Cisco IDS/IPS Fundamentals
Risk Rating (RR) Calculation Factors
Attack relevancy (AR) => the relevance of the attack, judged when the IP address of the targeted host is known
Attack severity rating (ASR) => the criticality of the attack as determined by the person who created the signature
Signature fidelity rating (SFR) => the accuracy of the signature as set by its author, and the probability that a match is not the result of a false positive
Target value rating (TVR) => "assigned to specific destination IP addresses or subnets where the critical servers/devices live"
Possible Sensor Responses to Detected Attacks (for further details see the table on pages 503/504)
An alert is the basic mechanism used by the IDS/IPS to identify that an event has occurred, such as a signature match indicating malicious traffic. This is the default behavior for most signatures enabled on a sensor.
Log pair (source,destination) packets
This logging action begins to log IP packets whose source address matches the source (attacker) address of the packet that triggered the alert and whose destination address matches the destination (victim) address of that same packet. In essence, the sensor logs only future packets sent between the attacker and the victim (the attacked device address).
Log victim (destination) packets
This logging action begins to log all IP packets that have a destination IP address of the victim (the destination address from the packet or packets that triggered the alert).
Log attacker (source) packets
This action begins to log future packets based on the attacker's source IP address. This is usually done for a short duration, such as 30 seconds, after the initial alert. Log files are stored in a format that is readable by most protocol analyzers.
Deny packet inline
Deny packet inline drops the packet that triggered the alert (IPS only).
Deny connection inline
This action terminates the packet that triggered the action and future packets that are part of the same TCP connection. The attacker could open a new TCP session (using different port numbers), which could still be permitted through the inline IPS.
Deny attacker inline
This action denies packets from the source IP address of the attacker for a configurable duration, after which the deny action can be dynamically removed (IPS only).
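How the four risk rating factors above combine, and how the resulting RR selects among the sensor responses just listed, as an added example (not code from the original notes). The multiplicative formula, the numeric TVR weights and the +10/0/-10 relevancy adjustment follow Cisco's published IPS risk rating description; the deny threshold of 90 is an assumed policy value taken from Cisco's default event action override.

```python
from typing import List, Optional

# Target value rating: the label an operator assigns to a destination
# IP address or subnet, mapped to the weight used in the RR formula.
TVR_WEIGHTS = {
    "zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200,
}

# Attack relevancy: +10 when the target is known to be affected,
# -10 when known not to be, 0 when the sensor cannot tell.
ARR_ADJUSTMENT = {True: 10, False: -10, None: 0}

DENY_THRESHOLD = 90  # assumed override threshold (Cisco default is 90)


def risk_rating(asr: int, sfr: int, tvr: str,
                relevant: Optional[bool] = None) -> int:
    """Compute the risk rating (0-100) from the four factors in the notes.

    asr: attack severity rating (0-100), set by the signature author.
    sfr: signature fidelity rating (0-100), how unlikely a false positive is.
    tvr: target value rating label for the destination address.
    relevant: whether the attack applies to the target (None = unknown).
    """
    for name, value in (("asr", asr), ("sfr", sfr)):
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be 0-100, got {value}")
    rr = (asr * TVR_WEIGHTS[tvr] * sfr) // 10000 + ARR_ADJUSTMENT[relevant]
    return max(0, min(100, rr))  # RR is clamped to the 0-100 scale


def sensor_actions(rr: int, inline: bool) -> List[str]:
    """Responses the sensor takes for a given RR.

    Every signature match produces an alert (the default for most
    signatures); only an inline sensor (IPS) can add a deny action,
    and only once the RR reaches the override threshold.
    """
    actions = ["produce-alert"]
    if inline and rr >= DENY_THRESHOLD:
        actions.append("deny-packet-inline")
    return actions


if __name__ == "__main__":
    # Constructed sample: a medium-value target, attack known to be relevant.
    rr = risk_rating(asr=75, sfr=85, tvr="medium", relevant=True)
    print(rr, sensor_actions(rr, inline=True))      # 73 ['produce-alert']
    rr = risk_rating(asr=100, sfr=100, tvr="high")
    print(rr, sensor_actions(rr, inline=True))      # 100 [... 'deny-packet-inline']
```

Raising the TVR of a subnet is what pushes an otherwise identical alert over the deny threshold, which is why the target value rating is the factor operators tune most often.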
Identifying Malicious Traffic on the Network
A true negative is also a wonderful thing: there was normal, nonmalicious traffic and the sensor did not generate any type of alert, which is normal sensor behavior regarding nonmalicious traffic.
A true positive means that there was malicious traffic and that the sensor saw it and reported on it; if the sensor was an IPS, it may have dropped the malicious traffic based on the current set of rules in place.
A false negative, however, is when there is malicious traffic on the network and, for whatever reason, the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything negative is going on; you must use some third-party or external system to alert you to the problem at hand, such as syslog messages from a network device.
A false positive is when the sensor generates an alert about traffic and that traffic is not malicious or important as related to the safety of the network. False positives are easy to identify because alerts are generated and easily viewed.
Sensor Platforms
ASA with FirePOWER services
Virtual Next-Generation IPS (NGIPSv) for VMware
Cisco FirePOWER 8000/7000 series appliances
Blade that works in a 6500 series multilayer switch
Module on an ASA firewall in the form of the AIP module for IPS
Module in an IOS router, such as the AIM-IPS or NME-IPS modules
Software running on the router in versions of IOS that support it
Dedicated IPS appliance, such as the 4200 series
Difference Between IPS and IDS
Instead of preventing the malicious traffic from reaching the destination, the IDS just sends alerts if it detects something wrong.
Instead of placing the sensor inline in the network, we just send copies of the packets that are going through the network to the IDS sensor.
One negative about IPS is that, because it is inline, if the sensor fails and you do not have an alternate path in your network, the entire network could fail as a result of the sensor having a problem.
Any traffic going through the network is forced to go in one physical or logical port on the sensor. It is analyzed and then permitted or denied to continue its journey to the destination.
Whenever we hear IPS mentioned, we immediately know that the sensor is inline with the traffic, which makes it possible to prevent the attack from making it further into the network.