Signatures represent the intelligence behind your intrusion
detection system. To protect your network infrastructure fully, you must
understand both how these signatures are structured and each signature series. A
signature is a set of rules used to match activity and traffic present on your
network. Once a match is made, the signatures trigger an alarm.
Signatures are broken down into many different categories to
facilitate understanding of how they operate and detect intrusions. All
signatures are either content based or context based. Content-based signatures
analyze the contents of the network packets, while context-based signatures
analyze the protocol headers of the network packets. In addition, every CIDS
signature is either atomic or composite.
Atomic signatures can be matched by analyzing a single network
packet. Composite signatures must analyze more than one network packet before a
match is made. CIDS signatures also belong to one of four signature classes. The
signature classes define the type of attack the signature was designed to
detect. The signature classes map closely to the types of attacks discussed in
Chapter 23. The
four signature classes are as follows:
- Reconnaissance
- Informational
- Access
- Denial of Service
The final signature category all CIDS signatures belong to is the
signature series. The signature series defines the protocol the signature is
responsible for analyzing. The CIDS signature series includes the following:
- 1000 Series Signatures—IP Signatures
- 2000 Series Signatures—ICMP Signatures
- 3000 Series Signatures—TCP Signatures
- 4000 Series Signatures—UDP Signatures
- 5000 Series Signatures—Web (HTTP) Signatures
- 6000 Series Signatures—Cross Protocol Signatures
- 8000 Series Signatures—String Match Signatures
- 10000 Series Signatures—ACL Policy Violation Signatures
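The taxonomy above (content vs. context, atomic vs. composite, signature class, and the numeric series) can be modelled in a small signature engine. The following is an added example, not code from CIDS or from the book; the packet fields, signature ids (chosen only so that they fall in a given series range) and the three signatures are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "icmp", "tcp" or "udp"
    src: str
    dport: int = 0
    flags: str = ""      # TCP flags, e.g. "S" for SYN
    payload: bytes = b""

@dataclass
class Signature:
    sid: int             # constructed id; only its series range matters here
    sig_class: str       # Reconnaissance, Informational, Access, Denial of Service
    kind: str            # "content" (packet payload) or "context" (protocol headers)
    atomic: bool         # True: one packet decides; False: state kept across packets
    match: object        # callable(packet, state) -> bool

def series_of(sid: int) -> int:
    """Map a signature id to its series: 1000 (IP), 2000 (ICMP), ... 10000 (ACL)."""
    return 10000 if sid >= 10000 else (sid // 1000) * 1000

def icmp_echo(pkt, state):            # context-based, atomic, 2000 series
    return pkt.proto == "icmp"

def http_passwd(pkt, state):          # content-based, atomic, 5000 series
    return pkt.proto == "tcp" and pkt.dport == 80 and b"/etc/passwd" in pkt.payload

def tcp_port_sweep(pkt, state):       # context-based, composite, 3000 series
    if pkt.proto != "tcp" or "S" not in pkt.flags:
        return False
    state[pkt.src].add(pkt.dport)     # remember each port this source has probed
    return len(state[pkt.src]) >= 3   # composite: only a third distinct port alarms

SIGNATURES = [
    Signature(2001, "Informational", "context", True, icmp_echo),
    Signature(5001, "Access", "content", True, http_passwd),
    Signature(3001, "Reconnaissance", "context", False, tcp_port_sweep),
]

def run_engine(packets, signatures=SIGNATURES):
    """Run every packet through every signature; alarm once per (signature, source)."""
    state = {s.sid: defaultdict(set) for s in signatures}   # per-signature state
    alarms, seen = [], set()
    for pkt in packets:
        for sig in signatures:
            if sig.match(pkt, state[sig.sid]) and (sig.sid, pkt.src) not in seen:
                seen.add((sig.sid, pkt.src))
                alarms.append((sig.sid, series_of(sig.sid), sig.sig_class, pkt.src))
    return alarms
```

Note that the composite signature stays silent on the first two SYN packets and only raises an alarm once it has correlated three, which is exactly the property that distinguishes it from the two atomic signatures.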
The Event Viewer represents your view into your intrusion
detection system. Without this powerful application, you would be unaware of the
alarms and intrusions on your network. To use the Event Viewer correctly, you
should understand the following topics:
You can access the Network Security Database (NSDB) to research
information regarding an alarm or a vulnerability. The NSDB is an HTML database
containing detailed information on all the CIDS signatures and vulnerabilities.
The NSDB also has a User Notes section that allows security administrators to
record additional information for later viewing. User Notes are stored within
the NSDB.