csids.book page 836 tuesday, september 18, 2001 11:06 am
INDEX
Symbols & Numerics
/usr/nr/etc/hosts file entries, 714–715
1000 Bad Option List signatures, 248
1000 Series signatures. See IP signatures
10000 Series policy-violation signatures, 378, 388
1001 IP Options-Record Packet Route signatures, 248
1002 IP Options-Timestamp signatures, 248
1003 IP Options-Provide s, c, h, tcc signatures, 249
1004 IP Options-Loose Source Route signatures, 249
1005 IP Options-SATNET ID signatures, 250
1006 IP Options-Strict Source Route signatures, 250
1100 IP Fragment Attack signatures, 252
1101 Unknown IP Protocol signatures, 256
1102 Impossible IP Packet signatures, 257
1103 IP Fragments Overlap signatures, 252
1104 IP Localhost Source Spoof signatures, 257
1200 IP Fragmentation Buffer List signatures, 252
1201 IP Fragment Overlap signatures, 253
1202 IP Fragment Overrun-Datagram Too Long signatures, 253
1203 IP Fragment Overwrite-Data Is Overwritten signatures, 254
1204 IP Fragment Missing Initial Fragment signatures, 254
1205 IP Fragment Too Many Datagrams signatures, 254
1206 IP Fragment Too Small signatures, 255
1207 IP Fragment Too Many Frags signatures, 255
1208 IP Fragment Incomplete Datagram signatures, 255
1220 Jolt2 Fragment Reassembly DoS Attack signatures, 256
2000 ICMP Echo Reply signatures, 258
2000 Series ICMP signatures. See ICMP signatures
2001 ICMP Host Unreachable signatures, 262
2002 ICMP Source Quench signatures, 263
2003 ICMP Redirect signatures, 263
2004 ICMP Echo Request signatures, 259
2005 ICMP Time Exceeded for a Datagram signatures, 264
2006 ICMP Parameter Problem on a Datagram signatures, 264
2007 ICMP Timestamp Request signatures, 259
2008 ICMP Timestamp Reply signatures, 260
2009 ICMP Information Request signatures, 260
2010 ICMP Information Reply signatures, 261
2011 ICMP Address Mask Request signatures, 261
2012 ICMP Address Mask Reply signatures, 261
2100 ICMP Network Sweep with Echo signatures, 265
2101 FTP RETR passwd signature, 376
2101 ICMP Network Sweep with Timestamp signatures, 265
2102 ICMP Network Sweep with Address Mask signatures, 266
2150 Fragmented ICMP Packet signatures, 266
2151 Large ICMP Packet signatures, 267
2152 ICMP Flood signatures, 267
2153 ICMP Smurf Attack signatures, 268
2154 Ping of Death Attack signatures, 268
2301 Telnet IFS=/ signature, 376
2302 Telnet /etc/shadow signatures, 377
2303 Telnet + + signatures, 377
3000 Series TCP signatures. See TCP signatures
3001 TCP Port Sweep signatures, 272
3002 TCP SYN Port Sweep signatures, 272
3003 Fragmented TCP SYN Port Sweep signatures, 273
3005 TCP FIN Port Sweep signatures, 273
3006 Fragmented TCP FIN Port Sweep signatures, 273
3010 TCP High Port Sweep signatures, 274
3011 TCP FIN High Port Sweep signatures, 275
3012 Fragmented TCP FIN High Port Sweep signatures, 275
3015 TCP Null Port Sweep signatures, 275
3016 Fragmented TCP Null Port Sweep signatures, 276
3020 TCP SYN-FIN Port Sweep signatures, 276
3021 Fragmented TCP SYN-FIN Port Sweep signatures, 277
3030 TCP SYN Host Sweep signatures, 278
3031 Fragmented TCP SYN Host Sweep signatures, 278
3032 TCP FIN Host Sweep signatures, 279
3033 Fragmented TCP FIN Host Sweep signatures, 279
3034 TCP NULL Host Sweep signatures, 279
3035 Fragmented TCP NULL Host Sweep signatures, 280
3037 Fragmented TCP SYN-FIN Host Sweep signatures, 280
3038 Fragmented NULL TCP Packet signatures, 281
3039 Fragmented Orphaned FIN Packet signatures, 282
3040 NULL TCP Packet signatures, 282
3041 SYN/FIN Packet signatures, 283
3042 Orphaned FIN Packet signatures, 283
3043 Fragmented SYN/FIN Packet signatures, 283
3045 Queso Sweep signatures, 277
3050 Half-Open SYN Attack signatures, 308
3100 Smail Attack signatures, 284
3101 Sendmail Invalid Recipient signatures, 285
3102 Sendmail Invalid Sender signatures, 285
3103 Sendmail Reconnaissance signatures, 285
3104 Archaic Sendmail Attacks signatures, 286
3105 Sendmail Decode Alias signatures, 286
3106 Sendmail SPAM Attack signatures, 286
3107 Majordomo Exec Bug signatures, 287
3108 MIME Overflow Bug signatures, 287
3109 Qmail Length Crash signatures, 288
3150 FTP Remote Command Execution signatures, 288
3151 FTP SYST Command Attempt signatures, 289
3152 FTP CWD ~root Command signatures, 289
3153 FTP Improper Address Specified signatures, 289
3154 FTP Improper Port Specified signatures, 290
3155 FTP RETR Pipe Filename Command Execution signatures, 290
3156 FTP STOR Pipe Filename Command Execution signatures, 290
3157 FTP PASV Port Spoof signatures, 291
3200 WWW Phf Attack signatures, 292
3201 WWW General cgi-bin Attack signatures, 292
3202 WWW .url File Request signatures, 293
3203 WWW .lnk File Requested signatures, 293
3204 WWW .bat File Requested signatures, 294
3205 HTML File Has .url Link signatures, 294
3206 HTML File Has .lnk Link signatures, 294
3207 HTML File Has .bat Link signatures, 295
3208 WWW campas Attack signatures, 295
3209 WWW Glimpse Server Attack signatures, 295
3210 WWW IIS View Source Attack signatures, 296
3211 WWW IIS Hex View Source Attack signatures, 296
3212 WWW NPH-TEST-CGI Attack signatures, 296
3213 WWW TEST-CGI Attack signatures, 297
3214 IIS DOT DOT VIEW Attack signatures, 297
3215 IIS DOT DOT EXECUTE Bug signatures, 297
3216 IIS Dot Dot Crash Attack signatures, 298
3217 WWW php View File Attack signatures, 298
3218 WWW SGI Wrap Attack signatures, 298
3219 WWW PHP Buffer Overflow signatures, 299
3220 IIS Long URL Crash Bug signatures, 299
3221 WWW cgi-viewsource Attack signatures, 299
3222 WWW PHP Log Scripts Read Attack signatures, 299
3223 WWW IRIX cgi-handler Attack signatures, 300
3224 HTTP WebGais signatures, 300
3225 HTTP Gais Websendmail signatures, 300
3226 WWW Webdist Bug signatures, 301
3227 WWW Htmlscript Bug signatures, 301
3228 WWW Performer Bug signatures, 301
3229 Website Win-C Sample Buffer Overflow signatures, 301
3230 Website Uploader signatures, 302
3231 Novell Convert Bug signatures, 302
3232 Finger Attempt signatures, 302
3233 WWW count-cgi Overflow signatures, 303
3250 TCP Hijacking signatures, 308
3251 TCP Hijacking Simplex Mode signatures, 308
3300 NETBIOS OOB Data signatures, 303
3301 NETBIOS Stat signatures, 304
3302 NETBIOS Session Setup Failure signatures, 304
3303 Windows Guest Login signatures, 305
3304 Windows Null Account Name signatures, 305
3305 Windows Password File Access signatures, 305
3306 Windows Registry Access signatures, 306
3307 Windows Redbutton Attack signatures, 306
3308 Windows LSARPC Access signatures, 307
3309 Windows SRVSVC Access signatures, 307
3400 Sun Kill Telnet DoS signatures, 310
3401 Telnet-IFS Match signatures, 310
3405 Finger Bomb signatures, 310
3500 rlogin-froot signatures, 311
3525 IMAP Authenticate Overflow signatures, 311
3526 IMAP Login Buffer Overflow signatures, 311
3530 Cisco Secure ACS Oversized TACACS+ Attack signatures, 312
3540 Cisco Secure ACS CSAdmin Attack signatures, 312
3550 Pop Buffer Overflow signatures, 312
3575 INN Buffer Overflow signatures, 312
3576 INN Control Message Exploit signatures, 313
3600 IOS Telnet Buffer Overflow signatures, 313
3601 IOS Command History Exploit signatures, 313
3602 Cisco IOS Identity signatures, 314
3603 IOS Enable Bypass signatures, 314
3650 SSH RSAREF Buffer Overflow signatures, 314
3990 BackOrifice BO2K TCP Non Stealth signatures, 315
3991 BackOrifice BO2K TCP Stealth 1 signatures, 315
3992 BackOrifice BO2K TCP Stealth 2 signatures, 315
4000 Series UDP signatures. See UDP signatures
4002 UDP Flood signatures, 318
4050 UDP Bomb signatures, 318
4051 Snork signatures, 319
4052 Chargen DoS signatures, 319
4053 Back Orifice signatures, 320
4054 RIP Trace signatures, 320
4055 BackOrifice BO2K UDP signatures, 320
4100 TFTP Passwd signatures, 321
4150 Ascend Denial of Service signatures, 321
4200 Series Sensing Configuration Screen (CSPM), 389–392
4200 Series sensors, 77
    appliances, 145
        IDS-4210, 148–149
        IDS-4230, 146–147
    bootstrap, configuring, 151–158
    checking, 168–169
    configuration files, pushing to, 167–168
    configuring
        4200 Series Sensing Configuration Screen (CSPM), 389–392
        saving, 166–167
        sysconfig-sensor command, 152–158
        updating, 166–167
    CSPM Director
        adding to, 158–169
        installing within, 145
    default gateway, entering, 161–162
    logon accounts, 149–151
    management access, 149
    PDP (policy distribution point), selecting, 166
    PostOffice identification parameters, entering, 159–161
    settings, verifying, 163
    signature templates, entering, 162–163
4600 IOS UDP Bomb signature, 321
5000 Series Web/HTTP signatures, 321–349
5034 WWW IIS newdsn Attack signature, 324
5035 HTTP cgi HylaFAX Faxsurvey signature, 325
5036 WWW Windows Password File Access Attempt signature, 325
5037 WWW SGI MachineInfo Attack signature, 325
5038 WWW wwwsql File Read Bug signature, 326
5039 WWW Finger Attempt signature, 326
5040 WWW Perl Interpreter Attack signature, 326
5041 WWW anyform Attack signature, 327
5042 WWW CGI Valid Shell Access signature, 327
5043 WWW Cold Fusion Attack signature, 327
5044 WWW Webcom.se Guestbook Attacks signature, 328
5045 WWW xterm Display Attack signature, 328
5046 WWW dumpenv.pl Recon signature, 329
5047 WWW Server Side Include POST Attack signature, 329
5048 WWW IIS BAT EXE Attack signature, 329
5049 WWW IIS Showcode .asp Attack signature, 330
5050 WWW IIS .htr Overflow signature, 330
5051 IIS Double Byte Code Page signature, 330
5052 FrontPage Extensions PWD Open Attempt signature, 331
5053 FrontPage _vti_bin Directory List Attempt signature, 331
5054 WWWBoard Password signature, 331
5055 HTTP Basic Authentication Overflow signature, 331
5056 WWW Cisco IOS % % DoS signature, 332
5057 WWW Sambar Samples signature, 332
5058 WWW info2www Attack signature, 332
5059 WWW Alibaba Attack signature, 333
5060 WWW Excite AT-generate.cgi Access signature, 333
5061 WWW catalog_type.asp Access signature, 333
5062 WWW classifieds.cgi Attack signature, 334
5063 WWW dmblparser.exe Access signature, 334
5064 WWW imagemap.cgi Attack signature, 334
5065 WWW IRIX Infosrch.cgi Attack signature, 334
5066 WWW man.sh Access signature, 335
5067 WWW plusmail Attack signature, 335
5068 WWW formmail.pl Access signature, 335
5069 WWW whois_raw.cgi Attack signature, 336
5070 WWW msadcs.dll Access signature, 336
5071 WWW msadcs.dll Attack signature, 336
5072 WWW bizdb 1-search Attack signature, 337
5073 WWW EZshopper loadpage.cgi Attack signature, 337
5074 WWW EZshopper search.cgi Attack signature, 337
5075 WWW IIS Virtualized UNC Bug signature, 337
5076 WWW webplus Bug signature, 338
5077 WWW Excite AT-admin.cgi Access signature, 338
5078 WWW Piranha Password Attack signature, 339
5079 WWW PCCS MySQL Admin Access signature, 339
5080 WWW IBM WebSphere Access signature, 339
5081 WWW WinNT cmd.exe Access signature, 340
5083 WWW Virtual Vision FTP Browser Access signature, 340
5084 WWW Alibaba Attack 2 signature, 340
5085 WWW IIS Source Fragment Access signature, 341
5086 WWW WEBactive Logfile Access signature, 341
5087 WWW Sun Java signature, 341
5088 WWW Akopia MiniVend Access signature, 341
5089 WWW Big Brother Directory Access signature, 342
5090 WWW FrontPage htimage.exe Access signature, 342
5091 WWW Cart32 Remote Admin Access signature, 342
5092 WWW CGI-World Poll It Access signature, 343
5093 WWW PHP-Nuke admin.php3 Access signature, 343
5095 WWW CGI Script Center Account Manager Attack signature, 343
5096 WWW CGI Script Center Subscribe Me Attack signature, 344
5097 WWW FrontPage MS-DOS Device Attack signature, 344
5099 WWW GWScripts News Publisher Access signature, 344
5100 WWW CGI Center Auction Weaver File Access signature, 344
5101 WWW CGI Center Auction Weaver Attack signature, 345
5102 WWW phpPhotoAlbum explorer.php Access signature, 345
5103 WWW SuSE Apache CGI Source Attack signature, 345
5104 WWW YaBB File Access signature, 346
5105 WWW Ranson Johnson mailto.cgi Attack signature, 346
5106 WWW Ranson Johnson multiform.pl Access signature, 346
5107 WWW Mandrake Linux/Perl Access signature, 347
5108 WWW Netgrity Site Minder Access signature, 347
5109 WWW Sambar Beta search.dll Access signature, 347
5110 WWW SuSE Installed Packages Access signature, 348
5111 WWW Solaris Answerbook2 Access signature, 348
5112 WWW Solaris Answerbook 2 Attack signature, 348
5113 WWW CommuniGate Pro Access signature, 349
5114 WWW IIS Unicode Attack signature, 349
51301 Rlogin IFS=/ signature, 376
51302 Rlogin /etc/shadow signature, 377
51303 Rlogin + + signature, 377
6000 Series cross-protocol signature. See cross-protocol signature
6001 Normal SATAN Probe signature, 350
6002 Heavy SATAN Probe signature, 350
6050 DNS HINFO Request signature, 351
6051 DNS Zone Transfer Request signature, 352
6052 DNS Zone Transfer from High Port signature, 352
6053 DNS Request for All Records signature, 353
6054 DNS Version Request signature, 353
6055 DNS Inverse Query Buffer Overflow signature, 353
6056 BIND NXT Buffer Overflow signature, 354
6057 BIND SIG Buffer Overflow signature, 354
6100 RPC Port Registration signature, 356
6101 RPC Port Unregistration signature, 356
6102 RPC Dump signature, 357
6103 Proxied RPC Request signature, 357
6104 RPC Set Spoof signature, 357
6105 RPC Unset Spoof signature, 358
6110 RPC RSTATD Sweep signature, 358
6111 RPC RUSERSD Sweep signature, 358
6112 RPC NFS Sweep signature, 359
6113 RPC MOUNTD Sweep signature, 359
6114 RPC YPPASSWDD Sweep signature, 359
6115 RPC SELECTION_SVC Sweep signature, 359
6116 RPC REXD Sweep signature, 360
6117 RPC STATUS Sweep signature, 360
6118 RPC ttdb Sweep signature, 360
6150 ypserv Portmap Request signature, 361
6151 ypbind Portmap Request signature, 361
6152 yppasswdd Portmap Request signature, 361
6153 ypupdated Portmap Request signature, 362
6154 ypxfrd Portmap Request signature, 362
6155 mountd Portmap Request signature, 363
6175 rexd Portmap Request signature, 363
6180 rexd Attempt signature, 363
6190 statd Buffer Overflow signature, 364
6191 RPC.tooltalk Buffer Overflow signature, 364
6192 RPC mountd Buffer Overflow signature, 364
6193 RPC CMSD Buffer Overflow signature, 364
6194 sadmind RPC Buffer Overflow signature, 365
6195 RPC amd Buffer Overflow signature, 365
6200 Ident Buffer Overflow signature, 366
6201 Ident Newline signature, 367
6202 Ident Improper Request signature, 367
6250 FTP Authorization Failure signature, 368
6251 Telnet Authorization Failure signature, 368
6252 Rlogin Authorization Failure signature, 369
6253 POP3 Authorization Failure signature, 369
6255 SMB Authorization Failure signature, 369
6300 Loki ICMP Tunneling signature, 370
6302 General Loki ICMP Tunneling signature, 370
6500 RingZero Trojan signature, 366
6501 TFN Client signature, 371
6502 TFN Server Reply signature, 371
6504 Stacheldraht Server Reply signature, 372
6505 Trinoo Client Request signature, 373
6506 Trinoo Server Reply signature, 373
6507 TFN2K Control Traffic signature, 373
6508 mstream Control Traffic signature, 374
8000 Series string-matching signature, 375–378
A
abnormal TCP packets, TCP signatures, 281–283
access
    administrative access, limiting, 36
    anonymous access, reducing, 36
    management access, 4200 Series Sensors, 149
access class signature, 235
access control lists (ACLs). See ACLs (access control lists)
accessing
    sensors, 757–759
    user accounts, 17
accounts
    access attacks, 17
    logon accounts, 4200 Series Sensors, 149–151
    netrangr account, 150
ACLs (access control lists), 237, 464. See also IP blocking
    applying to E1 interface, 660
    applying to external interfaces, 473
    applying to inbound traffic, 464
    applying to internal interfaces, 473
    blocking
        enhancements, 619
        related tokens, 708–709
    contents, displaying, 511
    denied hosts, adding, 656
    IP blocking
        anti-spoofing mechanisms, 466
        at the router, 468–469
        configuring, 474–476
        critical hosts, 467
        default block time, 470
        disabling, 477, 479
        duration of, 468
        entry points, 467
        signature selection, 467
    IP blocking, implementing, 466
    logging policy violations, 653
    placement, 471–473
    signatures, 237
        creating, 455–456
        SYSLOG sources, defining, 456–457
        tokens, 706
actions
    allowed by authorized hosts, 717
    applying to signatures, 433–434
    default, setting, 594
    defining for Cisco IOS Firewall IDS, 582
Actions group box (Event Viewer Preferences window)
    Command Timeout, 208–209
    Subnet Mask, 209
    Time To Block, 209
active Cisco Secure IDS version, displaying, 696
active partition, 514
Active Server Pages (ASPs), 339
ad hoc attacks, 15
Add Host Wizard
    Host Type window, 545
    sensors, adding, 541–549
    Shunning Initialization window, 548
    starting, 543
Add Host Wizard (nrConfigure), 561
Add Host Wizard Finished window (nrConfigure), 564
Add Sensor Wizard, 159–160
adding
    Cisco IOS Firewall to Director configuration, 601–602, 604
    comments to configuration files, 700
    communication parameters to Cisco IOS Firewall IDS, 642–643
    configured sensors to Director, 561
        host type selection, 564
        parameters, 563
    connection signatures, 435–436
    denied hosts to ACLs, 656
    hosts to Director configuration, 560–561
    IDSM to CSPM, 513
    secondary Directors, 561
Additional Destinations Configuration Screen (CSPM), 406
address mask requests, 258
addressing, PostOffice protocol, 89
administrative access, limiting, 36
advanced signature configuration, 451
    Port Mapping, 453, 455
    Signature Tuning, 451–453
advanced signature filtering, 447–449
Advisory/Related Information Links field (NSDB Related Vulnerability page), 197
Affected Programs field (NSDB Related Vulnerability page), 196
Affected Systems field (NSDB Related Vulnerability page), 196
agents, 27
alarm event record fields, log files, 741–744
alarms, 468
    benign triggers, 192
    context buffer, viewing, 187, 189
    deleting, 197–198
    destinations, configuring, 716–717
    Director platforms
        displays, 80
        responses, 81
    expansion boundaries, modifying, 204–205
    false positives, 182
        reducing, 759–762
    fields, 180
        Count field, 181
        Destination Information fields, 183
        General Information fields, 181–182
        Signature Information fields, 183–184
        Source Information fields, 182
    forwarding related tokens, 710
    high-severity, 779
    host names, resolving, 184–186
    low-severity, 779
    medium-severity, 779
    notification queue, setting, 588–589
    resuming display (Event Viewer), 199–200
    Severity values, 184
        configuring, 214
    suspending display (Event Viewer), 199–200
    temporary exclusions, 762
AlarmThrottle master signature parameter, 630
Alias field (NSDB Related Vulnerability page), 195
analyzing network topology, 97
    critical components, 100–101
    entry points, 98–100
    remote networks, 102
    security policy restrictions, 102–103
    size and complexity issues, 102
anomaly detection, IDSs (Intrusion Detection Systems), 54–58
    benefits, 56–58
    drawbacks, 57–58
    issues, 56
    neural networks, 56
    rule-based approach, 55
    statistical sampling, 55
anonymous access, reducing, 36
answers to review questions, 815–835
anti-spoofing mechanisms, 466
appliances, 4200 Series Sensors, 145
    IDS-4210, 148–149
    IDS-4230, 146–147
application holes, 23
Application Name field (Cisco Secure IDS alarm records), 182
application partition, 515
applications
    TCP signatures, 309–315
    UDP signatures, 319–321
apply command, 517
applying
    ACLs
        interface selection, 471–472
        specifying traffic direction, 473
        to E1 interfaces, 660
        to external interfaces, 473
        to inbound traffic, 464
        to internal interfaces, 473
    actions to signatures, 433–434
    audit rules, 595, 597–598
    initial configuration to IDSM, 499
    saved configuration versions, 571
    signature templates to sensors, 442
    signature updates to IDSM, 517
    transient configuration versions, 571
architecture
    Cisco Secure IDS sensors, 687
        nr.fileXferd, 690
        nr.loggerd, 689
        nr.managed, 689
        nr.packetd, 689
        nr.postofficed, 689
        nr.sapd, 689
    CSPM Director, 690
        services, 691–692
archived log files, 740
ARP (Address Resolution Protocol), 19
ASPs (Active Server Pages), 339
assigned port numbers, 435
assigning
    command and control port on IDSM, 502
    signature templates to sensors, 442
atomic signatures, 192, 233, 581
ATOMIC.ICMP signature engine, 628
ATOMIC.IPOPTIONS signature engine, 628
ATOMIC.L3.IP signature engine, 628
ATOMIC.TCP signature engine, 628
ATOMIC.UDP signature engine, 629
attacks, 6–7
    ad hoc, 15
    attributes, 7
    common points of, 16
        network protocols, 18–19
        network resources, 16–17
    DoS
        distributed attacks, 27, 29
        host resource starvation, 26
        network resource overload, 24–25
        out-of-bounds, 26
    exploitation tools, 20
        authentication compromises, 21–22
        compromised trust relationships, 23–24
        poorly configured services, 22
        protocol weaknesses, 22
    external threats, 9
    goal setting, 11–12
    ICMP, 266
    internal threats, 9–10
    Internet, usage estimates, 98
    man-in-the-middle, 18
    methodical, 15
    patient, 16
    publishing publicly, 57
    reconnaissance, 12–13
    reconnaissance tools, 19–20
    script kiddies, 7–8
    spoofing, 19
    structured threats, 9
    surgical strikes, 15
    Trojan horses, 17
    UDP signatures, 318–319
    unstructured threats, 7–8
    variable time-to-live attacks, 63
attributes of attackers, 7
audit rules
    configuring on Cisco IOS Firewall IDS, 593–598
    creating, 595–598
    packet auditing process, 593–594
authentication
    administrative access, limiting, 36
    anonymous access, reducing, 36
    common privilege groups, defining, 35–36
    compromising, 21–22
    failures, signatures, 367–369
    improving, 35–36
    one-time passwords, 36
    trust relationships, minimizing, 36
authorization, troubleshooting Oracle database, 731
authorized hosts, 717
automatic monitoring, network security, 43
availability, 11

B
back doors, 24
bandwidth consumption attacks, 24–25
benign signatures, 238
benign triggers, 192
bin directory, 697
blades
    configuring multiple per chassis, 678
    general setup, 680–685
    limitations per IDSM, 678–679
    network diagram, 680
    VACL definition, 680
Blank Left value (Event Viewer), configuring, 209–210
Blank Right value (Event Viewer), configuring, 210
blocking, 661
    ACL enhancements, 619
    Catalyst 5000 RSM, 619
    IDSM, 620
    master blocking sensor, 709
    PIX, 619
    related tokens, 708–709
    sensors, 100
Blocking Configuration Screen (CSPM), 397–400
bootstraps, configuring on 4200 Series sensors, 151–158
boundaries, establishing, 37–39
Boundaries group box (Event Viewer Preferences window), 212
brute-force attacks, 21

C
cable requirements, laptop-to-COM port connections, 758
Cannot write message to Director error, troubleshooting, 722
capturing traffic, 495
    SPAN feature (IDSM), 496
        limitations, 497
        spanning ports, 496
        spanning VLANs, 496
    VACLs, 497
        interesting traffic, 498
        limitations, 498
    with IDSM, 490
case studies
    Cisco IOS Firewall IDS
        general setup, 641–644
        limitations, 639–640
        network diagram, 640
        required equipment, 640
        troubleshooting tips, 644–650
    configuring multiple blades per chassis, 678
        general setup, 680–685
        limitations per IDSM, 678
        network diagram, 679
        required equipment, 679
        VACL definition, 680
    router management, 657
        general setup, 658–666
        limitations, 657
        network diagram, 658
        required equipment, 658
        troubleshooting tips, 666–669
    SYSLOG files, reporting to sensors, 650
        general setup, 651–655
        limitations, 650
        network diagram, 651
        required equipment, 650
        troubleshooting tips, 656–657
    tiered director hierarchy, 670
        alarm delay limitations, 670
        general setup, 671–675
        network diagram, 670
        required equipment, 670
        troubleshooting tips, 675–678
Catalyst 5000 RSM, blocking with, 619
Catalyst 6000 IDSM, 489–490
    blocking with, 620
    commands, 509–512
    comparing to traditional platforms, 491
    disk structure
        active partition, 514
        application partition, 515
        maintenance partition, 515
    ID analysis, configuring, 501–507
        assigning command and control port, 502
        clearing unwanted VLAN traffic, 507–509
    images, updating, 515–516
    initialization, 499–501
    ports, 493–494
    requirements, 492
    software files, 516
        updating, 517–518
    traffic flow, 494
    traffic, capturing, 495
        SPAN, 496
        VACLs, 497–498
    verifying configuration, 509–513
Cells group box (Event Viewer Preferences window), 209–210
checking
    configurations, sensors, 168–169
    sensor errors, 421
Cisco IOS Firewall IDS
    actions
        defining, 582
        configurable, 641
    adding to Director configuration, 601–604
    alarm notification queue, setting, 588–589
    audit rules, configuring, 593–598
    configuring
        general setup, 641–644
        limitations, 639–640
        network diagram, 640
        required equipment, 640
        troubleshooting tips, 644–650
    impact on network performance, 580
    initialization, 583–589
    PostOffice parameters, configuring, 584–585
    prospective customers, 578
    protected networks, defining, 587–588
    signatures, 797–800
        configuring, 589–592
        excluding, 591–592
        implementing, 581
        response options, 581
    verifying configuration, 598–601
Cisco Secure Communications Deployment worksheet (CSPM), 124
Cisco Secure IDS, 71
    active version, displaying, 696
    communications deployment worksheet, 803–805
    configuration GUI, 691–692
    configuring, 72–76
    daemon, starting and stopping, 727
    Director platforms, 80–83
    directory structure, 696
        bin directory, 697
        etc directory, 698
        install directory, 696
        var directory, 698
    functions and features, 72–76
    Home submap, removing sensor icon, 567
    IP blocking configuration, 474–476
    log files, naming conventions, 739
    modules, 77–80
    PostOffice protocol, 84
    sensors
        architecture, 687
        blocked addresses, viewing, 480–481
        master blocking sensors, configuring, 479
        Never Block Addresses, configuring, 478–479
        nr.fileXferd, 690
        nr.loggerd, 689
        nr.managed, 689
        nr.packetd, 689
        nr.postofficed, 689
        nr.sapd, 689
    platforms, 77–80
    services
        stopping, 694
        verifying operability, 695
    Signature Engine Supplement, 630
    user-defined signatures, 628–633
    User Guide, 148–149
    version 3.0, 614–620
        configuration enhancements, 614–615
        installation enhancements, 614–615
        shunning enhancements, 618–620
        signature enhancements, 616–618
    version 4.0, 620–625
        blocking, 624
        configuration, 620–622
        installation, 620–623
        signatures, 623–624
Cisco Secure Intrusion Detection Director (CSIDD). See CSIDD (Cisco Secure Intrusion Detection Director)
Cisco Secure Policy Manager (CSPM). See CSPM
Cisco Secure VPN Client, installing CSPM, 125
Cisco Security Wheel, 34–42
classes, signatures, 234–235
    access class signatures, 235
    denial of service class signatures, 235
    informational class signatures, 234
    reconnaissance class signatures, 234
clear config command, 513
clear ip audit configuration command, 600
clear ip audit statistics command, 600
clear trunk command, 509
clearing unwanted VLAN traffic from IDSM, 507
CLI (command-line interface), Catalyst 6000 switch commands, 509–512
client-server configurations, CSPM, 120
closing
    active log files, 740
    Configuration Library, 572
collapsing columns (Event Viewer), 203–204
    viewing fields, 201–202
Color value (Event Viewer), configuring, 213
columns
    deleting, 205
    expansion boundaries, modifying, 204–205
    moving, 205
    nrConfigure screen display, 558
    selecting for display (Event Viewer), 207
COM port (sensors)
    configuring, 759
    connecting to, 757–759
command and control networks, Cisco Secure IDS deployment, 107
command and control port, Catalyst 6000 IDSM, 494
command event record fields, log files, 744–746
Command Timeout value, configuring, 208–209
commands
    apply, 517
    Catalyst
        reset, 520–521
        show module, 520
        show port, 520
    clear config, 513
    clear ip audit configuration, 600
    clear ip audit statistics, 600
    clear trunk, 509
    commit security acl, 506
    cvtnrlog, 692
    diag, 513
    EXPN (sendmail), 233
    GET, 293
    grep, 237, 751
    ids-installer, 518
    IDSM, 521
        diag bootresults, 522
        nrconns, 522
        report systemstatus, 522
        show errorfile, 523
    ip audit name, 595
    ip audit po protected, 587
    ip audit po remote, 585
    ip audit signature, 591
    mailx, 732
    more, 754, 756–757
    nrconns, 694, 753
    nrstart, 693, 727
    nrstatus, 536, 695, 750–751, 756
    nrstop, 694, 727
    nvers, 696
    ping, 750
    ping -R, 248
    redirect, 692
    session (Catalyst switch), 499
    set boot device, 514
    set security acl ip, 504–505
    set span, 503
    set trunk, 508
    show config, 509–510
    show configuration, 513
    show ip audit configuration, 643
    show ip audit debug, 600
    show ip audit interface, 644
    show ip audit statistics, 599
    show security acl, 511
    show span, 510–511
    snoop (Solaris), 150, 752
    sysconfig-sensor, 152–158, 410, 540
        exiting, 158
    tail, 81
    tail -f, 753
    TRACEON, 320
    VRFY, 233
    write memory, 653
comments, inserting in configuration files, 700
commit security acl command, 506
common privilege groups, defining, 35–36
communication link (Director/sensor), verifying operability, 694, 753–754
communication parameters, adding to Cisco IOS Firewall IDS, 642–643
communications deployment worksheet, Cisco Secure IDS, 803–805
comparing
    Catalyst 6000 IDSM and traditional platforms, 491
    MSFC and standalone routers, 492
composite signatures, 192, 233
compound signatures, 581
confidentiality, 11, 39–41
Configuration File Management Utility
    removing sensors from nrConfigure Director, 566
    starting, 542
configuration files, 699–700
    auths, 717
    comments, inserting, 700
    CSIDD, creating, 535
    daemons, 718
    destinations, 716–717
    hosts, naming convention, 714–715
    intrusion detection, 700
    loggerd.conf, tokens, 710
    nr.postofficed.conf, fault management, 712–714
    reviewing periodically, 45
    routes file, 715–716
    sensors, pushing to, 167–168
    tokens, 699
        DupDestination, 710
        FilenameOfIPLog, 711
        FilenameOfLog, 711
        general signature, 702
        internal network, 701
        MinutesOfAutoLog, 711
        MinutesOfAutoShun, 709
        NameOfPacketDevice, 701
        NetDevice, 708
        NeverShunAddress, 709
        NumberOfSwitchBytes, 711
        NumberOfSwitchMinutes, 711
        RecordOfDataSource, 707
        RecordOfExcludedNetAddress, 707–708
        RecordOfFilterName, 706
        RecordOfStringName, 704–705
        ShunInterfaceCisco, 708
        SigOfFilterName, 706
        SigOfStringMatch, 704–705
        SigOfTcpPacket, 703–704
        SigOfUdpPacket, 703–704
        WatchDogInterval, 713
        WatchDogNumProcessRestarts, 713
        WatchDogProcDeadAlarmLevel, 714
        WatchDogProcTimeOutAlarmLevel, 714
        WatchDogResponseTimeout, 713
Configuration Library
    closing, 572
    opening, 568
    saved versions, applying, 571
    transient versions, 569–571
    versions
        deleting, 571–572
        numbering, 570
        saving, 571
Configuration Management Utilities (nrConfigure), troubleshooting, 733
configuring
    4200 Series Sensors
        bootstrap, 151–158
        sysconfig-sensor command, 152–158
    Catalyst 6000 IDSM
        initialization, 499, 501
    Cisco IOS Firewall IDS
        audit rules, 593–595, 597–598
        general setup, 641–644
        initialization, 583–589
        limitations, 639–640
        network diagram, 640
        PostOffice parameters, 584–585
        required equipment, 640
        signatures, 589–592
        SPAM signatures, 589–590
        troubleshooting tips, 644, 646–650
        verification, 598–601
    CSIDD
        configuration files, 535
        identification parameters, 532–534
        signature responses, 665–666
    CSPM, 119–136
    domain name, 732
    dual-homed Director, 666–669
    Event Viewer
        Blank Left value, 209–210
        Blank Right value, 210
        Color value, 213
        Command Timeout value, 208–209
        Default Expansion value, 212
        Event Batching value, 213
        Icon value, 213
        Maximum Events Per Grid value, 212
        Subnet Mask value, 209
        Time To Block value, 209
    events, destinations, 716–717
    HTML browser, location, 558
    IDSM
        ID analysis, 501–509
        verification, 509–513
    IP blocking, 474
        Never Block Addresses, 478–479
        setting blocking device properties, 475–476
    mail server, 732
    master blocking sensors, 479
    multiple blades per chassis, 678
        general setup, 680–685
        limitations per IDSM, 678
        network diagram, 679
        required equipment, 679
        VACL definition, 680
    nrConfigure, HTML browser, 558
    sensors
        advanced changes, 416–420
        basic changes, 410–414
        checking, 168–169
        CSIDD, 540–549
        COM port settings, 759
        CSPM sensor configuration screens, 386–409
        Director platforms, 81
        error checks, 421
        identification parameters, 410–411
        installing, 105–111
        internal networks, 412–413
        IP fragment reassembly, 416–417
        log files, 414–416
        packet capture devices, 413–414
        pushing new ones to, 420–421
        saving, 166–167, 421
        TCP session reassembly, 417–419
        updating, 166–167, 421
    signatures
        actions, 433–434
        advanced settings, 451–455
        CSPM templates, 428–429
        filtering, 444
        simple signature filtering, 444, 447
        string signatures, 437–438
    TCP reset response, 72–74
connecting laptops/PCs to sensor COM port, 757–759
connection signatures, 236, 434–435, 617, 791–793
    adding, 435–436
    modifying, 436
Connection Status pane (Event Viewer), 214
    Connection Status window, 215–216
    Reset Statistics window, 220
    Sensor Statistics window, 219
    Service Status window, 216–218
    Service Versions window, 218
Connection Status window, 215–216
Consequences field (NSDB Related Vulnerability page), 196
content-based signatures, 192, 232
context buffer, viewing, 187–189
context signatures, 192, 232
core dumps, 733
corporate network reorganization, troubleshooting, 648–650
Count field (Cisco Secure IDS alarm records), 181
Countermeasures field (NSDB Related Vulnerability page), 197
creating
    ACL signatures, 455–456
    advanced filters, 449
    audit rules, 595, 597–598
    signature templates, 440
    string signatures, 438
    VACLs, 504–505
critical hosts, identifying, 467
cross-protocol signatures (6000 Series), 349
    authentication failures, 367–369
    DDoS attacks, 371–374
    DNS attacks, 351–354
    Ident attacks, 366–367
    Loki attacks, 370
    RPC attacks, 355–366
    SATAN attacks, 349–350
CSIDD (Cisco Secure Intrusion Detection Director), 531
    daemons, run verification, 536–537
    Exclude mechanism, 760
    HP Open View NNM
        environment initialization, 537–539
        starting, 537
    installing, 531–535
        configuration files, 535
        identification parameters, 532–534
        install script, 532
        netrangr password, 532–533
        rebooting, 535
    NNM, navigation buttons, 539–540
    sensors
        adding, 541–549
        configuring, 540–549
    signatures responses, configuring, 665–666, 760–762
    starting, 536–540
    submaps, 538
    verifying smid process, 756
CSPM (Cisco Secure Policy Manager), 81, 117
    4200 Series Sensors
        adding to Director, 158–169
        installing, 145
    Cisco Secure Communications Deployment worksheet, 124
    Cisco Secure VPN Client, installing on, 125
    database
        alarms, removing, 197–198
        rows, deleting, 199
        entries, viewing, 178
    Director platform
        adding sensors to, 158–169
        architecture, 690
        operating as, 81–82
        services, 691–692
        smid process, verifying, 755
    General tab, signature configuration, 428–429
    hosts
        adding to topology, 164–165
        resolving names, 186
    identification parameters, verifying, 659
    installing
        account information, 129
        basic settings, 129
        configuring, 119–121
        finalization, 134–136
        license acceptance, 126–127
        modes, 127–130
        PostOffice protocol, 132–135
        requirements, 121–124
        settings, 124–136
    licensing options, 123–124
    logging on, 136
    manual blocking operations, 482–483
    sensor configuration screens, 386–409
        4200 Series Sensing Configuration Screen, 389–392
        Blocking Configuration Screen, 397–400
        Filtering Configuration Screen, 400–403
        IDSM Sensing Configuration Screen, 392–397
        Logging Configuration Screen, 402–406
        Sensor Command Configuration Screen, 406–409
        Sensor Internal Networks Configuration Screen, 389
        Sensor Monitoring Configuration Screen, 388
        Sensor Properties Configuration Screen, 387
    sensors, configuring within, 385–421
    service versions, obtaining, 218
    signatures
        filtering, 760
        templates, creating, 440
        viewing properties, 430–431
    Signatures tab, 429
    software feature sets, 118–119
    starter videos, 137–139
    starting, 136–139
    string signatures, creating, 438
    support applications, 122
    TechSmith Screen Capture Codec, installing, 131
    Tools menu, View Sensor Events command, 178
    Windows NT 4.0 hosts, building, 125–126
CSPM Event Viewer. See Event Viewer
customizing Event Viewer, view settings, 207
cvtnrlog.exe, 692

D

Daemon Versions window (Event Viewer), 218
daemons
    application ID, 718–719
    configuration files, 699–700
    fault management, related tokens, 713–714
    operability, verifying, 536–537
data integrity, 11
data sources, public, 12
databases
    Cisco Secure IDS alarm records, fields, 181
    CSPM, removing alarms, 197–198
    NSDB
        Exploit Signature page, 190–193
        opening, 189
        Related Vulnerability page, 194–197
    Oracle database
        instance name, changing, 730
        troubleshooting, 728–729
DDoS (distributed denial-of-service) attacks, 27
    signatures, 371–374
default actions, signature configuration, 594
default block time, 470
Default Expansion value (Event Viewer), configuring, 212
Default signature template, 428
defining
    common privilege groups, 35–36
    endpoints, 40–41
    interesting traffic, 498
    protected networks, 587–588
    security zones, 38
    signature severity, 430–431
    SYSLOG sources for ACL signature monitoring, 456–457
    untrusted links, 39
Delete Selected Rows button (Event Viewer), 199
deleting
    alarms, 197–198
    columns in Event Viewer, 205
    saved configuration versions, 571–572
    sensors from nrConfigure Director, 566
denial-of-service attacks
    anti-spoofing mechanisms, 466
    class signatures, 235
denied hosts, adding to ACLs, 656
deploying sensors
    installation, 103–111
    preparation, 97–103
Description column (nrConfigure screen display), 558
Destination Address field (Cisco Secure IDS alarm records), 183
Destination Information fields (Cisco Secure IDS alarm records), 183
Destination Location field (Cisco Secure IDS alarm records), 183
Destination Port field (Cisco Secure IDS alarm records), 183
destinations file, 716–717
    viewing, 754
Details field (Cisco Secure IDS alarm records), 184
device management
    requirements, 465
    sensors, 100, 107
devices
    blocking devices, configuring identification parameters, 475
    hosts
        /usr/nr/etc/hosts file entries, 714–715
        IP address configuration, 715–716
        names, resolving, 184–186
    managed network devices, viewing, 482
    MSFC versus standalone router, 492
diag bootresults command (IDSM), 522
diag command, 513
Diagnostics mode (IDSM)
    commands, 521
        diag bootresults, 522
        nrconns, 522
        report system status, 522
        show errorfile, 523
    enabling on IDSM, 513
dialog boxes, Sensor Identification, 159
dictionary password crackers, 21
Director platforms, 80–83
    alarms
        displays, 80
        responses, 81
    Cisco Secure IDS Director for UNIX, 82
    communication with sensors, verifying, 753–754
    compared, 83
    CSIDD. See CSIDD
    CSPM, 159
        adding sensors to, 158–169
        architecture, 690
        operating as, 81–82
        services, 691–692
        smid process, verifying, 755
    error log files, viewing, 756–757
    features, 80
    forwarding alarms, related tokens, 710
    hosts, adding to configuration, 560–561
    inability to write to socket, troubleshooting, 722
    LD_LIBRARY_PATH variable, troubleshooting, 724
    overflowing socket buffer, troubleshooting, 722
    permissions, troubleshooting, 722–723
    secondary, adding, 561
    semaphore files, troubleshooting, 723–724
    sensors
        4200 Series Sensors, adding to, 158–169
        logging, 726
        maximum allowable alarms, 726
        remote configuration, 81
        routing threshold, 725
        severity status, 725
    Show Current Events window, troubleshooting, 726
directory structure (Cisco Secure IDS)
    bin directory, 697
    etc directory, 698
    install directory, 696
    var directory, 698
Disable alarm level, 779
disabling
    debugging commands, 601
    IP blocking, 477–479
    signatures, 431–432, 761–762
disk structure (IDSM)
    active partition, 514
    application partition, 515
    maintenance partition, 515
Display Popup Window status event, 212
displaying
    ACL contents, 511
    active Cisco Secure IDS version, 696
    blocked IP addresses, 480–481
    context buffer, 187–189
    log files, 179
    managed network devices, 482
    selected columns (Event Viewer), 207
    signature template, 428
distributed attacks, 27, 29
distributed configurations, CSPM, 120
distributed denial-of-service (DDoS) attacks, 27, 371–374
DNS (Domain Name System), 13
    attack signatures, 351–354
    cache poisoning, 23
    host name resolution, 186
documentation, security policies, 10–11
domain name, configuring, 732
Domain Name System (DNS). See DNS
DOS (Disk Operating System), FAT (File Allocation Table), 121
DoS (denial-of-service) attacks
    distributed attacks, 27–29
    host resource starvation, 26
    network resource overload, 24–25
    out-of-bounds, 26
dual-homed Director, configuring, 666–669
dual-tier signature response, 649–650
DupDestination token, 710
duplicate alarms, troubleshooting, 675
duration of IP blocking time, selecting, 468

E

E1 interface, applying ACLs, 660
echo requests, 258
EDI (Event Database Interface), 691
eliminating false positives from vulnerability scanner alarms, 645–647
enabling
    Diagnostic mode on IDSM, 513
    Promiscuous mode on sniffing interface, 752
    signatures, 431–432
    Telnet, 466
encryption
    host-to-host encryption, 40
    site-to-site encryption, 41
    VPNs, 39
endpoints, defining, 40–41
engine-specific parameters, signatures, 630
enhancements
    Cisco Secure IDS
        version 3.0, 614–620
        version 4.0, 620–625
    sensors, 625–628
    version 3.0
        configuration, 614–615
        installation, 614–615
        shunning, 618, 620
        signatures, 616–618
    version 4.0
        blocking, 624
        configuration, 620–622
        installation, 620–623
        signatures, 623–624
entry points (networks)
    IP blocking, 467
    protecting with master blocking sensors, 470
    sensors, 98–99
environment variables, adding ORACLE_HOME to LD_LIBRARY_PATH, 730
error log files, viewing, 756–757
errors
    ICMP messages, 262
    sensors, checking for, 168–169, 421
/etc directory, 698
evaluating
    sensors, placement of, 46
    professional security, 44
Event Batching value (Event Viewer), configuring, 213
event horizons, misuse detection, 60
Event Severity Indicator group box (Event Viewer Preferences window), 213
Event Viewer
    alarms
        collapsing columns, 203–204
        deleting, 197–198
        expanding collapsed columns, 201–202
    blocked addresses, viewing, 480–481
    columns
        deleting, 205
        moving, 205
        selecting for display, 207
    Connection Status pane, 214
        Connection Status Window, 215–216
        Reset Statistics Window, 220
        Sensor Statistics Window, 219
        Service Status Window, 216–218
        Service Versions Window, 218
    Delete Selected Rows button, 199
    field expansion boundaries, modifying, 204–205
    log files, viewing, 179
    opening, 178
    Preferences window
        Actions group box, 208–209
        Boundaries group box, 212
        Cells group box, 209–210
        Event Severity Indicator group box, 213
        Severity Mapping group box, 213
        Status Events group box, 211
    resuming alarm display, 199–200
    Shunning Hosts window, 483
    suspending alarm display, 199–200
events
    destinations, configuring, 716–717
    detection, verifying, 752
    log files, 740–746
    record fields
        alarm event record fields, 741–744
        command event record fields, 744–746
EVS (Event Viewing System), 691
Exclude mechanisms, 760
excluding
    false-positive alarms, 759–762
    signatures, 591–592
exclusion stance, security policies, 38
exiting sysconfig-sensor script, 158
expanding collapsed columns
    all columns, 202
    single column, 201
expansion boundaries, modifying, 204–205
Exploit Links field (NSDB Related Vulnerability page), 197
Exploit Signature page (NSDB), 190–191
    benign triggers, 192
    implementation, 192
    recommended alarm level, 192
    signature description, 192
    signature ID, 191
    signature name, 190
    signature structure, 192
    signature type, 192
    subsignature ID, 191
    user notes, 193
    vulnerability, 193
Exploit Type field (NSDB Related Vulnerability page), 196
exploitation tools, 20
    application holes, 23
    authentication compromises, 21–22
    back doors, 24
    compromised trust relationships, 23
    poorly configured services, 22
    protocol weaknesses, 22
EXPN sendmail command, 233
extended ACLs, 464
external interfaces, applying ACLs, 473
external threats, 9
extranets, sensor placement, 104

F

false negatives, 58, 394
false positives, 182, 394
    benign triggers, 192
    eliminating from vulnerability scanner alarms, 645–647
    excluding, 759–762
    IDSs (Intrusion Detection Systems), 55
FAT (File Allocation Table), 121
fault management, related tokens, 712–714
fault tolerance, assigning multiple IP addresses per host, 715–716
features of Catalyst 6000 IDSM, comparing to traditional platforms, 491
fields
    Cisco Secure IDS alarm records
        collapsing, 203–204
        Count field, 181
        destination information fields, 183
        expansion boundaries, modifying, 204–205
        general information fields, 181–182
        signature information fields, 183–184
        source information fields, 182
        viewing, 180
    event record fields, 740–746
        alarm event record fields, 741–744
        command event record fields, 744–746
File Allocation Table (FAT), 121
FilenameOfIPLog token, 711
FilenameOfLog token, 711
files, core dumps, 733
Filtering Configuration Screen (CSPM), 400–403
filtering signatures, 760
    simple signature filtering, 444, 447
    advanced signature filtering, 447–449
finalization, CSPM installation, 134–136
firewall sandwich configuration, sensors, 108
firewalls, 37
    IOS Firewall IDS signatures, 797–800
Fix/Upgrade/Patch field (NSDB Related Vulnerability page), 197
FLOOD signature engines, 629, 633
formats of IP session logs, 618
forwarding alarms, related tokens, 710
fragmentation, 391
    IP signatures, 250–256
FTP attacks, TCP signatures, 288–291
FTP transfer, related tokens, 711
functionality of nrConfigure, 556

G

gateways, entering sensors, 161–162
general information fields (Cisco Secure IDS alarm records), 181–182
general signature token, 702
general signatures, 780–790
General tab (CSPM), signature template configuration, 428–429
GET command, 293
gigabit IDSM, 627
globally disabling signatures, 590–591, 761–762
goal setting for attacks, 11–12
grep command, 237, 751
groups
    common privilege groups, defining, 35–36
    users, 54
H

hacking tools
    exploitation tools, 20
        application holes, 23
        authentication compromises, 21–22
        back doors, 24
        compromised trust relationships, 23–24
        poorly configured services, 22
        protocol weaknesses, 22
    reconnaissance tools, 19–20
    script kiddies, 7–8
    user attributes, 7
handlers, 27
hardware
    CSPM requirements, 123
    installing RUs (rack units), 146
hiding nrConfigure status line, 559
hierarchical director design, 670
    alarm delay limitations, 670
    general setup, 671–675
    network diagram, 670
    required equipment, 670
    troubleshooting tips, 675–678
high ports versus low ports, 274
High-severity alarms, 779
    signatures, 239
hijack attacks, TCP signatures, 307–309
host names
    PostOffice protocol, 88
    resolving, 184–186
host sweeps, TCP signatures, 277–280
Host Type window, Add Host Wizard, 545
host-based IDSs, 61
    benefits, 62–63
    drawbacks, 62–63
hosts
    /usr/nr/etc/hosts file entries, 714–715
    authorized, 717
    compromised trust relationships, 23
    CSPM, adding to topology, 164–165
    excluding from alarm reporting, 760
    inclusions, 618
    IP address configuration, 715–716
    manual blocking operations, 483
    population estimates, 98
    secondary Directors, adding, 561
    Windows NT 4.0 hosts, building, 125–126
host-to-host encryption, 40
HP Open View Network Node Manager (NNM). See NNM (Network Node Manager)
HTML browser, configuring, 558
HTTP/Web signatures, 321–349
hubs, 101, 490
hybrid IDSs, 66

I

ICMP (Internet Control Message Protocol), 13, 257
    attacks, 266
    echo requests, 13
    error messages, 262
    ping sweeps, 264
    query messages, 258
    signatures, 257–268
Icon value (Event Viewer), configuring, 213
ID analysis, IDSM configuration, 501–507
    assigning command and control port, 502
    clearing unwanted VLAN traffic, 507–509
Ident protocol, attack signatures, 366–367
identification parameters
    CSIDD, configuring, 532–534
    sensors, 410–411
    verifying on Director, 652
identifiers, PostOffice protocol, 87–89
identifying critical hosts, 467
IDS Module (IDSM). See IDSM (IDS Module)
IDS-4210 appliance, 4200 Series Sensors, 78, 148–149
IDS-4230 appliance, 4200 Series Sensors, 78, 146–147
ids-installer command, 518
IDSM (IDS Module), 79, 489–490, 620
    adding to CSPM, 513
    blades, configuring multiple per chassis, 678
        general setup, 680–685
        limitations, 678–679
        network diagram, 680
        VACL definition, 680
    blocking with, 620
    clearing unwanted VLAN traffic, 507
    Diagnostic mode
        commands, 521–523
        enabling, 513
    disk structure
        active partition, 514
        application partition, 515
        maintenance partition, 515
    images, updating, 515–516
    initializing, 499–501
    monitoring port, configuring as destination port, 503–505
    oversubscription, preventing, 682
    partitions, updating, 518
    ports, 493–494
    removing configuration, 513
    requirements, 492
    software files, 516
        updating, 517–518
    status LEDs, troubleshooting, 519
    traffic, capturing, 490, 494–495
        SPAN, 496
        VACLs, 497–498
    verifying configuration, 509–513
IDSM Sensing Configuration Screen (CSPM), 392–397
IDSM Setup utility, 499–501
IDSs (Intrusion Detection Systems), 53
    Cisco Secure IDS
        configuring, 72–76
        functions and features, 72–76
    false negatives, 58
    host-based IDSs, 61
        benefits, 62–63
        drawbacks, 62–63
    hybrid IDSs, 66
    locations, monitoring, 61–66
    network-based IDSs, 63–65
        benefits, 65
        drawbacks, 65–66
    training preparation, 57
    triggers, 54
        anomaly detection, 54–58
        misuse detection, 58–60
implementing
    IP blocking, 466
    signatures on Cisco IOS Firewall IDS, 581
improving network security, 44–46
inclusion stance, security policies, 38
inclusions, hosts, 618
informational class signatures, 234
infrastructure, topology analysis, 101
initializing
    Cisco IOS Firewall IDS, 583–589
    HP Open View NNM environment, 537–539
    IDSM, 499, 501
inserting comments in configuration files, 700
install directory, 696
installation
    CSIDD, 531–535
        configuration files, 535
        Director script, running, 532
        identification parameters, 532–534
        install script, 532
        netrangr password, 532–533
        rebooting, 535
    CSPM
        4200 Series Sensors, 145
        account information, 129
        basic settings, 129
        Cisco Secure VPN Client, 125
        configuring, 119–121
        finalization, 134–136
        license acceptance, 126–127
        modes, 127–130
        PostOffice protocol, 132–135
        requirements, 121–124
        settings, 124–136
        TechSmith Screen Capture Codec, 131
    RUs (rack units), 146
    sensors, 103–111
    version 3.0 enhancements, 614–615
    version 4.0 enhancements, 620–622
installed sensors, adding to Director configuration, 560
integrity of data, 11
interesting traffic, defining, 498
interfaces
    ACL placement, 472–473
    external, applying ACLs, 473
    internal, applying ACLs, 473
    Promiscuous mode, enabling, 752
    sensors, 97
internal networks
    sensors, configuring, 412–413
    token, 701
internal threats, 9–10
Internet Control Message Protocol (ICMP). See ICMP
Internet
    usage estimates, 98
    entry points, sensors, 98–99
Internet Protocol Security Architecture (IPSec), IP layer security, 110
intranets, sensors
    entry points, 99
    placement, 105
intrusion detection, configuration files, 700
Intrusion Detection Systems (IDSs). See IDSs (Intrusion Detection Systems)
IOS Firewall IDS signatures, 797–800
IP addressing. See also IP blocking
    ARP, 19
    DNS, 13
    Never Block Addresses, specifying, 478–479
ip audit name command, 595
ip audit po protected command, 587
ip audit po remote command, 585
ip audit signature command, 591
IP blocking, 76, 463–464
    anti-spoofing mechanisms, 466
    at the router, 468–469
    configuring, 474–476
    critical hosts, 467
    default block time, 470
    disabling, 477–479
    duration of, 468
    entry points, 467
    implementing, 466
    manual blocking operations, 482–483
    removing blocked hosts/networks, 483–484
    signature selection, 467
    viewing blocked addresses, 480–481
IP fragments, configuring reassembly, 416–417
IP layer security (IPSec), 110
IP log files
    formats, 618
    naming conventions, 738
    response actions, 76, 433
IP signatures (1000 Series signatures), 245
    bad IP packets, 256–257
    IP fragmentation, 250–256
    IP options, 246–250
IPSec (Internet Protocol Security Architecture), IP layer security, 110
IDSM, gigabit IDSM, 627

J-L

Java Server Pages (JSPs), 339
laptops, connecting to sensors, 757–759
Last Modified column (nrConfigure screen display), 558
LD_LIBRARY_PATH environment variable, adding ORACLE_HOME/lib, 730
LD_LIBRARY_PATH variable, troubleshooting, 724
Legacy Cisco Secure IDS Web attacks, TCP signatures, 291–303
Level field (Cisco Secure IDS alarm records), 184
levels, logging, 737–738
licensing CSPM, 123–124
    acceptance, 126–127
limitations
    of SPAN, 497
    of VACLs, 498
limiting access, 36
line cards
    Catalyst 6000 IDSM, comparing to appliance, 491
    IDSM, 489–490
        adding to CSPM, 513
        blades, configuring multiple per chassis, 678–685
        capturing traffic, 490
        Diagnostic mode, enabling, 513
        disk structure, 514–515
        ID analysis configuration, 501–509
        images, updating, 515–516
        initializing, 499, 501
        monitoring port, configuring as destination port, 503–505
        partitions, updating, 518
        ports, 493–494
        removing configuration, 513
        requirements, 492
        software files, 516–518
        traffic flow, 494
        verifying configuration, 509–513
links, defining untrusted, 39
Lite Licensing, CSPM, 124
Local Date field (Cisco Secure IDS alarm records), 181
Local Time field (Cisco Secure IDS alarm records), 181
location of HTML browser, selecting, 558
log files, 737
    active log files, closing, 740
    archived log files, 740
    automatic FTP transfers, configuring, 415
    Cisco Secure IDS log files, naming conventions, 739
    error log files, viewing, 756–757
    event detection, verifying, 752
    event record fields, 740–746
        alarm event fields, 741–744
        command event fields, 744–746
    IP log files
        formats, 618
        naming conventions, 738
    locations, 740
    logging levels, 737–738
    naming conventions, 738–739
    sensors
        configuring, 414–416
        generating, 414
    Service Error log files, naming conventions, 739
    viewing, 179
loggerd.conf file, tokens, 711
logging
    levels, 737–738
    policy violations on ACLs, 653
    related tokens, 710
    troubleshooting, 726
Logging Configuration Screen (CSPM), 402–406
logons
    4200 Series Sensors, 149–151
    access attacks, 17
    CSPM, 136
    sensors, 757–759
Loki attack signatures, 370
low ports, versus high ports, 274
low-severity alarms, 779
low-severity signatures, 238

M

mail attacks, TCP signatures, 284–288
mail server, configuring, 732
mailing lists, security, 45
mailx command, 732
maintenance partition, 515
managed network devices, viewing, 482
managed.conf file
    DupDestination token, 709
    MinutesOfAutoShun token, 709
    NetDevice token, 708
    NeverShunAddress token, 709
    ShunInterfaceCisco token, 709
management access, 4200 Series Sensors, 149
managing routers, 657
    general setup, 658–666
    limitations, 657
    network diagram, 658
    required equipment, 658
    troubleshooting tips, 666–669
man-in-the-middle attacks, 18
manual IP blocking operations, 482–483
manual monitoring, network security, 42
MAPI (Messaging API), 122
master blocking sensor, 470, 709
Master Blocking Sensor Configuration Screen (CSPM), 400, 479
master Director, adding additional secondary Directors, 561
master signature parameters, 630
maximum allowable alarms, 726
Maximum Events Per Grid value (Event Viewer), configuring, 212
maximum transmission units, 250, 391
MaxInspectLength master signature parameter, 630
MCI (Media Control Interface), 122
Media Control Interface (MCI), 122
Medium severity alarms, 779
medium-severity signatures, 239
messages, propagating through tiered Director hierarchy, 670–675
Messaging API (MAPI), 122
methodologies for attacks
    ad hoc attacks, 15
    methodical attacks, 15
    patient attacks, 16
    surgical strikes, 15
Microsoft Active Scripting Pages (ASPs), 339
Microsoft Internet Explorer 5.x, CSPM, 122
MinHits master signature parameter, 630
minimizing trust relationships, 36
MinutesOfAutoLog token, 711
MinutesOfAutoShun token, 709
misuse detection, IDSs (Intrusion Detection Systems), 58–60
    benefits, 59
    drawbacks, 59–60
    event horizons, 60
modifying
    connection signatures, 436
    database instance name, 730
    field expansion boundaries, 204–205
    Port Mapping configuration, 454–455
modules, platforms, 77–80
monitoring
    locations, IDSs (Intrusion Detection Systems), 61–66
    security, 42–45
monitoring port, Catalyst 6000 IDSM, 494
    configuring as destination port, 503–505
    VACLs, building, 504–505
more command, 754–757
MSFC, comparing to standalone routers, 492
MTUs (maximum transmission units), 250, 391

N

Name field (Cisco Secure IDS alarm records), 181
NameOfPacketDevice token, 701
naming conventions
    hosts, 714–715
    log files, 738–739
    organizations, 714–715
navigation buttons, HP OpenView NNM, 539–540
NetBIOS attacks, TCP signatures, 303–307
NetDevice token, 708
netrangr account, 150, 532–533
network function-based placement, sensors, 104–105
Network Interface Name, verifying, 751
Network Node Manager (NNM). See NNM (Network Node Manager)
Network Topology tree (NTT), 82
network-based IDSs, 63–65
    benefits, 65
    drawbacks, 65–66
networks
    attack points, 16
        protocols, 18–19
        resources, 16–17
    resources
        starvation attacks, 26
        unsecured, 24
    security
        monitoring, 42
        Security Wheel, 34–42
        testing, 43–44
    topology analysis, 97
        critical components, 100–101
        entry points, 98–100
        remote networks, 102
        security policy restrictions, 102–103
        size and complexity issues, 102
neutral networks, anomaly detection, 56
Never Block Addresses, specifying, 478–479
NeverShunAddress token, 709
newly installed sensors, adding to Director configuration, 560
NNM (Network Node Manager), 531
    environment initialization, 537–539
    navigation buttons, 539–540
    starting, 537
non-sniffing sensors, troubleshooting, 749–757
nr.fileXferd.conf, 690
nr.loggerd.conf, 689
nr.managed.conf, 689
nr.packetd.conf, 689
nr.postofficed.conf, 689
nr.postofficed service (CSPM Director), 691
nr.postofficed.conf, fault management, 712–714
nr.sapd.conf, 689
nr.smid service (CSPM Director), 691
nrConfigure
    Add Host Wizard, 561
    Add Host Wizard Finished window, 564
    configured sensors, adding to Director, 561–564
    functionality, 556
    HP-UX performance, troubleshooting, 733
    HTML browser
        configuring, 558
        selecting location, 558
    screen display, 556
        columns, 558
        hiding status line, 559
    sensors
        removing, 566
        verifying installation, 565
    starting, 556
    troubleshooting, 733
nrconns command, 522, 694, 753
nrstart command, 693, 727
nrstatus command, 536, 695, 750–751, 756
nrstop command, 694, 727
NSDB (Network Security Database)
    Exploit Signature page, 190–191
        benign triggers, 192
        implementation, 192
        recommended alarm level, 192
        signature description, 192
        signature ID, 191
        signature name, 190
        signature structure, 192
        signature type, 192
        subsignature ID, 191
        user notes, 193
        vulnerability, 193
    HTML browser configuration, 733
    opening, 189
    Related Vulnerability page, 194
        Advisory/Related Information Links field, 197
        Affected Programs field, 196
        Affected Systems field, 196
        Alias field, 195
        Consequences field, 196
        Countermeasures field, 197
        Exploit Links field, 197
        Exploit Type field, 196
        Fix/Upgrade/Patch Links field, 197
        Severity Level field, 196
        User Notes field, 197
        Vulnerability Description field, 196
        Vulnerability ID field, 195
        Vulnerability Name field, 195
        Vulnerability Type field, 196
NTT (Network Topology tree), 82
numbering configuration versions, 570
NumberOfSwitchBytes token, 711
NumberOfSwitchMinutes token, 711
nvers command, 696
NXT resource record, 354

O

obtaining CSPM service versions, 218
one-time passwords, 36
online help, browser configuration, 733
opening
    Configuration Library, 568
    Event Viewer, 178
    NSDB, 189
operating system requirements for CSPM, 121
options, IP signatures, 246, 248–250
Oracle database
    instance name, modifying, 730
    troubleshooting, 728
        authorization, 731
        installation, 728–729
        JDBC-related error messages, 732
        SQLPlus, 729
        TNS error message, 731
        USER/PASSWORD error message, troubleshooting, 731
Organization Name field (Cisco Secure IDS alarm records), 182
organization names
    naming conventions, 714–715
    PostOffice protocol, 88–89
Organization/Host column (nrConfigure screen display), 558
organizations file, 714
orphaned FIN packets, 282
out-of-bounds attacks, 26
output fields
    show config command, searching, 510
    show span command, 511
overflowing socket buffer, troubleshooting, 722
oversubscription, preventing on IDSMs, 682

P

packet auditing process, 593–594
packet capture device, sensor configuration, 413–414
packet payload, 232
packetd process, verifying, 750–751
packetd.conf file
    MinutesOfAutoLog token, 711
    NameOfPacketDevice token, 701
    RecordOfDataSource token, 707
    RecordOfExcludedNetAddress token, 707–708
    RecordOfFilterNameName token, 706–707
    RecordOfInternalAddress token, 702
    RecordOfStringName token, 704–705
    SigOfFilterNameName token, 706
    SigOfGeneral token, 702
    SigOfStringName token, 704–705
    SigOfTcpPacket token, 703
    SigOfUdpPacket token, 703–704
packets
    bad IP packet signatures, 256–257
    ICMP echo requests, 13
    orphaned FIN packets, 282
    packet payload, 232
    sniffing, 64, 97
    spoofing, 19
    state information, 233
    switch-forwarding path, 490–491
    TTL value, 62
parameters
    apply command, 517
    cvtnrlog command, 692
    IDSM-specific, 501
    ip audit name command, 597
    PostOffice, 584–586
    report systemstatus command (IDSM), 522
    reset command (Catalyst), 520–521
    set security acl ip command, 505
    set trunk command, 508
    show errorfile command (IDSM), 523
    show module command (Catalyst), 520
    show port command (Catalyst), 520
    show security acl command, 512
    show span command, 510–511
    signatures
        engine-specific parameters, 630
        master signature parameters, 630
    tokens, 699
partitions (IDSM), updating, 518
passwords
    crackers, 21
    netrangr password, setting, 532–533
    one-time, 36
    Oracle database, troubleshooting, 731
    telnetting to sensor COM port, 758
patient attacks, 16
patterns of traffic, determining, 37
PCs, connecting to sensors, 757–759
PDP (policy distribution point), 409
    sensor selection, 166
PEPs (policy enforcement points), 167–168
perimeter protection, sensor placement, 104
perimeter routers, 98
permissions, troubleshooting, 722–723
ping command, 750
Ping of Death attack, 26
ping sweeps, 13
    ICMP, 264
ping -R command, 248
pings, 13
PIX, blocking with, 619
placement
    of sensors
        evaluating, 46
        extranets, 104
        intranets, 105
        network function-based placement, 104–105
        perimeter protection, 104
        remote access servers, 105
    of ACLs, 471–473
platforms
    modules, 77–80
    sensors, 77–80
policies (security). See security policies
policy distribution point (PDP), 166, 409
policy enforcement points (PEPs), 167–168
policy violation signatures, 388
    (10000 Series), 378
policy violations, logging on ACLs, 653
poorly configured services, 22
port mapper, 355
Port Mapping, 453, 455
Port Mapping Configuration screen (CSPM), 396
Port parameter (connection signatures), 434–435
port scans
    TCP signatures, 271–277
    UDP signatures, 317
ports
    attacks on, 22
    Catalyst 6000 IDSM, 493–494
    high ports, 274
    low ports, 274
    switch-forwarding path, 490–491
PostOffice
    Command Timeout value, 209
    connection status, verifying, 753
PostOffice protocol, 84
    addressing scheme, 89
    benefits, 87
    CSPM, installing, 132–135
    fault tolerance, 86
    features, 85
    identifiers, 87–89
    redundancy, 85
    reliability, 85
    sensor identification parameters, entering, 159–161
postoffice.conf file
    WatchDogInterval token, 713
    WatchDogNumProcessRestarts token, 713
    WatchDogProcDeadAlarmLevel token, 714
    WatchDogProcTimeoutAlarmLevel token, 714
    WatchDogResponseTimeout token, 713
previously configured sensors, adding as host, 561
privilege escalation attacks, 17
professional security evaluations, conducting, 44
profile-based detection. See anomaly detection
Promiscuous mode, enabling on sniffing interface, 752
propagating messages through tiered Director hierarchy, 670–675
properties (signatures), defining severity of, 430–431
protected networks, defining, 587–588
protocols
    ICMP (Internet Control Message Protocol), 257
    PostOffice protocol, 84
    weaknesses, 22
proxy sensors, master blocking sensors, 470
public data sources, attacks on, 12
publishing attacks publicly, 57

Q-R

query messages (ICMP), 258
rack units (RUs), 146
RDBMS (relational database management systems), troubleshooting SQL queries, 732
rebooting, 535
recommended alarm level, 192
reconnaissance for attacks, 12–13
reconnaissance class signatures, 234
reconnaissance tools, 19–20
RecordOfDataSource token, 707
RecordOfExcludedNetAddress token, 707–708
RecordOfFilterName token, 706
RecordOfStringName token, 704–705
records (CSPM database)
    fields
        Count field, 181
        Destination Information fields, 183
        General Information fields, 181–182
        Signature Information fields, 183–184
        Source Information fields, 182
    viewing, 179–180
recovering deleted sensor configuration information, 567
redirect command, 692
reducing false-positive alarms, 759–762
redundancy, multiple hosts per IP address configuration, 715–716
regular expressions, sensors, 236
Related Vulnerability page (NSDB), 194
    Advisory/Related Information Links field, 197
    Affected Programs field, 196
    Affected Systems field, 196
    Alias field, 195
    Consequences field, 196
    Countermeasures field, 197
    Exploit Links field, 197
    Exploit Type field, 196
    Fix/Upgrade/Patch Links field, 197
    Severity Level field, 196
    User Notes field, 197
    Vulnerability Description field, 196
    Vulnerability ID field, 195
    Vulnerability Name field, 195
    Vulnerability Type field, 196
relationships (trust relationships), minimizing, 36
remote access entry points, sensors, 99
remote access servers, sensor placement, 105
Remote Procedure Call (RPC), 355–366
remote reconnaissance, 12–13
remote sensor configuration, 110
removing
    alarms, 197–198
    blocked hosts/networks, 483–484
    columns in Event Viewer, 205
    IDSM line card configuration, 513
    saved configuration versions, 571–572
    sensor icon from Cisco Secure IDS Home submap, 567
    sensors from nrConfigure Director, 566
reorganization of corporate networks, troubleshooting, 648–650
report system status command (IDSM), 522
reporting SYSLOG files to sensor, 650
    general setup, 651–655
    limitations, 650
    network diagram, 651
    required equipment, 650
    troubleshooting tips, 656–657
repositioning columns in Event Viewer, 205
requirements
    Catalyst 6000 IDSM line card, 492
    device management, 465
reset command (Catalyst), 520–521
Reset Statistics window (Event Viewer), 220
ResetAfterIdle master signature parameter, 630
resolving host names, 184–186
resource records, 354
resources
  unsecured, 24
  vulnerability to attacks, 16–17
responses
  to alarms, Director platforms, 81
  to signatures, CSIDD configuration, 665–666
restricting access, 36
resuming alarm display (Event Viewer), 199–200
review questions, answers, 815–835
reviewing configuration files periodically, 45
root installation directory, 696
routers
  managing, 657
    general setup, 658–666
    limitations, 657
    network diagram, 658
    required equipment, 658
    troubleshooting tips, 666–669
  perimeter routers, 98
routes file, 715–716
rows, deleting from CSPM database, 199
RPC (Remote Procedure Call), attack signatures, 355–366
rule-based approach, anomaly detection, 55
RUs (rack units) installations, 146

S

SAPD (Security Analysis Package Daemon), 689
SAPI (Speech API), 122
SATAN (Security Analysis Tool for Auditing Networks), 349–350
saved versions, deleting, 571–572
saving
  configuration versions, 571
  sensor configurations, 166–167, 421
scanners (security), 43–44
screen display, nrConfigure, 556
  Organization/Host column, 558
  status line, hiding, 559
script kiddies, 7–8
scripts
  start.sh, 729
  sysconfig-director, HTML browser configuration, 558
  sysconfig-sensor, 150, 410, 540
    exiting, 158
SDM (Sensor Device Manager), 628
searching show config command output, 510
secondary Directors, adding, 561
Secure IDS
  communications deployment worksheet, 803–805
  submap, verifying sensor installation, 566
security
  authentication, improving, 35–36
  boundaries, establishing, 37–39
  confidentiality, VPNs, 39–41
  configuration, verifying, 46
  configuration files, reviewing, 45
  firewalls, 37
  improving, 44–46
  mailing lists, 45
  monitoring, 42
  news, monitoring, 44–45
  professional evaluations, conducting, 44
  security policies, 34, 38
  security scanners, 43–44
  security wheel, 34–42
  security zones, defining, 38
  sensors, placement of, 46
  testing, 43–44
  vulnerability patching, 41–42
  Web sites, 45
Security Analysis Tool for Auditing Networks (SATAN), 349–350
security policies, 10–11, 33
  stances, 38
security scanners, 43–44
Security Wheel, 34–42
  improving security, 44–46
  monitoring security, 42
  testing security, 43–44
security zones, defining, 38
selecting
  columns for display (Event Viewer), 207
  HTML browser location, 558
  multiple signatures for advanced filtering, 448
semaphore files, troubleshooting, 723–724
Sensor Advanced Configuration Screen (CSPM), 404
sensor appliance, 625–628
Sensor CA (control agent), 691
Sensor Command Configuration screen (CSPM), 406–409
Sensor Device Manager (SDM), 628
Sensor Identification dialog box, 159
Sensor Internal Networks Configuration screen (CSPM), 389
Sensor Monitoring Configuration screen (CSPM), 388
Sensor Name field (Cisco Secure IDS alarm records), 182
Sensor Properties Configuration screen (CSPM), 387
Sensor Statistics window (Event Viewer), 219
sensors
  4200 Series Sensors
    appliances, 145
      IDS-4210, 148–149
      IDS-4230, 146–147
    configuring, 151–158
    CSPM, 145
    logon accounts, 149–151
    management access, 149
  ACL signatures, creating, 455–456
  adding, CSIDD, 541–542, 544–549
  adding to Director configuration, 560–561
  alarm logging, troubleshooting, 726
  blocking, 100
  Cisco Secure IDS, architecture, 687–690
  COM port settings, configuring, 759
  communication with Director, verifying, 753–754
  configuration files, pushing to, 167–168
  configuring
    advanced changes, 416–420
    basic changes, 410–414
    checking, 168–169
    CSIDD, 540–549
    CSPM, 385–394, 396–421
    CSPM sensor configuration screens, 386–409
    error checks, 421
    identification parameters, 410–411
    internal networks, 412–413
    IP fragment reassembly, 416–417
    log files, 414–416
    packet capture device, 413–414
    pushing new ones to, 420–421
    saving, 166–167, 421
    TCP session reassembly, 417–419
    updating, 166–167, 421
  default gateway, entering, 161–162
  deploying, preparation for, 97–103
  destinations file, viewing, 754
  device management, 465
    configuring, 661–666
    requirements, 465
  enhancements, 625–628
    sensor appliance, 625–628
  entry points, 98
    Internet entry points, 98–99
    intranet entry points, 99
    remote access entry points, 99
  error log files, viewing, 756–757
  installing, 103–111
  interfaces, 97
  logging into, 757–759
  master blocking sensors, 470, 709
  maximum allowable alarms, troubleshooting, 726
  non-sniffing, troubleshooting, 749–757
  packetd process, verifying, 750–751
  packet sniffing, 97
  PDP (policy distribution point), selecting, 166
  placement
    evaluating, 46
    extranets, 104
    intranets, 105
    network function-based placement, 104–105
    perimeter protection, 104
    remote access servers, 105
  platforms, 77–80
  PostOffice identification parameters, entering, 159–161
  previously configured, adding to Director, 561, 563–564
  regular expressions, 236
  remote configuration, Director platforms, 81
  removing from nrConfigure Director, 566
  removing icon from Cisco Secure IDS Home submap, 567
  routing threshold, troubleshooting, 725
  SDM (Sensor Device Manager), 628
  Secure IDS submap installation, verifying, 566
  settings, verifying, 163
  severity status, troubleshooting, 725
  signature templates, 439
    assigning, 442
    creating, 440
    entering, 162–163
  signatures, 231
    advanced configuration, 451, 453, 455
    advanced filtering, 447–449
    applying actions, 433–434
    atomic signatures, 233
    classes, 234–235
    composite signatures, 233
    connection signatures, 434–435, 791–793
    content-based signatures, 232
    context-based signatures, 232
    enabling/disabling, 431–432
    filtering, 444, 447
    general signatures, 780–790
    globally disabling, 761–762
    implementations, 765–776
    implementing, 232–233
    policy violation signatures, 388
    severity, 237–239
    severity levels, viewing, 750
    string signatures, 437–438, 794
    structures, 233, 765–776
    types, 235–237
  stateful sensors, 622
  statistics, resetting, 220
  transparent stateful sensors, 622
  verifying nrConfigure installation, 565
servers, topology analysis, 100
Service Error log files, naming conventions, 739
service packs (IDSM), updating, 517–518
SERVICE signature engines, 629
Service Status window (Event Viewer), 216–218
Service Versions window (Event Viewer), 218
services
  application ID, 718–719
  Cisco Secure IDS, 688–689
    starting, 693
    stopping, 694
    verifying operability, 695
  configuration files, 699–700
  CSPM Director, 691–692
  fault management, related tokens, 713–714
session command, 499
set boot device command, 514
set security acl ip command, 504–505
set span command, 503
set trunk command, 508
severity of signatures, 237
  high-severity, 239
  low-severity, 238
  medium-severity, 239
Severity field (Cisco Secure IDS alarm records), 184
Severity Level field (NSDB Related Vulnerability page), 196
Severity Mapping group box (Event Viewer Preferences window), 213
show config command, 509–510
show configuration command, 513
Show Current Events window (Director), troubleshooting, 726
show errorfile command (IDSM), 523
show ip audit configuration command, 643
show ip audit debug command, 600
show ip audit interface command, 600, 644
show ip audit statistics command, 599
show module command (Catalyst), 520
show port command (Catalyst), 520
show security acl command, 511
show span command, 510–511
Show Status Events in Grid status event, 212
ShunInterfaceCisco token, 708
shunning, enhancements
  version 3.0, 618–620
  version 4.0, 624
Shunning Hosts pop-up window (Event Viewer), 483
Shunning Initialization window, Add Host Wizard, 548
SIG resource record, 354
SIGID master signature parameter, 630
signature engines, 628–629
Signature ID field (Cisco Secure IDS alarm records), 184
signature information fields (Cisco Secure IDS alarm records), 183–184
Signature Parameter Editor, 453
signature templates, 439
  applying to sensor, 442
  assigning to sensors, 442
  configuring
    General tab (CSPM), 428–429
    Signatures tab (CSPM), 429
  creating, 440
  sensors, entering, 162–163
  viewing, 428
Signature Tuning, 451–453
Signature Tuning Parameters Screen (CSPM), 396
signature-based detection, 58–60
signatures, 231, 245, 268. See also ACLs
  actions, configuring, 433–434
  advanced configuration, 451
    Port Mapping, 453, 455
    Signature Tuning, 451, 453
  advanced filtering, 447–449
  atomic, 233, 581
  audit rules, creating, 595, 597–598
  benign, 238
  classes, 234–235
    access class signatures, 235
    denial of service class signatures, 235
    informational class signatures, 234
    reconnaissance class signatures, 234
  composite, 233
  compound, 581
  configuring on Cisco IOS Firewall IDS, 589–592
  connection, 434–435, 617, 791–793
    adding, 435–436
    modifying, 436
  content-based, 232
  context-based, 232
  cross-protocol (6000 Series), 349
    authentication failures, 367–369
    DDoS attacks, 371–374
    DNS attacks, 351–354
    Ident attacks, 366–367
    Loki, 370
    RPC attacks, 355–366
    SATAN attacks, 349–350
  default actions, setting, 594
  definitions, 631
  disabling, 431–432
  excluding, 591–592
  Exploit Signature page (NSDB)
    benign triggers, 192
    implementation, 192
    opening, 191
    recommended alarm level, 192
    signature description, 192
    signature ID, 191
    signature name, 190
    signature structure, 192
    signature type, 192
    subsignature ID, 191
    user notes, 193
    vulnerability, 193
  false positives, 182
  filtering
    advanced, 447–449
    simple, 444, 447
  flood signatures, 633
  general, 780–790
  globally disabling, 590–591, 761–762
  ICMP, 257–268
  implementations, 232–233, 581, 765–776
  IOS Firewall IDS signatures, 797–800
  IP signatures, 245
    bad IP packets, 256–257
    IP fragmentation, 250–256
    IP options, 246–250
  parameters
    engine-specific parameters, 630
    master signature parameters, 630
  policy violation signatures, 378, 388
  severity, 237–239
    defining, 430–431
    high-severity, 239
    low-severity, 238
    medium-severity, 239
    viewing, 750
  signature engines, 628–629
  SPAM, configuring on Cisco IOS Firewall IDS, 589–590
  string, 632, 794
    configuring, 437–438
    creating, 438
  string-matching, 375–378
  structure, 192, 233, 765–776
  Sweep signatures, creating, 631
  TCP signatures
    abnormal TCP packets, 281–283
    applications, 309–315
    FTP attacks, 288–291
    hijack attacks, 307–309
    host sweeps, 277–280
    Legacy Cisco Secure IDS Web attacks, 291–303
    mail attacks, 284–288
    NetBIOS attacks, 303–307
    port scans, 271–277
    SYN flood attacks, 307–309
    traffic records, 269–271
  thresholds, configuring, 616
  tuning, 760–762
  types, 235–237
    ACLs (access control lists), 237
    connection signatures, 236
    general, 235–236
    string signatures, 236
  UDP signatures (4000 Series), 316
    applications, 319–321
    attacks, 318–319
    port scans, 317
    traffic records, 316–317
  user defined signatures, 617, 628–633
  version 3.0 enhancements, 616–618
  version 4.0 enhancements, 623–624
  Web/HTTP signatures (5000 Series), 321
    Web attacks, 322–349
Signatures tab (CSPM), signature template configuration, 429
SigOfFilterName token, 706
SigOfStringMatch token, 704–705
SigOfTcpPacket token, 703–704
SigOfUdpPacket token, 703–704
simple signature filtering, configuring, 444, 447
site-to-site encryption, 41
smid process, verifying on Director, 754, 756
smid.conf file (DupDestination token), 710
SMTP (Simple Mail Transfer Protocol) attacks, 284–288
sniffing packets, 64, 97
snoop command, 150
  Solaris, 752
software
  CSPM
    feature sets, 118–119
    requirements, 121
  IDSM, 516–518
Solaris snoop command, 752
sorting columns in Event Viewer, 207
Source Address field (Cisco Secure IDS alarm records), 182
source information fields (Cisco Secure IDS alarm records), 182
Source Location field (Cisco Secure IDS alarm records), 182
Source Port field (Cisco Secure IDS alarm records), 182
SPAM signature, configuring on Cisco IOS Firewall IDS, 589–590
SPAN feature (Catalyst 6000 IDSM), 490
  limitations, 497
  spanning ports, 496
  spanning VLANs, 496
specifying Never Block Addresses, 478–479
Speech API (SAPI), 122
spoofing attacks, 19
SQL queries, troubleshooting, 732
SQLPlus, troubleshooting, 729
stances on security policies, 38
standalone configurations
  CSPM, 120
  sensors, 106
standalone routers versus MSFC, 492
standard deviation, calculating, 55
start.sh script, 729
starting
  Add Host Wizard, 543
  Cisco Secure IDS daemon, 727
  Cisco Secure IDS services, 693
  CSIDD, 536–538, 540
  HP OpenView NNM, 537
  nrConfigure, 556
state information, packets, 233
stateful sensors, 622
statistical sampling, anomaly detection, 55
statistics, resetting for sensors, 220
Status Events group box (Event Viewer Preferences window), 211
status LED (IDSM), troubleshooting, 519
stopping
  Cisco Secure IDS daemon, 727
  Cisco Secure IDS services, 694
STRING signature engine, 629
string signatures, 236, 632, 794
  configuring, 437–438
  creating, 438
string-matching signatures (8000 Series), 375
  custom, 375
  TCP application signatures, 375–378
structured attacks, 9
  methodical, 15
  patient attacks, 16
  surgical strikes, 15
structure of signatures, 765–776
submaps (Director), 538
Subnet Mask value, configuring, 209
SubSig master signature parameter, 630
subsignature ID, 191
subsignature indicators, 448
SUID file permission bit, 723
support applications, CSPM, 122
surgical strike attacks, 15
suspending alarm display (Event Viewer), 199–200
sweep signature engines, 629
sweep signatures, creating, 631
switches, Catalyst 6000 IDSM, 489–490, 492
  capturing traffic, 495–498
  commands, 509–512
  comparing to traditional platforms, 491
  ports, 493–494
  traffic flow, 494
switch-forwarding path, 490–491
SYN flood attacks, 26
  TCP signatures, 307–309
sysconfig-director script, HTML browser configuration, 558
sysconfig-sensor command, 152–158
sysconfig-sensor script, 150, 410, 540
  exiting, 158
SYSLOG files
  defining for ACL signature administration, 456–457
  reporting to sensors, 650
    general setup, 651–655
    limitations, 650
    network diagram, 651
    required equipment, 650
    troubleshooting tips, 656–657

T

tail command, 81
tail -f command, 753
TAPI/MAPI (CSPM), 122
TCP (Transmission Control Protocol), 73
  application signatures, 375–378
  reassembly, configuring, 417–419
  reset action, 72–74, 433
  traffic records, 269
TCP signatures (3000 Series), 268
  abnormal TCP packets, 281–283
  applications, 309–315
  FTP attacks, 288–291
  hijack attacks, 307–309
  host sweeps, 277–280
  Legacy Cisco Secure IDS Web attacks, 291–303
  mail attacks, 284–288
  NetBIOS attacks, 303–307
  port scans, 271–277
  SYN flood attacks, 307–309
  traffic records, 269–271
tcpdump, 618
TechSmith Screen Capture Codec, CSPM installation, 131
Telephony Application Programming Interface (TAPI), 122
Telnet
  connecting to sensor COM port, 758
  enabling, 466
templates, 439
  assigning to sensors, 442
  configuring
    General tab (CSPM), 428–429
    Signatures tab (CSPM), 429
  creating, 440
  signatures, disabling/enabling, 431–432
temporary exclusions (alarms), 762
testing network security, 43–44
threats to security, 6–7
  ad hoc attacks, 15
  attacker attributes, 7
  distributed attacks, 27, 29
  DoS attacks
    out-of-bounds attacks, 26
  external, 9
  goal setting, 11–12
  host resource starvation attacks, 26
  internal, 9–10
  methodical attacks, 15
  network attack points, 16
    network protocols, 18–19
    network resources, 16–17
  network resource overload, 25
  reconnaissance attacks, 12–13
  slow attacks, 16
  structured, 9
  surgical strike attacks, 15
  unstructured, 7–8
thresholds (signatures), tuning, 616
ThrottleInterval master signature parameter, 630
tiered director hierarchy, 670
  alarm delay limitations, 670
  general setup, 671–675
  network diagram, 670
  required equipment, 670
  troubleshooting tips, 675–678
Time To Block value, configuring, 209
toggling nrConfigure status line, 559
tokens, 699
  DupDestination, 710
  FilenameOfIPLog, 711
  FilenameOfLog, 711
  general signature, 702
  internal network, 701
  MinutesOfAutoLog, 711
  MinutesOfAutoShun, 709
  NameOfPacketDevice, 701
  NetDevice, 708
  NeverShunAddress, 709
  NumberOfSwitchBytes, 711
  NumberOfSwitchMinutes, 711
  RecordOfDataSource, 707
  RecordOfExcludedNetAddress, 707–708
  RecordOfFilterName, 706
  RecordOfStringName, 704–705
  ShunInterfaceCisco, 708
  SigOfFilterName, 706
  SigOfStringMatch, 704–705
  SigOfTcpPacket, 703–704
  SigOfUdpPacket, 703–704
  WatchDogInterval, 713
  WatchDogNumProcessRestarts, 713
  WatchDogProcDeadAlarmLevel, 714
  WatchDogProcTimeOutAlarmLevel, 714
  WatchDogResponseTimeout, 713
tools for hacking
  exploitation tools, 20
    application holes, 23
    authentication compromises, 21–22
    back doors, 24
    compromised trust relationships, 23
    poorly configured services, 22
    protocol weaknesses, 22
  reconnaissance tools, 19–20
Tools menu (CSPM), View Sensor Events command, 178
topology
  analysis, 97
    critical components, 100–101
    entry points, 98, 100
    remote networks, 102
    security policy restrictions, 102–103
    size and complexity issues, 102
  CSPM, adding to, 164–165
TRACEON command, 320
traffic
  capturing, 495
    SPAN feature (IDSM), 496
    VACLs, 497–498
  capturing with IDSM, 490
  extended ACLs, applying to inbound traffic, 464
  manual blocking, 482–483
  overloaded sensors, troubleshooting, 656–657
  packetd process, verifying, 750–751
  patterns, determining, 37
  records
    TCP, 269
    TCP signatures, 269–271
    UDP signatures, 316–317
  security policies, 10–11
  statistics, viewing, 219
  switch-forwarding path, 490–491
  to IDSM line card, 494
  transferring hubs, 101
  VLANs, clearing from IDSM, 507
transient configuration versions, 569–570
  applying, 571
  numbering, 570
  saving, 571
Transmission Control Protocol (TCP). See TCP
transparent stateful sensors, 622
triggers, 248
  benign, 192
  context buffer, viewing, 187, 189
  IDSs (Intrusion Detection Systems), 54
    anomaly detection, 54–58
    misuse detection, 58–60
Trojan horse programs, 17
troubleshooting
  Cisco IOS Firewall IDS, debug commands, 601
  Director
    inability to write to socket, 722
    LD_LIBRARY_PATH variable, 724
    maximum allowable alarms, 726
    overflowing socket buffer, 722
    permissions, 722–723
    semaphore files, 723–724
    sensor alarm logging, 726
    sensor routing threshold, 725
    sensor severity status, 725
    Show Current Events window, 726
  duplicate alarms, 675
  IDSM, status LEDs, 519
  non-sniffing sensors, 749–754, 756–757
  nrConfigure, 733
  Oracle database, 728
    authorization, 731
    installation, 728–729
    JDBC-related error messages, 732
    passwords, 731
    SQLPlus, 729
  RDBMS, SQL queries, 732
  reorganization of corporate networks, 648–650
  sensors, Cisco Secure IDS daemon services, 727
trust relationships, 17
  compromised, 23
  minimizing, 36
tuning signatures
  reducing false-positive occurrences, 759–762
  thresholds, 616
Type parameter (connection signatures), 434–435

U

UDP signatures (4000 Series), 316
  applications, 319–321
  attacks, 318–319
  port scans, 317
  traffic records, 316–317
UNIX, core dumps, 733
Unlimited Licensing, CSPM, 124
unsecured resources, 24
unstructured attacks, ad hoc, 15
unstructured threats, 7–8
untrusted links, defining, 39
updating
  IDSM
    images, 515–516
    partitions, 514–515, 518
    software files, 517–518
  sensor configurations, 166–167, 421
usage estimates, Internet, 98
user accounts, access attacks, 17
user-defined signatures, 617, 628–633
user groups, 54
User Notes field (NSDB Related Vulnerability page), 197
utilities
  cvtnrlog.exe, 692
  IDSM Setup, 499, 501

V

VACL (VLAN ACL) feature
  capturing traffic, 497
  Catalyst 6000 switches, 490
var directory, 698
variable time-to-live attacks, 63
verifying
  Cisco IOS Firewall IDS configuration, 598–601, 643–644
  event detection, 752
  identification parameters on Director, 652
  IDSM configuration, 509–513
  Network Interface Name, 751
  nrConfigure sensor installation, 565
  operability of Director/sensor link, 694
  Oracle database installation, 728–729
  packetd process, 750–751
  Secure IDS submap sensor installation, 566
  security configuration, 46
  sensor/Director communication, 753–754
  smid process on Director, 754, 756
version 3.0 (Cisco IDS), 614–620
  configuration enhancements, 614–615
  enhancements, shunning, 618–620
  installation enhancements, 614–615
  signature enhancements, 616–618
version 4.0 (Cisco IDS), 620–625
  blocking enhancements, 624
  configuration enhancements, 620–622
  installation enhancements, 620–623
  signature enhancements, 623–624
versions
  applying, 571
  deleting, 571–572
  numbering, 570
  saving, 571
viewing
  ACL contents, 511
  alarm fields, 180–184
  blocked IP addresses, 480–481
  collapsed fields in Event Viewer, 201–202
  context buffer, 187, 189
  CSPM database entries, 178
  error log files, 756–757
  log files, 179
  managed network devices, 482
  sensor destinations file, 754
  sensor statistics, 219
  signature severity levels, 750
  signature template, 428
Virtual Private Networks (VPNs). See VPNs
VPNs
  confidentiality, providing, 39–41
  encryption, 39
    host-to-host encryption, 40
    site-to-site encryption, 41
  endpoints, defining, 40–41
VRFY command, 233
Vulnerability Description field (NSDB Related Vulnerability page), 196
Vulnerability ID field (NSDB Related Vulnerability page), 195
Vulnerability Name field (NSDB Related Vulnerability page), 195
vulnerability scanners, troubleshooting false positives, 644–647
vulnerability to attacks
  network attack points, 16
  network protocols, 18–19
  network resources, 16–17
  patching, 41–42
Vulnerability Type field (NSDB Related Vulnerability page), 196

W-Z

war-dialers, 105
WatchDogInterval token, 713
WatchDogNumProcessRestarts token, 713
WatchDogProcDeadAlarmLevel token, 714
WatchDogProcTimeOutAlarmLevel token, 714
WatchDogResponseTimeout token, 713
Web sites, security, 45
Web/HTTP signatures (5000 Series), 321
  Web attacks, 322–349
well-known ports, attacks on, 22
Whack-a-Mole, 24
Windows NT hosts, building, 125–126
wizards
  Add Host Wizard, 541–549
  Add Sensor Wizard, 159–160
write memory command, 653