Home > Articles > Cisco Network Technology > General Networking > Intrusion Prevention: Signatures and Actions

Intrusion Prevention: Signatures and Actions

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: May 26, 2006.

Contents

  1. Signature Types
  2. Signature Triggers
  3. Signature Actions
  4. Summary

Chapter Description

Attack signatures have been around for long enough that the definition should be universally understood, but that's not the case. Simply put, an IPS signature is any distinctive characteristic that identifies something. Using this definition, all IPS products use signatures of some kind, regardless of what the product descriptions claim. To find something and stop it, you must be able to identify it, and for you to identify it, it must display a distinct characteristic. This chapter introduces you to the concept of signatures.

Signature Triggers

The heart of any IPS signature is the mechanism that causes it to trigger. These triggering mechanisms can be simple or complex, and every IPS incorporates signatures that use one or more of these basic triggering mechanisms to trigger signature actions. These triggering mechanisms can be applied to both atomic and stateful signatures. Current IPSs incorporate various triggering mechanisms when developing signatures, including the following:

  • Pattern detection
  • Anomaly-based detection
  • Behavior-based detection

Table 2-1 shows the relationship between the various signature types and triggering mechanisms.

Table 2-1 Signature Type Versus Signature Trigger

Signature Trigger

Signature Type

 

Atomic Signature

Stateful Signature

Pattern detection

No state required to examine pattern to determine if signature action should be applied

Must maintain state or examine multiple items to determine if signature action should be applied

Anomaly detection

No state required to identify activity that deviates from normal profile

State required to identify activity that deviates from normal profile

Behavior detection

No state required to identify undesirable behavior

Previous activity (state) required to identify undesirable behavior

The following sections explain the signature triggering mechanisms in detail. Table 2-2 and Table 2-3 provide example signatures that illustrate the various combinations of signature types and triggering mechanisms to help clarify how the different signature types and triggers combine to create useful signatures.

Table 2-2 Host-Based Signature Examples

Signature Trigger

Signature Type

 

 

Atomic Signature

Stateful Signature

Pattern detection

Searching for the string confidential in a data file

Searching for the string SELECT FROM in a URI

Anomaly detection

Detecting a function call that is not part of the normal profile

Two function calls that are part of the normal profile, but have never been called within 1 second of each other

Behavior detection

Searching for any invocation of cmd.exe

Searching for an e-mail application (program that has previously generated or received e-mail traffic) invoking command.com

Table 2-3 Network-Based Signature Examples

Signature Trigger

Signature Type

 

 

Atomic Signature

Stateful Signature

Pattern detection

Detecting for an Address Resolution Protocol (ARP) request that has a source Ethernet address of FF:FF:FF:FF:FF:FF

Searching for the string confidential across multiple packets in a TCP session

Anomaly detection

Detecting traffic that is going to a destination port that is not in the normal profile

Verifying protocol compliance for HTTP traffic

Behavior detection

Detecting abnormally large fragmented packets by examining only the last fragment

Searching for RPC requests that do not initially utilize the PortMapper

Each of these triggering mechanisms has its benefits and drawbacks. Using the correct triggering mechanism in the appropriate situation greatly improves its efficiency. IPS devices that support multiple triggering mechanisms can more adequately support efficient signatures for a wide variety of activities without significantly impacting the performance of the IPS device.

By understanding the mechanisms that a signature can use to identify an activity, you can more efficiently determine a product's true capabilities.

Pattern Detection

The simplest triggering mechanism is identifying a specific pattern. This pattern can represent a textual or binary string or it can be other patterns, such as a sequence of function calls. Besides simple string patterns, most systems provide enhanced pattern detection using the following mechanisms:

  • Regular expression (regex) patterns
  • Deobfuscation techniques

Specifying string patterns using regex provides the ability to efficiently search for textual patterns (using a single regular expression) while making it harder to bypass the pattern without detection.

grep [Aa][Tt][Tt][Aa][Cc][Kk] output.results
3. Signature Actions | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.