Signature Types
The signature types describe the type
of network traffic the signature is used to match. Some signatures detect
intrusions by examining the TCP connection requests or UDP connections. Other
signature types examine the protocol information in the IP headers or the
protocol-dependent application commands located in the packet payload. The four
signature types are as follows:
- General
- Connection
- String
- Access control list
General Signature Types
General signatures are used to detect
a wide range of intrusive activity. General signatures are used to detect
intrusive activity from a number of different protocols included in the TCP/IP
protocol suite. Protocols that general signatures monitor include the
following:
Many of the general signature types are context based because they
examine the protocol header data while attempting to find abnormalities. Other
general signature types are content based because they examine the
application layer protocol information in the payload portion of the packet,
such as HTTP web signatures. The following signature series contain general
signatures:
- Series 1000 signatures (IP)
- Series 2000 signatures (ICMP)
- Series 5000 signatures (Web/HTTP)
- Series 6000 signatures (cross-protocol)
Connection Signatures
Connection signatures are used to
monitor TCP and UDP connection requests between hosts. Connection signatures
report the number of connections detected for each transport layer protocol.
Connection signatures also have subsignatures, used to identify the port number
each connection is using. The following two signature series make up your
connection signatures:
Connection signatures that detect TCP connections are from
the 3000 series; UDP traffic is detected and monitored with 4000 series
signatures. Each of these connection signatures has subsignatures, used to
identify the TCP or UDP port. For example, a Telnet connection request (using
TCP) creates an alarm with a 3000 series signature and a subsignature of 23
(Telnet). If the Telnet application is using UDP, a 4000 series signature
triggers the alarm. The series identifies the protocol in use—TCP or UDP—while
the subsignature identifies the port in use.
String Signatures
String signatures are used to detect
text strings within the TCP/IP packets. You can determine and configure the
strings that should be detected. String signatures trigger an alarm whenever the
configured string is matched using a standard regular expression-matching
algorithm. All string-matching signatures fall into the 8000 signature
series.
Whenever a string signature is matched, an alarm is generated with
a signature ID of 8000. The string subsignature is used to identify which string
was matched by the sensor. When you want to configure a string signature, you
must also define the subsignature used to specify the string that was matched.
For example, you can create a string signature used to search for the string
“root,” and then configure this signature with a subsignature ID of 11000. When
this string is matched, the signature ID will be 8000, with a sub-ID of 11000.
Based on this information, you can determine which string your network sensor
matched. Some predefined 8000-series signatures are configured on your network
sensors:
- Telnet-/etc/shadow (ID 8000, SubID 2302)
- Rlogin + + (ID 8000, SubID 51303)
If you receive an alarm on your CSPM host with a signature ID
of 8000, you know a string signature was matched. By examining the SubID, you
can determine which string was matched.
Access Control Lists
Cisco routers can be configured with access control lists
(ACLs) to block traffic that violates defined security policies. If configured
to do so, the router can log information anytime an ACL denies traffic into or
out of the network. This logged data can then be sent in real time to a SYSLOG
server or a sensor. The sensor can monitor this SYSLOG information and generate
alarms whenever the ACL is forced to block suspicious traffic. Access control
signature types belong to the signature series 10000. All alarms triggered by
router ACLs will have a signature ID of 10000. The subsignature ID is used to
differentiate the ACL that generated the SYSLOG message.
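As an added example (not code from the original article or from any Cisco product), the following Python decodes sensor alarms into the four signature types by signature ID and subsignature ID exactly as the sections above describe: series 1000/2000/5000/6000 are general, 3000/4000 are TCP/UDP connections with the port as sub-ID, 8000 is a string match with an operator-assigned sub-ID, and 10000 is a router ACL. The one-line alarm record format, the port-name table and the "root" sub-ID 11000 are constructed for illustration.

```python
import re

# Constructed record format for this example (not the real sensor/CSPM format):
# "<sig_id> <sub_id> <source[:port]> -> <destination[:port]>"
ALARM_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s*->\s*(\S+)$")

# String sub-IDs are whatever the operator configured on the sensor. The first
# two are the predefined ones named in the article; 11000 is its "root" example.
STRING_SUBIDS = {2302: "Telnet-/etc/shadow", 51303: "Rlogin + +", 11000: "root"}
PORT_NAMES = {23: "telnet", 513: "rlogin", 80: "http"}  # assumed well-known ports
GENERAL_SERIES = {1000: "IP", 2000: "ICMP", 5000: "Web/HTTP", 6000: "cross-protocol"}

def classify(sig_id, sub_id):
    """Return (signature_type, human-readable detail) for a (sig ID, sub ID) pair."""
    series = (sig_id // 1000) * 1000
    if series in GENERAL_SERIES:
        return "general", f"{GENERAL_SERIES[series]} signature {sig_id} sub {sub_id}"
    if series in (3000, 4000):  # connection: series gives protocol, sub-ID gives port
        proto = "TCP" if series == 3000 else "UDP"
        return "connection", f"{proto} connection to port {sub_id} ({PORT_NAMES.get(sub_id, 'unknown service')})"
    if sig_id == 8000:  # string: sub-ID identifies which configured string matched
        text = STRING_SUBIDS.get(sub_id)
        if text is None:
            return "string", f"unconfigured string sub-ID {sub_id}; check sensor config"
        return "string", f"matched string {text!r}"
    if sig_id == 10000:  # access list: sub-ID identifies the ACL that logged the deny
        return "access-list", f"router ACL {sub_id} denied traffic"
    return "unknown", f"signature {sig_id} not in a documented series"

def parse_alarm(line):
    m = ALARM_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alarm record: {line!r}")
    sig_id, sub_id, src, dst = m.groups()
    kind, detail = classify(int(sig_id), int(sub_id))
    return {"sig_id": int(sig_id), "sub_id": int(sub_id), "src": src, "dst": dst,
            "type": kind, "detail": detail}

def triage(text):
    return [parse_alarm(l) for l in text.splitlines() if l.strip()]

SAMPLE = """\
3000 23 10.0.0.5:41022 -> 10.0.0.9:23
8000 11000 10.0.0.5:41022 -> 10.0.0.9:23
8000 2302 10.0.0.7:1200 -> 10.0.0.9:23
10000 101 10.0.0.7 -> 192.0.2.10
2000 0 10.0.0.7 -> 10.0.0.9
"""  # constructed alarm records

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["sig_id"], a["sub_id"], a["type"], "-", a["detail"])
```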