Understanding Signatures
Network intrusions are attacks on, or other misuses of, network resources. Cisco IPS sensors and Cisco IOS IPS devices use a signature-based technology to detect network intrusions. A signature specifies the types of network intrusions that you want the sensor to detect and report. As sensors scan network packets, they use signatures to detect known types of attacks, such as denial of service (DoS) attacks, and respond with actions that you define.
On a basic level, signature-based intrusion detection technology can be compared to virus-checking programs. Cisco IPS contains a set of signatures that the sensor compares with network activity. When a match is found, the sensor takes some action, such as logging the event or sending an alarm to the Security Manager Event Viewer.
Signatures can produce false positives, because certain normal network activity can be construed as malicious. For example, some network applications or operating systems may send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by editing your signature parameters (tuning your signatures).
To configure a sensor to monitor network traffic for a particular signature, you must enable the signature. By default, the most critical signatures are enabled when you install the signature update. When an attack is detected that matches an enabled signature, the sensor generates an alert, which is stored in the event store of the sensor. The alerts, as well as other events, may be retrieved from the event store by web-based clients such as Event Viewer. By default the sensor logs all Informational alerts or higher.
Some signatures have subsignatures, that is, the signature is divided into subcategories. When you configure a subsignature, changes made to the parameters of one subsignature apply only to that subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity, the severity change applies to only subsignature 1 and not to 3050 2, 3050 3, and 3050 4.
Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can later activate retired signatures; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic. You can tune built-in signatures by adjusting several signature parameters. Built-in signatures that have been modified are called tuned signatures.
Note: We recommend that you retire any signatures that you are not using. This improves sensor performance.
You can create signatures, which are called custom signatures. Custom signature IDs begin at 60000. You can configure them for several things, such as matching of strings on UDP connections, tracking of network floods, and scans. Each signature is created using a signature engine specifically designed for the type of traffic being monitored.
Obtaining Detailed Information About a Signature
You can find detailed information about each signature from the Cisco Security Intelligence Operations web site. The web site includes a wealth of information and best practice recommendations for network security, and you can set up IntelliShield alerts. There is education on advanced security topics to help you protect your network, prioritize remediation, and structure your systems to reduce organizational risk.
When you edit the Signatures policy in Security Manager (see Signatures Page), the signature ID is linked directly into the Cisco Security Intelligence Operations database of IPS signatures. Clicking a signature ID opens a page containing information about the signature, including a description, the vulnerabilities on which the signature is based, when the signature was created, and so forth. You can search this database yourself at http://tools.cisco.com/security/center/search.x?search=Signature. (The database was formerly called the Cisco Network Security Database or NSDB.)
If you do not have access to Cisco.com, then the signature ID is linked to a local copy of the signature database information. Security Manager detects whether you have access to Cisco.com and makes the appropriate link for you without your having to set a preference.
The database includes information only for built-in, default signatures. You cannot find information about custom (user-defined) signatures.
Beginning with Security Manager 4.4, the Signatures Page (IPS > Signatures > Signatures) contains an Explanation tab and a Related Threats tab for each signature. These tabs display detailed information in a separate window on the Signatures page. For example, the Explanation tab displays Description, Signature ID, and so forth; the Related Threats tab displays vulnerabilities for other software that you may be using, and so forth.
Tip: If this window is not visible to you, expand it with the up arrow button in the bottom-left corner of the Signatures page. To hide this window, collapse it with the corresponding down arrow, also in the bottom-left corner of the Signatures page. You can resize this window with standard controls.
Understanding Signature Inheritance
Signature inheritance for IPS devices is different than for any other Security Manager rules-based policy. Inheritance refers to the capability of Security Manager to enforce hierarchical lists of first-match, rule-based policies such as access rules. Signature inheritance is different because for IPS devices, Security Manager allows inheritance on a per-signature basis.
This example shows what is meant by inheritance on a per-signature basis:
Procedure
Step 1: In Policy View, select .
Step 2: Create a policy named test1.
Step 3: Create a second policy, named test2.
Step 4: Right-click test2 and select Inherit Signatures. The Inherit Rules—test2 dialog box appears.
Step 5: Select test1 and click the OK button.
Step 6: Select test1 and edit a signature. Note the edit that you made and save your change.
Step 7: Select test2 and select the signature that you just edited. Observe that test2 inherited the edit that you made on test1.
IPS Signature Purge
Beginning with Security Manager 4.1, old signature versions (defined as being older than the lowest signature level deployed) are purged during a periodic purge operation, the purpose of which is to optimize the database.
Note: As a result of the purge operation, you may notice the deletion of some of your unused tuning contexts.
Some of the purged signatures may be restored during your next download of IPS signature packages from Cisco.com.
IPS signature purge is disabled by default. To enable IPS signature purge, follow these steps:
Procedure
Step 1: Stop the Cisco Security Manager Daemon Manager: at the command prompt, enter net stop crmdmgtd.
Step 2: Navigate to the NMSROOT\MDC\ips\etc\sensorupdate.properties file, where NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.
Step 3: In sensorupdate.properties, change purgeUnusedSignautesEntriesinDB:false to purgeUnusedSignautesEntriesinDB:true.
Step 4: Restart the Cisco Security Manager Daemon Manager: at the command prompt, enter net start crmdmgtd. IPS signature purge now runs at midnight every day.
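As an added example that is not part of the Cisco documentation, the following PowerShell script carries out the four steps above in one run, with a backup of the properties file and a check that the key is actually present before anything is written. It assumes the default NMSROOT of C:\Program Files\CSCOpx and that the Daemon Manager is installed as the Windows service named crmdmgtd, the same service that net stop and net start address.

```powershell
# Added example: toggle the daily IPS signature purge in sensorupdate.properties.
# Assumptions: NMSROOT defaults to C:\Program Files\CSCOpx; the Daemon Manager
# is the Windows service "crmdmgtd" (what 'net stop crmdmgtd' controls).
param(
    [string]$NmsRoot = 'C:\Program Files\CSCOpx',
    [bool]$Enable = $true
)

$propsFile = Join-Path $NmsRoot 'MDC\ips\etc\sensorupdate.properties'
$key       = 'purgeUnusedSignautesEntriesinDB'   # spelled exactly as in the product file
$desired   = if ($Enable) { 'true' } else { 'false' }

if (-not (Test-Path -LiteralPath $propsFile)) {
    throw "Properties file not found: $propsFile"
}

# Step 1: stop the Daemon Manager before editing its configuration.
Stop-Service -Name crmdmgtd -ErrorAction Stop
try {
    # Keep a timestamped backup so the change can be reverted.
    $backup = "$propsFile.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $propsFile -Destination $backup

    # Steps 2 and 3: rewrite only the purge key, leaving every other line untouched.
    $lines   = Get-Content -LiteralPath $propsFile
    $pattern = "^\s*$([regex]::Escape($key))\s*:\s*(true|false)\s*$"
    $found   = $false
    $updated = foreach ($line in $lines) {
        if ($line -match $pattern) { $found = $true; "${key}:$desired" } else { $line }
    }
    if (-not $found) {
        throw "Key '$key' not present in $propsFile; file left unchanged (backup: $backup)"
    }
    Set-Content -LiteralPath $propsFile -Value $updated -Encoding ASCII
    Write-Host "Set ${key}:$desired in $propsFile (backup: $backup)"
}
finally {
    # Step 4: restart the Daemon Manager even if the edit failed, so the
    # server does not stay down. With the key true, purge runs at midnight.
    Start-Service -Name crmdmgtd
}
```

Run it from an elevated PowerShell prompt on the Security Manager server; pass -Enable $false to turn the purge off again.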