Cisco IDS Alarms and Signatures
Introduction
Once the Cisco IDS sensor is racked and operational, and the IDS management device or director is configured and communicating properly, it is time to tune the IDS signatures to the traffic patterns that occur on your network. We need to run the sensor for a period of time, normally a week or so, to build a baseline of activity to look at. Without the baseline it is impossible to know for sure whether an alarm is real or whether it has resulted from a setting that is incorrect for your network traffic. Without optimized signatures, the IDS sensor is of little use to us. To start baselining the network, the sensor is placed in a strategic location on your network where it can see and analyze all of the targeted traffic that passes by it. To put it simply, you are data-mining from a security perspective. With data-mining there needs to be a query; in this case, the tuned signature is the query. Anything that meets the parameters of the signature triggers an alarm and sends an event to the IDS management device. We are studying the traffic behavior of the network and teaching the IDS sensor to make decisions on data and patterns that are considered out of the norm for the network, and to provide some type of notification or action, such as shunning.
As you can see from our discussion of IDS signatures, the IDS signature is the heart and soul of a successful IDS deployment and operation. Without the correct signatures, the IDS sensor is useless for maintaining your network security. However, an IDS sensor that constantly generates false positives, or false alarms, is useless as well, since you will learn to ignore the sensor's alarms even when they might be valid. And when the time comes that a real attack does take place, you will miss it because you thought it was just another false alarm. This is not an effective way to use the Cisco IDS system. We will show you in this chapter how to avoid this pitfall. We will also discuss exactly what the Cisco IDS signature is, what makes up the signature, how to tune the signatures, and how to make your very own custom IDS signature. The Cisco IDS sensor can also provide various responses to signature triggers, such as logging, TCP resets, or blocking. We will cover the various alarms and why alarms are useful for the IDS and for your sanity.