
Intrusion Prevention: Signatures and Actions

Chapter Description

Attack signatures have been around for long enough that the definition should be universally understood, but that's not the case. Simply put, an IPS signature is any distinctive characteristic that identifies something. Using this definition, all IPS products use signatures of some kind, regardless of what the product descriptions claim. To find something and stop it, you must be able to identify it, and for you to identify it, it must display a distinct characteristic. This chapter introduces you to the concept of signatures.

From the Book

Intrusion Prevention Fundamentals

Summary

Different products use different terminology to describe the same functionality. For explanation purposes, our definition of a signature is any distinctive characteristic that identifies something. Based on this definition, all IPS devices use signatures to identify activity in your network traffic and on the hosts on your network. Signatures are distinguished by the following characteristics:

  • Signature type
  • Signature trigger
  • Signature actions

Signature types fall into the following two base categories:

  • Atomic
  • Stateful

The major distinction between these two base signature types is that an atomic signature can be evaluated against a single packet or event on its own, whereas a stateful signature requires the IPS device to maintain state information about previous activity (for example, earlier segments of the same connection) before it can decide whether to fire.

In addition to its base type, every signature uses one of the following triggering mechanisms to decide when its configured actions should be applied:

  • Pattern detection
  • Anomaly-based detection
  • Behavior-based detection

Table 2-4 outlines the relationship between the base signature types and the triggering mechanisms.

Table 2-4 Signature Type Versus Signature Trigger

Signature Trigger  | Atomic Signature                                                                         | Stateful Signature
-------------------|------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------
Pattern detection  | No state required to examine pattern to determine if signature action should be applied  | Must maintain state or examine multiple items to determine if signature action should be applied
Anomaly detection  | No state required to identify activity that deviates from normal profile                 | State required to identify activity that deviates from normal profile
Behavior detection | No state required to identify undesirable behavior                                       | Previous activity (state) required to identify undesirable behavior

Pattern detection is the simplest triggering mechanism because it searches for a specific, predefined pattern. The pattern might be textual, binary, or even a particular sequence of function calls. Whether the signature is atomic or stateful depends on whether the pattern can be recognized within a single packet or only within the reassembled stream of a connection.

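The atomic-versus-stateful column of Table 2-4 is easiest to see with a pattern signature, because the same pattern can be written both ways and an attacker who splits the pattern across TCP segments evades only one of them. The code below is an added example written for this page, not code from the book or from any Cisco product: the segment format, the flow reassembly (which assumes the first segment seen for a flow is its first byte, where a real engine would take the initial sequence number from the handshake), the sample addresses and the request bytes are all constructed for illustration.

```python
"""Atomic versus stateful pattern signatures (added example, not from the book)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment; only the fields this example needs (constructed)."""
    src: str
    dst: str
    seq: int
    payload: bytes


class AtomicPatternSignature:
    """Inspects each segment on its own; nothing is remembered between segments."""

    def __init__(self, sig_id: str, pattern: bytes) -> None:
        self.sig_id = sig_id
        self.pattern = pattern

    def inspect(self, seg: Segment) -> bool:
        return self.pattern in seg.payload


class StatefulPatternSignature:
    """Reassembles each flow's byte stream, so the pattern is found even when the
    sender splits it across segments or the segments arrive out of order."""

    def __init__(self, sig_id: str, pattern: bytes, window: int = 4096) -> None:
        self.sig_id = sig_id
        self.pattern = pattern
        self.window = window  # bytes of reassembled stream kept per flow
        # flow key -> {"next": expected seq, "pending": out-of-order segments, "stream": tail}
        self.flows: Dict[Tuple[str, str], dict] = {}

    def inspect(self, seg: Segment) -> bool:
        key = (seg.src, seg.dst)
        # Assumption: the first segment seen for a flow carries its first byte. A real
        # engine would take the initial sequence number from the TCP handshake.
        flow = self.flows.setdefault(key, {"next": seg.seq, "pending": {}, "stream": b""})
        if flow.get("fired"):
            return False  # one alert per flow is enough
        flow["pending"][seg.seq] = seg.payload
        # Drain every pending segment that is now contiguous with the stream.
        while flow["next"] in flow["pending"]:
            data = flow["pending"].pop(flow["next"])
            flow["stream"] = (flow["stream"] + data)[-self.window:]
            flow["next"] += len(data)
        if self.pattern in flow["stream"]:
            flow["fired"] = True
            return True
        return False


def evaluate(signature, segments: List[Segment]) -> List[int]:
    """Sequence numbers of the segments on which the signature fires."""
    return [seg.seq for seg in segments if signature.inspect(seg)]


PATTERN = b"/etc/passwd"  # the predefined pattern both signatures look for

# Constructed traffic: the whole request in one segment ...
UNSPLIT = [Segment("10.0.0.5", "192.0.2.10", 1000, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")]

# ... the same request split mid-pattern, with another flow's segment in between ...
SPLIT = [
    Segment("10.0.0.5", "192.0.2.10", 1000, b"GET /../../etc/pas"),
    Segment("10.0.0.9", "192.0.2.10", 5000, b"swd"),  # different source: must not be joined
    Segment("10.0.0.5", "192.0.2.10", 1018, b"swd HTTP/1.0\r\n\r\n"),
]

# ... and split into three segments delivered out of order (1000, 1018, then 1011).
REORDERED = [
    Segment("10.0.0.5", "192.0.2.10", 1000, b"GET /../../"),
    Segment("10.0.0.5", "192.0.2.10", 1018, b"swd HTTP/1.0\r\n\r\n"),
    Segment("10.0.0.5", "192.0.2.10", 1011, b"etc/pas"),
]

if __name__ == "__main__":
    for name, traffic in (("unsplit", UNSPLIT), ("split", SPLIT), ("reordered", REORDERED)):
        print(name, "atomic:", evaluate(AtomicPatternSignature("s1", PATTERN), traffic),
              "stateful:", evaluate(StatefulPatternSignature("s1", PATTERN), traffic))
```

The atomic signature fires on the unsplit request only; the stateful one also fires on the split and reordered versions, on the segment that completes the pattern. The price is the per-flow buffer, which is why a production engine bounds it (the window here) and treats buffer exhaustion as something an attacker can aim for.
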
Anomaly-based detection involves first defining a profile of what is considered normal. This profile can be learned by monitoring activity over a period of time, or it can be based on a defined specification (such as an RFC). Whenever observed activity falls outside the normal profile, the signature triggers its actions. Correlating such a trigger with a specific attack, however, can be difficult, because the signature reports only that the activity deviated from the profile, not what caused the deviation.

Behavior-based detection is similar to pattern detection, but it detects classes of activity based on known unacceptable behavior. Therefore, instead of a separate signature for each unwanted activity, a single signature can watch for a specific behavior regardless of the exact packets used to carry it out. Once the behavior has been detected, the appropriate signature actions are applied.

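The two paragraphs above describe anomaly-based and behavior-based triggering; the following code runs both over one constructed stream of connection events and serves as the example for both. It is an added example written for this page, not code from the book or from any Cisco product. The event fields, the baseline and live traffic, the profile rule (destination port seen during the baseline, request size within three standard deviations of the baseline mean) and the behavior rule (ten distinct destination ports from one source inside thirty seconds) are all assumptions chosen for illustration. Note how the specification-based check needs no state, while the learned profile and the port-sweep behavior do, matching the anomaly and behavior rows of Table 2-4.

```python
"""Anomaly-based and behavior-based triggers over constructed connection events
(added example, not from the book)."""
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Request methods defined by the HTTP specification (RFC 7231, plus PATCH from RFC 5789).
# A method outside this set is a specification-based anomaly and needs no learned state.
SPEC_METHODS = frozenset(
    {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"})


@dataclass(frozen=True)
class Event:
    """One observed connection (constructed; a real sensor would decode this from traffic)."""
    t: int                  # seconds
    src: str
    dport: int
    size: int               # request bytes
    method: Optional[str]   # parsed HTTP method, None if the connection is not HTTP


class AnomalyTrigger:
    """Learns a normal profile from a baseline period, then flags deviations from it."""

    def __init__(self, sigma: float = 3.0) -> None:
        self.sigma = sigma
        self.ports: set = set()
        self.mean = 0.0
        self.stdev = 0.0

    def learn(self, baseline: List[Event]) -> None:
        self.ports = {e.dport for e in baseline}
        sizes = [e.size for e in baseline]
        self.mean = statistics.fmean(sizes)
        self.stdev = statistics.pstdev(sizes)

    def inspect(self, e: Event) -> List[str]:
        reasons = []
        if e.method is not None and e.method not in SPEC_METHODS:
            reasons.append("unknown-method")   # specification-based, no state needed
        if e.dport not in self.ports:
            reasons.append("unseen-port")      # learned profile
        if self.stdev and abs(e.size - self.mean) > self.sigma * self.stdev:
            reasons.append("size-outlier")     # learned profile
        return reasons


class BehaviorTrigger:
    """One signature for a whole class of activity: a source touching many distinct
    destination ports inside a time window, whatever the individual packets contain."""

    def __init__(self, distinct_ports: int = 10, window: int = 30) -> None:
        self.distinct_ports = distinct_ports
        self.window = window
        self.history: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)

    def inspect(self, e: Event) -> bool:
        h = self.history[e.src]
        h.append((e.t, e.dport))
        while h and e.t - h[0][0] > self.window:  # forget activity outside the window
            h.popleft()
        return len({p for _, p in h}) >= self.distinct_ports


def detect(baseline: List[Event], live: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (t, trigger, detail) for every trigger that fires on the live events."""
    anomaly = AnomalyTrigger()
    anomaly.learn(baseline)
    behavior = BehaviorTrigger()
    hits: List[Tuple[int, str, str]] = []
    for e in live:
        for reason in anomaly.inspect(e):
            hits.append((e.t, "anomaly", reason))
        if behavior.inspect(e):
            hits.append((e.t, "behavior", "port-sweep"))
    return hits


# Constructed baseline: ordinary web traffic from one client during a quiet period.
BASELINE = [
    Event(t, "10.0.0.5", 443 if t % 2 else 80, size, "GET" if t % 3 else "POST")
    for t, size in enumerate([300, 350, 400, 450, 500, 320, 380, 440, 460, 410])
]

# Constructed live traffic: a normal request, an oversized one, a bogus method, then a port sweep.
LIVE = [
    Event(50, "10.0.0.5", 443, 420, "GET"),
    Event(51, "10.0.0.5", 443, 60000, "GET"),
    Event(52, "10.0.0.5", 80, 400, "FOO"),
] + [Event(100 + i, "198.51.100.7", i + 1, 400, None) for i in range(12)]

if __name__ == "__main__":
    for hit in detect(BASELINE, LIVE):
        print(hit)
```

The anomaly trigger reports the oversized request and the unknown method but can only say "this deviated"; the behavior trigger names the class of activity (a port sweep) even though no single event in it looks unusual on its own. The sweep also shows why anomaly output is hard to correlate: every one of those twelve events is an "unseen-port" anomaly, while the behavior signature fires once the threshold is crossed.
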
Detecting unwanted activity is only the initial step in protecting your network. Once a signature triggers, your IPS device must take the configured actions to mitigate the activity it identified. Signature actions fall into the following categories:

  • Generating an alert
  • Dropping or preventing the activity
  • Logging the activity
  • Resetting a TCP connection
  • Blocking future activity
  • Allowing the activity

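The six actions above can be combined on a single signature, and the difference between dropping the matching packet and blocking future activity is easiest to see in code. The inline engine below is an added example written for this page, not code from the book or from any Cisco product. The signature IDs, addresses, packets and block duration are constructed, and two policy details are this example's own choices rather than anything the chapter specifies: a matching "allow" signature suppresses every other signature for that packet, and "block" affects only later packets from the source, leaving the current packet to "drop" or "reset".

```python
"""Signature actions applied by a small inline engine (added example, not from the book)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

VALID_ACTIONS = frozenset({"alert", "drop", "log", "reset", "block", "allow"})


@dataclass(frozen=True)
class Packet:
    """One packet as the engine sees it (constructed fields)."""
    t: int          # arrival time in seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sig_id: str
    pattern: bytes               # an atomic pattern trigger keeps the example short
    actions: FrozenSet[str]

    def __post_init__(self) -> None:
        unknown = self.actions - VALID_ACTIONS
        if unknown:
            raise ValueError(f"{self.sig_id}: unknown actions {sorted(unknown)}")

    def matches(self, pkt: Packet) -> bool:
        return self.pattern in pkt.payload


class InlineEngine:
    def __init__(self, signatures: List[Signature], block_seconds: int = 60) -> None:
        self.signatures = signatures
        self.block_seconds = block_seconds
        self.blocked: Dict[str, int] = {}                 # src -> time the block expires
        self.alerts: List[Tuple[int, str, str]] = []      # (t, sig_id, src)
        self.logged: List[Tuple[int, str, bytes]] = []    # (t, sig_id, payload captured)
        self.resets: List[Tuple[int, str, str]] = []      # (t, src, dst) pairs sent a RST

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: "forward" or "drop"."""
        # Blocking future activity: a blocked source is dropped before any signature
        # runs, so later packets from it need not match anything to be stopped.
        expiry = self.blocked.get(pkt.src)
        if expiry is not None:
            if pkt.t < expiry:
                return "drop"
            del self.blocked[pkt.src]  # block expired; fall through to inspection

        hits = [s for s in self.signatures if s.matches(pkt)]
        # Allowing the activity (this example's policy): a matching "allow" signature
        # suppresses every other signature for this packet.
        if any("allow" in s.actions for s in hits):
            return "forward"

        verdict = "forward"
        for sig in hits:
            if "alert" in sig.actions:
                self.alerts.append((pkt.t, sig.sig_id, pkt.src))
            if "log" in sig.actions:
                self.logged.append((pkt.t, sig.sig_id, pkt.payload))
            if "drop" in sig.actions:
                verdict = "drop"
            if "reset" in sig.actions and pkt.proto == "tcp":
                # A reset tears the connection down at both ends; it only applies to TCP.
                self.resets.append((pkt.t, pkt.src, pkt.dst))
                verdict = "drop"
            if "block" in sig.actions:
                # Block is about future packets; this packet's fate is decided by drop/reset.
                self.blocked[pkt.src] = pkt.t + self.block_seconds
        return verdict


# Constructed signatures with hypothetical IDs.
SIGNATURES = [
    Signature("2001", b"internal-scanner/1.0", frozenset({"allow"})),   # authorised scanner
    Signature("2002", b"UNION SELECT", frozenset({"alert", "log"})),    # detect only
    Signature("2003", b"/etc/passwd", frozenset({"alert", "drop", "reset", "block"})),
]

# Constructed traffic, in arrival order.
SAMPLE_PACKETS = [
    Packet(1, "10.0.0.5", "192.0.2.10", "tcp", b"GET /index.html HTTP/1.0"),
    Packet(2, "10.0.0.5", "192.0.2.10", "tcp", b"GET /?q=' UNION SELECT 1 -- HTTP/1.0"),
    Packet(3, "198.51.100.7", "192.0.2.10", "tcp", b"GET /../../etc/passwd HTTP/1.0"),
    Packet(4, "198.51.100.7", "192.0.2.10", "tcp", b"GET /index.html HTTP/1.0"),   # still blocked
    Packet(70, "198.51.100.7", "192.0.2.10", "tcp", b"GET /index.html HTTP/1.0"),  # block expired
    Packet(71, "10.0.0.9", "192.0.2.10", "tcp",
           b"GET /../../etc/passwd HTTP/1.0\r\nUser-Agent: internal-scanner/1.0"),
]


def run(engine: InlineEngine, packets: List[Packet]) -> List[str]:
    """Verdict for each packet, in order."""
    return [engine.process(p) for p in packets]


if __name__ == "__main__":
    engine = InlineEngine(SIGNATURES)
    for pkt, verdict in zip(SAMPLE_PACKETS, run(engine, SAMPLE_PACKETS)):
        print(pkt.t, pkt.src, verdict)
    print("alerts:", engine.alerts, "resets:", engine.resets)
```

Packet 3 is dropped, reset and causes the source to be blocked; packet 4 is then dropped without matching any signature, which is what "blocking future activity" buys over a per-packet drop. Packet 2 shows a detect-only signature (alert and log, traffic forwarded), and packet 6 shows why "allow" needs care: the allowed scanner's packet contains the same pattern as the attack, and the allow silences the alert as well as the drop.
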
The alerts (or alarms) generated by your IPS device enable you to monitor the attacks being launched against your network. To make alert monitoring efficient, IPS devices provide the following types of alerts:

  • Atomic alerts
  • Summary alerts