Saturday, October 24, 2015

Configuring Basic Cisco IPS Signature Properties

The signatures in the Cisco IPS Sensor can be accessed through the Cisco IDM by choosing Configuration > Policies  > Signature Definitions > sig0 and then clicking All Signatures to access the Signature Configuration panel. The All Signatures view is only visible when the Sig0 is expanded. By default, the signature configuration panel displays signatures that are lissted by signature ID number. The All Signature database view displays all signatures available in the sensor signature set; when each signature set is clicked on, it displays the list of signatures grouped under it in the view pane.

The signature sets are as follows:

* Active Signatures: Displays all non-retired signatures

* Adware/Spyware: Displays signatures that are designed to address adware and spyware issues

* Attack: Displays attack-based signatures that are grouped by attack types

* Configurations: Displays configuration-based signatures that mitigate atacks typically because of misconfiguration

* DDoS: Displays distributed denial of service (DDoS) signatures

* DoS: Displays denial of service signatures

* Email: Displays email signatures by protocol, such as Internet Message Access Protocol (IMAP) or Simple Mail Transfer Protocol (SMTP)

* IOS IPS: Displays signatures in the IOS IPS

* Instant Messaging: Displays instant messaging (IM) signatures grouped by IM application

* L2/L3/L4 Protocol: Displays signatures grouped by network protocol type, including Address Resolution Protocol (ARP), IP fragment, IP version 6 (IPv6), and others

* Network Services: Displays signatures that are based on network service protocols, such as DHCP

* OS: Displays signatures grouped by operating system type

* Other Services: Displays signatures based on application layer services, such as FTP, HTTP, and others

* P2P: Displays signatures based on different peer-to-peer file-sharing applications

* Reconnaissance: Display signatures based on discovery protocols, such as Internet Control Message Protocol (ICMP) sweeps

* Releases: Enables you to view signatures grouped by signature update releases

* Telepresence: Enables you to display Telepresence-based signatures

* UC Protection: Displays Cisco Unified Communications-based signatures

* Viruses/Worms/Trojans: Displays signatures based on malware that is defined as these three types

* Web Server: Enables you to display signatures based on web servers

* All Signatures: Displays all defined signatures


Enabling and Disabling Signatures

Enabling a signature makes the signature inspect traffic; when it is disabled, it does not inspect traffic. The following steps walk you through enabling a signature:

Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.

Step 2: Locate the signature that you want to enable.

Step 3: A signature that is already enabled has a check mark in the check box. If the signature is disabled, the check box is empty.

Step 4: If the signature is currently disabled, select the signature by clicking it.

Step 5: Click Apply to apply your changes and save the updated configuration. To disable a signature that is already disabled, deselect the check box in the Enabled column.

Tip: To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable; then righ-click one of the selected signatures and click Enable.


Retiring and Activating Signatures

Signatures that are not being used are no longer applicable to the network resources being protected should be retired to improve sensor performance. Retiring a signature removes it from the set of currently available signatures, which are part of the signature database. After the signature is retired, it is removed from memory but stored in flash. For a signature to function, the signature must be both activated and enabled.

You can activate signatures you have previously retired. When this is done, the sensor rebuilds its configurations and the signature is once again added to the set of currently active signatures. Follow these steps to retire or activate a signature:

Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > All Signatures. The Signature Configuration panel is displayed.

Step 2: Select a signature that you want to retire or activate, and click Edit on the toolbar. The Edit Signature window opens.

Step 3: Scroll down to the Status section and click the Retired field.

Step 4: Select yes or No from the drop-down list.

Alternatively, you can retire or activate signature from the Signature Configuration panel by following these steps:

Step 1: Select a signature that you want to retire or activate.

Step 2: Right-click the signature

Step 3: Choose the Change Status to and then choose Active or Retired.

Note: Retiring or activating signatures can take 30 minutes or longer.


No comments:

Post a Comment