Signatures are the foundation of an intrusion prevention system (IPS). This chapter shows you how to tune and configure signatures to control how the sensor behaves. There are default signatures, tuned signatures (default signatures that you have modified), and your own custom signatures. Most built-in signatures generate an alert when fired.
Event actions can be defined either per signature or as part of an event action override policy. When possible, it is simpler to manage actions through the override policy than signature by signature.
Frequent configuration tasks include enabling or disabling signatures and defining the actions that should occur upon firing.
To access the signatures for configuration, choose Configuration, Signature Definitions, Signature Configuration.
Here are the possible actions that you can configure in response to a signature firing:
Deny Attacker Inline terminates the current packet and future packets from the attacker address for a specified period of time. If the attack uses TCP traffic, it also sends a TCP Reset packet to the host under attack. This is the most severe of the deny actions.
Deny Attacker Service Pair Inline terminates the current packet and future packets from the attacker-address and victim-port pair for a specified period of time. For example, if the attack uses TCP port 80, future traffic from that attacker to any protected host on port 80 is blocked, but traffic on other ports is allowed.
Deny Attacker Victim Pair Inline terminates the current packet and future packets from the attacker-address and victim-address pair for a specified period of time. Future traffic from the attacking IP address to the victim IP address is blocked on any port, while traffic from that attacker to other hosts is allowed.
Deny Connection Inline terminates the current packet and future packets in the TCP flow.
Deny Packet Inline drops the packet.
Log Attacker Packets starts IP logging on packets that contain the attacker address. A pcap format file is captured on the sensor.
Log Pair Packets starts IP logging on packets that contain the attacker and victim IP address pair.
Log Victim Packets starts IP logging on packets that contain the victim address.
Produce Alert generates an alert.
Produce Verbose Alert generates an alert that contains a pcap of the packet that caused the signature to fire.
Request Block Connection sends a request to a blocking device to block the connection. Blocking devices can be ASA firewalls, switches, routers, or access points.
Request Block Host sends a request to a blocking device to block the attacker host.
Request SNMP Trap generates an SNMP trap if the trap destination is already configured.
Reset TCP Connection sends one or more TCP Reset packets.
Modify Packet Inline modifies illegal portions of a packet. This event action is only available to the Normalizer engine.
Notice that many of the response actions to a signature firing involve denying attackers access to your protected network. To manage denied attackers, choose Monitoring, Denied Attackers.
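The three Deny Attacker variants differ only in how much of the (attacker address, victim address, victim port) tuple the sensor keys its deny entry on. The following Python model is an added example, not code from the book or from the Cisco IPS itself; the DeniedAttackers class, the entry layout and the 3600-second default duration are assumptions made for illustration.

```python
from dataclasses import dataclass

# The three Deny Attacker variants described above, keyed on progressively
# narrower parts of the (attacker, victim, port) tuple.
DENY_ATTACKER = "deny-attacker-inline"
DENY_SERVICE_PAIR = "deny-attacker-service-pair-inline"
DENY_VICTIM_PAIR = "deny-attacker-victim-pair-inline"


@dataclass(frozen=True)
class Packet:
    src: str    # attacker address
    dst: str    # victim address
    dport: int  # victim port


@dataclass
class DenyEntry:
    action: str
    attacker: str
    victim: str
    port: int
    expires: float  # absolute time (seconds) at which the deny period ends

    def matches(self, pkt: Packet) -> bool:
        if pkt.src != self.attacker:
            return False                    # every variant keys on the attacker address
        if self.action == DENY_ATTACKER:
            return True                     # any destination, any port
        if self.action == DENY_SERVICE_PAIR:
            return pkt.dport == self.port   # same service on any protected host
        if self.action == DENY_VICTIM_PAIR:
            return pkt.dst == self.victim   # same victim on any port
        return False


class DeniedAttackers:
    """Toy model of the sensor's denied-attackers table (Monitoring, Denied Attackers)."""

    def __init__(self):
        self.entries = []

    def fire(self, action: str, trigger: Packet, now: float, duration: float = 3600.0):
        """Record the deny entry created when a signature fires on `trigger` (duration is assumed)."""
        self.entries.append(DenyEntry(action, trigger.src, trigger.dst, trigger.dport, now + duration))

    def is_denied(self, pkt: Packet, now: float) -> bool:
        """Expire entries whose period has elapsed, then check `pkt` against the rest."""
        self.entries = [e for e in self.entries if e.expires > now]
        return any(e.matches(pkt) for e in self.entries)
```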