Configuration Area

Adding Remote Hosts (Configuration | Communications | Remote Hosts)

By default, the CIDS sensors publish alarm and event data to the host on the host in which you installed IDS Device Manager. You can change or add additional hosts, allowing the sensor to send the event stream to multiple hosts. You must add the IDS Event Viewer as a remote host if alarms are to be sent to the Event Viewer. When adding a remote host, you can specify the level of alarm that should be sent to the remote host. The Remote Hosts panel is illustrated in Figure 25-11.

Figure 25-11: Remote Hosts panel

Event Destinations

Event Destinations enables you to configure the level of alarms to be sent to previously configured remote hosts. You can specify the level of alarm to be sent, the service to which the alarm should be sent, and the type of message to be sent.

Signature Configuration (Configuration | Sensing Engine | Signature Configuration)

As discussed in Chapter 23, the sensor uses signatures to detect network intrusions. A signature specifies the types of network attacks for which you want the sensor to detect and generate alarms. Signatures are arranged in two different ways. Signatures are arranged in six categories based on the type of traffic that’s analyzed. And signatures are also organized into signature groups, based on the signature engine type, as seen in Figure 25-12. Each signature group contains a configuration pane that can be used to configure each specific signature contained in that signature group. From the configuration pane, the signatures can be enable or disabled, the severity can be assigned, and the responsive action can be specified.

Figure 25-12: Signature groups configuration pane

The six categories of signatures are as follows:

Built-in
Custom
TCP Connection
UDP Connection
String Matching
ACL

Built-in signatures are known attack signatures included in the sensor software. The signatures that make up the built-in group can’t be added to, removed, or renamed. You can adjust the built-in signatures by adjusting a number of group signature parameters. Figure 25-13 illustrates the configuration pane for built-in and custom signatures.

Figure 25-13: Configration panel for built-in and custom signatures

Custom signatures are user defined. These signatures can be fine-tuned through signature engine parameters.

TCP connection signatures are user-defined signatures based on the TCP port number of the traffic being monitored. As seen in Figure 25-14, you can use the TCP connection signatures configuration pane to enable or disable a TCP connection signature. You can also configure the severity of the signature, as well as the actions to take when the signature is matched.

Figure 25-14: TCP connection signatures configuration pane

UDP connection signatures are user-defined signatures based on the UDP port number of the traffic being monitored. As seen in Figure 25-15, the UDP connection configuration pane can be used to configure the UDP connection signatures.

Figure 25-15: UPD connection signatures configuration pane

String matching signatures are user-defined signatures that detect malicious activity by analyzing network traffic looking for a specific string match. String-matching signatures can be configured to analyze incoming, outgoing, or bidirectional traffic. Figure 25-16 illustrates the String matching signature configuration pane.

Figure 25-16: String matching signature configuration pane

ACL signatures are user-defined signatures that generate alerts based on policy violations recorded by access devices. To allow a sensor to send alarms based on ACL violations, you must first configure one or more routers to log ACL violations. The routers must then be configured to send syslog messages to the sensor. When the sensor receives a syslog message from the router, the sensor generates an alarm.

By default, the most critical signatures are enabled. Other signatures must be enabled to allow the sensor to monitor network traffic for that specific signature. Enabling and configuring the parameters for each signature is accomplished from the Configuration Area and the Sensing Engine Sub-Area. Signatures are discussed in more detail in the next chapter.

Level of Traffic Logging

From the Configuration Area, you can configure the level of logging the sensor should perform. As seen in Figure 25-17, you can configure the sensor to log the following:

Figure 25-17: Level of logging configuration pane

None
TCP connection requests and UDP traffic

TCP connection requests, SYN-ACK, FIN, RST, and UDP traffic

TCP SYN-ACK packets from the specified port and UDP traffic

Filter Configuration (Configuration | Sensing Engine | Filters)

You can configure filters to control the behavior of the sensing engine filters. You can configure the sensor to exclude or include signature matches based on the source or destination IP address. Signature filtering is only effective on enabled signatures. You can configure filters based on the IP address or IP address range. Figure 25-18 illustrates the filtering configuration pane.

Figure 25-18: Signature filtering configuration pane

Spam Control (Configuration | Sensing Engine | Spam Control)

You can use your network sensors to monitor the amount of spam entering your network. This feature examines the number of recipients contained in a mail message crossing the network. Figure 25-19 illustrates the spam control configuration pane.

Figure 25-19: Spam control configuration pane

IP Fragmentation Reassembly (Configuration | Sensing Engine | Reassembly Options)

The reassembly options TOC item contained in the Configuration Area can be used to configure IP fragment reassembly parameters. By configuring this configuration pane, you configure the sensor to reassemble all the fragmented packets before they’re compared to the signature database. Figure 25-20 displays the IP fragment reassembly options configuration pane.

Figure 25-20: IP fragmentation reassembly configuration pane

Reassembling IP fragments into the complete datagram consumes sensor resources, such as memory and CPU cycles. Without some additional parameters in place, it would be possible for the sensor to run out of resources by attempting to track and reassemble too many datagram fragments. To prevent this from happening you must configure the following parameters:

Maximum Partial Datagrams
Maximum Fragments per Datagram
Fragmented Datagram Timeout

Note
Cisco recommends you don’t modify these settings unless you thoroughly understand your traffic patterns and the likelihood of receiving fragmented packets over a specified amount.

Maximum Partial Datagrams

The Maximum Partial Datagrams parameter is used to specify the maximum number of partial datagrams that can be tracked by the sensor. When the sensor receives a fragmented datagram, it must then collect all the associated fragments that make up the entire datagram and reassemble them. This parameter sets the maximum amount of partial datagrams the sensor will attempt to reassemble. The sensor has a limited amount of resources and could be swamped if this limit is set too high.

Maximum Fragments per Datagram

The Maximum Fragments per Datagram parameter is used to limit the amount of fragments the sensor will track to reassemble a single datagram. This parameter is used to limit the amount of fragments that must be tracked by the sensor.

Fragmented Datagram Timeout

The Fragmented Datagram Timeout parameter represents the maximum amount of time that can elapse between fragments. The sensor can’t wait forever to receive all the fragments that make up a datagram. In addition, hackers could swamp the network with partial datagram fragments in an attempt to overwhelm the sensor’s resources. If the sensor doesn’t receive any additional fragments for a specific datagram within the timeout period, the existing fragments for that datagram are discarded and the datagram fragments are no longer tracked.

TCP Session Reassembly (Configuration | Sensing Engine >|Reassembly Options)

You can specify which TCP data streams should be analyzed based on the capability of the sensor to rebuild the entire session. Like IP fragment reassembly settings, these settings ensure that system resources, such as memory and CPU cycles, aren’t reserved for sessions that are no longer active. The TCP reassembly configuration pane is illustrated in Figure 25-21.

Figure 25-21: TCP reassembly configuration pane

TCP Three-Way Handshake

To specify that the sensor track only sessions for which the three-way handshake is completed, select Enabled in the TCP Three Way Handshake list box.

Embryonic Timeout

In the TCP Embryonic Timeout field, enter a numerical value between 1 and 180 to specify the number of seconds that can elapse before the sensor frees the resources allocated for an initiated, but not fully established, TCP session. The default number of seconds is five.

TCP Open Establish Timeout

In the TCP Open Establish Timeout field, enter a numerical value between 1 and 3,600 to specify the number of seconds before the sensor frees the resources allocated to a fully established TCP connection when no more packets are being seen for that connection. The default number of seconds is 90.

Internal Networks (Configuration | Sensing Engine | Internal Networks)

You can specify that specific network IP addresses are internal networks for the purpose of logging and reporting. IP addresses that don’t match a configured IP internal network are considered external addresses. When the sensor generates an alarm, the IP address of both the source and destination are logged as internal (IN) or external (OUT) to help security administrators to identify the origin and destination of suspected attacks.

Data Sources (Configuration | Sensing Engine | Data Sources)

You must configure data sources when using ACL policy violation signatures. Cisco routers publish syslog messages to the sensors, including attempted ACL policy violations. The Cisco routers represent the data sources for ACL policy violation signatures. In the IP Address field, enter the IP address of the interface of the router that will publish syslog data to the sensor or the IP address of a network, if multiple routers from the same network will be sending syslog data to the sensor.

Sensing Properties (Configuration | Sensing Engine | Sensing Properties)

As shown in Figure 25-22, the Sensing properties configuration panel can be used to configure the following:

Sensing interface
Alarm level for traffic flow
Alarm level for link status
The amount of time the sensor should store information once a host stops communication

Figure 25-22: Sensing properties configuration panel

Sensing Interface

You can select automatic to allow the sensor to choose the interface to be used for IDS or you can manually specify the interface to be used as the sensing interface. If you choose to configure the sensing interface manually, you need to know the specific device name for your sensor. Table 25-4 lists the sensor interfaces and their names.

Table 25-4: Sensor Monitoring Interfaces
Packet Capturing Device	Description
/dev/spwr0	All Ethernet sensors except the 4210
/dev/mtok	4200 Series Token ring Sensors where NICs aren't labeled 100/16/4
/dev/mtok36	4200 Series Token ring Sensors where NICs are labeled 100/16/4
/dev/ptpci0	Used with SFDDI and DFDDI interfaces
/dev/iprb0	Monitoring interface on the 4210 series sensor

Traffic Flow Timeout and Alarm Severity

You can configure the sensor to generate an alert when no traffic is seen for a specified amount of time, possibly indicating the sensor is no longer receiving traffic on the network. You can configure the timeout period, the amount of time the sensor will wait to see traffic before generating an alert, and the level of alert that will be generated if the timeout is reached.

Link Status

You can configure the sensor to generate an alert if the link fails between the sensing interface and the local access device. If the sensor detects the physical link is non-operational, it generates an alert. You can configure the level of alert to be generated when the link fails.

Storage Timeout Seconds

The Storage Timeout Seconds field enables you to configure the amount of time the sensor will store data from a host once that host gone silent.

Logging (Configuration | Communications | Logging)

The logging Sub-Area can be used to configure specific logging settings on the sensor. The logging Sub-Tab includes four TOC items. TOC items are as follows:

Event logging
Exporting event logs
Automatic IP logging
IP logging

Event Logging

The event logging configuration panel can be used to enable logging, as well as to specify the level and type of events that should be logged. As Figure 25-23 shows, you can log the following:

Alarms
Errors
Commands
IP logs

Figure 25-23: Event logging configuration panel

Exporting Event Logs

The exporting event logs configuration panel can be used to configure the automatic exporting of event logs to an FTP server. These logs can be stored for future examination, if needed. Figure 25-24 illustrates the exporting event logs configuration panel. You must specify the FTP server, directory, user name, and password to allow the sensor to upload event logs.

Figure 25-24: Exporting event logs configuration panel

Automatic IP Logging

Automatic IP logging is a responsive action that can be initiated when a signature is matched. When a properly configured signature is matched, the sensor responds by sending an alarm, and then recording all IP packets transmitted by the offending IP address. The automatic IP logging configuration panel enables you to configure the number of minutes the sensor should continue logging once the signature has been matched.

IP Logging

Sensors can be configured to log all packets from a specified host or host range. On the IP logging configuration panel, you must specify the host or range of IP addresses that should be logged by the sensor.

Blocking (Configuration > > Blocking)

The 4200 series network appliances are the only sensors that support blocking. The IDSM can’t be configured to block IP addresses through device management. The blocking properties configuration panel is illustrated in Figure 25-25.

Figure 25-25: The blocking properties configuration panel

The 4200 series network appliances can be configured to block specific host addresses once a signature is matched. The blocking response is configured within the signature file itself. If a signature is matched and that signature is configured for blocking, the network appliance can configure a perimeter router or firewall to block all packets from that host for a specific number of minutes. To use this feature, you must specify the number of minutes the offending host should be blocked, as well as the Cisco ACL number used on the perimeter device.

Additional parameters used when blocking is enabled are located in the Blocking area Sub-Areas. The following Sub-Areas are used to configure blocking:

Never Block Addresses
Blocking Devices
Master Blocking Sensors

STUDY TIP
Blocking an IP address is also called shunning a host or IP address.

Never Block Addresses

When you enable address blocking, you must specify which addresses should never be blocked. Without this feature, hackers could spoof the address of your event viewer host (for example) and use this address to launch an attack. The sensors, detecting this attack, would then update the ACL on a managed device to block the IP address of your event viewer. If the Event Viewer address is blocked, you could potentially lose communication between your sensors and your Event Viewer host. If communication between the sensors and the Event Viewer host is lost, you won’t receive alarm notifications. Figure 25-26 shows the never block addresses configuration panel.

Figure 25-26: Never block addresses configuration panel

Blocking Devices

The Blocking Devices area lists the devices managed by the sensor. The router must be configured to allow telnet access from the sensor. Figure 25-27 illustrates the Blocking Device Properties window. You can use a single sensor to manage more than one perimeter device, but a perimeter device can’t be managed by more than one sensor. The information that must be configured on this panel to enable the sensors to block IP addresses includes the following:

Figure 25-27: Adding a managed device

The IP address used for telnet access to the router
The telnet user name and password

The enable password

The perimeter device interface address (configured in the Blocking Device interface TOC)

STUDY TIP

You should understand how to configure a sensor to manage a perimeter device.

Note

If the router to be managed doesn’t have user names configured, leave the Telnet User field blank.

Master Blocking Sensors

Depending on the size and complexity of your network, you could have multiple entry points into your network. Some perimeter routers might be controlled by one sensor, while other perimeter routers are controlled by others. To configure your CIDS environment to allow any managing sensor to block IP addresses on routers controlled by a different sensor, you must enable a master blocking sensor. The master blocking sensor sends messages to the managing sensors to update the ACL on the routers that they manage. This master blocking arrangements prevents multiple sensors from attempting to update routers ACLs simultaneously.

Restore Defaults (Configuration | Restore Defaults)

You can restore the factory defaults of the sensor by clicking Reset Configuration on the restore defaults configuration panel. All configuration settings are restored to factory defaults except

IP address, subnet mask, default gateway
Allowed hosts
Password
Time