one of the keywords signatureupdate or servicepack,
followed by these parameters:
site value
user value
dir value
file value
The ids-installer program takes the following options:
/nw
/install
/server ip_address
/user username
/dir directory    The directory where the files are located. The single quotes
are required.
/prefix update_file
/save yes | no
Troubleshooting
This section covers techniques to troubleshoot the Catalyst 6000 IDSM.
The status LED is a quick method to determine the state of the IDSM. The status
LED is located in the left corner of the module.
Status Color    Description
Green           IDSM is operational
Amber
Red
Off
Switch Commands
switch> show module
Shows the status of the modules in the switch. The ok state indicates the module
is online.
Use the show module command to display the module status and information.
The syntax for the show module command is as follows:
show module [mod]
mod
Use the show port command to display port status and counters. The syntax for
the show port command is as follows:
show port [mod[/port]]
mod/port
Use the reset command to restart the system or an individual module, schedule a
system reset, or cancel a scheduled reset. The syntax for the reset command is as
follows:
reset mod_num hdd:partition
mod_num
hdd
partition
Use the set module power command to turn on or shut off the power to a module.
The IDSM must be shut down before it can be removed from the switch chassis.
Use the IDSM shutdown command prior to powering off the module. The syntax
for the set module power command is as follows:
set module power up | down mod
up
down
mod
WARNING Do not remove the IDSM from the switch until after the IDSM shuts down
completely. Removing the IDSM without going through a shutdown procedure can damage
your IDSM.
IDSM Commands
idsm(diag)# nrconns
Displays the IDSM communication status with the Director.
The following IDSM commands are executed in the diagnostics mode: nrconns,
diag bootresults, report systemstatus, and show errorfile. To enter the diagnostics
mode, enter diag at the idsm prompt.
Use the nrconns command to display the current IDS communication service
status. The syntax for the nrconns command is as follows:
nrconns
Use the diag bootresults command to display the boot time diagnostic results.
The syntax for the diag bootresults command is as follows:
diag bootresults
Use the report systemstatus command to transfer the system status to an FTP
server. The file is in HTML format and contains diagnostic information and IDSM
configuration files. The filename is the name of the IDSM followed by
SystemStatusReport. For instance, if the IDSM hostname is idsm0, the
filename is idsm0SystemStatusReport.html. The syntax for the report
systemstatus command is as follows:
report systemstatus site ip_address user username dir directory
site
user
username
dir
directory
idsm# shutdown
Performs a graceful shutdown of the IDSM.
Use the show errorfile diagnostic command to display the contents of the IDSM
error log files. The syntax for the show errorfile command is as follows:
show errorfile [filexferd | loggerd | packetd | postofficed | sapd] [current | backup]
filexferd
loggerd
packetd
postofficed
sapd
current
backup
Use the shutdown command to shut down the IDSM operating system. The
syntax for the shutdown command is as follows:
shutdown
Summary
This section summarizes what you have learned in this chapter.
Summary
The Catalyst 6000 IDSM is a line card for the Catalyst 6000 Family switches.
The Catalyst 6000 IDSM is initialized using the setup command.
The set span command is used to configure a Catalyst switch to capture traffic
using the SPAN feature.
The set security acl command is used to configure a Catalyst switch to capture
traffic using the VACL feature.
Summary (cont.)
The Add Sensor wizard in CSPM is used to add the Catalyst 6000 IDSM to CSPM.
The following commands are used to verify the Catalyst 6000 IDSM configuration:
show configuration.
show eventfile.
Summary (cont.)
The following commands are used to verify the Catalyst 6000 Family switch
configuration:
show config.
show span.
show security acl.
IDSM has two partitions: application and maintenance.
Summary (cont.)
IDSM partitions are updated while offline.
The application partition and maintenance partitions are updated using the IDSM
configuration ids-installer program.
Signature and service packs are installed from the application partition.
Signatures and service packs are installed using the apply IDSM configuration
command.
Objective
In this lab exercise you will complete the following tasks:
Configure the Catalyst 6000 Family switch to capture traffic for Intrusion
Detection analysis.
Visual Objective
The following figure displays the configuration you will complete in this lab
exercise.
Figure: Lab topology. Pod P: router rP with e0/0 .1 on 10.0.P.0/24 and e0/1 .10P
on 172.30.1.0/24; sensorP at .4 and idsmP at .6 on 10.0.P.0/24; CSPM host at
10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP). The
peer pod Q is laid out the same way with rQ (e0/1 .10Q), sensorQ, idsmQ, and
CSPM at 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ).
Setup
Before starting this lab exercise, set up your equipment so that you can ensure you
have connectivity to the switch that you are going to configure. Verify that your
pod has an FTP server with a public directory with write privileges for file
transfers.
Directions
Your task in this lab exercise is to configure the Catalyst 6000 Family switch and
IDSM to detect alarms and send alarm notifications to CSPM. Then you will add
the IDSM to an existing CSPM network topology. Follow the convention where
P = pod number and PVLAN = 300 + P. For example, student pod 3 would have
PVLAN = 303. Your instructor will assign your module number, M, and the IP
address of the switch, SW.
Your instructor will provide you with the values to complete the following table.
Parameter    Value
PVLAN
M
SW
Task 1
Initialize the IDSM
Perform the following lab steps to initialize the IDSM.
Step 1 Disable console error messages during your telnet session into the switch.
switch> (enable) set logging session disable
Step 3
Step 4
Step 5
Follow the system configuration dialog and enter the following CIDS
Communications Infrastructure parameters:
Parameter                     Value
Sensor's IP address
                              255.255.255.0
Sensor's host id
                              45000
Sensor's organization id
Director's IP address
Director's host id
Director's organization id
Note
The IDSM command and control port is assigned the sensor's settings.
Step 6 After entering and reviewing all communication parameters, enter yes when
prompted to apply this configuration. If you made any mistakes, enter no and rerun
the setup command.
Note
The IDSM will reset after you accept and apply the configuration. You will be
logged out and returned to the switch prompt.
Step 2 Verify your IDS module status is ok. Do NOT continue until the module status is
ok.
switch> (enable) show module M
switch> (enable) show module 3
Mod Slot Ports Module-Type                Model          Sub Status
3   3    2     Intrusion Detection System WS-X6381-IDS   no  ok
Step 3 Set the command and control port to the VLAN that can communicate with
CSPM:
switch> (enable) set vlan PVLAN M/2
Step 4
You will receive an error if you attempt to add the command and control interface
to a VLAN if the module status is not ok.
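The "do not continue until the status is ok" check above is the kind of gate that is easy to skip when the steps are scripted. The following is an added example, not part of the Cisco course material: a small Python parser for the CatOS show module output in the column layout printed in the lab, which reports whether the module in slot M is an IDSM (model WS-X6381-IDS, as the lab output shows) in the ok state. The sample output is constructed; the supervisor and Ethernet rows are invented to show the parser skipping them.

```python
"""Gate the next lab step on the IDSM status reported by 'show module'.

Added example, not from the Cisco course. Parses CatOS 'show module' output
and returns whether module M is an IDSM in the 'ok' state, which Task 1
requires before the 'set vlan' step is run.
"""
import re
from typing import Dict, Optional

# Constructed sample output modelled on the lab's 'show module 3' listing; the
# supervisor and Ethernet rows are invented so the parser has rows to skip.
SAMPLE_SHOW_MODULE = """\
Mod Slot Ports Module-Type                Model               Sub Status
--- ---- ----- -------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor       WS-X6K-SUP1A-2GE    yes ok
3   3    2     Intrusion Detection System WS-X6381-IDS        no  ok
5   5    48    10/100BaseTX Ethernet      WS-X6248-RJ-45      no  other
"""

# One module row: numeric Mod/Slot/Ports, a multi-word type, then model,
# sub-module flag and status. The type is matched lazily so the fixed trailing
# fields (model, yes|no, status) anchor the split.
ROW_RE = re.compile(
    r"^\s*(?P<mod>\d+)\s+(?P<slot>\d+)\s+(?P<ports>\d+)\s+"
    r"(?P<type>\S.*?)\s+(?P<model>\S+)\s+(?P<sub>yes|no)\s+(?P<status>\S+)\s*$"
)


def parse_show_module(text: str) -> Dict[int, dict]:
    """Return {module number: fields} for every module row; header lines are skipped."""
    modules: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # column header, separator or blank line
        modules[int(m["mod"])] = {
            "slot": int(m["slot"]),
            "ports": int(m["ports"]),
            "type": m["type"],
            "model": m["model"],
            "sub": m["sub"] == "yes",
            "status": m["status"],
        }
    return modules


def module_status(text: str, mod: int) -> Optional[str]:
    """Status column for module `mod`, or None if the switch does not list it."""
    info = parse_show_module(text).get(mod)
    return None if info is None else info["status"]


def idsm_ready(text: str, mod: int) -> bool:
    """True only when module `mod` is listed, is an IDSM, and reports 'ok'."""
    info = parse_show_module(text).get(mod)
    return info is not None and info["model"] == "WS-X6381-IDS" and info["status"] == "ok"


if __name__ == "__main__":
    print("module 3 ready:", idsm_ready(SAMPLE_SHOW_MODULE, 3))
```

In practice the text fed to parse_show_module would be captured from the switch session; the function only refuses to proceed, it never changes the switch.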
Task 3
Verify the Switch and IDSM Configuration
Perform the following lab steps to verify the switch and IDSM configurations are
correct.
Step 1
Step 2
Step 3 Session into your IDS module and display the IDSM configuration:
idsm# show configuration
Using 46178304 out of 267702272 bytes of available memory
!
Using 460935168 out of 4211310592 bytes of available disk space
!
Sensor version is : 2.5(1)S1
!
Sensor application status:
nr.postofficed    running
nr.fileXferd      running
nr.loggerd        running
nr.packetd        running
nr.sapd           running
Configuration last modified Tue Nov 07 01:03:54 2000
Sensor:
  IP Address:          10.0.0.6
  Netmask:             255.255.255.0
  Default Gateway:     10.0.0.1
  Host Name:           idsm0
  Host ID:             6
  Host Port:           45000
  Organization Name:   pod0
  Organization ID:     100
Director:
  IP Address:          10.0.0.84
  Host Name:           director84
  Host ID:             84
  Host Port:           45000
  Heart Beat Interval (secs): 5
  Organization Name:   pod0
  Organization ID:     100
Step 4
Task 4
Add the IDSM to CSPM
Perform the following lab steps to add the IDSM to an existing network topology
in CSPM:
Step 1
Step 2 Log into the CSPM database as Administrator with the password attack.
Step 3 Choose the Add Sensor wizard from the CSPM menu bar. The Sensor
Identification window opens.
Step 4
Parameter                   Value
Sensor's host id
Sensor's organization id
Sensor's IP address
Step 5
Step 6 Choose the Sensor Version and Signature Template to apply to the IDSM.
Your instructor will provide you with the values to complete the following table.
Parameter             Value
Sensor version
Signature template
Step 7
Step 8 Verify the PostOffice parameters. Click Finish to add the IDSM to the network
topology.
Step 9 Click Update on the toolbar to save your changes and update the configuration
files.
Step 10 Select idsmP (where P = pod number) from the Network Topology Tree.
Step 11 Select the Command tab in the Sensor view panel.
Step 12 Click the Approve Now button in the Command Approval section. Wait for the
next task.
Note
Notify the instructor that you have completed these tasks before proceeding.
Task 5
Apply a Signature Update
Perform the following lab steps to apply a signature update to the IDSM
application partition:
Step 1
Step 2
Step 3
Step 4
Parameter     Value
FTPSITE
USERNAME
FTPDIR
FILENAME
idsm(config)# apply signatureupdate site FTPSITE user USERNAME dir FTPDIR file
FILENAME
Step 5 A warning message is displayed. Enter yes when prompted to continue with the
install.
Step 6 Enter the password attack when prompted. Wait for the file to download. When
the download is completed, the IDSM will shut down and restart. You will be
logged out and returned to the switch prompt.
Step 7
Step 8
Task 6
Transfer the IDSM System Status Report
Perform the following lab steps to transfer the IDSM system status file:
Step 1
Step 2
Step 3
Step 4 Enter yes when prompted to continue generating the system status report.
Step 6
Step 7
Step 8 Open the IDSM system status report. In your web browser, choose File > Open.
Locate the file in your FTP directory. Use your browser's browse feature.
C:\InetPub\ftproot\idsm0SystemStatusReport.html
Completion Criteria
You completed this lab exercise if you were able to do the following:
Successfully transfer the IDSM System Status report to the CSPM host.
12 Authentication, Authorization, and Accounting Configuration on the Cisco PIX Firewall
Overview
This chapter includes the following topics:
Objectives
Introduction
Authentication configuration
Authorization configuration
Accounting configuration
Summary
Lab exercise
Objectives
This section lists the chapter's objectives.
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Define authentication, authorization, and accounting.
Describe the differences between authentication, authorization, and accounting.
Describe how users authenticate to the PIX Firewall.
Describe how cut-through proxy technology works.
Name the AAA protocols supported by the PIX Firewall.
Install and configure CSACS for Windows NT.
Configure AAA on the PIX Firewall.
www.cisco.com
CSPFA 2.012-2
Introduction
This section introduces the authentication, authorization, and accounting concepts
and how the Cisco Secure PIX Firewall supports them.
Authentication, Authorization, and Accounting
Authentication: who you are. Can exist without authorization.
Authorization: what you can do. Requires authentication.
Accounting: what you did.
Figure: Authenticating through the PIX Firewall to an FTP or HTTP server. The
AAA username is smith with password 2bon2b; the remote server account is
john with password v1v10k4. The user enters the username smith@john and the
password 2bon2b@v1v10k4 at the PIX Firewall.
You can authenticate with the PIX Firewall in one of three ways:
FTP: You get a prompt from the FTP program. If you enter an incorrect
password, the connection is dropped immediately. If the username or
password on the authentication database differs from the username or
password on the remote host to which you are accessing via FTP, enter the
username and password in the following formats:
aaa_username@remote_username
aaa_password@remote_password
The PIX Firewall sends the aaa_username and aaa_password to the AAA
server, and if authentication and authorization are successful, the
remote_username and remote_password are passed to the destination FTP
server.
Note
aaa_username@remote_username
aaa_password@remote_password
The PIX Firewall sends the aaa_username and aaa_password to the AAA
server, and if authentication and authorization are successful, the
remote_username and remote_password are passed to the destination HTTP
server.
Keep in mind that browsers cache usernames and passwords. If you believe
that the PIX Firewall should be timing out an HTTP connection but it is not,
re-authentication may actually be taking place with the web browser sending
the cached username and password back to the PIX Firewall. The Syslog
service will show this phenomenon. If Telnet and FTP seem to work
normally, but HTTP connections do not, this is usually why.
The PIX Firewall supports authentication usernames of up to 127 characters and
passwords of up to 63 characters. A password or username may not contain an at
(@) character as part of the password or username string.
Note
If PIX Firewalls are in tandem, Telnet authentication works in the same way as a
single PIX Firewall, but FTP and HTTP authentication have additional complexity
because you have to enter each password and username with an additional at
(@) character and password or username for each in-tandem PIX Firewall.
Note
Once authenticated with HTTP, a user never has to reauthenticate no matter how
low the PIX Firewall uauth timeout is set. This is because the browser caches the
"Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to
that particular site. This can only be cleared when the user exits all instances of
the web browser and restarts. Flushing the cache is of no use.
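The aaa_username@remote_username convention above, as an added example that is not part of the Cisco course material: a Python helper that composes the strings a user types at the FTP or HTTP prompt and splits them the way the firewall does, with the AAA part before the at character and the remote part after it. It enforces the three constraints the text states (no at character inside any single field, AAA usernames of at most 127 characters, AAA passwords of at most 63 characters) and handles the single-firewall case only; the tandem case with additional at characters is not modelled. The sample accounts smith/john are the ones in the figure.

```python
"""Compose and split PIX cut-through proxy credentials for FTP and HTTP.

Added example, not from the Cisco course. The part of each typed string
before '@' is sent to the AAA server; the part after '@' is passed to the
destination FTP/HTTP server once authentication and authorization succeed.
"""
from typing import NamedTuple, Optional, Tuple

MAX_USERNAME = 127   # PIX limit for authentication usernames (from the text)
MAX_PASSWORD = 63    # PIX limit for authentication passwords (from the text)


class Credentials(NamedTuple):
    aaa_username: str
    aaa_password: str
    remote_username: Optional[str]   # None when the AAA and remote accounts coincide
    remote_password: Optional[str]


def _check(value: str, what: str, limit: Optional[int]) -> None:
    """Reject empty fields, embedded '@' (the separator), and over-long AAA fields."""
    if not value:
        raise ValueError(f"{what} must not be empty")
    if "@" in value:
        raise ValueError(f"{what} may not contain '@'; it is the field separator")
    if limit is not None and len(value) > limit:
        raise ValueError(f"{what} is longer than {limit} characters")


def compose(aaa_user: str, aaa_pass: str,
            remote_user: Optional[str] = None,
            remote_pass: Optional[str] = None) -> Tuple[str, str]:
    """Return the (username, password) strings to type at the FTP/HTTP prompt."""
    _check(aaa_user, "aaa_username", MAX_USERNAME)
    _check(aaa_pass, "aaa_password", MAX_PASSWORD)
    if (remote_user is None) != (remote_pass is None):
        raise ValueError("remote username and password must be given together")
    if remote_user is None or remote_pass is None:
        return aaa_user, aaa_pass          # same account on both sides: no '@' needed
    _check(remote_user, "remote_username", None)
    _check(remote_pass, "remote_password", None)
    return f"{aaa_user}@{remote_user}", f"{aaa_pass}@{remote_pass}"


def split(typed_user: str, typed_pass: str) -> Credentials:
    """Split typed strings as the firewall does: AAA part first, remote part after '@'."""
    users = typed_user.split("@")
    passwords = typed_pass.split("@")
    if len(users) > 2 or len(passwords) > 2:
        raise ValueError("at most one '@' per field for a single PIX Firewall")
    if len(users) != len(passwords):
        raise ValueError("username and password must both carry a remote part, or neither")
    _check(users[0], "aaa_username", MAX_USERNAME)
    _check(passwords[0], "aaa_password", MAX_PASSWORD)
    if len(users) == 1:
        return Credentials(users[0], passwords[0], None, None)
    _check(users[1], "remote_username", None)
    _check(passwords[1], "remote_password", None)
    return Credentials(users[0], passwords[0], users[1], passwords[1])
```

The split function is the useful half for troubleshooting: when a user reports that the remote server rejects them, running their typed strings through it shows immediately whether the two halves line up or whether an at character inside a password has shifted the split.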
Figure: Cut-through proxy, showing a user on the Internet, a web server on the
intranet, CSACS, and the credential strings remote_user@local_user and
remote_pass@local_pass.
The PIX Firewall gains dramatic performance advantages because of the
cut-through proxy, a method of transparently verifying the identity of users at the
firewall and permitting or denying access to any TCP- or UDP-based application.
This method eliminates the price and performance impact that UNIX system-based
firewalls impose in similar configurations, and leverages the authentication
and authorization services of CSACS.
The PIX Firewall's cut-through proxy challenges a user initially at the application
layer, and then authenticates against standard TACACS+ or RADIUS databases.
After the policy is checked, the PIX Firewall shifts the session flow and all traffic
flows directly and quickly between the server and the client while maintaining
session state information.
The PIX Firewall supports the following AAA protocols and servers:
TACACS+: Cisco Secure ACS NT, Cisco Secure ACS UNIX, and TACACS+ Freeware.
RADIUS: Cisco Secure ACS NT, Cisco Secure ACS UNIX, Livingston, and Merit.
Installation Wizard
Note
Close all Windows programs before you run the setup program.
To start installation of CSACS for Windows NT, complete the following steps:
Step 1 Log in as the local system administrator to the machine on which you are
installing CSACS.
Step 2 Insert the CSACS CD-ROM into your CD-ROM drive. The Installation window
opens.
Step 3
Step 4 Read the Software License Agreement. Click Accept to agree to the licensing
terms and conditions. The Welcome window opens.
Step 5
Step 6 Verify that each condition is met, and then click the check box for each item.
Click Next.
Step 7 Click Next. (Click Explain for more information on the listed items. If any
condition is not met, click Cancel to exit the program.)
Step 8
Note
Step 9
Step 10 If Setup finds an existing configuration, you are prompted whether you want to
import the configuration. To keep the existing configuration, click Yes, import
configuration and click Next. To use a new configuration, deselect the check box
and click Next. The Choose Destination Location window opens.
Step 11 To install the software in the default directory, click Next. To use a different
directory, click Browse and enter the directory to use. If the directory does not
exist, you are prompted to create one. Click Yes. The Authentication Database
Configuration window opens.
Step 12 Click the option button for the authentication databases to be used by CSACS.
Check the CSACS Database only option (the default). Also check the Windows
NT User Database option. If you select the first option, Cisco Secure ACS will
use only the CSACS database for authentication; if you select the second option,
CSACS will check both databases.
Step 13 (Optional.) To limit dial-in access to only those users you specified in the
Windows NT User Manager, click the Yes, reference "Grant dialin permission
to user" setting. Click Next. The Network Access Server Details window opens.
Basic Configuration
Authenticate users using          TACACS+ (Cisco) or RADIUS (Cisco)
Access server name                Enter the PIX Firewall name
Access server IP address          Enter the PIX Firewall IP address
Windows NT server IP address      Enter the AAA server IP address
TACACS+ or RADIUS key             Enter a secret key; must be the same in the PIX Firewall
Access Server Name: Name of the network access server (NAS) that will be
using the CSACS services.
Access Server IP Address: IP address of the NAS that will be using the
CSACS services.
Step 15 The Interface Configuration options are disabled by default. Click the check box
to enable any or all of the options listed. Click Next. The Active Service
Monitoring window opens.
Note
Configuration options for these items are displayed in the CSACS interface only if
they are enabled. You can disable or enable any or all of these and additional
options after installation in the Interface Configuration: Advanced Options window.
Step 16 To enable the CSACS monitoring service, CSMon, check the Enable Log-in
Monitoring check box, then select a script to execute when the login process fails
the test:
You can also develop your own scripts to be executed if there is a system failure.
See the online documentation for more information.
Step 17 To have CSACS generate an e-mail message when administrator events occur,
check the Enable Mail Notifications check box, then enter the following
information:
SMTP Mail Server: The name and domain of the sending mail server (for
example, server1.company.com).
Step 18 Click Next. The CSACS Service Initiation window opens. If you do not want to
configure a NAS from Setup, click Next. To configure a single NAS now, click
Yes, I want to configure Cisco IOS now. Click Next.
Authentication Configuration
This section discusses how to configure authentication on the PIX Firewall.
Use the aaa-server command to specify AAA server groups. The PIX Firewall
lets you define separate groups of TACACS+ or RADIUS servers for specifying
different types of traffic, such as a TACACS+ server for inbound traffic and
another for outbound traffic. The aaa command references the group tag to direct
authentication, authorization, or accounting traffic to the appropriate AAA server.
You can have up to 14 tag groups, and each group can have up to 16 AAA servers,
for a total of up to 256 TACACS+ or RADIUS servers. When a user logs in, the
servers are accessed one at a time, starting with the first server you specify in the
tag group, until a server responds.
The default configuration provides the following two aaa-server protocols:
Note
If you are upgrading from a previous version of the PIX Firewall and have aaa
command statements in your configuration, using the default server groups
enables you to maintain backward compatibility with the aaa command statements
in your configuration.
Note
The previous server type option at the end of the aaa authentication and aaa
accounting commands has been replaced with the aaa-server group tag.
Backward compatibility with previous versions is maintained by the inclusion of two
default protocols for TACACS+ and RADIUS.
Note
The PIX Firewall listens for RADIUS on ports 1645 and 1646. If your RADIUS
server uses ports 1812 and 1813, you will need to reconfigure it to listen on ports
1645 and 1646.
The aaa-server command takes the following parameters:
if_name
host server_ip
key
timeout seconds
protocol auth_protocol
Enable Authentication
pixfirewall(config)#
aaa authentication include|exclude authen_service
inbound|outbound|if_name local_ip local_mask foreign_ip
foreign_mask group_tag
Defines traffic to be authenticated
authen_service = any, ftp, http, or telnet
any = all TCP traffic
pixfirewall(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include telnet outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
The new include and exclude options are not backward compatible with PIX
Firewall versions 5.0 and earlier. If you downgrade to an earlier version, the aaa
authentication command statements are removed from your configuration.
The syntax for all forms of the aaa authentication command is as follows:
aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip
local_mask foreign_ip foreign_mask group_tag
no aaa authentication [include | exclude authen_service inbound | outbound | if_name local_ip
local_mask foreign_ip foreign_mask group_tag]
clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip
local_mask foreign_ip foreign_mask group_tag]
include
exclude
authen_service
inbound
outbound
if_name
local_ip
local_mask
foreign_ip
foreign_mask
group_tag
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
Figure: PIX Firewall connecting 172.26.26.0/24, 192.168.0.0/24, and the inside
network 10.0.0.0/24, which holds host .42, host .5, and the AAA server.
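The include/exclude matching illustrated above, as an added example that is not part of the Cisco course material: a Python model of which aaa authentication statement governs a given flow. The two statements are the ones from the example configuration; the flows checked are constructed. The model assumes that a matching exclude statement exempts the flow regardless of statement order, that any covers all TCP services (as the slide states), and that the two-address shorthand 0 0 is read as local 0.0.0.0/0 with foreign defaulting to 0.0.0.0/0; the last two are my reading of the slide, not something the page spells out.

```python
"""Which 'aaa authentication include|exclude' statement governs a flow?

Added example, not from the Cisco course. A statement matches a flow when its
service is 'any' (all TCP) or equals the flow's service, its direction (inbound,
outbound or interface name) matches, and the local and foreign addresses fall
inside the statement's networks. A matching 'exclude' exempts the flow;
otherwise the first matching 'include' names the server group used.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")
SERVICES = ("any", "ftp", "http", "telnet")


@dataclass(frozen=True)
class AaaRule:
    action: str                       # "include" or "exclude"
    service: str                      # any | ftp | http | telnet
    direction: str                    # inbound | outbound | interface name
    local: ipaddress.IPv4Network
    foreign: ipaddress.IPv4Network
    group_tag: str


def _network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from 'ip mask' tokens; a bare '0' stands for 0.0.0.0."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def parse_rule(line: str) -> AaaRule:
    """Parse one statement, with or without the 'pixfirewall(config)#' prompt."""
    tokens = line.split()
    tokens = tokens[tokens.index("aaa"):]
    if tokens[1] != "authentication":
        raise ValueError(f"not an aaa authentication statement: {line!r}")
    action, service, direction = tokens[2:5]
    if action not in ("include", "exclude") or service not in SERVICES:
        raise ValueError(f"unsupported action or service in {line!r}")
    rest = tokens[5:]
    if len(rest) == 3:      # 'ip mask group_tag' shorthand: foreign defaults to any (assumption)
        local, foreign, tag = _network(rest[0], rest[1]), ANY_NET, rest[2]
    elif len(rest) == 5:    # local_ip local_mask foreign_ip foreign_mask group_tag
        local, foreign, tag = _network(rest[0], rest[1]), _network(rest[2], rest[3]), rest[4]
    else:
        raise ValueError(f"unexpected address list in {line!r}")
    return AaaRule(action, service, direction, local, foreign, tag)


def matches(rule: AaaRule, service: str, direction: str,
            local_ip: str, foreign_ip: str, tcp: bool = True) -> bool:
    """True when the statement applies to this flow. Only TCP is ever matched."""
    if not tcp:
        return False
    return (
        rule.service in ("any", service)
        and rule.direction == direction
        and ipaddress.IPv4Address(local_ip) in rule.local
        and ipaddress.IPv4Address(foreign_ip) in rule.foreign
    )


def auth_group_for(rules: Iterable[AaaRule], service: str, direction: str,
                   local_ip: str, foreign_ip: str, tcp: bool = True) -> Optional[str]:
    """Group tag the flow is authenticated against, or None when it is not authenticated."""
    hits = [r for r in rules if matches(r, service, direction, local_ip, foreign_ip, tcp)]
    if any(r.action == "exclude" for r in hits):
        return None                     # an exclude wins over any include
    for r in hits:
        if r.action == "include":
            return r.group_tag
    return None


# The two statements from the example configuration, parsed into rules.
EXAMPLE_RULES = [parse_rule(s) for s in (
    "pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS",
    "pixfirewall(config)# aaa authentication exclude any outbound "
    "10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS",
)]
```

Running the inside host 10.0.0.42 and any other inside host through auth_group_for shows the intent of the pair of statements: everyone outbound is challenged except the one excluded host. The same function also shows why the next section exists: with include any, a NetBIOS flow on tcp/139 is selected for authentication even though the firewall has no way to challenge it in-band.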
Step 1 Click User Setup from the navigation bar. The Select window opens.
Step 2
Step 3 Click Add/Edit. The Edit window opens. The username being added or edited
appears at the top of the window.
The Edit window contains the following sections:
Account Disabled
User Setup
Account Disable
Account Disabled
If you need to disable an account, select the Account Disabled check box in the
Account Disabled section to deny access for this user.
Note
Real Name: If the username is not the user's real name, enter the real name
here.
User Setup
In the User Setup group box, you can edit or enter the following information for
the user as applicable:
Note
Group to which the user is assigned: From the Group to which the user is
assigned drop-down menu, choose the group to which to assign the user. The
user inherits the attributes and operations assigned to the group. By default,
users are assigned to the Default Group. Users who authenticate via the
Unknown User method who are not found in an existing group are also
assigned to the Default Group.
Account Disable
The Account Disable group box can be used to define the circumstances under
which the user's account will become disabled.
Note
Never radio button: Select to keep the user's account always enabled. This
is the default.
Date exceeds: From the drop-down menus, choose the month, date, and
year on which to disable the account. The default is 30 days after the user
is added.
Failed attempts exceed: Select the check box and enter the number of
consecutive unsuccessful login attempts to allow before disabling the
account. The default is 5.
Failed attempts since last successful login: This counter shows the
number of unsuccessful login attempts since the last time this user logged
in successfully.
If you are using the Windows NT user database, this expiration information is in
addition to the information in the Windows NT user account. Changes here do not
alter settings configured in Windows NT.
When you have finished configuring all user information, click Submit.
Authentication of Non-Telnet, FTP, or HTTP Traffic
The PIX Firewall authenticates users via Telnet, FTP, or HTTP. But what if users
need to access a Microsoft file server on port 139 or a Cisco IP/TV server, for
instance? How will they be authenticated? Whenever users are required to
authenticate to access services other than Telnet, FTP, or HTTP, they need to do
one of the following:
Figure: Virtual Telnet topology. The PIX Firewall sits between the Internet side,
192.168.0.0/24 (addresses .1 and .2), and the inside network 10.0.0.0/24 (.1, the
AAA server at .3, and the file server \\Superserver).
The virtual Telnet option provides a way to pre-authenticate users who require
connections through the PIX Firewall using services or protocols that do not
support authentication. The virtual Telnet IP address is used both to authenticate
in and authenticate out of the PIX Firewall.
When an unauthenticated user Telnets to the virtual IP address, the user is
challenged for the username and password, and then authenticated with the
TACACS+ or RADIUS server. Once authenticated, the user sees the message
Authentication Successful and the authentication credentials are cached in the
PIX Firewall for the duration of the user authentication (uauth) timeout.
If a user wishes to log out and clear the entry in the PIX Firewall uauth cache, the
user can again Telnet to the virtual address. The user is prompted for a username
and password, the PIX Firewall removes the associated credentials from the uauth
cache, and the user receives a Logout Successful message.
In the previous figure, the user wants to establish a NetBIOS session on port 139
to access the file server named Superserver. The user telnets to the virtual Telnet
address at 192.168.0.5, and is immediately challenged for a username and
password before being authenticated with the TACACS+ AAA server. Once
authenticated, the PIX Firewall allows the user to connect to the file server
without re-authentication.
When using virtual Telnet to authenticate inbound clients, the IP address must be
an unused global address. When using virtual Telnet to authenticate outbound
clients, the IP address must be an unused global address routed directly to the PIX
Firewall.
The syntax for the virtual telnet command is as follows:
virtual telnet ip_address
ip_address
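The login, timeout and logout behaviour described above, as an added example that is not part of the Cisco course material: a Python model of the uauth cache for one virtual Telnet address. A user without a live entry who Telnets to the address is challenged and, on success, gets an entry that lives for the uauth timeout; a user with a live entry who Telnets to it again is logged out; a service the firewall cannot challenge in-band (NetBIOS on tcp/139 in the figure) passes only from a source with a live entry. The AAA check is a constructed stand-in for the TACACS+/RADIUS server, the clock is injected so the timeout can be exercised deterministically, and the failure message string is mine; the text does not say whether the logout Telnet verifies the password, and this model does not.

```python
"""Model of the PIX uauth cache driven by virtual Telnet logins and logouts.

Added example, not from the Cisco course. Reproduces the login / timeout /
logout toggle the text describes for a single virtual Telnet address.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class UauthEntry:
    username: str
    expires_at: float       # absolute time on the injected clock


class VirtualTelnet:
    def __init__(self, virtual_ip: str, uauth_timeout_secs: float,
                 aaa_check: Callable[[str, str], bool],
                 clock: Callable[[], float]):
        self.virtual_ip = virtual_ip
        self.timeout = uauth_timeout_secs
        self.aaa_check = aaa_check      # stand-in for the TACACS+/RADIUS server
        self.clock = clock
        self.uauth: Dict[str, UauthEntry] = {}   # keyed by client IP address

    def _expire(self) -> None:
        """Drop entries whose uauth timeout has elapsed."""
        now = self.clock()
        for ip in [ip for ip, e in self.uauth.items() if e.expires_at <= now]:
            del self.uauth[ip]

    def is_authenticated(self, src_ip: str) -> bool:
        self._expire()
        return src_ip in self.uauth

    def telnet(self, src_ip: str, dst_ip: str, username: str, password: str) -> str:
        """Telnet from src_ip to dst_ip; returns the message the user sees."""
        if dst_ip != self.virtual_ip:
            raise ValueError("this model only handles the virtual Telnet address")
        self._expire()
        if src_ip in self.uauth:
            # A second Telnet while an entry is live is a logout request.
            del self.uauth[src_ip]
            return "Logout Successful"
        if not self.aaa_check(username, password):
            return "Authentication Failed"          # message text is constructed
        self.uauth[src_ip] = UauthEntry(username, self.clock() + self.timeout)
        return "Authentication Successful"

    def permits(self, src_ip: str, service: str) -> bool:
        """A service the firewall cannot challenge passes only from a pre-authenticated source."""
        return self.is_authenticated(src_ip)


if __name__ == "__main__":
    # Constructed account store and a fixed clock for a stand-alone run.
    accounts = {"smith": "2bon2b"}
    vt = VirtualTelnet("192.168.0.5", 300, lambda u, p: accounts.get(u) == p, lambda: 0.0)
    print(vt.telnet("10.0.0.7", "192.168.0.5", "smith", "2bon2b"))
    print("tcp/139 permitted:", vt.permits("10.0.0.7", "netbios-ssn"))
```

The toggle is the part worth noticing operationally: a user who Telnets to the virtual address "to check" whether they are logged in logs themselves out, and a timeout of zero would never leave a usable entry behind.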
Virtual HTTP
Virtual HTTP solves the problem of http
requests failing when web servers require
credentials that differ from those required by
the PIX Firewalls AAA server.
When virtual HTTP is enabled, it redirects the
browser to authenticate first to a virtual web
server on the PIX Firewall.
After authentication, the PIX Firewall forwards
the web request to the intended web server.
Virtual HTTP is transparent to the user.
2001, Cisco Systems, Inc.
www.cisco.com
CSPFA 2.012-19
With the virtual HTTP option, web browsers work correctly with the PIX
Firewalls HTTP authentication. The PIX Firewall assumes that the AAA server
database is shared with a web server and automatically provides the AAA server
and web server with the same information. The virtual HTTP option works with
the PIX Firewall to authenticate the user, separate the AAA server information
from the web clients URL request, and direct the web client to the web server.
The virtual HTTP option works by redirecting the web browsers initial
connection to an IP address, which resides in the PIX Firewall, authenticating the
user, then redirecting the browser back to the URL that the user originally
requested. This option is so named because it accesses a virtual HTTP server on
the PIX Firewall, which in reality does not exist.
This option is especially useful for PIX Firewall interoperability with Microsoft
Internet Information Server (IIS), but is useful for other authentication servers.
When using HTTP authentication to a site running Microsoft IIS that has Basic text authentication or NT Challenge enabled, users may be denied access by the Microsoft IIS server because the browser appends the string Authorization: Basic=Uuhjksdkfhk== to its HTTP GET commands. This string contains the PIX Firewall authentication credentials. Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username and password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied. Because the browser keeps replaying this header, the PIX Firewall credentials are also handed to the destination web server; virtual HTTP avoids this by keeping the AAA exchange on the PIX Firewall's own address.
To solve this problem, the PIX Firewall redirects the browser's initial connection to its virtual HTTP IP address, authenticates the user, then redirects the browser back to the URL that the user originally requested. Virtual HTTP is transparent to the user; therefore, users enter actual destination URLs in their browsers as they normally would.
Note
Do not set the timeout uauth duration to 0 seconds when using the virtual HTTP
option. This will prevent HTTP connections to the real web server.
pixfirewall(config)# virtual http 192.168.0.3
The virtual address identifies the IP address of the virtual HTTP server on the PIX Firewall. For inbound use, ip_address can be any unused global address. Access to this address must be provided by an access-list and static command pair. For outbound use, ip_address must be an address routed directly to the PIX Firewall. The syntax for the virtual http command is as follows:
virtual http ip_address [warn]
no virtual http ip_address
ip_address
warn
Authentication of Console Access
pixfirewall(config)# aaa authentication serial console MYTACACS
pixfirewall(config)# aaa authentication enable console MYTACACS
pixfirewall(config)# aaa authentication telnet console MYTACACS
pixfirewall(config)# aaa authentication ssh console MYTACACS
When the serial console option is used, changes made to the configuration from the serial console are also logged to a Syslog server.
The syntax for the console authentication command is as follows:
aaa authentication [serial | enable | telnet | ssh] console group_tag
serial
enable
telnet
ssh
console
group_tag
Use the timeout uauth command to specify how long the cache should be kept
after the user connections become idle. The timeout command value must be at
least 2 minutes. Use the clear uauth command to delete all authorization caches
for all users, which will cause them to reauthenticate the next time they create a
connection.
The inactivity and absolute qualifiers cause users to reauthenticate after either a
period of inactivity or an absolute duration. The inactivity timer starts after a
connection becomes idle. If a user establishes a new connection before the
duration of the inactivity timer, the user is not required to reauthenticate. If a user
establishes a new connection after the inactivity timer expires, the user must
reauthenticate.
The absolute timer runs continuously, but waits to reprompt the user when the
user starts a new connection, such as clicking a link after the absolute timer has
elapsed. The user is then prompted to reauthenticate. The absolute timer must be
shorter than the xlate timer, otherwise a user could be reprompted after their
session already ended.
The inactivity timer gives users the best Internet access because they are not prompted to reauthenticate regularly. Absolute timers provide security and manage PIX Firewall connections better. By being prompted to reauthenticate regularly, users manage their use of the resources more efficiently. Being reprompted also minimizes the risk that someone will use another user's access after that user leaves the workstation, as in a college computer lab. You may want to set an absolute timer during peak hours and an inactivity timer during other times.
Both an inactivity timer and an absolute timer can operate at the same time, but you should set the absolute timer duration longer than the inactivity timer. If the absolute timer is set shorter than the inactivity timer, the inactivity timer never fires. For example, if you set the absolute timer to 10 minutes and the inactivity timer to an hour, the absolute timer reprompts the user every 10 minutes, and the inactivity timer will never be started.
If you set the inactivity timer to some duration, but the absolute timer to zero, users are only reauthenticated after the inactivity timer elapses. If you set both timers to zero, users have to reauthenticate on every new connection.
Note
Do not set the timeout uauth duration to 0 seconds when using the virtual HTTP
option or passive FTP.
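The timer interaction described above, replayed as an added example (my own Python model, not Cisco code or output): it reproduces the text's scenarios and flags the configurations the chapter warns against. The user name aaauser, the second-based times and the simplification that a connection goes idle as soon as it is opened are assumptions.

```python
"""Model of the PIX Firewall uauth cache timers (added example, not Cisco code).

Replays the rules given in the text: the absolute timer runs from the moment the
user authenticated, the inactivity timer runs from the moment the user's last
connection went idle, a value of 0 disables a timer, and with both at 0 every new
connection prompts. Simplifying assumption: a connection is treated as idle as
soon as it is opened, so each new connection restarts the inactivity timer.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CachedUser:
    authenticated_at: int  # seconds: when the user last authenticated
    last_idle_at: int      # seconds: when the user's last connection went idle


class UauthCache:
    def __init__(self, absolute: int, inactivity: int) -> None:
        self.absolute = absolute      # seconds, 0 = disabled
        self.inactivity = inactivity  # seconds, 0 = disabled
        self.users: dict[str, CachedUser] = {}

    def must_reauthenticate(self, user: str, now: int) -> bool:
        entry = self.users.get(user)
        if entry is None:
            return True
        if self.absolute == 0 and self.inactivity == 0:
            return True  # no caching at all: prompt on every new connection
        if self.absolute and now - entry.authenticated_at >= self.absolute:
            return True
        if self.inactivity and now - entry.last_idle_at >= self.inactivity:
            return True
        return False

    def new_connection(self, user: str, now: int) -> bool:
        """Open a connection at time `now`; return True if the user was prompted."""
        if self.must_reauthenticate(user, now):
            self.users[user] = CachedUser(authenticated_at=now, last_idle_at=now)
            return True
        self.users[user].last_idle_at = now
        return False


def prompt_times(absolute: int, inactivity: int, times: list[int]) -> list[int]:
    """Times at which one user, opening connections at `times`, is prompted."""
    cache = UauthCache(absolute, inactivity)
    return [t for t in times if cache.new_connection("aaauser", t)]


def check_uauth_config(absolute: int, inactivity: int, xlate: int,
                       virtual_http: bool = False) -> list[str]:
    """Flag the timer combinations the text warns against."""
    warnings = []
    if absolute and absolute >= xlate:
        warnings.append("absolute timer must be shorter than the xlate timer")
    if absolute and inactivity and absolute < inactivity:
        warnings.append("absolute timer shorter than inactivity timer: inactivity never fires")
    if virtual_http and absolute == 0 and inactivity == 0:
        warnings.append("timeout uauth 0 with virtual HTTP blocks connections to the real web server")
    return warnings
```

With absolute 600 s and inactivity 3600 s, prompt_times reports a prompt every 600 s and the inactivity timer never gets a chance to fire, which is exactly the 10-minute/1-hour case in the text.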
uauth hh:mm:ss
absolute
inactivity
Use the auth-prompt command to change the AAA challenge text for HTTP,
FTP, and Telnet access. This is text that appears above the username and
password prompts that you view when logging in.
accept
reject
prompt
string
Authorization Configuration
This section discusses the configuration of the PIX Firewall for authorization.
Enable Authorization
The PIX Firewall uses authorization services with TACACS+ AAA servers that
determine which services an authenticated user can access.
exclude author_service
inbound
outbound
if_name
local_ip
local_mask
foreign_ip
foreign_mask
group_tag
Complete the following steps to add authorization rules for specific services in
CSACS:
Step 1 Click Group Setup from the navigation bar. The Group Setup window opens.
Step 2 Scroll down in Group Setup until you find IOS Commands, and select the IOS Commands check box.
Step 3
Step 4
Step 5 In the command field, enter one of the following allowable services: ftp, telnet, or http.
Step 6
Step 7
Step 8 Click Submit to add more rules, or click Submit + Restart when finished.
Complete the following steps to add authorization rules for services to specific hosts in CSACS:
Step 1 Click Group Setup from the navigation bar. The Group Setup window opens.
Step 2 Scroll down in Group Setup until you find IOS Commands, and select the IOS Commands check box.
Step 3 Under Unmatched Cisco IOS commands, select Deny.
Step 4
Step 5 In the command field, enter one of the following allowable services: ftp, telnet, or http.
Step 6 In the Arguments field, enter the IP addresses of the hosts that users are authorized to go to. Use the following format:
permit ip_addr
Step 8 Click Submit to add more rules, or click Submit + Restart when finished.
include author_service
exclude author_service
inbound
outbound
if_name
local_ip
local_mask
foreign_ip
foreign_mask
group_tag
Complete the following steps to add authorization rules for specific non-Telnet, FTP, or HTTP services in CSACS:
Step 1 Click Group Setup from the navigation bar. The Group Setup window opens.
Step 2 Scroll down in Group Setup until you find IOS Commands, and select the IOS Commands check box.
Step 3
Step 4
Step 5 In the command field, enter an allowable service using the following format: protocol/port (where protocol is the protocol number and port is the port number).
Step 6
Step 7
Step 8 Click Submit to add more rules, or click Submit + Restart when finished.
Accounting Configuration
This section demonstrates how to enable and configure accounting for all
services, select services, or no services.
Enable Accounting
include acctg_service
exclude acctg_service
inbound
outbound
if_name
local_ip
local_mask
foreign_ip
foreign_mask
group_tag
To specify the value of the acctg_service argument using the protocol/port form, enter the protocol as a number (6 for TCP, 17 for UDP, 1 for ICMP, and so on). The port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. If the protocol specified is ICMP, the port is the ICMP type, such as 8 for ICMP echo and 0 for ICMP echo-reply. For example, 6/0 selects all TCP traffic and 1/8 selects ICMP echo requests.
In PIX Firewall software versions 5.2 and higher, the match acl_name option is available in the aaa command. The aaa command can take part of its input from an access control list (ACL).
In the previous example, the ACL mylist permits all TCP traffic from network 10.0.0.0 to network 172.26.26.0. The match acl_name option in the aaa command instructs the PIX Firewall to require authentication when the action the user is trying to perform matches the actions specified in mylist. Therefore, any time a user on the 10.0.0.0 internal network uses any TCP application to access network 172.26.26.0, they will be required to authenticate. In other words, the command aaa authentication match mylist outbound MYTACACS is equivalent to aaa authentication include any outbound 10.0.0.0 255.255.255.0 172.26.26.0 255.255.255.0 MYTACACS.
Traditional aaa command configuration and functionality continue to work as in previous versions and are not converted to the ACL format. Hybrid configurations, which combine traditional configurations with the new ACL configurations, are not recommended.
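An added example (my own code, not Cisco's) that evaluates both forms of the aaa rule shown in this chapter, including the protocol/port service form described under accounting above, against a single flow. It reproduces the equivalence claimed for TCP traffic between match mylist and the include form, and also shows that the ACL form, which permits only tcp, does not cover UDP flows that include any would. First-match rule order, the Flow type and the mapping of ACL source/destination onto the local/foreign hosts are assumptions; an interface name in the direction slot is not modelled.

```python
"""Evaluate PIX 'aaa' rules against a flow (added example, not Cisco code).

Handles the two rule forms shown in this chapter:
  aaa <authentication|authorization|accounting> include|exclude <service>
      inbound|outbound <local_ip> <local_mask> <foreign_ip> <foreign_mask> <group_tag>
  aaa <authentication|authorization|accounting> match <acl_name> inbound|outbound <group_tag>
<service> is any, ftp, http, telnet or protocol/port (6/80, icmp/8, 17/0; port 0 = all).
Assumptions: rules are tried in configured order and the first match decides;
for an outbound flow the ACL source is the local (inside) host, for an inbound
flow it is the foreign host; an interface name in the direction slot is not modelled.
"""
import ipaddress
from typing import NamedTuple

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
NAMED_SERVICE = {"ftp": (6, 21), "http": (6, 80), "telnet": (6, 23)}


class Flow(NamedTuple):
    direction: str   # "inbound" or "outbound"
    local_ip: str    # host on the higher-security interface
    foreign_ip: str  # host on the lower-security interface
    proto: int       # IP protocol number
    port: int        # TCP/UDP destination port, or ICMP type


def parse_service(svc: str) -> tuple:
    """Return (proto, port); None in either slot means 'any'."""
    svc = svc.lower()
    if svc == "any":
        return (None, None)
    if svc in NAMED_SERVICE:
        return NAMED_SERVICE[svc]
    proto, _, port = svc.partition("/")
    proto_num = int(proto) if proto.isdigit() else PROTO_NUM[proto]
    port_num = int(port)
    return (proto_num, None if port_num == 0 else port_num)


def in_network(ip: str, net: str, mask: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_aaa(line: str) -> dict:
    t = line.split()
    if t[0] != "aaa" or t[1] not in ("authentication", "authorization", "accounting"):
        raise ValueError(line)
    if t[2] == "match":
        return {"action": "match", "acl": t[3], "direction": t[4], "group": t[5]}
    return {"action": t[2], "service": parse_service(t[3]), "direction": t[4],
            "local": (t[5], t[6]), "foreign": (t[7], t[8]), "group": t[9]}


def parse_acl(line: str) -> dict:
    """access-list <name> permit|deny <proto> <src> <smask> <dst> <dmask> [eq <port>]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    service = (None, None) if t[3] == "ip" else parse_service(f"{t[3]}/0")
    if len(t) > 9 and t[8] == "eq":
        service = (service[0], int(t[9]))
    return {"name": t[1], "action": t[2], "service": service,
            "src": (t[4], t[5]), "dst": (t[6], t[7])}


def service_matches(service: tuple, flow: Flow) -> bool:
    proto, port = service
    if proto is not None and proto != flow.proto:
        return False
    return port is None or port == flow.port


def acl_permits(entries: list, flow: Flow) -> bool:
    src, dst = ((flow.local_ip, flow.foreign_ip) if flow.direction == "outbound"
                else (flow.foreign_ip, flow.local_ip))
    for e in entries:
        if (service_matches(e["service"], flow)
                and in_network(src, *e["src"]) and in_network(dst, *e["dst"])):
            return e["action"] == "permit"
    return False  # implicit deny at the end of every ACL


def aaa_applies(rules: list, acls: dict, flow: Flow) -> bool:
    """True if the flow is subject to the aaa rules (for authentication: must log in)."""
    for r in rules:
        if r["direction"] != flow.direction:
            continue
        if r["action"] == "match":
            if acl_permits(acls.get(r["acl"], []), flow):
                return True
            continue
        if (service_matches(r["service"], flow)
                and in_network(flow.local_ip, *r["local"])
                and in_network(flow.foreign_ip, *r["foreign"])):
            return r["action"] == "include"
    return False
```

Because the include form with a service of any covers every protocol while mylist permits only tcp, the two rules agree on web traffic but differ for a DNS query to the same network: a point to keep in mind before treating a migration to match acl_name as purely cosmetic.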
The syntax for the aaa authentication | authorization | accounting command is
as follows:
aaa authentication | authorization | accounting match acl_name inbound | outbound | if_name
group_tag
match acl_name
inbound
outbound
if_name
group_tag
Complete the following steps to view TACACS+ accounting records in CSACS:
Step 1 Click Reports and Activity from the navigation bar. The Reports and Activity window opens.
Step 2 Click TACACS+ Accounting from the Reports list to display the accounting records.
Accounting of Non-Telnet, FTP, or HTTP Traffic
The syntax for the aaa accounting command for non-Telnet, FTP, or HTTP traffic is as follows:
aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
no aaa accounting include | exclude acctg_service inbound | outbound | if_name group_tag
clear aaa [accounting [include | exclude acctg_service inbound | outbound | if_name group_tag]]
include acctg_service
exclude acctg_service
inbound
outbound
if_name
local_ip
local_mask
foreign_ip
foreign_mask
group_tag
show Commands
pixfirewall(config)# show aaa-server
The syntax for the show aaa-server and show aaa commands is as follows:
show aaa-server
clear aaa-server [group_tag]
no aaa-server group_tag (if_name) host server_ip key timeout seconds
show aaa [authentication | authorization | accounting]
group tag
if_name
host server_ip
key
timeout seconds
authentication
authorization
accounting
pixfirewall(config)# show auth-prompt
Authenticate to the Firewall
You've been Authenticated
Authentication Failed
The syntax for the show auth-prompt, show timeout uauth, and the show
virtual commands are as follows:
show auth-prompt [prompt | accept | reject]
show timeout uauth
show virtual [http | telnet]
prompt
accept
reject
timeout uauth
http
telnet
Summary
This section summarizes what you have learned in this chapter.
Authentication is who you are, authorization is what you can
do, and accounting is what you did.
The PIX Firewall supports the following AAA protocols:
TACACS+ and RADIUS.
Users are authenticated with Telnet, FTP, or HTTP by the PIX
Firewall.
Cut-through proxy technology allows users through the PIX
Firewall after authenticating.
To enable AAA, two steps must be taken:
Configure AAA on the PIX Firewall.
Install and configure CSACS on a server.
Objectives
In this lab exercise you will complete the following tasks:
Visual Objective
The following figure displays the configuration you will complete in this lab
exercise.
(Figure: lab topology. Backbone server .50 (web/FTP/TFTP) on 172.26.26.0, reached through the Internet; perimeter router (.1) and PIX Firewall e0 (.2) on 192.168.P.0; PIX Firewall e2 (.1) on 172.16.P.0; PIX Firewall e1 (.1), student workstation (.2) and AAA server (.3) on 10.0.P.0.)
Install CSACS on your Windows NT server from the CD-ROM or from the files on your hard drive, as indicated by the instructor.
When installing from files on your hard drive, complete the following:
Open the folder where the installation files are located and double-click the setup.exe program to start installation. Or choose Start>Run and enter setup.exe with a full path to the file.
Step 2
Step 3 Click Accept to accept the Software License Agreement. The Welcome window opens.
Step 4 Read the Welcome panel. Click Next to continue. The Before You Begin window opens.
Step 5 Read and then select all four check boxes for the items in the Before You Begin panel. This is a reminder of things you should do prior to installation. Click Next to continue. The Choose Destination Location window opens.
Step 6 Use the default installation folder indicated in the Choose Destination Location window by clicking Next to continue. The Authentication Database Configuration window opens.
Step 7 Verify that Check the Cisco Secure ACS database only is already selected in the Authentication Database Configuration panel. Click Next to continue.
Step 8 Enter the following information in the Cisco Secure ACS Network Access Server Details panel:
CAUTION Do not select Yes, I want to configure Cisco IOS software now in the Network Access Server Configuration panel; this only applies to Cisco IOS routers.
Step 10 Select all six items displayed in the Advanced Options panel. Click Next to continue.
Step 11 Verify that Enable Log-in Monitoring is already selected in the Active Service Initiation panel:
Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation
The CSACS interface should now be displayed in your web browser. Click User Setup to open the User Setup interface.
Step 2
Step 3
Step 4 Give the user a password by entering aaapass in both the Password and Confirm Password fields.
Step 5 Click Submit to add the new user to the CSACS database. Wait for the interface to return to the User Setup main window.
Create a group tag called MYTACACS and assign the TACACS+ protocol to it:
pixP(config)# aaa-server MYTACACS protocol tacacs+
Step 2
Step 3
Configure the PIX Firewall to require authentication for all inbound traffic:
pixP(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Step 2
Step 3
Step 4 If your web browser is open, close it. Choose File>Close from the web browser's menu.
You must now test a peer pod inbound web authentication. Open your web browser, and go to a peer's DMZ web server:
http://192.168.Q.11
Step 5 When the web browser prompts you, enter aaauser for the username and aaapass for the password. On your PIX Firewall console, you should see the following:
109001: Auth start for user '???' from 192.168.Q.10/1726 to 10.0.P.2/80
109011: Authen Session Start: user 'aaauser', sid 0
109005: Authentication succeeded for user 'aaauser' from 10.0.P.2/80 to 192.168.Q.10/1921 on interface outside
302001: Built outbound TCP connection 3928 for faddr 192.168.Q.10/1921 gaddr 192.168.P.10/80 laddr 10.0.P.3/80 (aaauser)
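The console messages above, parsed and correlated as an added example (my own code, not Cisco's). The log lines are constructed from the lab output with P=1 and Q=2, plus two extra 302001 lines to show a connection credited to a user for whom no 109005 success was seen; in a real log that can also mean the user is still in the uauth cache from an earlier window, so treat the flag as a lead rather than a verdict.

```python
"""Correlate PIX Firewall AAA syslog messages (added example, not Cisco code).

Parses the message types shown in this lab (109001, 109011, 109005, 302001) and
reports which users authenticated and which connections were built for them.
The sample lines are constructed from the lab output with P=1 and Q=2.
"""
import re
from collections import defaultdict

PATTERNS = {
    "109001": re.compile(
        r"109001: Auth start for user '(?P<user>[^']*)' from "
        r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "109011": re.compile(
        r"109011: Authen Session Start: user '(?P<user>[^']+)', sid (?P<sid>\d+)"),
    "109005": re.compile(
        r"109005: Authentication succeeded for user '(?P<user>[^']+)' from "
        r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
        r"on interface (?P<iface>\S+)"),
    "302001": re.compile(
        r"302001: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
        r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
        r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)(?: \((?P<user>[^)]*)\))?"),
}

# Constructed sample log: the lab lines with P=1, Q=2, plus two extra connections.
SAMPLE_LOG = """\
109001: Auth start for user '???' from 192.168.2.10/1726 to 10.0.1.2/80
109011: Authen Session Start: user 'aaauser', sid 0
109005: Authentication succeeded for user 'aaauser' from 10.0.1.2/80 to 192.168.2.10/1921 on interface outside
302001: Built outbound TCP connection 3928 for faddr 192.168.2.10/1921 gaddr 192.168.1.10/80 laddr 10.0.1.3/80 (aaauser)
302001: Built outbound TCP connection 3931 for faddr 192.168.2.10/1930 gaddr 192.168.1.10/80 laddr 10.0.1.3/80 (aaauser)
302001: Built outbound TCP connection 3940 for faddr 192.168.2.11/2001 gaddr 192.168.1.10/21 laddr 10.0.1.3/21 (guest)
"""


def parse_line(line: str):
    """Return (message_id, fields) for a known message, else None."""
    for msg_id, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return msg_id, m.groupdict()
    return None


def summarize(log: str) -> dict:
    """Tally auth starts, successful users, connections per user, and
    connections credited to a user with no 109005 success earlier in the log."""
    auth_starts = 0
    succeeded = set()
    connections = defaultdict(list)
    no_success_seen = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg_id, f = parsed
        if msg_id == "109001":
            auth_starts += 1
        elif msg_id == "109005":
            succeeded.add(f["user"])
        elif msg_id == "302001" and f["user"]:
            connections[f["user"]].append(int(f["conn"]))
            if f["user"] not in succeeded:
                no_success_seen.append(int(f["conn"]))
    return {"auth_starts": auth_starts, "succeeded": succeeded,
            "connections": dict(connections), "no_success_seen": no_success_seen}
```

The username in parentheses at the end of the 302001 message is what ties a built connection back to the cut-through proxy session; connections without it are ordinary, unauthenticated flows and are left out of the per-user tally.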
After a peer successfully authenticates to your PIX Firewall, display your PIX Firewall authentication statistics:
pixP(config)# show uauth
                        Current   Most Seen
Authenticated Users         1         1
Authen In Progress          0         1
user 'aaauser' at 192.168.Q.10, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
Configure the PIX Firewall to require authentication for all outbound traffic:
pixP(config)# aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Step 2
Step 3
Step 5
Step 6 If your web browser is open, close it. Choose File>Exit from the web browser's menu.
Test web outbound authentication. Open your web browser and go to the following URL:
http://172.26.26.50
Step 7 When you are prompted for a username and password, enter aaauser as the username and aaapass as the password:
User Name: aaauser
Password: aaapass
Step 8
Step 2
Step 3
aaa authentication
include any outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
include any inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
include any 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Step 6
Step 7
Step 8
Step 4
Step 5 If your web browser is open, close it. Choose File>Close from the web browser's menu.
Test that you are authenticated. Open your web browser and enter the following in
the URL field:
http://172.26.26.50
Step 7 If your web browser is open, close it. Choose File>Close from the web browser's menu.
Test that you are not authenticated and need to reauthenticate. Open your web
browser and enter the following in the URL field:
http://172.26.26.50
Step 8
When you are prompted, enter aaauser for the username and aaapass for the
password.
Step 2
Step 3
Step 4
Step 5
Step 7
Step 8
Set the message that users get when their authentication is rejected:
pixP(config)# auth-prompt reject Authentication Failed, Try Again
Step 9
auth-prompt
Please Authenticate
You've been Authenticated
Authentication Failed, Try Again
Step 11 Telnet to the Virtual Telnet IP address to test your new authentication prompts.
Configure the PIX Firewall to require authorization for all outbound FTP traffic:
pixP(config)# aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Step 2 Configure the PIX Firewall to require authorization for all outbound ICMP traffic:
pixP(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Step 3
Step 4
Step 7
Step 8 Verify that your user belongs to the selected group. Click Users in Group to display the users under that group. The following information should be shown for the user:
User: aaauser
Status: Enabled
Step 9
Step 10 Scroll down in Group Settings until you find IOS Commands, and select the IOS
220-FTP authentication :
220
User (172.26.26.50:(none)): aaauser@ftpuser
331-Password:
331
Password: aaapass@ftppass
230-220 172.26.26.50 FTP server ready.
331-Password required for ftpuser
230-User ftpuser logged in.
230
ftp>
Configure the PIX Firewall to perform accounting for all outbound traffic:
pixP(config)# aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Step 2
Step 3
Step 4
Step 5 View the accounting records. On CSACS, click Reports and Activity to open the Reports and Activity interface.
Step 6
Step 7 Click the TACACS+ Accounting active.csv link to open the accounting records. You should see the following:
Date     Time      User-Name  Group-Name     Caller-Id  Acct-Flags  NAS-Portname  NAS-IP-Address  cmd
4/27/00  11:14:45  aaauser    Default Group  10.0.P.2   start       PIX           10.0.P.1        ftp
Step 8
If your web browser is open, close it. Choose File>Exit from the web browser's menu.
Test web outbound accounting. Open your web browser and enter the following in the URL field:
http://172.26.26.50
Step 9
Step 10 Click the TACACS+ Accounting active.csv link to open the accounting records.
(Table: the Time and User-Name values of these rows did not survive extraction.)
Date     User-Name  Caller-Id  Acct-Flags  NAS-Portname  NAS-IP-Address  cmd
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   stop        PIX           10.0.0.1        http
4/27/00             10.0.0.2   stop        PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        http
4/27/00             10.0.0.2   start       PIX           10.0.0.1        ftp
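An added example (my own code, not CSACS output or code) that reads accounting records in the column layout shown above and pairs each start with the following stop for the same user, caller and command, reporting session durations and the sessions that were never closed. The CSV rows are constructed sample data for pod 1.

```python
"""Reconcile TACACS+ accounting start/stop records (added example, not CSACS code).

Reads the column layout of the CSACS active.csv shown above and pairs every
'start' with the next 'stop' for the same (user, caller, cmd), giving session
durations and a list of sessions that were never closed. Rows are constructed
sample data for pod 1.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

SAMPLE_CSV = """\
Date,Time,User-Name,Group-Name,Caller-Id,Acct-Flags,NAS-Portname,NAS-IP-Address,cmd
4/27/00,11:14:45,aaauser,Default Group,10.0.1.2,start,PIX,10.0.1.1,ftp
4/27/00,11:20:03,aaauser,Default Group,10.0.1.2,start,PIX,10.0.1.1,http
4/27/00,11:20:04,aaauser,Default Group,10.0.1.2,start,PIX,10.0.1.1,http
4/27/00,11:20:09,aaauser,Default Group,10.0.1.2,stop,PIX,10.0.1.1,http
4/27/00,11:20:11,aaauser,Default Group,10.0.1.2,stop,PIX,10.0.1.1,http
4/27/00,11:31:40,aaauser,Default Group,10.0.1.2,stop,PIX,10.0.1.1,ftp
4/27/00,11:35:02,guest,Default Group,10.0.1.9,start,PIX,10.0.1.1,ftp
"""


def load_records(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(records: list) -> dict:
    """Pair start/stop flags per (user, caller, cmd), oldest start first."""
    open_starts = defaultdict(list)  # (user, caller, cmd) -> [start timestamps]
    completed = defaultdict(list)    # user -> [(cmd, duration_seconds)]
    orphan_stops = []                # stops with no matching start
    for r in records:
        key = (r["User-Name"], r["Caller-Id"], r["cmd"])
        ts = datetime.strptime(f'{r["Date"]} {r["Time"]}', "%m/%d/%y %H:%M:%S")
        if r["Acct-Flags"] == "start":
            open_starts[key].append(ts)
        elif r["Acct-Flags"] == "stop":
            if open_starts[key]:
                started = open_starts[key].pop(0)
                completed[r["User-Name"]].append(
                    (r["cmd"], int((ts - started).total_seconds())))
            else:
                orphan_stops.append(key)
    unclosed = {k: len(v) for k, v in open_starts.items() if v}
    return {"completed": dict(completed), "unclosed": unclosed,
            "orphan_stops": orphan_stops}
```

A start with no stop long after the uauth and xlate timeouts usually means the firewall never sent the stop record (reload, or the AAA server was unreachable at the time), which is worth knowing before anyone bills or audits from these records.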
13
Overview
This chapter describes the event notification and alarm reporting features in Cisco
Secure Policy Manager (CSPM).
This chapter includes the following topics:
Objectives
Event notification
Alarm reporting
Summary
Objectives
This section lists the chapter's objectives.
www.cisco.com
CSIDS 2.113
Event Notification
This section discusses the event notification features, e-mail notification, script
execution, and how to configure these features within CSPM.
Features
The Cisco Intrusion Detection System (CIDS) is able to notify network security administrators via e-mail. The e-mail notification feature provides a method to notify network security administrators while they are away from the CSPM host. The e-mail message can be customized to provide a detailed or brief message regarding the alarm generated.
CIDS also has a script execution feature that enables network security administrators to create and execute custom scripts. The CSPM host passes alarm arguments to the script, which handles the arguments. Network security administrators could, for example, create a script that generates an SNMP trap, which could then be sent to a central network management station (NMS).
Both the e-mail notification method and script execution are assigned per alarm severity level. CSPM provides three alarm severity levels: low, medium, and high. E-mail notification and script execution can be performed simultaneously for the same alarm severity level. For instance, you could assign an e-mail to be sent to the network security administrator for high-level alarms and also have a script executed that sends an SNMP trap to the NMS.
E-mail Notification
(Figure: the Sensor on the untrusted network, the targets, the hacker, CSPM, and the SMTP server.)
The illustration demonstrates how the e-mail notification process occurs. The
sensor detects an attack launched by the hacker and generates an alarm that is sent
to CSPM. Based on the severity of the attack, CSPM generates an e-mail message
and forwards the message to a Simple Mail Transfer Protocol (SMTP) server. The
SMTP server delivers the message to the defined recipients. CSPM also enables
you to specify multiple e-mail recipients.
Configuration Tasks
Add an SMTP server to the Network Topology Tree (NTT). This task may involve adding a new network to the CSPM NTT.
Note
Add an SMTP server only if one does not already exist in the NTT.
Choose the CIDS event alarm severity level. Notification can be configured per alarm severity level.
Define the message subject and content. Customize the subject and content of the e-mail message.
Choose the E-mail notification method and assign e-mail recipients. Select e-mail as the notification method and assign who will receive the e-mail messages.
Save the changes to CSPM. This task saves the configuration changes made to CSPM and enables the notification feature.
(Slide callouts: Right-click and choose New>Host; Select the network.)
To add a new SMTP host to the CSPM NTT, perform the following tasks:
Step 1 Select the network in the NTT.
If the SMTP server does not exist in a defined network within the NTT, a new network object must be created.
Step 2 Right-click and choose New>Host. The Host window opens in the right pane.
Step 3 Rename the hostname in the NTT. (This step is recommended but not required.)
(Slide callouts: Enter the IP Address; Click Add.)
Step 4 Enter the IP address in the IP Addresses field.
Step 5 Click the Add button. The IP address appears in the list box below the IP Addresses field.
(Slide callouts: Click Add; Choose SMTP.)
Step 6 Click the Add button associated with the Resident Client/Server products. The Add Client/Server Product window opens.
Step 7 Choose SMTP.
Step 8
The default product name is the product name with a version number appended
(for example, SMTP 1).
(Slide callouts: Click SMTP; Rename Service Name; Click OK.)
Step 9 Click the SMTP product name tab. The SMTP general settings screen opens.
(Slide callouts: Select CSPM Host; Choose SMTP server.)
The CSPM host must know about an SMTP host before the e-mail notification can be enabled. To assign an SMTP server to the CSPM host, perform the following tasks:
Step 1 Select the CSPM host from the NTT. The CSPM general window opens.
Step 2 Choose the SMTP server from the SMTP Server drop-down menu.
Step 3
Step 4
Configure Notification
(Slide callout: Choose Tools>Configure Notification.)
CSPM has been configured to enable the e-mail notification feature. Now the e-mail notification feature itself needs to be configured. To configure the e-mail notification feature, perform the following tasks:
Step 1 Choose Tools>Configure Notification.
(Slide callouts: Choose the alarm severity; Select Log event and issue notification specified below.)
CSPM is able to log and notify on events including CIDS events. CIDS notification is handled by selecting IDS Events.
Note
For more information regarding CSPM notifications, refer to the Cisco Secure Policy Manager Configuring Notification and Reporting documentation.
Step 2 Select IDS Events from the Select Event Category group box.
Step 3 Choose the alarm severity level from the Event Description column.
Note
Notification is assigned per alarm severity level. You have to configure each alarm severity level individually.
Step 4 Select Log event and issue notification specified below from the Event Disposition group box. The Notification Scheduling, Notification Message, and Notification Methods group boxes appear.
(Slide callout: Assign values.)
CIDS enables the network security administrator to configure when a CIDS alarm
triggers a notification method. The following table identifies the configurable
scheduling parameters.
Scheduling Parameter / Description (table: only the value 19998 for each of the three parameters survived extraction)
The initial notification is generated after five occurrences of the CIDS event are triggered. The next notification is generated after the tenth subsequent CIDS event, that is, at the fifteenth actual event. The CIDS event counter is reset after two hours.
(Slide callouts: Click Message; Enter information in the Subject and Message fields.)
The body of the message can be customized with alarm data. The following tables identify the alarm variables that can be defined in the body of the e-mail message.

Applicable to All CIDS Event Types
Alarm Variable  Description
${MsgType}  Event type: 2 = Error, 3 = Command, 4 = Alarm
${RecordID}
${GlobalTime}
${LocalTime}  Sensor local timestamp for when the event was generated (expressed in seconds since midnight, January 1, 1970).
${DateStr}  Sensor local date stamp for when the event was generated (in YYYY/MM/DD format).
${TimeStr}  Sensor local timestamp for when the event was generated (in HH:MM:SS format).
${ApplID}
${HostID}
${OrgID}
${MsgCount}

Alarm Events
Alarm Variable  Description
${SrcDirection}
${DstDirection}
${AlarmLevel}
${SigID}
${SubSigID}
${ProtocolType}
${SrcIpAddr}
${DstIpAddr}
${SrcIpPort}
${DstIpPort}
${RouterIpAddr}
${AlarmDetails}

Command Events
Alarm Variable  Description
${CmdApplID}
${CmdHostID}
${CmdOrgID}
${CmdMsg}

Error Events
Alarm Variable  Description
${ErrMsg}
(Slide callout: Select E-Mail.)
Step 5 Select E-Mail in the Notification Methods group box. The Addresses button becomes available for selection.
Note
The e-mail notification method is grayed out if an SMTP server has not been assigned to the CSPM host.
Note
The e-mail notification and script execution notification methods can be enabled simultaneously.
(Slide callouts: Click Addresses; Enter the e-mail addresses of the recipients; Click Add.)
Now you need to assign who will receive the e-mail messages once the notification is triggered based on the notification scheduling values.
Step 6 Click the Addresses button.
Step 7 Enter the e-mail addresses of the recipients in the Recipient(s) text box.
The addresses can be comma delimited. There is a 30-character limit for the Recipient(s) text box. Use the Add feature to add additional e-mail addresses to overcome this limitation.
Step 8 Click the Add button to add the recipient. You can add multiple recipients by repeating Step 7 and this step.
Step 9 Click the OK button when you finish adding all e-mail recipients.
(Slide callout: Click Apply.)
Step 10 Click the Apply button. The configuration is applied and the Apply button is grayed out.
To enable the notification feature, the configuration setting changes must be saved
in CSPM.
Step 11 Click the Save button on the toolbar.
Script Execution
(Figure: the Sensor on the untrusted network, the targets, the hacker, CSPM, and the script script.bat.)
The figure demonstrates how the script execution process occurs. The Sensor
detects an attack launched by the hacker and generates an alarm, which is sent to
CSPM. Based on the severity of the attack, CSPM executes a script. CSPM then
passes alarm arguments to the script or program, and the script parses the
arguments and performs the defined actions.
Note
The script must be executable. The script can be a binary executable (that is, a
program).
Configuration Tasks
Choose the CIDS event alarm severity level.
Choose the log event and issue notification disposition.
Assign the notification scheduling values.
Choose the script notification method.
Assign the scripts to be executed.
Apply the notification configuration.
Save the changes to CSPM. This task saves the configuration changes made to CSPM and enables the notification feature.
Configure Notification
(Slide callout: Choose Tools>Configure Notification.)
Step 1 Choose Tools>Configure Notification.
(Slide callouts: Select the Alarm Severity; Select Log event and issue notification specified below.)
CSPM is able to log and notify on events including CIDS events. CIDS notification is handled by selecting IDS Events.
Note
For more information regarding CSPM notifications, refer to the Cisco Secure Policy Manager Configuring Notification and Reporting documentation.
Step 2 Select IDS Events from the Select Event Category group box.
Step 3 Select the alarm severity level from the Event Description column.
Note
Notification is assigned per alarm severity level. You will have to configure each alarm severity level individually.
Step 4 Select Log event and issue notification specified below from the Event Disposition box. The Notification Scheduling, Notification Message, and Notification Methods group boxes appear.
(Slide callout: Assign values.)
CIDS enables the network security administrator to configure when a CIDS alarm
triggers a notification method. The following table identifies the configurable
scheduling parameters.
Scheduling Parameter / Description (table: only the value 19998 for each of the three parameters survived extraction)
The initial notification is generated after five occurrences of the CIDS event are triggered. The next notification is generated after the tenth subsequent CIDS event, that is, at the fifteenth actual event. The CIDS event counter is reset after two hours.
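The scheduling rule described above (and identically in the e-mail notification section), as an added example in Python (my own model, not CSPM code). An initial count of 5, an interval of 10 and a two-hour reset reproduce the 5th/15th/25th-event behaviour; measuring the reset period from the first counted event, and treating an interval of 0 as "notify once per window", are assumptions.

```python
"""Model of CSPM notification scheduling (added example, not CSPM code).

Three parameters: the event count at which the first notification is issued,
the number of further events between later notifications, and the period after
which the event counter is reset. Assumptions: the reset period is measured
from the first event counted in the current window, and a reset makes the
triggering event the first of a new window.
"""


class NotificationScheduler:
    def __init__(self, initial_count: int, interval: int, reset_seconds: int) -> None:
        self.initial_count = initial_count
        self.interval = interval
        self.reset_seconds = reset_seconds
        self.count = 0
        self.window_start = None

    def event(self, t: float) -> bool:
        """Count one CIDS event at time t (seconds); True if a notification is issued."""
        if self.window_start is None or t - self.window_start >= self.reset_seconds:
            self.window_start = t   # reset: this event starts a new count
            self.count = 0
        self.count += 1
        if self.count < self.initial_count:
            return False
        if self.interval == 0:
            return self.count == self.initial_count  # assumption: notify once per window
        return (self.count - self.initial_count) % self.interval == 0


def notified_positions(times: list, initial_count: int = 5, interval: int = 10,
                       reset_seconds: int = 2 * 3600) -> list:
    """1-based positions in `times` of the events that triggered a notification."""
    scheduler = NotificationScheduler(initial_count, interval, reset_seconds)
    return [i for i, t in enumerate(times, 1) if scheduler.event(t)]
```

The second assertion below is the reset case: twenty events in one window, then eight more after the two-hour period, so the count restarts and the 25th event overall is only the fifth of its window.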
Step 5 Select Script in the Notification Methods group box. The Name button becomes available for selection.
Note
The script notification method can function properly without an SMTP server defined in the NTT.
The e-mail notification and script execution notification methods can be enabled simultaneously.
(Slide callouts: Click Name; Enter the script name; Click Add.)
Now you need to assign the name of the script to be executed once the
notification is triggered based on the notification scheduling values.

Step 6 Click the Name button in the Notification Methods group box. The Notification
Script(s) window opens.

Step 7 Enter the location and names of the scripts in the Script Name(s) text box.

Note: It is recommended to enter the full path name of the location of the script. If the full
path name is not given, CSPM will attempt to locate the script in the system
executable path. The system path is defined by the PATH system variable. Relying on
that search means whoever can place an executable of the same name earlier in the CSPM
host's PATH controls what runs on every notification, so give the full path and keep the
script in a directory writable only by administrators.

The script must be executable by the CSPM host, and it is responsible for parsing
the arguments passed to it by CSPM. The tables below identify the arguments that
will be passed to the script.

Note: The arguments are sent to the script in the order listed. The arguments sent to the
script depend on the IDS event type, except for the variables that apply to all IDS
event types.
Variable            Description
${MsgType}          Message type: 2 = Error, 3 = Command, 4 = Alarm

Alarm Variable      Description
${RecordID}
${GlobalTime}
${LocalTime}        Sensor local timestamp for when the event was generated, expressed
                    in seconds since midnight, January 1, 1970.
${DateStr}          Sensor local date stamp for when the event was generated, in
                    YYYY/MM/DD format.
${TimeStr}
${ApplID}
${HostID}
${OrgID}
${MsgCount}

Note: The message count is passed in as the last parameter in the argument list for all
event types.

Alarm Variable      Description
${SrcDirection}
${DstDirection}
${AlarmLevel}
${SigID}
${SubSigID}
${ProtocolType}
${SrcIpAddr}
${DstIpAddr}
${SrcIpPort}
${DstIpPort}
${RouterIpAddr}
${AlarmDetails}

Command Variable    Description
${CmdApplID}
${CmdHostID}
${CmdOrgID}
${CmdMsg}

Error Variable      Description
${ErrMsg}
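Since the script has to parse the positional arguments itself, and every alarm field except the sensor identifiers is derived from traffic an attacker sent, the handler is the point where untrusted data enters an administrative host. The following skeleton is an added example, not Cisco's code: it assumes the arguments arrive in the order of the tables above (`${MsgType}` first, the variables from the first table, then the type-specific variables, `${MsgCount}` last; only the last point is stated by the text), validates the fields an automated response might act on, and substitutes `${Var}` tokens in a single pass so a field that itself contains `${...}` is never expanded. The sample invocation is constructed.

```python
"""Skeleton CSPM script-notification handler.  Added example, not Cisco code.
CSPM passes event fields as positional arguments; the order assumed here
(MsgType, the variables common to all types, the type-specific variables,
MsgCount last) is an assumption except for MsgCount being last."""
import ipaddress
import re
import sys

MSG_TYPES = {"2": "Error", "3": "Command", "4": "Alarm"}

COMMON = ["RecordID", "GlobalTime", "LocalTime", "DateStr", "TimeStr",
          "ApplID", "HostID", "OrgID"]
SPECIFIC = {
    "Alarm": ["SrcDirection", "DstDirection", "AlarmLevel", "SigID", "SubSigID",
              "ProtocolType", "SrcIpAddr", "DstIpAddr", "SrcIpPort", "DstIpPort",
              "RouterIpAddr", "AlarmDetails"],
    "Command": ["CmdApplID", "CmdHostID", "CmdOrgID", "CmdMsg"],
    "Error": ["ErrMsg"],
}
TOKEN = re.compile(r"\$\{([A-Za-z]+)\}")


def parse_args(argv):
    """Map the positional arguments to variable names.  Raises ValueError on an
    unknown MsgType or a wrong argument count so a malformed call fails loudly
    instead of being silently mis-parsed."""
    if not argv:
        raise ValueError("no arguments")
    kind = MSG_TYPES.get(argv[0])
    if kind is None:
        raise ValueError("unknown MsgType %r" % argv[0])
    names = ["MsgType"] + COMMON + SPECIFIC[kind] + ["MsgCount"]
    if len(argv) != len(names):
        raise ValueError("expected %d arguments for %s, got %d"
                         % (len(names), kind, len(argv)))
    event = dict(zip(names, argv))
    event["MsgType"] = kind
    return event


def validate_alarm(event):
    """Check the fields a response script might act on.  They come from
    observed packets, so treat them as attacker-influenced: never splice
    them into a shell command or SQL text."""
    for key in ("SrcIpAddr", "DstIpAddr"):
        ipaddress.ip_address(event[key])          # ValueError if not an IP
    for key in ("SrcIpPort", "DstIpPort", "SigID", "AlarmLevel", "MsgCount"):
        if not event[key].isdigit():
            raise ValueError("%s is not numeric: %r" % (key, event[key]))
    return True


def render(template, event):
    """Substitute ${Var} tokens (case sensitive) the way the notification
    message does.  One regex pass: a value containing "${HostID}" is copied
    literally, not expanded.  Unknown tokens are left untouched."""
    return TOKEN.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)


# The lab's notification message, used here to show the substitution
TEMPLATE = ("Sensor ${HostID} detected Signature ${SigID} launched by "
            "${SrcIpAddr}:${SrcIpPort} against ${DstIpAddr}:${DstIpPort} "
            "at ${TimeStr} on ${DateStr}.")

# Constructed sample invocation: an Alarm (MsgType 4) for signature 3041
SAMPLE_ARGV = ["4", "1017", "988000000", "987982000", "2001/04/23", "10:13:20",
               "10003", "3", "100",
               "IN", "OUT", "5", "3041", "0", "TCP", "10.0.1.50", "172.30.1.4",
               "40123", "80", "0.0.0.0", "SYN/FIN packet", "1"]

if __name__ == "__main__":
    ev = parse_args(sys.argv[1:] or SAMPLE_ARGV)
    if ev["MsgType"] == "Alarm":
        validate_alarm(ev)
        print(render(TEMPLATE, ev))
```

Whatever the script goes on to do (block a source on a router, open a ticket), pass the validated values as discrete arguments to the next program, never through a shell string built from `${AlarmDetails}` or the address fields.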
Step 8 Click the Apply button. The configuration is applied and the Apply button is
grayed out.

To enable the script execution feature, the configuration setting changes must be
saved in CSPM.

Step 9
Alarm Reporting
This section discusses the alarm reporting feature of CSPM.

Features
Reports generated from CSPM database
Reports accessible remotely via HTTP, HTTPS, and the CSPM View Reports feature
Customizable reports
Summary Reports
Top n Reports
Sensor Reports
Day and Hour Reports
Correlation Reports

CSPM has a powerful alarm reporting feature that provides the network security
administrator with the tool to generate custom CIDS reports. The alarm reports
are generated from the data in the CSPM alarm database.

Note: Reports cannot currently be generated from archived or offline CIDS log files.

HTTP: The reports can be accessed remotely via a web browser using the
HTTP protocol. This method is not recommended because the login credentials and the
report data are sent in clear text.

HTTPS: The reports can be accessed remotely via a web browser using Secure
Sockets Layer (SSL), which provides an encrypted session. It is recommended to use
this method when accessing and generating reports outside of CSPM.
[Figure: CSPM Reports index listing Top Alarms, Alarm Source, Alarm Destination,
Alarms, Alarms by Hour, Alarms by Day, and Alarms by Sensor]
To view the CIDS alarm reports from within CSPM, perform the following tasks:

Step 1 Choose Tools>View Reports from the main menu. The Cisco Secure Policy
Manager Reports window opens in the right pane.

On Demand Reports

Step 2 Click the On Demand button. The CSPM Reports index window opens in the
right pane.

Note: The remaining discussion focuses on accessing the reports via a web browser.
The same alarm reports can be generated from within CSPM.
The alarm reports can be accessed remotely via HTTP. However, this method is
considered insecure because the login information and the report data will
traverse the network in the clear, so anyone who can capture traffic on the path
obtains a valid CSPM account. This method may be acceptable only on an out-of-band
management network.

To access reports via HTTP, perform the following tasks:

Step 1
Step 2
Step 3 Select the report to generate. The Enter Network Password window opens.
Step 4 Log in with a valid CSPM user account with privileges to generate and view
reports.

Note

The alarm reports can be accessed remotely and securely via HTTPS. The HTTPS
method uses Secure Sockets Layer (SSL) to ensure privacy. SSL protects the session
only if the browser verifies the server certificate; clicking through a certificate
warning hands the login to whatever host answered.

To access reports via HTTPS, perform the following tasks:

Step 1
Step 2
or
https://director0:443
Step 3 Select the report to generate. The Enter Network Password window opens.
Step 4 Log in with a valid CSPM user account with privileges to generate and view
reports.

Note
Report Filters

Every alarm report has the same time filter and signature category filters; the
reports listed at the end of this section also have an Alarm Count filter.

Time filter:
Since dawn of time: The default selection that will query the database
for the oldest possible record.

Signature category filters:
RPC-based Application Signatures
SATAN Signatures
DNS Signatures
Finger Signatures
SMTP/Sendmail Signatures
FTP Signatures
SSH Signatures
ICMP Signatures
IDENT Signatures
IMAP Signatures
INN Signatures
Telnet Signatures
IP Header Signatures
Loki Signatures
POP Signatures
WWW Signatures
Rlogin Signatures
Authorization Failure Signatures

Reports with the time and signature category filters only:
Intrusion Detection Summary
Top Sources of Alarm
Top Destination of Alarm
Top Alarms
Top Source Destination Pairs of Alarms

Reports that additionally have an Alarm Count filter (a numeric value must be
entered in the Alarm Count text box):
Alarm Source
Alarm Destination
Alarms
Alarm Source Destination Pair
Alarms by Hour
Alarms by Day
Alarms by Sensor
Sensor Alarm Correlation
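The filters above are a time lower bound ("since dawn of time" meaning no bound), a set of signature categories, and, for the per-entity reports, a minimum alarm count. The following is an added example, not CSPM's report engine, showing those filters and a few of the report aggregations (Top Sources of Alarm, Alarm Source with an Alarm Count, Alarms by Hour, Alarms by Sensor, the Alarms by Level summary) over constructed alarm records; the record field names are assumptions, not CSPM's database schema.

```python
"""Alarm report aggregation with the time, signature category and Alarm Count
filters.  Added example on constructed records; field names are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed sample alarms (sensor-local time, alarm level 1-5)
RAW = [
    ("2001/04/23 09:12:01", 5, 3041, "IP Header Signatures",            "10.0.1.50", "172.30.1.4", "sensor1"),
    ("2001/04/23 09:15:40", 4, 2153, "ICMP Signatures",                 "10.0.1.50", "172.30.1.4", "sensor1"),
    ("2001/04/23 09:16:02", 4, 2153, "ICMP Signatures",                 "10.0.1.50", "172.30.1.4", "sensor1"),
    ("2001/04/23 10:01:13", 3, 5081, "WWW Signatures",                  "10.0.2.7",  "172.30.1.4", "sensor2"),
    ("2001/04/23 10:44:59", 2, 6251, "Authorization Failure Signatures", "10.0.2.7",  "172.30.1.9", "sensor2"),
    ("2001/04/22 23:58:00", 3, 5081, "WWW Signatures",                  "10.0.3.9",  "172.30.1.4", "sensor1"),
]
FIELDS = ("ts", "level", "sig", "cat", "src", "dst", "sensor")
ALARMS = [dict(zip(FIELDS, r)) for r in RAW]


def parse_ts(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


def select(alarms, since=None, categories=None):
    """Apply the time and category filters.  since=None is 'since dawn of
    time' (oldest record); categories=None keeps every signature category."""
    out = []
    for a in alarms:
        if since is not None and parse_ts(a["ts"]) < since:
            continue
        if categories is not None and a["cat"] not in categories:
            continue
        out.append(a)
    return out


def _ranked(counter, n):
    # highest count first, then key, so ties are deterministic
    return sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def top_sources(alarms, n=10):
    """Top Sources of Alarm: (Src IP Address, Count)."""
    return _ranked(Counter(a["src"] for a in alarms), n)


def alarm_source(alarms, alarm_count):
    """Alarm Source report: every source with at least alarm_count alarms
    (the Alarm Count filter)."""
    return [(s, k) for s, k in top_sources(alarms, n=None) if k >= alarm_count]


def alarms_by_level(alarms):
    """Intrusion Detection Summary, Alarms by Level: (Alarm Level, Count)."""
    return sorted(Counter(a["level"] for a in alarms).items(), reverse=True)


def alarms_by_hour(alarms):
    """Alarms by Hour summary: (Date/Hour, Count)."""
    return sorted(Counter(parse_ts(a["ts"]).strftime("%Y/%m/%d %H:00")
                          for a in alarms).items())


def alarms_by_sensor(alarms):
    """Alarms by Sensor summary: (Sensor, Count)."""
    return _ranked(Counter(a["sensor"] for a in alarms), None)


if __name__ == "__main__":
    today = select(ALARMS, since=parse_ts("2001/04/23 00:00:00"))
    print(top_sources(today))
    print(alarm_source(ALARMS, alarm_count=2))
    print(alarms_by_hour(today))
```

The `since` bound is compared on parsed timestamps, not on the strings, so a record stamped in a different format is rejected loudly by `strptime` instead of sorting into the wrong place.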
Sample Reports
This section has CIDS sample reports that can be generated.

Intrusion Detection Summary
This is a sample IDS Intrusion Detection Summary report. The report has the
following sections:
Alarms by Level: Alarm Level, Count
Alarm Level, Src Dir, Dest Dir, Count, Percent
Alarm Level, Signature Category, Count, Percent

Top Source
This is a sample IDS Top Source report. The report has the following sections:
Summary: Alarm Level, Count, Src IP Address
Details: Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent, Most Recent

Top Source Destination Pair
This is a sample IDS Top Source Destination Pair report. The report has the
following sections:
Summary: Alarm Level, Count, Src IP Address, Dest IP Address
Details: Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent, Most Recent

Alarms
This is a sample IDS Alarms report. The report has the following section:
Summary: Alarm Level, Count, Signature

Alarm Source
This is a sample IDS Alarm Source report. The report has the following sections:
Summary: Alarm Level, Count, Src IP Address
Details: Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent, Most Recent

Alarm Source Destination Pair
This is a sample IDS Alarm Source Destination Pair report. The report has the
following sections:
Summary: Alarm Level, Count, Src IP Address, Dest IP Address
Details: Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent, Most Recent

Alarm by Day
This is a sample IDS Alarm by Day report. The report has the following sections:
Summary: Date, Alarm Level, Count
Details: Date, Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent

Alarm by Hour
This is a sample IDS Alarm by Hour report. The report has the following sections:
Summary: Date/Hour, Alarm Level, Count
Details: Date/Hour, Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent

Alarm by Sensor
This is a sample IDS Alarm by Sensor report. The report has the following
sections:
Summary: Sensor, Alarm Level, Count
Details: Sensor, Alarm Level, Count, Src IP Address, Dest IP Address, Signature, Percent, Most Recent
Summary
This section summarizes the event notification and alarm reporting features in
CSPM.

Notification processing is done by the CSPM host.
An SMTP server must exist in the NTT to perform CSIDS e-mail notification.
Custom scripts can be executed after an alarm is detected.
CSPM provides CIDS HTML and text alarm reports.
Alarm reporting is provided over HTTP or HTTPS.
Lab Exercise
Complete the following laboratory exercises to practice what you learned in this
chapter.

Objectives
In this lab you will complete the following tasks:

Visual Objective
This figure displays the information you will need to complete this laboratory
exercise.

[Figure: lab topology. Pod P and peer pod Q are mirror images joined by the
172.30.1.0/24 network. In pod P: router rP with e0/1 at .10P on 172.30.1.0/24 and
e0/0 at .1 on 10.0.P.0/24; sensorP and idsmP (addresses .4 and .6 in the figure);
CSPM host 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP);
SMTP/POP server 10.0.P.10. Pod Q uses 10.0.Q.0/24, rQ, sensorQ, idsmQ, CSPM host
10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ) and
SMTP/POP server 10.0.Q.10.]

A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to do the lab.

Step 2 Choose New>Host. A host general properties panel appears in the right pane. The
cursor focus is in the hostname box.
Step 3 Rename the host to my smtp server. The new name appears in the NTT.
Step 4
Step 5 Click the top Add button. The IP address appears in the IP address list box.
Step 6 Click the bottom Add button. The Add Client/Server Product window opens.
Step 7
Step 8
Step 9 Click the SMTP tab in the host properties pane. The SMTP properties pane
appears.
Note

Select the CSPM host, directorP, from the NTT. The CSPM host General
properties pane appears.
(where P = pod number)
Step 2
Step 3
Step 4 Click Save in the main toolbar to save the changes to the CSPM database.

Step 2
Step 3
Step 4 Choose the Event Disposition Log Event and issue notification specified
below.
Step 5
Step 6
Step 7
Step 8
Step 9 Enter the following message in the text box (the variable names will be
substituted with the actual alarm values in the message):
Sensor ${HostID} detected Signature ${SigID} launched by ${SrcIpAddr}:${SrcIpPort}
against ${DstIpAddr}:${DstIpPort} at ${TimeStr} on ${DateStr}.
Note: The variable names are case sensitive. Enter the variable names exactly as they
appear.
opens.
Step 13 Enter the e-mail addresses of the recipients as assigned by the instructor.
E-mail Address
Step 14 Click Add. The e-mail recipient's address appears.
Step 15 Click OK to close the E-mail recipients window.
Step 16 Click Apply to accept the notification settings.
Step 17 Click Save in the main toolbar to save the changes to the CSPM database.

Step 2
Step 5 Launch your web browser and enter the following in the URL field:
https://localhost/Reports
Step 2
Step 3
Step 4 Click View (Window) to generate a default report. A new web browser opens
displaying the CIDS alarm report.
Cisco Intrusion Detection System Signature Structures and Implementations

Columns: CIDS Signature ID, CIDS Signature Name, CIDS Signature Structure,
CIDS Signature Implementation. Signature 8000 rows give the sub-signature ID after
the slash. Names missing from the source are left blank.

ID          Name                                          Structure   Implementation
1000        IP options-Bad Option List                    ATOMIC      CONTEXT
1001        IP options-Record Packet Route                ATOMIC      CONTEXT
1002        IP options-Timestamp                          ATOMIC      CONTEXT
1003        IP options-Provide s, c, h, and tcc           ATOMIC      CONTEXT
1004        IP options-Loose Source Route                 ATOMIC      CONTEXT
1005        IP options-SATNET ID                          ATOMIC      CONTEXT
1006        IP options-Strict Source Route                ATOMIC      CONTEXT
1100        IP Fragment Attack                            ATOMIC      CONTEXT
1101        Unknown IP Protocol                           ATOMIC      CONTEXT
1102        Impossible IP Packet                          ATOMIC      CONTENT
1103        IP Fragments Overlap                          COMPOSITE   CONTEXT
1104        IP Localhost Source Spoof                     ATOMIC      CONTENT
1105        Broadcast Source Address                      ATOMIC      CONTENT
1106        Multicast Ip Source Address                   ATOMIC      CONTENT
1200        IP Fragmentation Buffer Full                  ATOMIC      CONTENT
1201        IP Fragment Overlap                           ATOMIC      CONTENT
1202        IP Fragment Overrun - Datagram Too Long       ATOMIC      CONTENT
1203        IP Fragment Overwrite - Data is Overwritten   ATOMIC      CONTENT
1204        IP Fragment Missing Initial Fragment          ATOMIC      CONTENT
1205        IP Fragment Too Many Datagrams                ATOMIC      CONTENT
1206        IP Fragment Too Small                         ATOMIC      CONTENT
1207        IP Fragment Too Many Frags                    ATOMIC      CONTENT
1208        IP Fragment Incomplete Datagram               ATOMIC      CONTENT
1220        Jolt2 Fragment Reassembly DoS attack          COMPOSITE   CONTENT
2000                                                      ATOMIC      CONTEXT
2001        ICMP Host Unreachable                         ATOMIC      CONTEXT
2002                                                      ATOMIC      CONTEXT
2003        ICMP Redirect                                 ATOMIC      CONTEXT
2004                                                      ATOMIC      CONTEXT
2005                                                      ATOMIC      CONTEXT
2006        ICMP Parameter Problem on Datagram            ATOMIC      CONTEXT
2007        ICMP Timestamp Request                        ATOMIC      CONTEXT
2008        ICMP Timestamp Reply                          ATOMIC      CONTEXT
2009        ICMP Information Request                      ATOMIC      CONTEXT
2010        ICMP Information Reply                        ATOMIC      CONTEXT
2011                                                      ATOMIC      CONTEXT
2012                                                      ATOMIC      CONTEXT
2100        w/Echo                                        COMPOSITE   CONTEXT
2101                                                      COMPOSITE   CONTEXT
2102                                                      COMPOSITE   CONTEXT
2150        Fragmented ICMP Traffic                       ATOMIC      CONTEXT
2151                                                      ATOMIC      CONTEXT
2152        ICMP Flood                                    COMPOSITE   CONTEXT
2153        Smurf                                         COMPOSITE   CONTEXT
2154                                                      ATOMIC      CONTEXT
3000        TCP Ports                                     ATOMIC      CONTEXT
3001                                                      COMPOSITE   CONTEXT
3002                                                      COMPOSITE   CONTEXT
3003                                                      COMPOSITE   CONTEXT
3005                                                      COMPOSITE   CONTEXT
3006                                                      COMPOSITE   CONTEXT
3010                                                      COMPOSITE   CONTEXT
3011                                                      COMPOSITE   CONTEXT
3012                                                      COMPOSITE   CONTEXT
3015                                                      COMPOSITE   CONTEXT
3016                                                      COMPOSITE   CONTEXT
3020                                                      COMPOSITE   CONTEXT
3021                                                      COMPOSITE   CONTEXT
3030                                                      COMPOSITE   CONTEXT
3031                                                      COMPOSITE   CONTEXT
3032                                                      COMPOSITE   CONTEXT
3033                                                      COMPOSITE   CONTEXT
3034                                                      COMPOSITE   CONTEXT
3035                                                      COMPOSITE   CONTEXT
3036                                                      COMPOSITE   CONTEXT
3037        Host Sweep                                    COMPOSITE   CONTEXT
3038        Fragmented NULL TCP Packet                    ATOMIC      CONTEXT
3039        Fragmented Orphaned FIN packet                ATOMIC      CONTEXT
3040                                                      ATOMIC      CONTEXT
3041        SYN/FIN Packet                                ATOMIC      CONTEXT
3042                                                      ATOMIC      CONTEXT
3043        Fragmented SYN/FIN Packet                     ATOMIC      CONTENT
3045        Queso Sweep                                   COMPOSITE   CONTEXT
3050                                                      COMPOSITE   CONTEXT
3100        Smail Attack                                  COMPOSITE   CONTENT
3101        Sendmail Invalid Recipient                    COMPOSITE   CONTENT
3102        Sendmail Invalid Sender                       COMPOSITE   CONTENT
3103        Sendmail Reconnaissance                       COMPOSITE   CONTENT
3104        Archaic Sendmail Attacks                      COMPOSITE   CONTENT
3105        Sendmail Decode Alias                         COMPOSITE   CONTENT
3106        Mail Spam                                     COMPOSITE   CONTEXT
3107        Majordomo Execute Attack                      COMPOSITE   CONTENT
3108                                                      COMPOSITE   CONTENT
3109                                                      COMPOSITE   CONTENT
3110        Suspicious Mail Attachment                    COMPOSITE   CONTENT
3150        FTP Remote Command Execution                  COMPOSITE   CONTENT
3151                                                      COMPOSITE   CONTENT
3152                                                      COMPOSITE   CONTENT
3153        FTP Improper Address Specified                ATOMIC      CONTENT
3154                                                      ATOMIC      CONTENT
3155                                                      ATOMIC      CONTENT
3156                                                      ATOMIC      CONTENT
3157                                                      COMPOSITE   CONTENT
3200                                                      COMPOSITE   CONTENT
3201                                                      COMPOSITE   CONTENT
3202                                                      COMPOSITE   CONTENT
3203                                                      COMPOSITE   CONTENT
3204                                                      COMPOSITE   CONTENT
3205                                                      COMPOSITE   CONTENT
3206                                                      COMPOSITE   CONTENT
3207                                                      COMPOSITE   CONTENT
3208        WWW campas Attack                             COMPOSITE   CONTENT
3209        WWW Glimpse Server Attack                     COMPOSITE   CONTENT
3210                                                      COMPOSITE   CONTENT
3211                                                      COMPOSITE   CONTENT
3212                                                      COMPOSITE   CONTENT
3213        WWW TEST-CGI Attack                           COMPOSITE   CONTENT
3214                                                      COMPOSITE   CONTENT
3215                                                      COMPOSITE   CONTENT
3216                                                      COMPOSITE   CONTENT
3217                                                      COMPOSITE   CONTENT
3218                                                      COMPOSITE   CONTENT
3219                                                      COMPOSITE   CONTENT
3220                                                      COMPOSITE   CONTENT
3221                                                      COMPOSITE   CONTENT
3222                                                      COMPOSITE   CONTENT
3223                                                      COMPOSITE   CONTENT
3224        HTTP WebGais                                  COMPOSITE   CONTENT
3225        HTTP Gais Websendmail                         COMPOSITE   CONTENT
3226                                                      COMPOSITE   CONTENT
3227                                                      COMPOSITE   CONTENT
3228                                                      COMPOSITE   CONTENT
3229                                                      COMPOSITE   CONTENT
3230        Website Uploader                              COMPOSITE   CONTENT
3231        Novell convert                                COMPOSITE   CONTENT
3232                                                      COMPOSITE   CONTENT
3233        WWW count-cgi Overflow                        COMPOSITE   CONTEXT
3250        TCP Hijack                                    COMPOSITE   CONTEXT
3251        TCP Hijacking Simplex Mode                    COMPOSITE   CONTEXT
3300                                                      ATOMIC      CONTEXT
3301        NETBIOS Stat                                  ATOMIC      CONTENT
3302        NETBIOS Session Setup Failure                 ATOMIC      CONTEXT
3303                                                      ATOMIC      CONTENT
3304        Windows Null Account Name                     ATOMIC      CONTENT
3305        Windows Password File Access                  ATOMIC      CONTENT
3306        Windows Registry Access                       ATOMIC      CONTENT
3307        Windows Redbutton Attack                      COMPOSITE   CONTENT
3308        Windows LSARPC Access                         ATOMIC      CONTENT
3309        Windows SRVSVC Access                         ATOMIC      CONTENT
3400        Sunkill                                       COMPOSITE   CONTENT
3401        Telnet-IFS Match                              COMPOSITE   CONTENT
3450        Finger Bomb                                   ATOMIC      CONTENT
3500                                                      COMPOSITE   CONTENT
3525        IMAP Authenticate Buffer Overflow             COMPOSITE   CONTENT
3526                                                      COMPOSITE   CONTENT
3530        Attack                                        ATOMIC      CONTENT
3540                                                      ATOMIC      CONTEXT
3550                                                      COMPOSITE   CONTENT
3575                                                      COMPOSITE   CONTEXT
3576                                                      COMPOSITE   CONTENT
3600                                                      COMPOSITE   CONTENT
3601        IOS Command History Exploit                   COMPOSITE   CONTENT
3602                                                      ATOMIC      CONTENT
3603                                                      COMPOSITE   CONTENT
3650        SSH RSAREF2 Buffer Overflow                   COMPOSITE   CONTEXT
3990        BackOrifice BO2K TCP Non Stealth              COMPOSITE   CONTENT
3991        BackOrifice BO2K TCP Stealth 1                COMPOSITE   CONTENT
3992        BackOrifice BO2K TCP Stealth 2                COMPOSITE   CONTENT
4000        UDP Packet                                    ATOMIC      CONTEXT
4001                                                      COMPOSITE   CONTEXT
4002        UDP Flood                                     COMPOSITE   CONTEXT
4050        UDP Bomb                                      ATOMIC      CONTEXT
4051        Snork                                         ATOMIC      CONTEXT
4052        Chargen DoS                                   ATOMIC      CONTEXT
4053        Back Orifice                                  COMPOSITE   CONTENT
4054        RIP Trace                                     ATOMIC      CONTENT
4055        BackOrifice BO2K UDP                          COMPOSITE   CONTENT
4100                                                      COMPOSITE   CONTENT
4150        Ascend Denial of Service                      COMPOSITE   CONTENT
4600                                                      COMPOSITE   CONTEXT
5034                                                      COMPOSITE   CONTENT
5035                                                      COMPOSITE   CONTENT
5036        WWW Windows Password File Access Attempt      COMPOSITE   CONTENT
5037        WWW SGI MachineInfo Attack                    COMPOSITE   CONTENT
5038                                                      COMPOSITE   CONTENT
5039                                                      COMPOSITE   CONTENT
5040        WWW Perl Interpreter Attack                   COMPOSITE   CONTENT
5041                                                      COMPOSITE   CONTENT
5042                                                      COMPOSITE   CONTENT
5043                                                      COMPOSITE   CONTENT
5044        WWW Webcom.se Guestbook attack                COMPOSITE   CONTENT
5045                                                      COMPOSITE   CONTENT
5046        WWW dumpenv.pl recon                          COMPOSITE   CONTENT
5047                                                      COMPOSITE   CONTENT
5048                                                      COMPOSITE   CONTENT
5049        WWW IIS showcode.asp access                   COMPOSITE   CONTENT
5050                                                      COMPOSITE   CONTENT
5051                                                      ATOMIC      CONTENT
5052        FrontPage Extensions PWD Open Attempt         ATOMIC      CONTENT
5053        FrontPage _vti_bin Directory List Attempt     ATOMIC      CONTENT
5054        WWWBoard Password                             ATOMIC      CONTENT
5055        HTTP Basic Authentication Overflow            COMPOSITE   CONTENT
5056                                                      COMPOSITE   CONTENT
5057        WWW Sambar Samples                            COMPOSITE   CONTENT
5058        WWW info2www Attack                           COMPOSITE   CONTENT
5059                                                      COMPOSITE   CONTENT
5060                                                      COMPOSITE   CONTENT
5061        WWW catalog_type.asp Access                   COMPOSITE   CONTENT
5062        WWW classifieds.cgi Attack                    COMPOSITE   CONTENT
5063        WWW dmblparser.exe Access                     COMPOSITE   CONTENT
5064        WWW imagemap.cgi Attack                       COMPOSITE   CONTENT
5065        WWW IRIX infosrch.cgi Attack                  COMPOSITE   CONTENT
5066        WWW man.sh Access                             COMPOSITE   CONTENT
5067        WWW plusmail Attack                           COMPOSITE   CONTENT
5068        WWW formmail.pl Access                        COMPOSITE   CONTENT
5069        WWW whois_raw.cgi Attack                      COMPOSITE   CONTENT
5070        WWW msadcs.dll Access                         COMPOSITE   CONTENT
5071        WWW msadcs.dll Attack                         COMPOSITE   CONTENT
5072                                                      COMPOSITE   CONTENT
5073        WWW EZshopper loadpage.cgi Attack             COMPOSITE   CONTENT
5074        WWW EZshopper search.cgi Attack               COMPOSITE   CONTENT
5075                                                      COMPOSITE   CONTENT
5076                                                      COMPOSITE   CONTENT
5077                                                      COMPOSITE   CONTENT
5078        WWW Piranha passwd attack                     COMPOSITE   CONTENT
5079                                                      ATOMIC      CONTENT
5080        WWW IBM WebSphere Access                      ATOMIC      CONTENT
5081        WWW WinNT cmd.exe Access                      ATOMIC      CONTENT
5082                                                      ATOMIC      CONTENT
5083                                                      ATOMIC      CONTENT
5084                                                      ATOMIC      CONTENT
5085                                                      ATOMIC      CONTENT
5086        WWW WEBactive Logfile Access                  ATOMIC      CONTENT
5087                                                      ATOMIC      CONTENT
5088        WWW Akopia MiniVend Access                    ATOMIC      CONTENT
5089                                                      ATOMIC      CONTENT
5090        WWW FrontPage htimage.exe Access              ATOMIC      CONTENT
5091        WWW Cart32 Remote Admin Access                COMPOSITE   CONTENT
5092        WWW CGI-World Poll It Access                  ATOMIC      CONTENT
5093        WWW PHP-Nuke admin.php3 Access                ATOMIC      CONTENT
5095                                                      ATOMIC      CONTENT
5096                                                      ATOMIC      CONTENT
5097        WWW FrontPage MS-DOS Device Attack            COMPOSITE   CONTENT
5099        WWW GWScripts News Publisher Access           ATOMIC      CONTENT
5100                                                      ATOMIC      CONTENT
5101                                                      ATOMIC      CONTENT
5102        WWW phpPhotoAlbum explorer.php Access         ATOMIC      CONTENT
5103                                                      ATOMIC      CONTENT
5104                                                      ATOMIC      CONTENT
5105        WWW Ranson Johnson mailto.cgi Attack          ATOMIC      CONTENT
5106        WWW Ranson Johnson mailform.pl Access         ATOMIC      CONTENT
5107        WWW Mandrake Linux /perl Access               ATOMIC      CONTENT
5108                                                      ATOMIC      CONTENT
5109                                                      ATOMIC      CONTENT
5110                                                      ATOMIC      CONTENT
5111        WWW Solaris Answerbook 2 Access               ATOMIC      CONTENT
5112        WWW Solaris Answerbook 2 Attack               ATOMIC      CONTENT
5113        WWW CommuniGate Pro Access                    ATOMIC      CONTENT
5114                                                      ATOMIC      CONTENT
6001                                                      COMPOSITE   CONTENT
6002                                                      COMPOSITE   CONTENT
6050                                                      ATOMIC      CONTENT
6051                                                      ATOMIC      CONTENT
6052                                                      ATOMIC      CONTENT
6053                                                      ATOMIC      CONTENT
6054                                                      ATOMIC      CONTENT
6055                                                      ATOMIC      CONTENT
6056                                                      COMPOSITE   CONTENT
6057                                                      COMPOSITE   CONTEXT
6100                                                      ATOMIC      CONTENT
6101        RPC Port Unregistration                       ATOMIC      CONTENT
6102        RPC Dump                                      ATOMIC      CONTENT
6103                                                      ATOMIC      CONTENT
6104                                                      ATOMIC      CONTENT
6105                                                      ATOMIC      CONTENT
6110                                                      COMPOSITE   CONTEXT
6111        RPC RUSERSD Sweep                             COMPOSITE   CONTEXT
6112                                                      COMPOSITE   CONTEXT
6113        RPC MOUNTD Sweep                              COMPOSITE   CONTEXT
6114        RPC YPPASSWDD Sweep                           COMPOSITE   CONTEXT
6115        RPC SELECTION_SVC Sweep                       COMPOSITE   CONTEXT
6116                                                      COMPOSITE   CONTEXT
6117                                                      COMPOSITE   CONTEXT
6118                                                      COMPOSITE   CONTENT
6150        ypserv Portmap Request                        ATOMIC      CONTENT
6151        ypbind Portmap Request                        ATOMIC      CONTENT
6152        yppasswdd Portmap Request                     ATOMIC      CONTENT
6153        ypupdated Portmap Request                     ATOMIC      CONTENT
6154        ypxfrd Portmap Request                        ATOMIC      CONTENT
6155        mountd Portmap Request                        ATOMIC      CONTENT
6175        rexd Portmap Request                          ATOMIC      CONTENT
6180        rexd Attempt                                  ATOMIC      CONTEXT
6190                                                      COMPOSITE   CONTEXT
6191        RPC.tooltalk buffer overflow                  COMPOSITE   CONTENT
6192                                                      COMPOSITE   CONTENT
6193                                                      ATOMIC      CONTENT
6194                                                      ATOMIC      CONTENT
6195                                                      COMPOSITE   CONTENT
6200                                                      COMPOSITE   CONTENT
6201        Ident Newline                                 COMPOSITE   CONTENT
6202        Ident Improper Request                        COMPOSITE   CONTENT
6250        FTP Authorization Failure                     COMPOSITE   CONTENT
6251        Telnet Authorization Failure                  COMPOSITE   CONTENT
6252        Rlogin Authorization Failure                  COMPOSITE   CONTENT
6253        POP3 Authorization Failure                    COMPOSITE   CONTENT
6255        SMB Authorization Failure                     COMPOSITE   CONTENT
6300                                                      COMPOSITE   CONTEXT
6302                                                      COMPOSITE   CONTEXT
6500        RingZero Trojan                               COMPOSITE   CONTENT
6501                                                      COMPOSITE   CONTENT
6502                                                      COMPOSITE   CONTENT
6503        Stacheldraht Client Request                   COMPOSITE   CONTENT
6504        Stacheldraht Server Reply                     COMPOSITE   CONTENT
6505                                                      COMPOSITE   CONTENT
6506                                                      COMPOSITE   CONTENT
6507                                                      COMPOSITE   CONTENT
6508        Mstream Control Traffic                       COMPOSITE   CONTENT
8000/2302   Telnet-/etc/shadow Match                      COMPOSITE   CONTENT
8000/2101   FTP Retrieve Password File                    COMPOSITE   CONTENT
8000/2303   Telnet-+ +                                    COMPOSITE   CONTENT
8000/51301  Rlogin-IFS Match                              COMPOSITE   CONTENT
8000/51302  Rlogin-/etc/shadow Match                      COMPOSITE   CONTENT
8000/51303  Rlogin-+ +                                    COMPOSITE   CONTENT
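The two classification axes in the table are independent: Structure says whether one packet decides the match (ATOMIC) or state must be kept across packets (COMPOSITE), and Implementation says whether the decision looks at protocol headers (CONTEXT) or at payload (CONTENT). The following toy engine, an added example and not CIDS code, implements one signature from each quadrant (3041 SYN/FIN Packet: ATOMIC/CONTEXT; 5081 WWW WinNT cmd.exe Access: ATOMIC/CONTENT; 2152 ICMP Flood: COMPOSITE/CONTEXT; 6251 Telnet Authorization Failure: COMPOSITE/CONTENT) over a constructed packet stream. The thresholds, the matching strings and the packet representation are assumptions, not the signatures' real definitions.

```python
"""Toy signature engine showing ATOMIC vs COMPOSITE structure and CONTEXT vs
CONTENT implementation.  Added example with constructed packets; thresholds
and match strings are assumptions, not CIDS's signature definitions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str              # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flags, comma separated, e.g. "SYN,FIN"
    icmp_type: int = -1     # 8 = echo request
    payload: bytes = b""


@dataclass
class Engine:
    icmp_flood_threshold: int = 5   # assumption: echo requests per source
    auth_fail_threshold: int = 3    # assumption: failures per client/server pair
    _echo_counts: dict = field(default_factory=lambda: defaultdict(int))
    _login_fail_counts: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, pkt):
        """Return the signature IDs this packet triggers."""
        hits = []
        tcp_flags = set(pkt.flags.split(",")) if pkt.flags else set()

        # 3041 SYN/FIN Packet - ATOMIC, CONTEXT: header flags of one packet
        if pkt.proto == "TCP" and {"SYN", "FIN"} <= tcp_flags:
            hits.append(3041)

        # 5081 WWW WinNT cmd.exe Access - ATOMIC, CONTENT: payload of one packet
        if pkt.proto == "TCP" and pkt.dport == 80 and b"cmd.exe" in pkt.payload.lower():
            hits.append(5081)

        # 2152 ICMP Flood - COMPOSITE, CONTEXT: header facts counted across packets
        if pkt.proto == "ICMP" and pkt.icmp_type == 8:
            self._echo_counts[pkt.src] += 1
            if self._echo_counts[pkt.src] == self.icmp_flood_threshold:
                hits.append(2152)

        # 6251 Telnet Authorization Failure - COMPOSITE, CONTENT: payload
        # matches counted across packets, keyed by (client, server)
        if pkt.proto == "TCP" and pkt.sport == 23 and b"login incorrect" in pkt.payload.lower():
            key = (pkt.dst, pkt.src)
            self._login_fail_counts[key] += 1
            if self._login_fail_counts[key] == self.auth_fail_threshold:
                hits.append(6251)
        return hits


def run(engine, packets):
    """Inspect a packet stream; return (packet index, signature ID) pairs."""
    return [(i, sig) for i, p in enumerate(packets) for sig in engine.inspect(p)]


# Constructed packet stream
STREAM = (
    [Packet("TCP", "10.0.1.50", "172.30.1.4", sport=40123, dport=80, flags="SYN,FIN"),
     Packet("TCP", "10.0.1.50", "172.30.1.4", sport=40124, dport=80, flags="ACK,PSH",
            payload=b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")]
    + [Packet("ICMP", "10.0.1.50", "172.30.1.4", icmp_type=8) for _ in range(6)]
    + [Packet("TCP", "172.30.1.9", "10.0.2.7", sport=23, dport=40200, flags="ACK,PSH",
              payload=b"Login incorrect\r\nlogin: ") for _ in range(3)]
    + [Packet("ICMP", "10.0.3.9", "172.30.1.4", icmp_type=8)]
)

if __name__ == "__main__":
    print(run(Engine(), STREAM))   # [(0, 3041), (1, 5081), (6, 2152), (10, 6251)]
```

The composite checks fire once, when the count reaches the threshold, rather than on every packet after it; that is the same idea as the notification scheduling earlier in the chapter, moved down into the sensor.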
Cisco
Intrusion Detection
System Signatures
and Recommended
Alarm Levels
Overview
This Appendix contains recommended CIDS signature alarm levels. The tables
are meant solely as a reference guide. The recommended alarm levels are:
General Signatures
B-2
Recommended
Alarm Level
1000
Low
1001
Low
1002
IP options-Timestamp
Low
1003
Low
1004
High
1005
IP options-SATNET ID
Low
1006
High
1100
IP Fragment Attack
Medium
1101
Unknown IP Protocol
Low
1102
Impossible IP Packet
High
1103
IP Fragments Overlap
High
1104
High
1200
Low
1201
IP Fragment Overlap
High
1202
High
1203
High
1204
Low
1205
Low
1206
Low
1207
Low
1208
Low
ID      Name                      Recommended Alarm Level
1220                              High
2000                              Disable
2001                              Disable
2002                              Disable
2003    ICMP Redirect             Disable
2004                              Disable
2005                              Disable
2006                              Disable
2007                              Disable
2008                              Disable
2009                              Disable
2010                              Disable
2011                              Disable
2012                              Disable
2100                              Medium
2101                              High
2102                              High
2150                              Disable
2151                              Disable
2152    ICMP Flood                High
2153    Smurf                     High
2154                              High
3001                              High
3002                              Medium
3003                              High
3005                              High
3006                              High
3010                              Disable
3011                              High
3012                              High
3015                              High
3016                              High
3020                              High
3021                              High
3030                              Low
3031                              High
3032                              High
3033                              High
3034                              High
3035                              High
3036                              High
3037                              High
3038                              High
3039                              High
3040                              High
3041    SYN/FIN Packet            High
3042                              High
3043                              High
3045    Queso Sweep               High
3050                              High
3100    Smail Attack              High
3101                              High
3102                              High
3103    Sendmail reconnaissance   Low
3104                              Low
3105                              Medium
3106    Mail Spam                 Medium
3107                              High
3108                              High
3109                              High
3110                              Medium
3150                              Low
3151                              Disable
3152                              High
3153                              High
3154                              High
3155                              High
3156                              High
3157                              High
3200                              High
3201                              High
3202                              High
3203                              High
3204                              High
3205                              Disable
3206                              Disable
3207                              Disable
3208                              High
3209                              High
3210                              Medium
3211                              Disable
3212                              Medium
3213                              Medium
3214                              Disable
3215                              High
3216                              High
3217                              High
3218                              High
3219                              High
3220                              Disable
3221                              Medium
3222                              Medium
3223                              Medium
3224    HTTP WebGais              Medium
3225                              Medium
3226                              Medium
3227                              Medium
3228                              Medium
3229                              High
3230    Website Uploader          Medium
3231    Novell convert            High
3232                              Medium
3233                              High
3250    TCP Hijack                High
3251                              High
3300                              High
3301    NETBIOS Stat              Disable
3302                              Disable
3303                              Low
3304                              Disable
3305                              High
3306                              High
3307                              High
3308                              Disable
3309                              Disable
3400    Sunkill                   Medium
3401    Telnet-IFS Match          Medium
3450    Finger Bomb               Medium
3500                              High
3525                              High
3526                              High
3530                              Medium
3540                              High
3550                              High
3575                              High
3576                              High
3600                              High
3601                              High
3602                              Low
3603                              High
3650                              High
3990                              High
3991                              High
3992                              High
4001                              High
4002    UDP Flood                 Disable
4050    UDP Bomb                  Medium
4051    Snork                     Medium
4052    Chargen DoS               Medium
4053    Back Orifice              High
4054    RIP Trace                 High
4055                              High
4100                              High
4150                              Medium
4600                              High
5034                              High
5035                              High
5036                              High
5037                              Medium
5038                              High
5039                              Medium
5040                              High
5041                              High
5042                              High
5043                              High
5044                              High
5045                              High
5046                              Medium
5047                              High
5048                              High
5049                              Medium
5050                              High
5051                              Medium
5052                              High
5053                              High
5054    WWWBoard Password         Medium
5055                              High
5056                              Disable
5057                              Medium
5058                              High
5059                              High
5060                              Medium
5061                              High
5062                              High
5063                              Medium
5064                              High
5065                              High
5066                              Medium
5067                              High
5068                              Medium
5069                              High
5070                              High
5071                              High
5072                              High
5073                              High
5074                              High
5075                              Medium
5076                              Medium
5077                              Medium
5078                              High
5079                              Medium
5080                              Medium
5081                              High*
5082                              Low
5083                              Medium
5084                              Medium
5085                              Medium
5086                              Low
5087                              Medium
5088                              Medium
5089                              Medium
5090                              Medium
5091                              Medium
5092                              Medium
5093                              Medium
5095
5096                              Medium
5097                              Medium
5098                              Medium
5099                              Medium
5100                              Medium
5101                              Medium
5102                              Medium
5103                              Medium
5104                              Medium
5105                              Medium
5106                              Medium
5107                              Medium
5108                              Medium
5109                              Medium
5110                              Low
5111                              Medium
5112                              Medium
5113                              Medium
5114                              High
6001                              High
6002                              High
6050                              Medium
6051                              Low
6052                              High
6053                              Low
6054                              Medium
6055                              High
6056                              High
6057                              High
6100                              High
6101                              High
6102    RPC Dump                  High
6103                              Low
6104                              High
6105                              High
6110                              High
6111                              High
6112                              High
6113                              High
6114                              High
6115                              High
6116                              High
6117                              High
6118                              High
6150                              Low
6151                              Low
6152                              Disable
6153                              Low
6154                              Low
6155                              Disable
6175                              Medium
6180    rexd Attempt              High
6190                              High
6191                              High
6192                              High
6193                              High
6194                              High
6195                              High
6200                              High
6201    Ident Newline             High
6202                              High
6250                              Low
6251                              Low
6252                              Low
6253                              Low
6255                              Low
6300                              High
6302                              High
6500    RingZero Trojan           High
6501                              High
6502                              High
6503                              High
6504                              High
6505                              High
6506                              High
6507                              High
6508                              High
Connection Signatures

ID      Sub ID  Name                      Recommended Alarm Level
3000                                      Disable
3000                                      Disable
3000                                      Disable
3000    11                                Disable
3000    13                                Disable
3000    15                                Disable
3000    19                                Disable
3000    20                                Disable
3000    21                                Disable
3000    23                                Disable
3000    25                                Disable
3000    37                                Disable
3000    43                                Disable
3000    53                                Disable
3000    70                                Disable
3000    79                                Disable
3000    80                                Disable
3000    87                                Disable
3000    88                                Disable
3000    95                                Disable
3000    101                               Disable
3000    102                               Disable
3000    103                               Disable
3000    104                               Disable
3000    105                               Disable
3000    109                               Disable
3000    110                               Disable
3000    111                               Disable
3000    117                               Disable
3000    119                               Disable
3000    123                               Disable
3000    137                               Disable
3000    138                               Disable
3000    139                               Disable
3000    143                               Disable
3000    144                               Disable
3000    177                               Disable
3000    178                               Disable
3000    179                               Disable
3000    194                               Disable
3000    220                               Disable
3000    372                               Disable
3000    512                               Medium
3000    513                               Medium
3000    514                               Medium
3000    515                               Disable
3000    530                               Disable
3000    540                               Disable
3000    600                               Disable
3000    750                               Disable
3000    3128                              Disable
3000    8080                              Disable
4000                                      Disable
4000                                      Disable
4000    13                                Disable
4000    19                                Disable
4000    37                                Disable
4000    53                                Disable
4000    69                                Medium
4000    70                                Disable
4000    80                                Disable
4000    88                                Disable
4000    111                               Disable
4000    123                               Disable
4000    177                               Disable
4000    179                               Disable
4000    220                               Disable
4000    372                               Disable
4000    512                               Disable
4000    513                               Disable
4000    514                               Disable
4000    515                               Disable
4000    517                               Disable
4000    518                               Disable
4000    520                               Disable
4000    2049                              Disable
String Signatures

ID      Sub ID  Name                      Recommended Alarm Level
8000    2101                              High
8000    2302    Telnet-/etc/shadow Match  High
8000    2303    Telnet-+ +                Low
8000    51301   Rlogin-IFS Match          High
8000    51302   Rlogin-/etc/shadow Match  High
8000    51303   Rlogin-+ +                Low
Cisco Intrusion Detection System Log Files

Overview
Cisco Intrusion Detection System (CIDS) provides four levels of
logging:
Events (Alarms)
Errors
Commands
IP Sessions
The active Cisco IDS log file is located in /usr/nr/var. The IP log
files are located in /usr/nr/var/iplog. Each CIDS service maintains its
own error log file, which is also located in /usr/nr/var. The active
log files are closed and archived, and new active log files are
created, when the file size or time threshold is exceeded. By default,
a log file is archived and a new one created when the active log
reaches 1 GB or after 60 minutes, whichever comes first. IP log files,
by default, remain active for 30 minutes or until the session that
triggered the IP log action is terminated. Archived log files are
located in /usr/nr/var/new for CIDS log and error log files and in
/usr/nr/var/iplog/new for IP session log files.
This appendix focuses on CIDS log file filename conventions and the
event and command records found in CIDS log files.

CIDS log file filename convention
IP log file        iplog.XXX.XXX.XXX.XXX.YYYYMMDDHHMM
Log file           log.YYYYMMDDHHMM
Error log file     error.service.processid
For example, error.managed.928 is the CIDS error log file for the
managed service, whose system process identification number is 928.

The following table lists the fields associated with event records
found in CIDS log files.

Event record fields
Record Type
Record ID
GMT Timestamp
Local Timestamp
Application ID: 10000 postofficed, 10003 managed, 10004 eventd,
  10005 loggerd, 10006 smid, 10007 sapd, 10008 packetd,
  10010 fileXferd, 10010 iosids, 20001 CSPM
Host ID
Organization ID
Source Direction
Destination Direction
Alarm Level: 1 Low, 3 Medium, 5 High
Signature ID
Sub-signature ID
Protocol
Source IP Address
Destination IP Address
Source Port
Destination Port
Data Source IP Address
Optional Event detail
Optional Event context

Example event record (values as printed in the guide):
1000010 2001/01/30 17:03:47 2001/01/30 11:03:47 10008 100 OUT IN
8000 2302 10.0.0.84 172.30.1.208 1045 23 0.0.0.0 /etc/shadow
FFFD01FFFD03FFFB01610080073776964733E202F6574632F736861646F

The following table lists the fields associated with command log
records found in CIDS log files.

Command log record fields
Record Type
Record ID
GMT Timestamp
Local Timestamp
Application ID: 10000 postofficed, 10003 managed, 10004 eventd,
  10005 loggerd, 10006 smid, 10007 sapd, 10008 packetd,
  10010 fileXferd, 10010 iosids, 20001 CSPM
Host ID
Organization ID
Application ID (same codes as above)
Host ID
Organization ID
Command

Example command log record (values as printed in the guide):
24 2001/01/30 17:18:35 2001/01/30 11:18:35 10003 100 84 100
EXEC ShunNet 171.69.2.0 255.255.255.0 1440
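The record layouts and filename conventions above, worked into a small parser as an added example (this is not code from the guide or from CIDS). It assumes comma-delimited records with each timestamp written as date and time in one field; the sample lines are constructed, reusing the values the guide prints and inventing the rest.

```python
import re

# Code tables from the event record field list; the guide lists both
# fileXferd and iosids under 10010, so that code keeps both names.
APPLICATION_IDS = {10000: "postofficed", 10003: "managed", 10004: "eventd",
                   10005: "loggerd", 10006: "smid", 10007: "sapd",
                   10008: "packetd", 10010: "fileXferd/iosids", 20001: "CSPM"}
ALARM_LEVELS = {1: "Low", 3: "Medium", 5: "High"}
# Field order follows the two field tables. The comma delimiter and the
# "date time" timestamp layout are assumptions, not stated in the guide.
EVENT_FIELDS = ("record_type", "record_id", "gmt_timestamp", "local_timestamp",
                "application_id", "host_id", "org_id", "source_direction",
                "destination_direction", "alarm_level", "signature_id",
                "sub_signature_id", "protocol", "source_ip", "destination_ip",
                "source_port", "destination_port", "data_source_ip",
                "event_detail", "event_context")
COMMAND_FIELDS = ("record_type", "record_id", "gmt_timestamp", "local_timestamp",
                  "application_id", "host_id", "org_id", "dst_application_id",
                  "dst_host_id", "dst_org_id", "command")
FILENAME_PATTERNS = {  # filename conventions from the section above
    "iplog": re.compile(r"^iplog\.(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<stamp>\d{12})$"),
    "log": re.compile(r"^log\.(?P<stamp>\d{12})$"),
    "error": re.compile(r"^error\.(?P<service>\w+)\.(?P<pid>\d+)$"),
}

def parse_record(line, fields):
    """Split one log line into named fields; the last field keeps any commas."""
    parts = line.rstrip("\n").split(",", len(fields) - 1)
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}")
    rec = dict(zip(fields, parts))
    rec["application"] = APPLICATION_IDS.get(int(rec["application_id"]), "unknown")
    if "alarm_level" in rec:  # command records carry no alarm level
        rec["alarm_name"] = ALARM_LEVELS.get(int(rec["alarm_level"]), "unknown")
    return rec

def decode_context(hex_context):
    """Render the hex event-context capture as text, masking non-printable bytes."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(hex_context))

def classify_log_filename(name):
    """Return (kind, parsed parts) for a /usr/nr/var log filename, or (None, {})."""
    for kind, pattern in FILENAME_PATTERNS.items():
        match = pattern.match(name)
        if match:
            return kind, match.groupdict()
    return None, {}

# Constructed sample lines: values the guide prints are reused; record type,
# host ID, alarm level, protocol and the second ID triple are invented.
SAMPLE_EVENT = ("4,1000010,2001/01/30 17:03:47,2001/01/30 11:03:47,10008,84,100,OUT,IN,5,"
                "8000,2302,TCP,10.0.0.84,172.30.1.208,1045,23,0.0.0.0,/etc/shadow,"
                "FFFD01FFFD03FFFB016964733E202F6574632F736861646F")
SAMPLE_COMMAND = ("5,24,2001/01/30 17:18:35,2001/01/30 11:18:35,10003,84,100,10005,84,100,"
                  "EXEC ShunNet 171.69.2.0 255.255.255.0 1440")
```

Decoding the event context of the constructed record shows the telnet negotiation bytes followed by the matched string, which is what a string signature such as 2302 captures.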
Cisco Intrusion Detection System Software Update
Overview
This appendix discusses the process and procedures to update the Cisco Intrusion
Detection System (CIDS) software.
This chapter includes the following topics:
Note
Appliance Sensors
IDS Management
Readme files contain the current information regarding the software update.
Please read the file to ensure your Sensor or Director meets the requirements.
Step 2
Log in as root.
Step 3
Step 4
Step 5
Step 6
Change to the directory where the software update files are stored:
# cd /var/temp
Step 7
Change the file permissions to 755. This will make the file executable.
# /var/temp> chmod 755 filename.bin
Where filename is the CSIDS software upgrade filename.
Step 8
or
# /var/temp> filename.bin -I
Where filename is the CSIDS software upgrade filename.
The following steps are performed to install a signature update for a UNIX CIDS
Sensor or Director with a tarred software update file:
Step 1
Step 2
Step 3
Step 4
Step 5
Change to the directory where the software update files are stored:
# cd /var/temp
Step 6
Step 7
Step 2
Log in as root.
Step 3
Step 4
Step 5
Step 6
Change to the directory where the software update files are stored:
# cd /var/temp
Step 7
Change the file permissions to 755. This will make the file executable.
# /var/temp> chmod 755 filename.bin
Where filename is the CSIDS software upgrade filename.
Step 8
or
# /var/temp> filename.bin -U
Where filename is the CSIDS software upgrade filename.
The following steps are performed to install a signature update for a UNIX CIDS
Sensor or Director with a tarred software update file:
Step 1
Step 2
Step 3
Step 4
Step 5
Change to the directory where the software update files are stored:
# cd /var/temp
Step 6
Step 7
Step 2
Step 3
Step 4
Step 5
or
# reboot
Step 6
Step 7
Verify that the boot sequence is Floppy Drive, CD-ROM, Hard Drive. The Sensor
was booted from the CD before the hard drive to perform the upgrade/recovery.
Step 8
Exit the BIOS Setup Menu, saving changes to the boot sequence if necessary.
Step 9
Read the upgrade or recovery installation instructions. Use the spacebar to scroll
through the instructions.
Step 10 Enter yes when prompted to re-image the Sensor. The upgrade or recovery will
Your screen may blink or blank out depending on the monitor's energy-saving
capabilities. DO NOT turn the Sensor off; the upgrade/recovery may still be active.
Step 11 Remove the Upgrade/Recovery CD, and reboot the Sensor when prompted.
Step 12 Enter ok to reboot the Sensor.
The Sensor is restored to the initial factory software installation. The passwords
are reset to the default password of attack. The Sensor will need to be
bootstrapped using the sysconfig-sensor command before it will communicate
with the Director.
Copyright 2001, Cisco Systems, Inc.
Cisco Intrusion Detection System Signature Tuning and Port Mapping
Overview
Cisco IDS allows for certain signatures to be tuned for your network environment.
Signature tuning provides the security administrator with more control over how
the signatures are triggered.
CIDS also enables you to map TCP ports to CIDS intrusion detection engines.
Signature port mapping provides the security administrator with the ability to
configure ports of interest for CIDS signatures that detect malicious activity
associated with HTTP, Syn Flood, Telnet, and HiJack attacks.
ID      Signature Name            Parameter(s)                   Allowable Value(s) (Default)
1103    IP Fragmentation Overlap  Expiration                     1-250 (10)
2100                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
2101                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
2102                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
2152    ICMP Flood                Expiration                     1-65536 (5)
                                  Threshold                      1-65536 (25)
2153    ICMP Smurf                Expiration                     1-65536 (5)
                                  Threshold                      1-65536 (25)
3001                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3002                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3003                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3005                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3006                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3010                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3011                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3012                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3015                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3016                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3020                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3021                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3030                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3031                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3032                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3033                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3034                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3035                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3036                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3037                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
3045                              Expiration                     1-65536 (90)
3050                              Expiration                     1-65536 (5)
                                  Threshold                      1-65536 (50)
3106    Sendmail SPAM             Max Number of RCPT TO Allowed  1-65536 (50)
3108                              Max MIME content length        1-65536 (200)
3109                                                             1-65536 (250)
3219                                                             1-65536 (128)
3220                                                             1-65536 (7168)
3300                              Expiration                     1-65536 (10)
3307    Windows Redbutton         Expiration                     1-65536 (30)
3526                                                             1-65536 (128)
3650                              Expiration                     1-65536 (15)
4001                              Expiration                     1-65536 (90)
                                  Threshold                      1-65536 (5)
4002    UDP Flood                 Expiration                     1-65536 (10)
                                  Threshold                      1-65536 (100)
6001                              Expiration                     1-65536 (15)
6110                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6111                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6112                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6113                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6114    RPC YPPASSWDD Port Sweep  Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6115                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6116                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6117                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6118                              Expiration                     1-65536 (20)
                                  Threshold                      1-65536 (5)
6255    SMB Authorization failure Expiration                     1-65536 (60)
                                  Threshold                      1-65536 (3)
6300    ICMP Loki                 Expiration                     1-65536 (60)
                                  Threshold                      1-65536 (3)
6302                              Expiration                     1-65536 (60)
                                  Threshold                      1-65536 (3)
Signature Name            Default Ports
                          21,23,25,80,110,143,513
                          21,23,25,80,110,113,119,143,513,1080,8000,8080
                          23
                          80,3128,8080
WARNING CIDS will not detect attacks launched against ports deleted from a specific
group of signatures.
Kudos
Technical inaccuracies
Grammatical/style inaccuracies
General suggestions