Home > Articles > Cisco Network Technology > Security > Network Security Using Cisco IOS IPS

Network Security Using Cisco IOS IPS

Signatures and Signature Engines

A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. You can easily install signatures using IDS and IPS management software such as Cisco IDM. Sensors enable you to modify existing signatures and define new ones.

As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions. A malicious packet flow has a specific type of activity and signature, and an IDS or IPS sensor examines the data flow using many different signatures. When an IDS or IPS sensor matches a signature with a data flow, the sensor takes action, such as logging the event or sending an alarm to IDS or IPS management software, such as the Cisco SDM.

Signature-based intrusion detection can produce false positives because certain normal network activity can be misinterpreted as malicious activity. For example, some network applications or operating systems may send out numerous Internet Control Message Protocol (ICMP) messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by tuning your sensors. You can tune built-in signatures (tuned signatures) by adjusting the many signature parameters.

Examining Signature Micro-Engines

A signature micro-engine is a component of an IDS and IPS sensor that supports a group of signatures that are in a common category. Each engine is customized for the protocol and fields that it is designed to inspect and defines a set of legal parameters that have allowable ranges or sets of values. The signature micro-engines look for malicious activity in a specific protocol. Signatures can be defined for any of the supported signature micro-engines using the parameters offered by the supporting micro-engine. Packets are scanned by the micro-engines that understand the protocols contained in the packet.

Cisco signature micro-engines implement parallel scanning. All the signatures in a given signature micro-engine are scanned in parallel fashion, rather than serially. Each signature micro-engine extracts values from the packet and passes portions of the packet to the regular expression engine. The regular expression engine can search for multiple patterns at the same time (in parallel). Parallel scanning increases efficiency and results in higher throughput.

When IDS (promiscuous mode) or IPS (inline mode) is enabled, a signature micro-engine is loaded (or built) on to the router. When a signature micro-engine is built, the router may need to compile the regular expression found in a signature. Compiling a regular expression requires more memory than the final storage of the regular expression. Be sure to determine the final memory requirements of the finished signature before loading and merging signatures.

Table 6-6 summarizes the types of signature engines available in Cisco IOS Release 12.4(6)T. Table 6-7 provides more details on signature engines.

Table 6-6. Summary of Supported Signature Engines

Signature Engine

Description

Atomic

Signatures that examine simple packets, such as ICMP and UDP

Service

Signatures that examine the many services that are attacked

String

Signatures that use regular expression-based patterns to detect intrusions

Multi-string

Supports flexible pattern matching and supports Trend Labs signatures

Other

Internal engine to handle miscellaneous signatures

Table 6-7. Details on Signature Micro-Engines

Signature Micro-Engine

Description

ATOMIC.IP

Provides simple Layer 3 IP alarms

ATOMIC.ICMP

Provides simple ICMP alarms based on these parameters: type, code, sequence, and ID

ATOMIC.IPOPTIONS

Provides simple alarms based on the decoding of Layer 3 options

ATOMIC.UDP

Provides simple UDP packet alarms based on these parameters: port, direction, and data length

ATOMIC.TCP

Provides simple TCP packet alarms based on these parameters: port, destination, and flags

SERVICE.DNS

Analyzes the Domain Name System (DNS) service

SERVICE.RPC

Analyzes the remote procedure call (RPC) service

SERVICE.SMTP

Inspects Simple Mail Transfer Protocol (SMTP)

SERVICE.HTTP

Provides HTTP protocol decode-based string engine; includes anti-evasive URL de-obfuscation

SERVICE.FTP

Provides FTP service special decode alarms

STRING.TCP

Offers TCP regular expression-based pattern inspection engine services

STRING.UDP

Offers UDP regular expression-based pattern inspection engine services

STRING.ICMP

Provides ICMP regular expression-based pattern inspection engine services

MULTI-STRING

Supports flexible pattern matching and supports Trend Labs signatures

Other

Provides internal engine to handle miscellaneous signatures

Signature Alarms

The capability of IDS and IPS sensors to accurately detect an attack or a policy violation and generate an alarm is critical to the functionality of the sensors. Attacks can generate the following types of alarms:

  • False positive: A false positive is an alarm triggered by normal traffic or a benign action. Consider this scenario: A signature exists that generates alarms if the enable password of any network devices is entered incorrectly. A network administrator attempts to log in to a Cisco router but enters the wrong password. The IDS cannot distinguish between a rogue user and the network administrator, and it generates an alarm.
  • False negative: A false negative occurs when a signature is not fired when offending traffic is detected. Offending traffic ranges from someone sending confidential documents outside of the corporate network to attacks against corporate web servers. False negatives are bugs in the IDS and IPS software and should be reported. A false negative should be considered a software bug only if the IDS and IPS have a signature that has been designed to detect the offending traffic.
  • True positive: A true positive occurs when an IDS and IPS signature is correctly fired, and an alarm is generated, when offending traffic is detected. For example, consider a Unicode attack. Cisco IPS sensors have signatures that detect Unicode attacks against Microsoft Internet Information Services (IIS) web servers. If a Unicode attack is launched against Microsoft IIS web servers, the sensors detect the attack and generate an alarm.
  • True negative: A true negative occurs when a signature is not fired when nonoffending traffic is captured and analyzed. In other words, the sensor does not fire an alarm when it captures and analyzes “normal” network traffic.

Table 6-8 provides a summary of the alarm types. To understand the terminology, think in terms of “Was the alarm triggered?” A positive means that the alarm was triggered and a negative means that the alarm was not triggered. Thus the expression false alarm, which is the same as false positive (positive because the alarm was triggered, but false because the intrusion did not happen or the intrusion was not detected by the sensor).

Table 6-8. Alarm Types

Intrusion Occurred/Detected

Intrusion Did Not Occur / Not Detected

Alarm was triggered

True positive

False positive

Alarm was not triggered

False negative

True negative

Alarms fire when specific parameters are met. You must balance the number of incorrect alarms that you can tolerate with the capability of the signature to detect actual intrusions. If you have too few alarms, you might be letting in more suspect packets, but network traffic will flow more quickly. If IPS systems use untuned signatures, they will produce many false positive alarms. You should consider the following factors when implementing alarms that a signature uses:

  • The level assigned to the signature determines the alarm severity level.
  • A Cisco IPS signature is assigned one of four severity levels:

    • Informational: Activity that triggers the signature is not considered an immediate threat, but the information provided is useful information.
    • Low: Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely.
    • Medium: Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
    • High: Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.
  • You can manually adjust the severity level that an alarm produces.
  • To minimize false positives, study your existing network traffic patterns and then tune your signatures to recognize intrusion patterns that are atypical (out of character) for your network traffic patterns. Do not base your signature tuning on traffic patterns that are based only on industry examples. Use an industry example as a starting point, determine what your own network traffic patterns are, and use them in your signature alarm tuning efforts.
6. IPS Best Practices | Next Section Previous Section