
CSIDS.book Page 836 Tuesday, September 18, 2001 11:06 AM

INDEX

Symbols & Numerics

/usr/nr/etc/hosts file entries, 714–715
1000 Bad Option List signatures, 248
1000 Series signatures. See IP signatures
10000 Series policy-violation signatures, 378, 388
1001 IP Options-Record Packet Route signatures, 248
1002 IP Options-Timestamp signatures, 248
1003 IP Options-Provide s, c, h, tcc signatures, 249
1004 IP Options-Loose Source Route signatures, 249
1005 IP Options-SATNET ID signatures, 250
1006 IP Options-Strict Source Route, 250
1100 IP Fragment Attack signatures, 252
1101 Unknown IP Protocol signatures, 256
1102 Impossible IP Packet signatures, 257
1103 IP Fragments Overlap signatures, 252
1104 IP Localhost Source Spoof signatures, 257
1200 IP Fragmentation Buffer List signatures, 252
1201 IP Fragment Overlap signatures, 253
1202 IP Fragment Overrun-Datagram Too Long signatures, 253
1203 IP Fragment Overwrite-Data Is Overwritten signatures, 254
1204 IP Fragment Missing Initial Fragment signatures, 254
1205 IP Fragment Too Many Datagrams, 254
1206 IP Fragment Too Small signatures, 255
1207 IP Fragment Too Many Frags signatures, 255
1208 IP Fragment Incomplete Datagram signatures, 255
1220 Jolt2 Fragment Reassembly DoS Attack signatures, 256
2000 ICMP Echo Reply signatures, 258
2000 Series ICMP signatures. See ICMP signatures
2001 ICMP Host Unreachable signatures, 262
2002 ICMP Source Quench signatures, 263
2003 ICMP Redirect signatures, 263
2004 ICMP Echo Request signatures, 259
2005 ICMP Time Exceeded for a Datagram signatures, 264
2006 ICMP Parameter Problem on a Datagram signatures, 264
2007 ICMP Timestamp Request signatures, 259
2008 ICMP Timestamp Reply signatures, 260
2009 ICMP Information Request signatures, 260
2010 ICMP Information Reply signatures, 261
2011 ICMP Address Mask Request signatures, 261
2012 ICMP Address Mask Reply signatures, 261
2100 ICMP Network Sweep with Echo signatures, 265
2101 FTP RETR passwd signature, 376
2101 ICMP Network Sweep with Timestamp signatures, 265
2102 ICMP Network Sweep with Address Mask signatures, 266
2150 Fragmented ICMP Packet signatures, 266
2151 Large ICMP Packet signatures, 267
2152 ICMP Flood signatures, 267
2153 ICMP Smurf Attack signatures, 268
2154 Ping of Death Attack signatures, 268
2301 Telnet IFS=/ signature, 376
2302 Telnet /etc/shadow signatures, 377
2303 Telnet + + signatures, 377
3000 Series TCP signatures. See TCP signatures
3001 TCP Port Sweep signatures, 272
3002 TCP SYN Port Sweep signatures, 272
3003 Fragmented TCP SYN Port Sweep signatures, 273
3005 TCP FIN Port Sweep signatures, 273
3006 Fragmented TCP FIN Port Sweep signatures, 273
3010 TCP High Port Sweep signatures, 274
3011 TCP FIN High Port Sweep signatures, 275
3012 Fragmented TCP FIN High Port Sweep signatures, 275
3015 TCP Null Port Sweep signatures, 275
3016 Fragmented TCP Null Port Sweep signatures, 276
3020 TCP SYN-FIN Port Sweep signatures, 276
3021 Fragmented TCP SYN-FIN Port Sweep signatures, 277
3030 TCP SYN Host Sweep signatures, 278
3031 Fragmented TCP SYN Host Sweep signatures, 278
3032 TCP FIN Host Sweep signatures, 279


3033 Fragmented TCP FIN Host Sweep signatures, 279
3034 TCP NULL Host Sweep signatures, 279
3035 Fragmented TCP NULL Host Sweep signatures, 280
3037 Fragmented TCP SYN-FIN Host Sweep signatures, 280
3038 Fragmented NULL TCP Packet signatures, 281
3039 Fragmented Orphaned FIN Packet signatures, 282
3040 NULL TCP Packet signatures, 282
3041 SYN/FIN Packet signatures, 283
3042 Orphaned FIN Packet signatures, 283
3043 Fragmented SYN/FIN Packet signatures, 283
3045 Queso Sweep signatures, 277
3050 Half-Open SYN Attack signatures, 308
3100 Small Attack signatures, 284
3101 Sendmail Invalid Recipient signatures, 285
3102 Sendmail Invalid Sender signatures, 285
3103 Sendmail Reconnaissance signatures, 285
3104 Archaic Sendmail Attacks signatures, 286
3105 Sendmail Decode Alias signatures, 286
3106 Sendmail SPAM Attack signatures, 286
3107 Majordomo Exec Bug signatures, 287
3108 MIME Overflow Bug signatures, 287
3109 Qmail Length Crash signatures, 288
3150 FTP Remote Command Execution signatures, 288
3151 FTP SYST Command Attempt signatures, 289
3152 FTP CWD ~root Command signatures, 289
3153 FTP Improper Address Specified signatures, 289
3154 FTP Improper Port Specified signatures, 290
3155 FTP RETR Pipe Filename Command Execution signatures, 290
3156 FTP STOR Pipe Filename Command Execution signatures, 290
3157 FTP PASV Port Spoof signatures, 291
3200 WWW Phf Attack signatures, 292
3201 WWW General cgi-bin Attack signatures, 292
3202 WWW .url File Request signatures, 293
3203 WWW .lnk File Requested signatures, 293
3204 WWW .bat File Requested signatures, 294
3205 HTML File Has .url Link signatures, 294
3206 HTML File Has .lnk Link signatures, 294
3207 HTML File Has .bat Link signatures, 295
3208 WWW campas Attack signatures, 295
3209 WWW Glimpse Server Attack signatures, 295
3210 WWW IIS View Source Attack signatures, 296
3211 WWW IIS Hex View Source Attack signatures, 296
3212 WWW NPH-TEST-CGI Attack signatures, 296
3213 WWW TEST-CGI Attack signatures, 297
3214 IIS DOT DOT VIEW Attack signatures, 297
3215 IIS DOT DOT EXECUTE Bug signatures, 297
3216 IIS Dot Dot Crash Attack signatures, 298
3217 WWW php View File Attack signatures, 298
3218 WWW SGI Wrap Attack signatures, 298
3219 WWW PHP Buffer Overflow signatures, 299
3220 IIS Long URL Crash Bug signatures, 299
3221 WWW cgi-viewsource Attack signatures, 299
3222 WWW PHP Log Scripts Read Attack signatures, 299
3223 WWW IRIX cgi-handler Attack signatures, 300
3224 HTTP WebGais signatures, 300
3225 HTTP Gais Websendmail signatures, 300
3226 WWW Webdist Bug signatures, 301
3227 WWW Htmlscript Bug signatures, 301
3228 WWW Performer Bug signatures, 301
3229 Website Win-C Sample Buffer Overflow signatures, 301
3230 Website Uploader signatures, 302
3231 Novell Convert Bug signatures, 302
3232 Finger Attempt signatures, 302
3233 WWW count-cgi Overflow signatures, 303
3250 TCP Hijacking signatures, 308
3251 TCP Hijacking Simplex Mode signatures, 308
3300 NETBIOS OOB Data signatures, 303
3301 NETBIOS Stat signatures, 304
3302 NETBIOS Session Setup Failure signatures, 304
3303 Windows Guest Login signatures, 305
3304 Windows Null Account Name signatures, 305
3305 Windows Password File Access signatures, 305
3306 Windows Registry Access signatures, 306
3307 Windows Redbutton Attack signatures, 306
3308 Windows LSARPC Access signatures, 307
3309 Windows SRVSVC Access signatures, 307
3400 Sun Kill Telnet DoS signatures, 310
3401 Telnet-IFS Match signatures, 310
3405 Finger Bomb signatures, 310
3500 rlogin-froot signatures, 311


3525 IMAP Authenticate Overflow signatures, 311
3526 IMAP Login Buffer Overflow signatures, 311
3530 Cisco Secure ACS Oversized TACACS+ Attack signatures, 312
3540 Cisco Secure ACS CSAdmin Attack signatures, 312
3550 Pop Buffer Overflow signatures, 312
3575 INN Buffer Overflow signatures, 312
3576 INN Control Message Exploit signatures, 313
3600 IOS Telnet Buffer Overflow signatures, 313
3601 IOS Command History Exploit signatures, 313
3602 Cisco IOS Identity signatures, 314
3603 IOS Enable Bypass signatures, 314
3650 SSH RSAREF Buffer Overflow signatures, 314
3990 BackOffice BO2K TCP Non Stealth signatures, 315
3991 BackOffice BO2K TCP Stealth 1 signatures, 315
3992 BackOrifice BO2K TCP Stealth 2 signatures, 315
4000 Series UDP signatures. See UDP signatures
4002 UDP Flood signatures, 318
4050 UDP Bomb signatures, 318
4051 Snork signatures, 319
4052 Chargen DoS signatures, 319
4053 Back Orifice signatures, 320
4054 RIP Trace signatures, 320
4055 BackOrifice BO2K UDP signatures, 320
4100 TFTP Passwd signatures, 321
4150 Ascend Denial of Service signatures, 321
4200 Series Sensing Configuration Screen (CSPM), 389–392
4200 Series sensors, 77
  appliances, 145
    IDS-4210, 148–149
    IDS-4230, 146–147
  bootstrap, configuring, 151–158
  checking, 168–169
  configuration files, pushing to, 167–168
  configuring
    4200 Series Sensing Configuration Screen (CSPM), 389–392
    saving, 166–167
    sysconfig-sensor command, 152–158
    updating, 166–167
  CSPM Director
    adding to, 158–169
    installing within, 145
  default gateway, entering, 161–162
  logon accounts, 149–151
  management access, 149
  PDP (policy distribution point), selecting, 166
  PostOffice identification parameters, entering, 159–161
  settings, verifying, 163
  signature templates, entering, 162–163
4600 IOS UDP Bomb signature, 321
5000 Series Web/HTTP signatures, 321–349
5034 WWW IIS newdsn Attack signature, 324
5035 HTTP cgi HylaFAX Faxsurvey signature, 325
5036 WWW Windows Password File Access Attempt signature, 325
5037 WWW SGI MachineInfo Attack signature, 325
5038 WWW wwwsql File Read Bug signature, 326
5039 WWW Finger Attempt signature, 326
5040 WWW Perl Interpreter Attack signature, 326
5041 WWW anyform Attack signature, 327
5042 WWW CGI Valid Shell Access signature, 327
5043 WWW Cold Fusion Attack signature, 327
5044 WWW Webcom.se Guestbook Attacks signature, 328
5045 WWW xterm Display Attack signature, 328
5046 WWW dumpenv.pl Recon signature, 329
5047 WWW Server Side Include POST Attack signature, 329
5048 WWW IIS BAT EXE Attack signature, 329
5049 WWW IIS Showcode .asp Attack signature, 330
5050 WWW IIS .htr Overflow signature, 330
5051 IIS Double Byte Code Page signature, 330
5052 FrontPage Extensions PWD Open Attempt signature, 331
5053 FrontPage_vti_bin Directory List Attempt signature, 331
5054 WWWBoard Password signature, 331
5055 HTTP Basic Authentication Overflow signature, 331
5056 WWW Cisco IOS % % DoS signature, 332
5057 WWW Sambar Samples signature, 332
5058 WWW info2www Attack signature, 332
5059 WWW Alibaba Attack signature, 333


5060 WWW Excite AT-generate.cgi Access signature, 333

5061 WWW catalog_type.asp Access signature, 333
5062 WWW classifieds.cgi Attack signature, 334
5063 WWW dmblparser.exe Access signature, 334
5064 WWW imagemap.cgi Attack signature, 334
5065 WWW IRIX Infosrch.cgi Attack signature, 334
5066 WWW man.sh Access signature, 335
5067 WWW plusmail Attack signature, 335
5068 WWW formmail.pl Access signature, 335
5069 WWW whois_raw.cgi Attack signature, 336
5070 WWW msacds.dll Access signature, 336
5071 WWW msacds.dll Attack signature, 336
5072 WWW bizdb 1-search Attack signature, 337
5073 WWW EZshopper loadpage.cgi Attack signature, 337
5074 WWW EZshopper search.cgi Attack signature, 337
5075 WWW IIS Virtualized UNC Bug signature, 337
5076 WWW webplus Bug signature, 338
5077 WWW Excite AT-admin.cgi Access signature, 338
5078 WWW Pirahna Password Attack signature, 339
5079 WWW PCCS MySQL Admin Access signature, 339
5080 WWW IBM WebSphere Access signature, 339
5081 WWW WinNT cmd.exe Access signature, 340
5083 WWW Virtual Vision FTP Browser Access signature, 340
5084 WWW Alibaba Attack 2 signature, 340
5085 WWW IIS Source Fragment Access signature, 341
5086 WWW WEBactive Logfile Access signature, 341
5087 WWW Sun Java signature, 341
5088 WWW Akopia MiniVend Access signature, 341
5089 WWW Big Brother Directory Access signature, 342
5090 WWW FrontPage htimage.exe Access signature, 342
5091 WWW Cart32 Remote Admin Access signature, 342
5092 WWW CGI-World Poll It Access signature, 343

5093 WWW PHP-Nuke admin.php3 Access signature, 343

5095 WWW CGI Script Center Account Manager Attack signature, 343

5096 WWW CGI Script Center Subscribe Me Attack signature, 344

5097 WWW FrontPage MS-DOS Device Attack signature, 344

5099 WWW GWScripts News Publisher Access signature, 344

5100 WWW CGI Center Auction Weaver File Access signature, 344

5101 WWW CGI Center Auction Weaver Attack signature, 345

5102 WWW phpPhotoAlbum explorer.php Access signature, 345

5103 WWW SuSE Apache CGI Source Attack signature, 345

5104 WWW YaBB File Access signature, 346
5105 WWW Ranson Johnson mailto.cgi Attack signature, 346
5106 WWW Ranson Johnson multiform.pl Access signature, 346
5107 WWW Mandrake Linux/Perl Access signature, 347
5108 WWW Netgrity Site Minder Access signature, 347
5109 WWW Sambar Beta search.dll Access signature, 347
5110 WWW SuSE Installed Packages Access signature, 348
5111 WWW Solaris Anwerbook2 Access signature, 348
5112 WWW Solaris Answerbook 2 Attack signature, 348
5113 WWW CommuniGate Pro Access signature, 349
5114 WWW IIS Unicode Attack signature, 349
51301 Rlogin IFS=/ signature, 376
51302 Rlogin /etc/shadow signature, 377
51303 Rlogin + + signature, 377
6000 Series cross-protocol signature. See cross-protocol signature
6001 Normal SATAN Probe signature, 350
6002 Heavy SATAN Probe signature, 350
6050 DNS HINFO Request signature, 351
6051 DNS Zone Transfer Request signature, 352


6052 DNS Zone Transfer from High Point signature, 352

6053 DNS Request for All Records signature, 353
6054 DNS Version Request signature, 353
6055 DNS Inverse Query Buffer Overflow signature, 353
6056 BIND NXT Buffer Overflow signature, 354
6057 BIND SIG Buffer Overflow signature, 354
6100 RPC Port Registration signature, 356
6101 RPC Port Unregistration signature, 356
6102 RPC Dump signature, 357
6103 Proxied RPC Request signature, 357
6104 RPC Set Spoof signature, 357
6105 RPC Unset Spoof signature, 358
6110 RPC RSTATD Sweep signature, 358
6111 RPC RUSERSD Sweep signature, 358
6112 RPC NFS Sweep signature, 359
6113 RPC MOUNTD Sweep signature, 359
6114 RPC YPPASSWDD Sweep signature, 359
6115 RPC SELECTION_SVC Sweep signature, 359
6116 RPC REXD Sweep signature, 360
6117 RPC STATUS Sweep signature, 360
6118 RPC ttdb Sweep signature, 360
6150 ypserv Portmap Request signature, 361
6151 ypbind Portmap Request signature, 361
6152 yppasswdd Portmap Request signature, 361
6153 ypupdated Portmap Request signature, 362
6154 ypxfrd Portmap Request signature, 362
6155 mountd Portmap Request signature, 363
6175 rexd Portmap Request signature, 363
6180 rexd Attempt signature, 363
6190 statd Buffer Overflow signature, 364
6191 RPC.tooltalk Buffer overflow signature, 364
6192 RPC mountd Buffer Overflow signature, 364
6193 RPC CMSD Buffer Overflow signature, 364
6194 sadmind RPC Buffer Overview signature, 365
6195 RPC and Buffer Overflow signature, 365
6200 Ident Buffer Overflow signature, 366
6201 Ident Newline signature, 367
6202 Ident Improper Request signature, 367
6250 FTP Authorization Failure signature, 368
6251 Telnet Authorization Failure signature, 368
6252 Rlogin Authorization Failure signature, 369
6253 POP3 Authorization Failure signature, 369
6255 SMB Authorization Failure signature, 369
6300 Loki ICMP Tunneling signature, 370
6302 General Loki ICMP Tunneling signature, 370
6500 RingZero Trojan signature, 366
6501 TFN Client signature, 371
6502 TFN Server Reply signature, 371
6504 Stacheldraht Server Reply signature, 372
6505 Trinoo Client Request signature, 373
6506 Trinoo Server Reply signature, 373
6507 TFN2K Control Traffic signature, 373
6508 mstream Control Traffic signature, 374
8000 Series string-matching signature, 375–378

A

abnormal TCP packets, TCP signatures, 281–283
access
  administrative access, limiting, 36
  anonymous access, reducing, 36
  management access, 4200 Series Sensors, 149
access class signature, 235
access control lists (ACLs). See ACLs (access control lists)
accessing
  sensors, 757–759
  user accounts, 17
accounts
  access attacks, 17
  logon accounts, 4200 Series Sensors, 149–151
  netrangr account, 150
ACLs (access control lists), 237, 464. See also IP blocking
  applying to E1 interface, 660
  applying to external interfaces, 473
  applying to inbound traffic, 464
  applying to internal interfaces, 473
  blocking
    enhancements, 619
    related tokens, 708–709
  contents, displaying, 511
  denied hosts, adding, 656
  IP blocking
    anti-spoofing mechanisms, 466
    at the router, 468–469
    configuring, 474–476
    critical hosts, 467
    default block time, 470
    disabling, 477, 479
    duration of, 468


    entry points, 467
    signature selection, 467
  IP blocking, implementing, 466
  logging policy violations, 653
  placement, 471–473
  signatures, 237
    creating, 455–456
    SYSLOG sources, defining, 456–457
    tokens, 706
actions
  allowed by authorized hosts, 717
  applying to signatures, 433–434
  default, setting, 594
  defining for Cisco IOS Firewall IDS, 582
Actions group box (Event Viewer Preferences window)
  Command Timeout, 208–209
  Subnet Mask, 209
  Time To Block, 209
active Cisco Secure IDS version, displaying, 696
active partition, 514
Active Scripting Pages (ASPs), 339
ad hoc attacks, 15
Add Host Wizard
  Host Type window, 545
  sensors, adding, 541–549
  Shunning Initialization window, 548
  starting, 543
Add Host Wizard (nrConfigure), 561
Add Host Wizard Finished window (nrConfigure), 564
Add Sensor Wizard, 159–160
adding
  Cisco IOS Firewall to Director configuration, 601–602, 604
  comments to configuration files, 700
  communication parameters to Cisco IOS Firewall IDS, 642–643
  configured sensors to Director, 561
    host type selection, 564
    parameters, 563
  connection signatures, 435–436
  denied hosts to ACLs, 656
  hosts to Director configuration, 560–561
  IDSM to CSPM, 513
  secondary Directors, 561
Additional Destinations Configuration Screen (CSPM), 406
address mask requests, 258
addressing, PostOffice protocol, 89
administrative access, limiting, 36
advanced signature configuration, 451
  Port Mapping, 453, 455
  Signature Tuning, 451–453
advanced signature filtering, 447–449
Advisory/Related Information Links field (NSDB Related Vulnerability page), 197
Affected Programs field (NSDB Related Vulnerability page), 196
Affected Systems field (NSDB Related Vulnerability page), 196
agents, 27
alarm event record fields, log files, 741–744
alarms, 468
  benign triggers, 192
  context buffer, viewing, 187, 189
  deleting, 197–198
  destinations, configuring, 716–717
  Director platforms
    displays, 80
    responses, 81
  expansion boundaries, modifying, 204–205
  false positives, 182
    reducing, 759–762
  fields, 180
    Count field, 181
    Destination Information fields, 183
    General Information fields, 181–182
    Signature Information fields, 183–184
    Source Information fields, 182
  forwarding related tokens, 710
  high-severity, 779
  host names, resolving, 184–186
  low-severity, 779
  medium-severity, 779
  notification queue, setting, 588–589
  resuming display (Event Viewer), 199–200
  Severity values, 184
    configuring, 214
  suspending display (Event Viewer), 199–200
  temporary exclusions, 762
AlarmThrottle master signature parameter, 630
Alias field (NSDB Related Vulnerability page), 195


analyzing network topology, 97
  critical components, 100–101
  entry points, 98–100
  remote networks, 102
  security policy restrictions, 102–103
  size and complexity issues, 102
anomaly detection, IDSs (Intrusion Detection Systems), 54–58
  benefits, 56–58
  drawbacks, 57–58
  issues, 56
  neutral networks, 56
  rule-based approach, 55
  statistical sampling, 55
anonymous access, reducing, 36
answers to review questions, 815–835
anti-spoofing mechanisms, 466
appliances, 4200 Series Sensors, 145
  IDS-4210, 148–149
  IDS-4230, 146–147
application holes, 23
Application Name field (Cisco Secure IDS alarm records), 182
application partition, 515
applications
  TCP signatures, 309–315
  UDP signatures, 319–321
apply command, 517
applying
  ACLs
    interface selection, 471–472
    specifying traffic direction, 473
    to E1 interfaces, 660
    to external interfaces, 473
    to inbound traffic, 464
    to internal interfaces, 473
  actions to signatures, 433–434
  audit rules, 595, 597–598
  initial configuration to IDSM, 499
  saved configuration versions, 571
  signature templates to sensors, 442
  signature updates to IDSM, 517
  transient configuration versions, 571
architecture
  Cisco Secure IDS sensors, 687
    nr.fileXferd, 690
    nr.loggerd, 689
    nr.managed, 689
    nr.packetd, 689
    nr.postofficed, 689
    nr.sapd, 689
  CSPM Director, 690
    services, 691–692
archived log files, 740
ARP (Address Resolution Protocol), 19
ASPs (Active Scripting Pages), 339
assigned port numbers, 435
assigning
  command and control port on IDSM, 502
  signature templates to sensors, 442
atomic signatures, 192, 233, 581
ATOMIC.ICMP signature engine, 628
ATOMIC.IPOPTIONS signature engine, 628
ATOMIC.L3.IP signature engine, 628
ATOMIC.TCP signature engine, 628
ATOMIC.UDP signature engine, 629
attacks, 6–7
  ad hoc, 15
  attributes, 7
  common points of, 16
    network protocols, 18–19
    network resources, 16–17
  DoS
    distributed attacks, 27, 29
    host resource starvation, 26
    network resource overload, 24–25
    out-of-bounds, 26
  exploitation tools, 20
    authentication compromises, 21–22
    compromised trust relationships, 23–24
    poorly configured services, 22
    protocol weaknesses, 22
  external threats, 9
  goal setting, 11–12
  ICMP, 266
  internal threats, 9–10
  Internet, usage estimates, 98
  man-in-the-middle, 18
  methodical, 15
  patient, 16
  publishing publicly, 57
  reconnaissance, 12–13
  reconnaissance tools, 19–20
  script kiddies, 7–8


  spoofing, 19
  structured threats, 9
  surgical strikes, 15
  Trojan horses, 17
  UDP signatures, 318–319
  unstructured threats, 7–8
  variable time-to-live attacks, 63
attributes of attackers, 7
audit rules
  configuring on Cisco IOS Firewall IDS, 593–598
  creating, 595–598
  packet auditing process, 593–594
authentication
  administrative access, limiting, 36
  anonymous access, reducing, 36
  common privilege groups, defining, 35–36
  compromising, 21–22
  failures, signatures, 367–369
  improving, 35–36
  one-time passwords, 36
  trust relationships, minimizing, 36
authorization, troubleshooting Oracle database, 731
authorized hosts, 717
automatic monitoring, network security, 43
availability, 11

B

back doors, 24
bandwidth consumption attacks, 24–25
benign signatures, 238
benign triggers, 192
bin directory, 697
blades
  configuring multiple per chassis, 678
  general setup, 680–685
  limitations per IDSM, 678–679
  network diagram, 680
  VACL definition, 680
Blank Left value (Event Viewer), configuring, 209–210
Blank Right value (Event Viewer), configuring, 210
blocking, 661
  ACL enhancements, 619
  Catalyst 5000 RSM, 619
  IDSM, 620
  master blocking sensor, 709
  PIX, 619
  related tokens, 708–709
  sensors, 100
Blocking Configuration Screen (CSPM), 397–400
bootstraps, configuring on 4200 Series sensors, 151–158
boundaries, establishing, 37–39
Boundaries group box (Event Viewer Preferences window), 212
brute-force attacks, 21

C

cable requirements, laptop-to-COM port connections, 758
Cannot write message to Director error, troubleshooting, 722
capturing traffic, 495
  SPAN feature (IDSM), 496
    limitations, 497
    spanning ports, 496
    spanning VLANs, 496
  VACLs, 497
    interesting traffic, 498
    limitations, 498
  with IDSM, 490
case studies
  Cisco IOS Firewall IDS
    general setup, 641–644
    limitations, 639–640
    network diagram, 640
    required equipment, 640
    troubleshooting tips, 644–650
  configuring multiple blades per chassis, 678
    general setup, 680–685
    limitations per IDSM, 678
    network diagram, 679
    required equipment, 679
    VACL definition, 680
  router management, 657
    general setup, 658–666
    limitations, 657
    network diagram, 658
    required equipment, 658


    troubleshooting tips, 666–669
  SYSLOG files, reporting to sensors, 650
    general setup, 651–655
    limitations, 650
    network diagram, 651
    required equipment, 650
    troubleshooting tips, 656–657
  tiered director hierarchy, 670
    alarm delay limitations, 670
    general setup, 671–675
    network diagram, 670
    required equipment, 670
    troubleshooting tips, 675–678
Catalyst 5000 RSM, blocking with, 619
Catalyst 6000 IDSM, 489–490
  blocking with, 620
  commands, 509–512
  comparing to traditional platforms, 491
  disk structure
    active partition, 514
    application partition, 515
    maintenance partition, 515
  ID analysis, configuring, 501–507
    assign command and control port, 502
    clearing unwanted VLAN traffic, 507–509
  images, updating, 515–516
  initialization, 499–501
  ports, 493–494
  requirements, 492
  software files, 516
    updating, 517–518
  traffic flow, 494
  traffic, capturing, 495
    SPAN, 496
    VACLs, 497–498
  verifying configuration, 509–513
Cells group box (Event Viewer Preferences window), 209–210
checking
  configurations, sensors, 168–169
  sensor errors, 421
Cisco IOS Firewall IDS
  actions
    defining, 582
    configurable, 641
  adding to Director configuration, 601–604
  alarm notification queue, setting, 588–589
  audit rules, configuring, 593–598
  configuring
    general setup, 641–644
    limitations, 639–640
    network diagram, 640
    required equipment, 640
    troubleshooting tips, 644–650
  impact on network performance, 580
  initialization, 583–589
  PostOffice parameters, configuring, 584–585
  prospective customers, 578
  protected networks, defining, 587–588
  signatures, 797–800
    configuring, 589–592
    excluding, 591–592
    implementing, 581
    response options, 581
  verifying configuration, 598–601
Cisco Secure Communications Deployment worksheet (CSPM), 124
Cisco Secure IDS, 71
  active version, displaying, 696
  communications deployment worksheet, 803–805
  configuration GUI, 691–692
  configuring, 72–76
  daemon, starting and stopping, 727
  Director platforms, 80–83
  directory structure, 696
    bin directory, 697
    etc directory, 698
    install directory, 696
    var directory, 698
  functions and features, 72–76
  Home submap, removing sensor icon, 567
  IP blocking configuration, 474–476
  log files, naming conventions, 739
  modules, 77–80
  PostOffice protocol, 84
  sensors
    architecture, 687
    blocked addresses, viewing, 480–481
    master blocking sensors, configuring, 479
    Never Block Addresses, configuring, 478–479
    nr.fileXferd, 690
    nr.loggerd, 689


    nr.managed, 689
    nr.packetd, 689
    nr.postofficed, 689
    nr.sapd, 689
    platforms, 77–80
  services
    stopping, 694
    verifying operability, 695
  Signature Engine Supplement, 630
  user-defined signatures, 628–633
  User Guide, 148–149
  version 3.0, 614–620
    configuration enhancements, 614–615
    installation enhancements, 614–615
    shunning enhancements, 618–620
    signatures enhancements, 616–618
  version 4.0, 620–625
    blocking, 624
    configuration, 620–622
    installation, 620–623
    signatures, 623–624

Cisco Secure Intrusion Detection Director (CSIDD). See CSIDD (Cisco Secure Intrusion Detection Director)

Cisco Secure Policy Manager (CSPM). See CSPM
Cisco Secure VPN Client, installing CSPM, 125
Cisco Security Wheel, 34–42
classes, signatures, 234–235
  access class signatures, 235
  denial of service class signatures, 235
  informational class signatures, 234
  reconnaissance class signatures, 234
clear config command, 513
clear ip audit configuration command, 600
clear ip audit statistics command, 600
clear trunk command, 509
clearing unwanted VLAN traffic from IDSM, 507
CLI (command-line interface), Catalyst 6000 switch commands, 509–512
client-server configurations, CSPM, 120
closing
  active log files, 740
  Configuration Library, 572
collapsing columns (Event Viewer), 203–204
  viewing fields, 201–202
Color value (Event Viewer), configuring, 213
columns
  deleting, 205
  expansion boundaries, modifying, 204–205
  moving, 205
  nrConfigure screen display, 558
  selecting for display (Event Viewer), 207
COM port (sensors)
  configuring, 759
  connecting to, 757–759
command and control networks, Cisco Secure IDS deployment, 107
command and control port, Catalyst 6000 IDSM, 494
command event record fields, log files, 744–746
Command Timeout value, configuring, 208–209
commands
  apply, 517
  Catalyst
    reset, 520–521
    show module, 520
    show port, 520
  clear config, 513
  clear ip audit configuration, 600
  clear ip audit statistics, 600
  clear trunk, 509
  commit security acl, 506
  cvtnrlog, 692
  diag, 513
  EXPN sendmail command, 233
  GET command, 293
  grep, 237, 751
  ids-installer, 518
  IDSM, 521
    diag bootresults, 522
    nrconns, 522
    report systemstatus, 522
    show errorfile, 523
  ip audit name, 595
  ip audit po protected, 587
  ip audit po remote, 585
  ip audit signature, 591
  mailx, 732
  more, 754, 756–757
  nrconns, 694, 753
  nrstart, 693, 727
  nrstatus, 695, 750–751, 756
  nrstatus command, 536


  nrstop, 694, 727
  nvers, 696
  ping, 750
  ping -R, 248
  redirect, 692
  session, 499
  session (Catalyst switch), 499
  set boot device, 514
  set security acl ip, 504–505
  set span, 503
  set trunk, 508
  show config, 509–510
  show configuration, 513
  show ip audit configuration, 643
  show ip audit debug, 600
  show ip audit interface, 644
  show ip audit statistics, 599
  show security acl, 511
  show span, 510–511
  snoop, 150
  Solaris, snoop, 752
  sysconfig-sensor, 152–158, 410
  sysconfig-sensor command, 540
    exiting, 158
  tail command, 81
  tail -f, 753
  TRACEON, 320
  VRFY, 233
  write memory, 653
comments, inserting in configuration files, 700
commit security acl command, 506
common privilege groups, defining, 35–36
communication link (Director/sensor), verifying operability, 694, 753–754
communication parameters, adding to Cisco IOS Firewall IDS, 642–643
communications deployment worksheet, Cisco Secure IDS, 803–805
comparing
  Catalyst 6000 IDSM and traditional platforms, 491
  MSFC and standalone routers, 492
composite signatures, 192, 233
compound signatures, 581
confidentiality, 11, 39–41
Configuration File Management Utility
  removing sensors from nrConfigure Director, 566
  starting, 542
configuration files, 699–700
  auths, 717
  comments, inserting, 700
  CSIDD, creating, 535
  daemons, 718
  destinations, 716–717
  hosts, naming convention, 714–715
  intrusion detection, 700
  loggerd.conf, tokens, 710
  nr.postofficed.conf, fault management, 712–714
  reviewing periodically, 45
  routes file, 715–716
  sensors, pushing to, 167–168
  tokens, 699
    DupDestination, 710
    FilenameOfIPLog, 711
    FilenameOfLog, 711
    general signature, 702
    internal network, 701
    MinutesOfAutoLog, 711
    MinutesOfAutoShun, 709
    NameOfPacketDevice, 701
    NetDevice, 708
    NeverShunAddress, 709
    NumberOfSwitchBytes, 711
    NumberOfSwitchMinutes, 711
    RecordOfDataSource, 707
    RecordOfExcludedNetAddress, 707–708
    RecordOfFilterName, 706
    RecordOfStringName, 704–705
    ShunInterfaceCisco, 708
    SigOfFilterName, 706
    SigOfStringMatch, 704–705
    SigOfTcpPacket, 703–704
    SigOfUdpPacket, 703–704
    WatchDogInterval, 713
    WatchDogNumProcessRestarts, 713
    WatchDogProcDeadAlarmLevel, 714
    WatchDogProcTimeOutAlarmLevel, 714
    WatchDogResponseTimeout, 713


Configuration Library
  closing, 572
  opening, 568
  saved versions, applying, 571
  transient versions, 569–571
  versions
    deleting, 571–572
    numbering, 570
    saving, 571

Configuration Management Utilities (nrConfigure), troubleshooting, 733

configuring
  4200 Series Sensors
    bootstrap, 151–158
    sysconfig-sensor command, 152–158
  Catalyst 6000 IDSM
    initialization, 499, 501
  Cisco IOS Firewall IDS
    audit rules, 593–595, 597–598
    general setup, 641–644
    initialization, 583–589
    limitations, 639–640
    network diagram, 640
    PostOffice parameters, 584–585
    required equipment, 640
    signatures, 589–592
    SPAM signatures, 589–590
    troubleshooting tips, 644, 646–650
    verification, 598–601
  CSIDD
    configuration files, 535
    identification parameters, 532–534
    signature responses, 665–666
  CSPM, 119–136
  domain name, 732
  dual-homed Director, 666–669
  Event Viewer
    Blank Left value, 209–210
    Blank Right value, 210
    Color value, 213
    Command Timeout value, 208–209
    Default Expansion value, 212
    Event Batching value, 213
    Icon value, 213
    Maximum Events Per Grid value, 212
    Subnet Mask value, 209
    Time To Block value, 209
  events, destinations, 716–717
  HTML browser, location, 558
  IDSM
    ID analysis, 501–509
    verification, 509–513
  IP blocking, 474
    Never Block Addresses, 478–479
    setting blocking device properties, 475–476
  mail server, 732
  master blocking sensors, 479
  multiple blades per chassis, 678
    general setup, 680–685
    limitations per IDSM, 678
    network diagram, 679
    required equipment, 679
    VACL definition, 680
  nrConfigure, HTML browser, 558
  sensors
    advanced changes, 416–420
    basic changes, 410–414
    checking, 168–169
    CSIDD, 540–549
    COM port settings, 759
    CSPM sensor configuration screens, 386–409
    Director platforms, 81
    error checks, 421
    identification parameters, 410–411
    installing, 105–111
    internal networks, 412–413
    IP fragment reassembly, 416–417
    log files, 414–416
    packet capture devices, 413–414
    pushing new ones to, 420–421
    saving, 166–167, 421
    TCP session reassembly, 417–419
    updating, 166–167, 421
  signatures
    actions, 433–434
    advanced settings, 451–455
    CSPM templates, 428–429
    filtering, 444
    simple signature filtering, 444, 447
    string signatures, 437–438
  TCP reset response, 72–74


connecting laptops/PCs to sensor COM port, 757–759

connection signatures, 236, 434–435, 617, 791–793
  adding, 435–436
  modifying, 436

Connection Status pane (Event Viewer), 214
  Connection Status window, 215–216
  Reset Statistics window, 220
  Sensor Statistics window, 219
  Service Status window, 216–218
  Service Versions window, 218

Connection Status window, 215–216
Consequences field (NSDB Related Vulnerability page), 196
content-based signatures, 192, 232
context buffer, viewing, 187–189
context signatures, 192, 232
core dumps, 733
corporate network reorganization, troubleshooting, 648–650
Count field (Cisco Secure IDS alarm records), 181
Countermeasures field (NSDB Related Vulnerability page), 197
creating
  ACL signatures, 455–456
  advanced filters, 449
  audit rules, 595, 597–598
  signature templates, 440
  string signatures, 438
  VACLs, 504–505
critical hosts, identifying, 467
cross-protocol signatures (6000 Series), 349
  authentication failures, 367–369
  DDoS attacks, 371–374
  DNS attacks, 351–354
  Ident attacks, 366–367
  Loki attacks, 370
  RPC attacks, 355–366
  SATAN attacks, 349–350

CSIDD (Cisco Secure Intrusion Detection Director), 531
  daemons, run verification, 536–537
  Exclude mechanism, 760
  HP Open View NNM
    environment initialization, 537–539
    starting, 537
  installing, 531–535
    configuration files, 535
    identification parameters, 532–534
    install script, 532
    netrangr password, 532–533
    rebooting, 535
  NNM, navigation buttons, 539–540
  sensors
    adding, 541–549
    configuring, 540–549
  signatures responses, configuring, 665–666, 760–762
  starting, 536–540
  submaps, 538
  verifying smid process, 756

CSPM (Cisco Secure Policy Manager), 81, 117
  4200 Series Sensors
    adding to Director, 158–169
    installing, 145
  Cisco Secure Communications Deployment worksheet, 124
  Cisco Secure VPN Client, installing on, 125
  database
    alarms, removing, 197–198
      rows, deleting, 199
    entries, viewing, 178
  Director platform
    adding sensors to, 158–169
    architecture, 690
    operating as, 81–82
    services, 691–692
    smid process, verifying, 755
  General tab, signature configuration, 428–429
  hosts
    adding to topology, 164–165
    resolving names, 186
  identification parameters, verifying, 659
  installing
    account information, 129
    basic settings, 129
    configuring, 119–121
    finalization, 134–136
    license acceptance, 126–127
    modes, 127–130
    PostOffice protocol, 132–135
    requirements, 121–124
    settings, 124–136
  licensing options, 123–124


  logging on, 136
  manual blocking operations, 482–483
  sensor configuration screens, 386–409
    4200 Series Sensing Configuration Screen, 389–392
    Blocking Configuration Screen, 397–400
    Filtering Configuration Screen, 400–403
    IDSM Sensing Configuration Screen, 392–397
    Logging Configuration Screen, 402–406
    Sensor Command Configuration Screen, 406–409
    Sensor Internal Networks Configuration Screen, 389
    Sensor Monitoring Configuration Screen, 388
    Sensor Properties Configuration Screen, 387
  sensors, configuring within, 385–421
  service versions, obtaining, 218
  signatures
    filtering, 760
    templates, creating, 440
    viewing properties, 430–431
  Signatures tab, 429
  software feature sets, 118–119
  starter videos, 137–139
  starting, 136–139
  string signatures, creating, 438
  support applications, 122
  TechSmith Screen Capture Codec, installing, 131
  Tools menu, View Sensor Events command, 178
  Windows NT 4.0 hosts, building, 125–126
CSPM Event Viewer. See Event Viewer
customizing Event Viewer, view settings, 207
cvtnrlog.exe, 692

D
Daemon Versions window (Event Viewer), 218
daemons
  application ID, 718–719
  configuration files, 699–700
  fault management, related tokens, 713–714
  operability, verifying, 536–537
data integrity, 11
data sources, public, 12
databases
  Cisco Secure IDS alarm records, fields, 181
  CSPM, removing alarms, 197–198
  NSDB
    Exploit Signature page, 190–193
    opening, 189
    Related Vulnerability page, 194–197
  Oracle database instance name, changing, 730
  troubleshooting, 728–729
DDoS (distributed denial-of-service) attacks, 27
  signatures, 371–374
default actions, signature configuration, 594
default block time, 470
Default Expansion value (Event Viewer), configuring, 212
Default signature template, 428
defining
  common privilege groups, 35–36
  endpoints, 40–41
  interesting traffic, 498
  protected networks, 587–588
  security zones, 38
  signature severity, 430–431
  SYSLOG sources for ACL signature monitoring, 456–457
  untrusted links, 39
Delete Selected Rows button (Event Viewer), 199
deleting
  alarms, 197–198
  columns in Event Viewer, 205
  saved configuration versions, 571–572
  sensors from nrConfigure Director, 566
denial-of-service attacks
  anti-spoofing mechanisms, 466
  class signatures, 235


denied hosts, adding to ACLs, 656
deploying sensors
  installation, 103–111
  preparation, 97–103
Description column (nrConfigure screen display), 558
Destination Address field (Cisco Secure IDS alarm records), 183
Destination Information fields (Cisco Secure IDS alarm records), 183
Destination Location field (Cisco Secure IDS alarm records), 183
Destination Port field (Cisco Secure IDS alarm records), 183
destinations file, 716–717
  viewing, 754
Details field (Cisco Secure IDS alarm records), 184
device management
  requirements, 465
  sensors, 100, 107
devices
  blocking devices, configuring identification parameters, 475
  hosts
    /usr/nr/etc/hosts file entries, 714–715
    IP address configuration, 715–716
    names, resolving, 184–186
  managed network devices, viewing, 482
  MSFC versus standalone router, 492
diag bootresults command (IDSM), 522
diag command, 513
Diagnostics mode (IDSM)
  commands, 521
    diag bootresults, 522
    nrconns, 522
    report system status, 522
    show errorfile, 523
  enabling on IDSM, 513
dialog boxes, Sensor Identification, 159
dictionary password crackers, 21
Director platforms, 80–83
  alarms
    displays, 80
    responses, 81
  Cisco Secure IDS Director for UNIX, 82
  communication with sensors, verifying, 753–754
  compared, 83
  CSIDD. See CSIDD
  CSPM, 159
    adding sensors to, 158–169
    architecture, 690
    operating as, 81–82
    services, 691–692
    smid process, verifying, 755
  error log files, viewing, 756–757
  features, 80
  forwarding alarms, related tokens, 710
  hosts, adding to configuration, 560–561
  inability to write to socket, troubleshooting, 722
  LD_LIBRARY_PATH variable, troubleshooting, 724
  overflowing socket buffer, troubleshooting, 722
  permissions, troubleshooting, 722–723
  secondary, adding, 561
  semaphore files, troubleshooting, 723–724
  sensors
    4200 Series Sensors, adding to, 158–169
    logging, 726
    maximum allowable alarms, 726
    remote configuration, 81
    routing threshold, 725
    severity status, 725
  Show Current Events window, troubleshooting, 726
directory structure (Cisco Secure IDS)
  bin directory, 697
  etc directory, 698
  install directory, 696
  var directory, 698
Disable alarm level, 779
disabling
  debugging commands, 601
  IP blocking, 477–479
  signatures, 431–432, 761–762
disk structure (IDSM)
  active partition, 514
  application partition, 515
  maintenance partition, 515
Display Popup Window status event, 212
displaying
  ACL contents, 511
  active Cisco Secure IDS version, 696
  blocked IP addresses, 480–481


  context buffer, 187–189
  log files, 179
  managed network devices, 482
  selected columns (Event Viewer), 207
  signature template, 428
distributed attacks, 27, 29
distributed configurations, CSPM, 120
distributed denial-of-service (DDoS) attacks, 27, 371–374
DNS (Domain Name System), 13
  attack signatures, 351–354
  cache poisoning, 23
  host name resolution, 186
documentation, security policies, 10–11
domain name, configuring, 732
Domain Name System (DNS). See DNS
DOS (Disk Operating System), FAT (File Allocation Table), 121
DoS (denial-of-service) attacks
  distributed attacks, 27–29
  host resource starvation, 26
  network resource overload, 24–25
  out-of-bounds, 26
dual-homed Director, configuring, 666–669
dual-tier signature response, 649–650
DupDestination token, 710
duplicate alarms, troubleshooting, 675
duration of IP blocking time, selecting, 468

E
E1 interface, applying ACLs, 660
echo requests, 258
EDI (Event Database Interface), 691
eliminating false positives from vulnerability scanner alarms, 645–647
enabling
  Diagnostic mode on IDSM, 513
  Promiscuous mode on sniffing interface, 752
  signatures, 431–432
  Telnet, 466
encryption
  host-to-host encryption, 40
  site-to-site encryption, 41
  VPNs, 39
endpoints, defining, 40–41
engine-specific parameters, signatures, 630
enhancements
  Cisco Secure IDS
    version 3.0, 614–620
    version 4.0, 620–625
  sensors, 625–628
  version 3.0
    configuration, 614–615
    installation, 614–615
    shunning, 618, 620
    signatures, 616–618
  version 4.0
    blocking, 624
    configuration, 620–622
    installation, 620–623
    signatures, 623–624
entry points (networks)
  IP blocking, 467
  protecting with master blocking sensors, 470
  sensors, 98–99
environment variables, adding ORACLE_HOME to LD_LIBRARY_PATH, 730
error log files, viewing, 756–757
errors
  ICMP messages, 262
  sensors, checking for, 168–169, 421
/etc directory, 698
evaluating
  sensors, placement of, 46
  professional security, 44
Event Batching value (Event Viewer), configuring, 213
event horizons, misuse detection, 60
Event Severity Indicator group box (Event Viewer Preferences window), 213
Event Viewer
  alarms
    collapsing columns, 203–204
    deleting, 197–198
    expanding collapsed columns, 201–202
  blocked addresses, viewing, 480–481
  columns
    deleting, 205
    moving, 205
    selecting for display, 207
  Connection Status pane, 214
    Connection Status Window, 215–216


    Reset Statistics Window, 220
    Sensor Statistics Window, 219
    Service Status Window, 216–218
    Service Versions Window, 218
  Delete Selected Rows button, 199
  field expansion boundaries, modifying, 204–205
  log files, viewing, 179
  opening, 178
  Preferences window
    Actions group box, 208–209
    Boundaries group box, 212
    Cells group box, 209–210
    Event Severity Indicator group box, 213
    Severity Mapping group box, 213
    Status Events group box, 211
  resuming alarm display, 199–200
  Shunning Hosts window, 483
  suspending alarm display, 199–200
events
  destinations, configuring, 716–717
  detection, verifying, 752
  log files, 740–746
  record fields
    alarm event record fields, 741–744
    command event record fields, 744–746
EVS (Event Viewing System), 691
Exclude mechanisms, 760
excluding
  false-positive alarms, 759–762
  signatures, 591–592
exclusion stance, security policies, 38
exiting sysconfig-sensor script, 158
expanding collapsed columns
  all columns, 202
  single column, 201
expansion boundaries, modifying, 204–205
Exploit Links field (NSDB Related Vulnerability page), 197
Exploit Signature page (NSDB), 190–191
  benign triggers, 192
  implementation, 192
  recommended alarm level, 192
  signature description, 192
  signature ID, 191
  signature name, 190
  signature structure, 192
  signature type, 192
  subsignature ID, 191
  user notes, 193
  vulnerability, 193
Exploit Type field (NSDB Related Vulnerability page), 196
exploitation tools, 20
  application holes, 23
  authentication compromises, 21–22
  back doors, 24
  compromised trust relationships, 23
  poorly configured services, 22
  protocol weaknesses, 22
EXPN sendmail command, 233
extended ACLs, 464
external interfaces, applying ACLs, 473
external threats, 9
extranets, sensor placement, 104

F
false negatives, 58, 394
false positives, 182, 394
  benign triggers, 192
  eliminating from vulnerability scanner alarms, 645–647
  excluding, 759–762
  IDSs (Intrusion Detection Systems), 55
FAT (File Allocation Table), 121
fault management, related tokens, 712–714
fault tolerance, assigning multiple IP addresses per host, 715–716
features of Catalyst 6000 IDSM, comparing to traditional platforms, 491
fields
  Cisco Secure IDS alarm records
    collapsing, 203–204
    Count field, 181
    destination information fields, 183
    expansion boundaries, modifying, 204–205
    general information fields, 181–182
    signature information fields, 183–184
    source information fields, 182
    viewing, 180
  event record fields, 740–746


    alarm event record fields, 741–744
    command event record fields, 744–746
File Allocation Table (FAT), 121
FilenameOfIPLog token, 711
FilenameOfLog token, 711
files, core dumps, 733
Filtering Configuration Screen (CSPM), 400–403
filtering signatures, 760
  simple signature filtering, 444, 447
  advanced signature filtering, 447–449
finalization, CSPM installation, 134–136
firewall sandwich configuration, sensors, 108
firewalls, 37
  IOS Firewall IDS signatures, 797–800
Fix/Upgrade/Patch field (NSDB Related Vulnerability page), 197
FLOOD signature engines, 629, 633
formats of IP session logs, 618
forwarding alarms, related tokens, 710
fragmentation, 391
  IP signatures, 250–256
FTP attacks, TCP signatures, 288–291
FTP transfer, related tokens, 711
functionality of nrConfigure, 556

G
gateways, entering sensors, 161–162
general information fields (Cisco Secure IDS alarm records), 181–182
general signature token, 702
general signatures, 780–790
General tab (CSPM), signature template configuration, 428–429
GET command, 293
gigabit IDSM, 627
globally disabling signatures, 590–591, 761–762
goal setting for attacks, 11–12
grep command, 237, 751
groups
  common privilege groups, defining, 35–36
  users, 54

H
hacking tools
  exploitation tools, 20
    application holes, 23
    authentication compromises, 21–22
    back doors, 24
    compromised trust relationships, 23–24
    poorly configured services, 22
    protocol weaknesses, 22
  reconnaissance tools, 19–20
  script kiddies, 7–8
  user attributes, 7
handlers, 27
hardware
  CSPM requirements, 123
  installing RUs (rack units), 146
hiding nrConfigure status line, 559
hierarchical director design, 670
  alarm delay limitations, 670
  general setup, 671–675
  network diagram, 670
  required equipment, 670
  troubleshooting tips, 675–678
high ports versus low ports, 274
High-severity alarms, 779
  signatures, 239
hijack attacks, TCP signatures, 307–309
host names
  PostOffice protocol, 88
  resolving, 184–186
host sweeps, TCP signatures, 277–280
Host Type window, Add Host Wizard, 545
host-based IDSs, 61
  benefits, 62–63
  drawbacks, 62–63
hosts
  /usr/nr/etc/hosts file entries, 714–715
  authorized, 717
  compromised trust relationships, 23
  CSPM, adding to topology, 164–165
  excluding from alarm reporting, 760
  inclusions, 618
  IP address configuration, 715–716
  manual blocking operations, 483
  population estimates, 98
  secondary Directors, adding, 561


  Windows NT 4.0 hosts, building, 125–126
host-to-host encryption, 40
HP Open View Network Node Manager (NNM). See NNM (Network Node Manager)
HTML browser, configuring, 558
HTTP/Web signatures, 321–349
hubs, 101, 490
hybrid IDSs, 66

I
ICMP (Internet Control Message Protocol), 13, 257
  attacks, 266
  echo requests, 13
  error messages, 262
  ping sweeps, 264
  query messages, 258
  signatures, 257–268
Icon value (Event Viewer), configuring, 213
ID analysis, IDSM configuration, 501–507
  assigning command and control port, 502
  clearing unwanted VLAN traffic, 507–509
Ident protocol, attack signatures, 366–367
identification parameters
  CSIDD, configuring, 532–534
  sensors, 410–411
  verifying on Director, 652
identifiers, PostOffice protocol, 87–89
identifying critical hosts, 467
IDS Module (IDSM). See IDSM (IDS Module)
IDS-4210 appliance, 4200 Series Sensors, 78, 148–149
IDS-4230 appliance, 4200 Series Sensors, 78, 146–147
ids-installer command, 518
IDSM (IDS Module), 79, 489–490, 620
  adding to CSPM, 513
  blades, configuring multiple per chassis, 678
    general setup, 680–685
    limitations, 678–679
    network diagram, 680
    VACL definition, 680
  blocking with, 620
  clearing unwanted VLAN traffic, 507
  Diagnostic mode
    commands, 521–523
    enabling, 513
  disk structure
    active partition, 514
    application partition, 515
    maintenance partition, 515
  images, updating, 515–516
  initializing, 499–501
  monitoring port, configuring as destination port, 503–505
  oversubscription, preventing, 682
  partitions, updating, 518
  ports, 493–494
  removing configuration, 513
  requirements, 492
  software files, 516
    updating, 517–518
  status LEDs, troubleshooting, 519
  traffic, capturing, 490, 494–495
    SPAN, 496
    VACLs, 497–498
  verifying configuration, 509–513
IDSM Sensing Configuration Screen (CSPM), 392–397
IDSM Setup utility, 499–501
IDSs (Intrusion Detection Systems), 53
  Cisco Secure IDS
    configuring, 72–76
    functions and features, 72–76
  false negatives, 58
  host-based IDSs, 61
    benefits, 62–63
    drawbacks, 62–63
  hybrid IDSs, 66
  locations, monitoring, 61–66
  network-based IDSs, 63–65
    benefits, 65
    drawbacks, 65–66
  training preparation, 57
  triggers, 54
    anomaly detection, 54–58
    misuse detection, 58–60
implementing
  IP blocking, 466
  signatures on Cisco IOS Firewall IDS, 581
improving network security, 44–46


inclusion stance, security policies, 38
inclusions, hosts, 618
informational class signatures, 234
infrastructure, topology analysis, 101
initializing
  Cisco IOS Firewall IDS, 583–589
  HP Open View NNM environment, 537–539
  IDSM, 499, 501
inserting comments in configuration files, 700
install directory, 696
installation
  CSIDD, 531–535
    configuration files, 535
    Director script, running, 532
    identification parameters, 532–534
    install script, 532
    netrangr password, 532–533
    rebooting, 535
  CSPM
    4200 Series Sensors, 145
    account information, 129
    basic settings, 129
    Cisco Secure VPN Client, 125
    configuring, 119–121
    finalization, 134–136
    license acceptance, 126–127
    modes, 127–130
    PostOffice protocol, 132–135
    requirements, 121–124
    settings, 124–136
    TechSmith Screen Capture Codec, 131
  RUs (rack units), 146
  sensors, 103–111
  version 3.0 enhancements, 614–615
  version 4.0 enhancements, 620–622
installed sensors, adding to Director configuration, 560
integrity of data, 11
interesting traffic, defining, 498
interfaces
  ACL placement, 472–473
  external, applying ACLs, 473
  internal, applying ACLs, 473
  Promiscuous mode, enabling, 752
  sensors, 97
internal networks
  sensors, configuring, 412–413
  token, 701
internal threats, 9–10
Internet Control Message Protocol (ICMP). See ICMP
Internet
  usage estimates, 98
  entry points, sensors, 98–99
Internet Protocol Security Architecture (IPSec), IP layer security, 110
intranets, sensors
  entry points, 99
  placement, 105
intrusion detection, configuration files, 700
Intrusion Detection Systems (IDSs). See IDSs (Intrusion Detection Systems)
IOS Firewall IDS signatures, 797–800
IP addressing. See also IP blocking
  ARP, 19
  DNS, 13
  Never Block Addresses, specifying, 478–479
ip audit name command, 595
ip audit po protected command, 587
ip audit po remote command, 585
ip audit signature command, 591
IP blocking, 76, 463–464
  anti-spoofing mechanisms, 466
  at the router, 468–469
  configuring, 474–476
  critical hosts, 467
  default block time, 470
  disabling, 477–479
  duration of, 468
  entry points, 467
  implementing, 466
  manual blocking operations, 482–483
  removing blocked hosts/networks, 483–484
  signature selection, 467
  viewing blocked addresses, 480–481
IP fragments, configuring reassembly, 416–417
IP layer security (IPSec), 110
IP log files
  formats, 618
  naming conventions, 738
  response actions, 76, 433


IP signatures (1000 Series signatures), 245
  bad IP packets, 256–257
  IP fragmentation, 250–256
  IP options, 246–250
IPSec (Internet Protocol Security Architecture), IP layer security, 110
IDSM, gigabit IDSM, 627

J-L
Java Server Pages (JSPs), 339
laptops, connecting to sensors, 757–759
Last Modified column (nrConfigure screen display), 558
LD_LIBRARY_PATH environment variable, adding ORACLE_HOME/lib, 730
LD_LIBRARY_PATH variable, troubleshooting, 724
Legacy Cisco Secure IDS Web attacks, TCP signatures, 291–303
Level field (Cisco Secure IDS alarm records), 184
levels, logging, 737–738
licensing CSPM, 123–124
  acceptance, 126–127
limitations
  of SPAN, 497
  of VACLs, 498
limiting access, 36
line cards
  Catalyst 6000 IDSM, comparing to appliance, 491
  IDSM, 489–490
    adding to CSPM, 513
    blades, configuring multiple per chassis, 678–685
    capturing traffic, 490
    Diagnostic mode, enabling, 513
    disk structure, 514–515
    ID analysis configuration, 501–509
    images, updating, 515–516
    initializing, 499, 501
    monitoring port, configuring as destination port, 503–505
    partitions, updating, 518
    ports, 493–494
    removing configuration, 513
    requirements, 492
    software files, 516–518
    traffic flow, 494
    verifying configuration, 509–513
links, defining untrusted, 39
Lite Licensing, CSPM, 124
Local Date field (Cisco Secure IDS alarm records), 181
Local Time field (Cisco Secure IDS alarm records), 181
location of HTML browser, selecting, 558
log files, 737
  active log files, closing, 740
  archived log files, 740
  automatic FTP transfers, configuring, 415
  Cisco Secure IDS log files, naming conventions, 739
  error log files, viewing, 756–757
  event detection, verifying, 752
  event record fields, 740–746
    alarm event fields, 741–744
    command event fields, 744–746
  IP log files
    formats, 618
    naming conventions, 738
  locations, 740
  logging levels, 737–738
  naming conventions, 738–739
  sensors
    configuring, 414–416
    generating, 414
  Service Error log files, naming conventions, 739
  viewing, 179
loggerd.conf file, tokens, 711
logging
  levels, 737–738
  policy violations on ACLs, 653
  related tokens, 710
  troubleshooting, 726
Logging Configuration Screen (CSPM), 402–406
logons
  4200 Series Sensors, 149–151
  access attacks, 17
  CSPM, 136
  sensors, 757–759


Loki attack signatures, 370
low ports, versus high ports, 274
low-severity alarms, 779
low-severity signatures, 238

M
mail attacks, TCP signatures, 284–288
mail server, configuring, 732
mailing lists, security, 45
mailx command, 732
maintenance partition, 515
managed network devices, viewing, 482
managed.conf file
  DupDestination token, 709
  MinutesOfAutoShun token, 709
  NetDevice token, 708
  NeverShunAddress token, 709
  ShunInterfaceCisco token, 709
management access, 4200 Series Sensors, 149
managing routers, 657
  general setup, 658–666
  limitations, 657
  network diagram, 658
  required equipment, 658
  troubleshooting tips, 666–669
man-in-the-middle attacks, 18
manual IP blocking operations, 482–483
manual monitoring, network security, 42
MAPI (Messaging API), 122
master blocking sensor, 470, 709
Master Blocking Sensor Configuration Screen (CSPM), 400, 479
master Director, adding additional secondary Directors, 561
master signature parameters, 630
maximum allowable alarms, 726
Maximum Events Per Grid value (Event Viewer), configuring, 212
maximum transmission units, 250, 391
MaxInspectLength master signature parameter, 630
MCI (Media Control Interface), 122
Media Control Interface (MCI), 122
Medium severity alarms, 779
medium-severity signatures, 239
messages, propagating through tiered Director hierarchy, 670–675
Messaging API (MAPI), 122
methodologies for attacks
  ad hoc attacks, 15
  methodical attacks, 15
  patient attacks, 16
  surgical strikes, 15
Microsoft Active Scripting Pages (ASPs), 339
Microsoft Internet Explorer 5.x, CSPM, 122
MinHits master signature parameter, 630
minimizing trust relationships, 36
MinutesOfAutoLog token, 711
MinutesOfAutoShun token, 709
misuse detection, IDSs (Intrusion Detection Systems), 58–60
  benefits, 59
  drawbacks, 59–60
  event horizons, 60
modifying
  connection signatures, 436
  database instance name, 730
  field expansion boundaries, 204–205
  Port Mapping configuration, 454–455
modules, platforms, 77–80
monitoring
  locations, IDSs (Intrusion Detection Systems), 61–66
  security, 42–45
monitoring port, Catalyst 6000 IDSM, 494
  configuring as destination port, 503–505
  VACLs, building, 504–505
more command, 754–757
MSFC, comparing to standalone routers, 492
MTUs (maximum transmission units), 250, 391

N
Name field (Cisco Secure IDS alarm records), 181
NameOfPacketDevice token, 701
naming conventions
  hosts, 714–715
  log files, 738–739
  organizations, 714–715
navigation buttons, HP OpenView NNM, 539–540
NetBIOS attacks, TCP signatures, 303–307


NetDevice token, 708
netrangr account, 150, 532–533
network function-based placement, sensors, 104–105
Network Interface Name, verifying, 751
Network Node Manager (NNM). See NNM (Network Node Manager)
Network Topology tree (NTT), 82
network-based IDSs, 63–65
  benefits, 65
  drawbacks, 65–66
networks
  attack points, 16
    protocols, 18–19
    resources, 16–17
  resources
    starvation attacks, 26
    unsecured, 24
  security
    monitoring, 42
    Security Wheel, 34–42
    testing, 43–44
  topology analysis, 97
    critical components, 100–101
    entry points, 98–100
    remote networks, 102
    security policy restrictions, 102–103
    size and complexity issues, 102
neutral networks, anomaly detection, 56
Never Block Addresses, specifying, 478–479
NeverShunAddress token, 709
newly installed sensors, adding to Director configuration, 560
NNM (Network Node Manager), 531
  environment initialization, 537–539
  navigation buttons, 539–540
  starting, 537
non-sniffing sensors, troubleshooting, 749–757
nr.fileXferd.conf, 690
nr.loggerd.conf, 689
nr.managed.conf, 689
nr.packetd.conf, 689
nr.postofficed.conf, 689
nr.postofficed service (CSPM Director), 691
nr.postofficed.conf, fault management, 712–714
nr.sapd.conf, 689
nr.smid service (CSPM Director), 691
nrConfigure
  Add Host Wizard, 561
  Add Host Wizard Finished window, 564
  configured sensors, adding to Director, 561–564
  functionality, 556
  HP-UX performance, troubleshooting, 733
  HTML browser
    configuring, 558
    selecting location, 558
  screen display, 556
    columns, 558
    hiding status line, 559
  sensors
    removing, 566
    verifying installation, 565
  starting, 556
  troubleshooting, 733
nrconns command, 522, 694, 753
nrstart command, 693, 727
nrstatus command, 536, 695, 750–751, 756
nrstop command, 694, 727
NSDB (Network Security Database)
  Exploit Signature page, 190–191
    benign triggers, 192
    implementation, 192
    recommended alarm level, 192
    signature description, 192
    signature ID, 191
    signature name, 190
    signature structure, 192
    signature type, 192
    subsignature ID, 191
    user notes, 193
    vulnerability, 193
  HTML browser configuration, 733
  opening, 189
  Related Vulnerability page, 194
    Advisory/Related Information Links field, 197
    Affected Programs field, 196
    Affected Systems field, 196
    Alias field, 195
    Consequences field, 196
    Countermeasures field, 197
    Exploit Links field, 197
    Exploit Type field, 196


    Fix/Upgrade/Patch Links field, 197
    Severity Level field, 196
    User Notes field, 197
    Vulnerability Description field, 196
    Vulnerability ID field, 195
    Vulnerability Name field, 195
    Vulnerability Type field, 196
NTT (Network Topology tree), 82
numbering configuration versions, 570
NumberOfSwitchBytes token, 711
NumberOfSwitchMinutes token, 711
nvers command, 696
NXT resource record, 354

O
obtaining CSPM service versions, 218
one-time passwords, 36
online help, browser configuration, 733
opening
  Configuration Library, 568
  Event Viewer, 178
  NSDB, 189
operating system requirements for CSPM, 121
options, IP signatures, 246, 248–250
Oracle database
  instance name, modifying, 730
  troubleshooting, 728
    authorization, 731
    installation, 728–729
    JDBC-related error messages, 732
    SQLPlus, 729
    TNS error message, 731
    USER/PASSWORD error message, troubleshooting, 731
Organization Name field (Cisco Secure IDS alarm records), 182
organization names
  naming conventions, 714–715
  PostOffice protocol, 88–89
Organization/Host column (nrConfigure screen display), 558
organizations file, 714
orphaned FIN packets, 282
out-of-bounds attacks, 26
output fields
  show config command, searching, 510
  show span command, 511
overflowing socket buffer, troubleshooting, 722
oversubscription, preventing on IDSMs, 682

P
packet auditing process, 593–594
packet capture device, sensor configuration, 413–414
packet payload, 232
packetd process, verifying, 750–751
packetd.conf file
  MinutesOfAutoLog token, 711
  NameOfPacketDevice token, 701
  RecordOfDataSource token, 707
  RecordOfExcludedNetAddress token, 707–708
  RecordOfFilterNameName token, 706–707
  RecordOfInternalAddress token, 702
  RecordOfStringName token, 704–705
  SigOfFilterNameName token, 706
  SigOfGeneral token, 702
  SigOfStringName token, 704–705
  SigOfTcpPacket token, 703
  SigOfUdpPacket token, 703–704
packets
  bad IP packet signatures, 256–257
  ICMP echo requests, 13
  orphaned FIN packets, 282
  packet payload, 232
  sniffing, 64, 97
  spoofing, 19
  state information, 233
  switch-forwarding path, 490–491
  TTL value, 62
parameters
  apply command, 517
  cvtnrlog command, 692
  IDSM-specific, 501
  ip audit name command, 597
  PostOffice, 584–586
  report systemstatus command (IDSM), 522
  reset command (Catalyst), 520–521
  set security acl ip command, 505
  set trunk command, 508


  show errorfile command (IDSM), 523
  show module command (Catalyst), 520
  show port command (Catalyst), 520
  show security acl command, 512
  show span command, 510–511
  signatures
    engine-specific parameters, 630
    master signature parameters, 630
  tokens, 699
partitions (IDSM), updating, 518
passwords
  crackers, 21
  netrangr password, setting, 532–533
  one-time, 36
  Oracle database, troubleshooting, 731
  telnetting to sensor COM port, 758
patient attacks, 16
patterns of traffic, determining, 37
PCs, connecting to sensors, 757–759
PDP (policy distribution point), 409
  sensor selection, 166
PEPs (policy enforcement points), 167–168
perimeter protection, sensor placement, 104
perimeter routers, 98
permissions, troubleshooting, 722–723
ping command, 750
Ping of Death attack, 26
ping sweeps, 13
  ICMP, 264
ping -R command, 248
pings, 13
PIX, blocking with, 619
placement
  of sensors
    evaluating, 46
    extranets, 104
    intranets, 105
    network function-based placement, 104–105
    perimeter protection, 104
    remote access servers, 105
  of ACLs, 471–473
platforms
  modules, 77–80
  sensors, 77–80
policies (security). See security policies
policy distribution point (PDP), 166, 409
policy enforcement points (PEPs), 167–168
policy violation signatures (10000 Series), 378, 388
policy violations, logging on ACLs, 653
poorly configured services, 22
port mapper, 355
Port Mapping, 453, 455
Port Mapping Configuration screen (CSPM), 396
Port parameter (connection signatures), 434–435
port scans
  TCP signatures, 271–277
  UDP signatures, 317
ports
  attacks on, 22
  Catalyst 6000 IDSM, 493–494
  high ports, 274
  low ports, 274
  switch-forwarding path, 490–491
PostOffice
  Command Timeout value, 209
  connection status, verifying, 753
PostOffice protocol, 84
  addressing scheme, 89
  benefits, 87
  CSPM, installing, 132–135
  fault tolerance, 86
  features, 85
  identifiers, 87–89
  redundancy, 85
  reliability, 85
  sensor identification parameters, entering, 159–161
postoffice.conf file
  WatchDogInterval token, 713
  WatchDogNumProcessRestarts token, 713
  WatchDogProcDeadAlarmLevel token, 714
  WatchDogProcTimeoutAlarmLevel token, 714
  WatchDogResponseTimeout token, 713
previously configured sensors, adding as host, 561
privilege escalation attacks, 17
professional security evaluations, conducting, 44
profile-based detection. See anomaly detection
Promiscuous mode, enabling on sniffing interface, 752
propagating messages through tiered Director hierarchy, 670–675


properties (signatures), defining severity of, 430–431
protected networks, defining, 587–588
protocols
  ICMP (Internet Control Message Protocol), 257
  PostOffice protocol, 84
  weaknesses, 22
proxy sensors, master blocking sensors, 470
public data sources, attacks on, 12
publishing attacks publicly, 57

Q-R
query messages (ICMP), 258
rack units (RUs), 146
RDBMS (relational database management systems), troubleshooting SQL queries, 732
rebooting, 535
recommended alarm level, 192
reconnaissance for attacks, 12–13
reconnaissance class signatures, 234
reconnaissance tools, 19–20
RecordOfDataSource token, 707
RecordOfExcludedNetAddress token, 707–708
RecordOfFilterName token, 706
RecordOfStringName token, 704–705
records (CSPM database)
  fields
    Count field, 181
    Destination Information fields, 183
    General Information fields, 181–182
    Signature Information fields, 183–184
    Source Information fields, 182
  viewing, 179–180
recovering deleted sensor configuration information, 567
redirect command, 692
reducing false-positive alarms, 759–762
redundancy, multiple hosts per IP address configuration, 715–716
regular expressions, sensors, 236
Related Vulnerability page (NSDB), 194
  Advisory/Related Information Links field, 197
  Affected Programs field, 196
  Affected Systems field, 196
  Alias field, 195
  Consequences field, 196
  Countermeasures field, 197
  Exploit Links field, 197
  Exploit Type field, 196
  Fix/Upgrade/Patch Links field, 197
  Severity Level field, 196
  User Notes field, 197
  Vulnerability Description field, 196
  Vulnerability ID field, 195
  Vulnerability Name field, 195
  Vulnerability Type field, 196
relationships (trust relationships), minimizing, 36
remote access entry points, sensors, 99
remote access servers, sensor placement, 105
Remote Procedure Call (RPC), 355–366
remote reconnaissance, 12–13
remote sensor configuration, 110
removing
  alarms, 197–198
  blocked hosts/networks, 483–484
  columns in Event Viewer, 205
  IDSM line card configuration, 513
  saved configuration versions, 571–572
  sensor icon from Cisco Secure IDS Home submap, 567
  sensors from nrConfigure Director, 566
reorganization of corporate networks, troubleshooting, 648–650
report system status command (IDSM), 522
reporting SYSLOG files to sensor, 650
  general setup, 651–655
  limitations, 650
  network diagram, 651
  required equipment, 650
  troubleshooting tips, 656–657
repositioning columns in Event Viewer, 205
requirements
  Catalyst 6000 IDSM line card, 492
  device management, 465
reset command (Catalyst), 520–521
Reset Statistics window (Event Viewer), 220
ResetAfterIdle master signature parameter, 630
resolving host names, 184–186
resource records, 354


resources
    unsecured, 24
    vulnerability to attacks, 16–17
responses
    to alarms, Director platforms, 81
    to signatures, CSIDD configuration, 665–666
restricting access, 36
resuming alarm display (Event Viewer), 199–200
review questions, answers, 815–835
reviewing configuration files periodically, 45
root installation directory, 696
routers
    managing, 657
        general setup, 658–666
        limitations, 657
        network diagram, 658
        required equipment, 658
        troubleshooting tips, 666–669
    perimeter routers, 98
routes file, 715–716
rows, deleting from CSPM database, 199
RPC (Remote Procedure Call), attack signatures, 355–366
rule-based approach, anomaly detection, 55
RUs (rack units) installations, 146

S
SAPD (Security Analysis Package Daemon), 689
SAPI (Speech API), 122
SATAN (Security Analysis Tool for Auditing Networks), 349–350
saved versions, deleting, 571–572
saving
    configuration versions, 571
    sensor configurations, 166–167, 421
scanners (security), 43–44
screen display, nrConfigure, 556
    Organization/Host column, 558
    status line, hiding, 559
script kiddies, 7–8
scripts
    start.sh, 729
    sysconfig-director, HTML browser configuration, 558
    sysconfig-sensor, 150, 410, 540
        exiting, 158
SDM (Sensor Device Manager), 628
searching show config command output, 510
secondary Directors, adding, 561
Secure IDS
    communications deployment worksheet, 803–805
    submap, verifying sensor installation, 566
security
    authentication, improving, 35–36
    boundaries, establishing, 37–39
    confidentiality, VPNs, 39–41
    configuration, verifying, 46
    configuration files, reviewing, 45
    firewalls, 37
    improving, 44–46
    mailing lists, 45
    monitoring, 42
    news, monitoring, 44–45
    professional evaluations, conducting, 44
    security policies, 34, 38
    security scanners, 43–44
    security wheel, 34–42
    security zones, defining, 38
    sensors, placement of, 46
    testing, 43–44
    vulnerability patching, 41–42
    Web sites, 45
Security Analysis Tool for Auditing Networks (SATAN), 349–350
security policies, 10–11, 33
    stances, 38
security scanners, 43–44
Security Wheel, 34–42
    improving security, 44–46
    monitoring security, 42
    testing security, 43–44
security zones, defining, 38
selecting
    columns for display (Event Viewer), 207
    HTML browser location, 558
    multiple signatures for advanced filtering, 448
semaphore files, troubleshooting, 723–724
Sensor Advanced Configuration Screen (CSPM), 404
sensor appliance, 625–628


Sensor CA (control agent), 691
Sensor Command Configuration screen (CSPM), 406–409
Sensor Device Manager (SDM), 628
Sensor Identification dialog box, 159
Sensor Internal Networks Configuration screen (CSPM), 389
Sensor Monitoring Configuration screen (CSPM), 388
Sensor Name field (Cisco Secure IDS alarm records), 182
Sensor Properties Configuration screen (CSPM), 387
Sensor Statistics window (Event Viewer), 219
sensors
    4200 Series Sensors
        appliances, 145
            IDS-4210, 148–149
            IDS-4230, 146–147
        configuring, 151–158
        CSPM, 145
        logon accounts, 149–151
        management access, 149
    ACL signatures, creating, 455–456
    adding, CSIDD, 541–542, 544–549
    adding to Director configuration, 560–561
    alarm logging, troubleshooting, 726
    blocking, 100
    Cisco Secure IDS, architecture, 687–690
    COM port settings, configuring, 759
    communication with Director, verifying, 753–754
    configuration files, pushing to, 167–168
    configuring
        advanced changes, 416–420
        basic changes, 410–414
        checking, 168–169
        CSIDD, 540–549
        CSPM, 385–394, 396–421
        CSPM sensor configuration screens, 386–409
        error checks, 421
        identification parameters, 410–411
        internal networks, 412–413
        IP fragment reassembly, 416–417
        log files, 414–416
        packet capture device, 413–414
        pushing new ones to, 420–421
        saving, 166–167, 421
        TCP session reassembly, 417–419
        updating, 166–167, 421
    default gateway, entering, 161–162
    deploying, preparation for, 97–103
    destinations file, viewing, 754
    device management, 465
        configuring, 661–666
        requirements, 465
    enhancements, 625–628
        sensor appliance, 625–628
    entry points, 98
        Internet entry points, 98–99
        intranet entry points, 99
        remote access entry points, 99
    error log files, viewing, 756–757
    installing, 103–111
    interfaces, 97
    logging into, 757–759
    master blocking sensors, 470, 709
    maximum allowable alarms, troubleshooting, 726
    non-sniffing, troubleshooting, 749–757
    packetd process, verifying, 750–751
    packet sniffing, 97
    PDP (policy distribution point), selecting, 166
    placement
        evaluating, 46
        extranets, 104
        intranets, 105
        network function-based placement, 104–105
        perimeter protection, 104
        remote access servers, 105
    platforms, 77–80
    PostOffice identification parameters, entering, 159–161
    previously configured, adding to Director, 561, 563–564
    regular expressions, 236
    remote configuration, Director platforms, 81
    removing from nrConfigure Director, 566
    removing icon from Cisco Secure IDS Home submap, 567
    routing threshold, troubleshooting, 725
    SDM (Sensor Device Manager), 628


    Secure IDS submap installation, verifying, 566
    settings, verifying, 163
    severity status, troubleshooting, 725
    signature templates, 439
        assigning, 442
        creating, 440
        entering, 162–163
    signatures, 231
        advanced configuration, 451, 453, 455
        advanced filtering, 447–449
        applying actions, 433–434
        atomic signatures, 233
        classes, 234–235
        composite signatures, 233
        connection signatures, 434–435, 791–793
        content-based signatures, 232
        context-based signatures, 232
        enabling/disabling, 431–432
        filtering, 444, 447
        general signatures, 780–790
        globally disabling, 761–762
        implementations, 765–776
        implementing, 232–233
        policy violation signatures, 388
        severity, 237–239
        severity levels, viewing, 750
        string signatures, 437–438, 794
        structures, 233, 765–776
        types, 235–237
    stateful sensors, 622
    statistics, resetting, 220
    transparent stateful sensors, 622
    verifying nrConfigure installation, 565
servers, topology analysis, 100
Service Error log files, naming conventions, 739
service packs (IDSM), updating, 517–518
SERVICE signature engines, 629
Service Status window (Event Viewer), 216–218
Service Versions window (Event Viewer), 218
services
    application ID, 718–719
    Cisco Secure IDS, 688–689
        starting, 693
        stopping, 694
        verifying operability, 695
    configuration files, 699–700
    CSPM Director, 691–692
    fault management, related tokens, 713–714
session command, 499
set boot device command, 514
set security acl ip command, 504–505
set span command, 503
set trunk command, 508
severity of signatures, 237
    high-severity, 239
    low-severity, 238
    medium-severity, 239
Severity field (Cisco Secure IDS alarm records), 184
Severity Level field (NSDB Related Vulnerability page), 196
Severity Mapping group box (Event Viewer Preferences window), 213
show config command, 509–510
show configuration command, 513
Show Current Events window (Director), troubleshooting, 726
show errorfile command (IDSM), 523
show ip audit configuration command, 643
show ip audit debug command, 600
show ip audit interface command, 600, 644
show ip audit statistics command, 599
show module command (Catalyst), 520
show port command (Catalyst), 520
show security acl command, 511
show span command, 510–511
Show Status Events in Grid status event, 212
ShunInterfaceCisco token, 708
shunning, enhancements
    version 3.0, 618–620
    version 4.0, 624
Shunning Hosts pop-up window (Event Viewer), 483
Shunning Initialization window, Add Host Wizard, 548
SIG resource record, 354
SIGID master signature parameter, 630
signature engines, 628–629
Signature ID field (Cisco Secure IDS alarm records), 184
signature information fields (Cisco Secure IDS alarm records), 183–184
Signature Parameter Editor, 453
signature templates, 439
    applying to sensor, 442
    assigning to sensors, 442


    configuring
        General tab (CSPM), 428–429
        Signatures tab (CSPM), 429
    creating, 440
    sensors, entering, 162–163
    viewing, 428
Signature Tuning, 451–453
Signature Tuning Parameters Screen (CSPM), 396
signature-based detection, 58–60
signatures, 231, 245, 268. See also ACLs
    actions, configuring, 433–434
    advanced configuration, 451
        Port Mapping, 453, 455
        Signature Tuning, 451, 453
    advanced filtering, 447–449
    atomic, 233, 581
    audit rules, creating, 595, 597–598
    benign, 238
    classes, 234–235
        access class signatures, 235
        denial of service class signatures, 235
        informational class signatures, 234
        reconnaissance class signatures, 234
    composite, 233
    compound, 581
    configuring on Cisco IOS Firewall IDS, 589–592
    connection, 434–435, 617, 791–793
        adding, 435–436
        modifying, 436
    content-based, 232
    context-based, 232
    cross-protocol (6000 Series), 349
        authentication failures, 367–369
        DDoS attacks, 371–374
        DNS attacks, 351–354
        Ident attacks, 366–367
        Loki, 370
        RPC attacks, 355–366
        SATAN attacks, 349–350
    default actions, setting, 594
    definitions, 631
    disabling, 431–432
    excluding, 591–592
    Exploit Signature page (NSDB)
        benign triggers, 192
        implementation, 192
        opening, 191
        recommended alarm level, 192
        signature description, 192
        signature ID, 191
        signature name, 190
        signature structure, 192
        signature type, 192
        subsignature ID, 191
        user notes, 193
        vulnerability, 193
    false positives, 182
    filtering
        advanced, 447–449
        simple, 444, 447
    flood signatures, 633
    general, 780–790
    globally disabling, 590–591, 761–762
    ICMP, 257–268
    implementations, 232–233, 581, 765–776
    IOS Firewall IDS signatures, 797–800
    IP signatures, 245
        bad IP packets, 256–257
        IP fragmentation, 250–256
        IP options, 246–250
    parameters
        engine-specific parameters, 630
        master signature parameters, 630
    policy violation signatures, 378, 388
    severity, 237–239
        defining, 430–431
        high-severity, 239
        low-severity, 238
        medium-severity, 239
        viewing, 750
    signature engines, 628–629
    SPAM, configuring on Cisco IOS Firewall IDS, 589–590
    string, 632, 794
        configuring, 437–438
        creating, 438
    string-matching, 375–378
    structure, 192, 233, 765–776
    Sweep signatures, creating, 631
    TCP signatures
        abnormal TCP packets, 281–283
        applications, 309–315
        FTP attacks, 288–291


        hijack attacks, 307–309
        host sweeps, 277–280
        Legacy Cisco Secure IDS Web attacks, 291–303
        mail attacks, 284–288
        NetBIOS attacks, 303–307
        port scans, 271–277
        SYN flood attacks, 307–309
        traffic records, 269–271
    thresholds, configuring, 616
    tuning, 760–762
    types, 235–237
        ACLs (access control lists), 237
        connection signatures, 236
        general, 235–236
        string signatures, 236
    UDP signatures (4000 Series), 316
        applications, 319–321
        attacks, 318–319
        port scans, 317
        traffic records, 316–317
    user defined signatures, 617, 628–633
    version 3.0 enhancements, 616–618
    version 4.0 enhancements, 623–624
    Web/HTTP signatures (5000 Series), 321
        Web attacks, 322–349
Signatures tab (CSPM), signature template configuration, 429
SigOfFilterName token, 706
SigOfStringMatch token, 704–705
SigOfTcpPacket token, 703–704
SigOfUdpPacket token, 703–704
simple signature filtering, configuring, 444, 447
site-to-site encryption, 41
smid process, verifying on Director, 754, 756
smid.conf file (DupDestination token), 710
SMTP (Simple Mail Transfer Protocol) attacks, 284–288
sniffing packets, 64, 97
snoop command, 150
    Solaris, 752
software
    CSPM
        feature sets, 118–119
        requirements, 121
    IDSM, 516–518
Solaris snoop command, 752
sorting columns in Event Viewer, 207
Source Address field (Cisco Secure IDS alarm records), 182
source information fields (Cisco Secure IDS alarm records), 182
Source Location field (Cisco Secure IDS alarm records), 182
Source Port field (Cisco Secure IDS alarm records), 182
SPAM signature, configuring on Cisco IOS Firewall IDS, 589–590
SPAN feature (Catalyst 6000 IDSM), 490
    limitations, 497
    spanning ports, 496
    spanning VLANs, 496
specifying Never Block Addresses, 478–479
Speech API (SAPI), 122
spoofing attacks, 19
SQL queries, troubleshooting, 732
SQLPlus, troubleshooting, 729
stances on security policies, 38
standalone configurations
    CSPM, 120
    sensors, 106
standalone routers versus MSFC, 492
standard deviation, calculating, 55
start.sh script, 729
starting
    Add Host Wizard, 543
    Cisco Secure IDS daemon, 727
    Cisco Secure IDS services, 693
    CSIDD, 536–538, 540
    HP OpenView NNM, 537
    nrConfigure, 556
state information, packets, 233
stateful sensors, 622
statistical sampling, anomaly detection, 55
statistics, resetting for sensors, 220
Status Events group box (Event Viewer Preferences window), 211
status LED (IDSM), troubleshooting, 519
stopping
    Cisco Secure IDS daemon, 727
    Cisco Secure IDS services, 694
STRING signature engine, 629


string signatures, 236, 632, 794
    configuring, 437–438
    creating, 438
string-matching signatures (8000 Series), 375
    custom, 375
    TCP application signatures, 375–378
structured attacks, 9
    methodical, 15
    patient attacks, 16
    surgical strikes, 15
structure of signatures, 765–776
submaps (Director), 538
Subnet Mask value, configuring, 209
SubSig master signature parameter, 630
subsignature ID, 191
subsignature indicators, 448
SUID file permission bit, 723
support applications, CSPM, 122
surgical strike attacks, 15
suspending alarm display (Event Viewer), 199–200
sweep signature engines, 629
sweep signatures, creating, 631
switches, Catalyst 6000 IDSM, 489–490, 492
    capturing traffic, 495–498
    commands, 509–512
    comparing to traditional platforms, 491
    ports, 493–494
    traffic flow, 494
switch-forwarding path, 490–491
SYN flood attacks, 26
    TCP signatures, 307–309
sysconfig-director script, HTML browser configuration, 558
sysconfig-sensor command, 152–158
sysconfig-sensor script, 150, 410, 540
    exiting, 158
SYSLOG files
    defining for ACL signature administration, 456–457
    reporting to sensors, 650
        general setup, 651–655
        limitations, 650
        network diagram, 651
        required equipment, 650
        troubleshooting tips, 656–657

T
tail command, 81
tail -f command, 753
TAPI/MAPI (CSPM), 122
TCP (Transmission Control Protocol), 73
    application signatures, 375–378
    reassembly, configuring, 417–419
    reset action, 72–74, 433
    traffic records, 269
TCP signatures (3000 Series), 268
    abnormal TCP packets, 281–283
    applications, 309–315
    FTP attacks, 288–291
    hijack attacks, 307–309
    host sweeps, 277–280
    Legacy Cisco Secure IDS Web attacks, 291–303
    mail attacks, 284–288
    NetBIOS attacks, 303–307
    port scans, 271–277
    SYN flood attacks, 307–309
    traffic records, 269–271
tcpdump, 618
TechSmith Screen Capture Codec, CSPM installation, 131
Telephony Application Programming Interface (TAPI), 122
Telnet
    connecting to sensor COM port, 758
    enabling, 466
templates, 439
    assigning to sensors, 442
    configuring
        General tab (CSPM), 428–429
        Signatures tab (CSPM), 429
    creating, 440
    signatures, disabling/enabling, 431–432
temporary exclusions (alarms), 762
testing network security, 43–44
threats to security, 6–7
    ad hoc attacks, 15
    attacker attributes, 7
    distributed attacks, 27, 29
    DoS attacks
        out-of-bounds attacks, 26
    external, 9


    goal setting, 11–12
    host resource starvation attacks, 26
    internal, 9–10
    methodical attacks, 15
    network attack points, 16
        network protocols, 18–19
        network resources, 16–17
    network resource overload, 25
    reconnaissance attacks, 12–13
    slow attacks, 16
    structured, 9
    surgical strike attacks, 15
    unstructured, 7–8
thresholds (signatures), tuning, 616
ThrottleInterval master signature parameter, 630
tiered director hierarchy, 670
    alarm delay limitations, 670
    general setup, 671–675
    network diagram, 670
    required equipment, 670
    troubleshooting tips, 675–678
Time To Block value, configuring, 209
toggling nrConfigure status line, 559
tokens, 699
    DupDestination, 710
    FilenameOfIPLog, 711
    FilenameOfLog, 711
    general signature, 702
    internal network, 701
    MinutesOfAutoLog, 711
    MinutesOfAutoShun, 709
    NameOfPacketDevice, 701
    NetDevice, 708
    NeverShunAddress, 709
    NumberOfSwitchBytes, 711
    NumberOfSwitchMinutes, 711
    RecordOfDataSource, 707
    RecordOfExcludedNetAddress, 707–708
    RecordOfFilterName, 706
    RecordOfStringName, 704–705
    ShunInterfaceCisco, 708
    SigOfFilterName, 706
    SigOfStringMatch, 704–705
    SigOfTcpPacket, 703–704
    SigOfUdpPacket, 703–704
    WatchDogInterval, 713
    WatchDogNumProcessRestart, 713
    WatchDogProcDeadAlarmLevel, 714
    WatchDogProcTimeOutAlarmLevel, 714
    WatchDogResponseTimeout, 713
tools for hacking
    exploitation tools, 20
        application holes, 23
        authentication compromises, 21–22
        back doors, 24
        compromised trust relationships, 23
        poorly configured services, 22
        protocol weaknesses, 22
    reconnaissance tools, 19–20
Tools menu (CSPM), View Sensor Events command, 178
topology
    analysis, 97
        critical components, 100–101
        entry points, 98, 100
        remote networks, 102
        security policy restrictions, 102–103
        size and complexity issues, 102
    CSPM, adding to, 164–165
TRACEON command, 320
traffic
    capturing, 495
        SPAN feature (IDSM), 496
        VACLs, 497–498
    capturing with IDSM, 490
    extended ACLs, applying to inbound traffic, 464
    manual blocking, 482–483
    overloaded sensors, troubleshooting, 656–657
    packetd process, verifying, 750–751
    patterns, determining, 37
    records
        TCP, 269
        TCP signatures, 269–271
        UDP signatures, 316–317
    security policies, 10–11
    statistics, viewing, 219
    switch-forwarding path, 490–491
    to IDSM line card, 494
    transferring hubs, 101
    VLANs, clearing from IDSM, 507


transient configuration versions, 569–570
    applying, 571
    numbering, 570
    saving, 571
Transmission Control Protocol (TCP). See TCP
transparent stateful sensors, 622
triggers, 248
    benign, 192
    context buffer, viewing, 187, 189
    IDSs (Intrusion Detection Systems), 54
        anomaly detection, 54–58
        misuse detection, 58–60
Trojan horse programs, 17
troubleshooting
    Cisco IOS Firewall IDS, debug commands, 601
    Director
        inability to write to socket, 722
        LD_LIBRARY_PATH variable, 724
        maximum allowable alarms, 726
        overflowing socket buffer, 722
        permissions, 722–723
        semaphore files, 723–724
        sensor alarm logging, 726
        sensor routing threshold, 725
        sensor severity status, 725
        Show Current Events window, 726
    duplicate alarms, 675
    IDSM, status LEDs, 519
    non-sniffing sensors, 749–754, 756–757
    nrConfigure, 733
    Oracle database, 728
        authorization, 731
        installation, 728–729
        JDBC-related error messages, 732
        passwords, 731
        SQLPlus, 729
    RDBMS, SQL queries, 732
    reorganization of corporate networks, 648–650
    sensors, Cisco Secure IDS daemon services, 727
trust relationships, 17
    compromised, 23
    minimizing, 36
tuning signatures
    reducing false-positive occurrences, 759–762
    thresholds, 616
Type parameter (connection signatures), 434–435

U
UDP signatures (4000 Series), 316
    applications, 319–321
    attacks, 318–319
    port scans, 317
    traffic records, 316–317
UNIX, core dumps, 733
Unlimited Licensing, CSPM, 124
unsecured resources, 24
unstructured attacks, ad hoc, 15
unstructured threats, 7–8
untrusted links, defining, 39
updating
    IDSM
        images, 515–516
        partitions, 514–515, 518
        software files, 517–518
    sensor configurations, 166–167, 421
usage estimates, Internet, 98
user accounts, access attacks, 17
user-defined signatures, 617, 628–633
user groups, 54
User Notes field (NSDB Related Vulnerability page), 197
utilities
    cvtnrlog.exe, 692
    IDSM Setup, 499, 501

V
VACL (VLAN ACL) feature
    capturing traffic, 497
    Catalyst 6000 switches, 490
var directory, 698
variable time-to-live attacks, 63


verifying
    Cisco IOS Firewall IDS configuration, 598–601, 643–644
    event detection, 752
    identification parameters on Director, 652
    IDSM configuration, 509–513
    Network Interface Name, 751
    nrConfigure sensor installation, 565
    operability of Director/sensor link, 694
    Oracle database installation, 728–729
    packetd process, 750–751
    Secure IDS submap sensor installation, 566
    security configuration, 46
    sensor/Director communication, 753–754
    smid process on Director, 754, 756
version 3.0 (Cisco IDS), 614–620
    configuration enhancements, 614–615
    enhancements, shunning, 61–620
    installation enhancements, 614–615
    signatures enhancements, 616–618
version 4.0 (Cisco IDS), 620–625
    blocking enhancements, 624
    configuration enhancements, 620–622
    installation enhancements, 620–623
    signature enhancements, 623–624
versions
    applying, 571
    deleting, 571–572
    numbering, 570
    saving, 571
viewing
    ACL contents, 511
    alarm fields, 180–184
    blocked IP addresses, 480–481
    collapsed fields in Event Viewer, 201–202
    context buffer, 187, 189
    CSPM database entries, 178
    error log files, 756–757
    log files, 179
    managed network devices, 482
    sensor destinations file, 754
    sensor statistics, 219
    signature severity levels, 750
    signature template, 428
Virtual Private Networks (VPNs). See VPNs
VPNs
    confidentiality, providing, 39–41
    encryption, 39
        host-to-host encryption, 40
        site-to-site encryption, 41
    endpoints, defining, 40–41
VRFY command, 233
Vulnerability Description field (NSDB Related Vulnerability page), 196
Vulnerability ID field (NSDB Related Vulnerability page), 195
Vulnerability Name field (NSDB Related Vulnerability page), 195
vulnerability scanners, troubleshooting false positives, 644–647
vulnerability to attacks
    network attack points, 16
    network protocols, 18–19
    network resources, 16–17
    patching, 41–42
Vulnerability Type field (NSDB Related Vulnerability page), 196

W-Z
war-dialers, 105
WatchDogInterval token, 713
WatchDogNumProcessRestarts token, 713
WatchDogProcDeadAlarmLevel token, 714
WatchDogProcTimeOutAlarmLevel token, 714
WatchDogResponseTimeout token, 713
Web sites, security, 45
Web/HTTP signatures (5000 Series), 321
    Web attacks, 322–349
well-known ports, attacks on, 22
Whack-a-Mole, 24
Windows NT hosts, building, 125–126
wizards
    Add Host Wizard, 541–549
    Add Sensor Wizard, 159–160
write memory command, 653
