Explain how signatures are used to detect malicious network traffic.
Signatures are used to detect specific malicious traffic patterns and characteristics (e.g., viruses, worms, protocol anomalies).
The IPS scans incoming traffic for signatures or abnormal traffic patterns.
Signature Attributes:
Type: Determines whether the signature is simple (atomic) or complex (composite).
Trigger: Defines the event that causes the signature to fire.
Action: Defines the response of the IPS, such as blocking or logging the detected traffic.
Atomic Signature:
Triggered by a single packet, activity, or event.
Advantages: Quick and efficient analysis.
No state information needed for traffic analysis.
Composite (Stateful) Signature:
Requires multiple packets and maintains state information (e.g., IP addresses, port numbers).
Advantage: Can detect more complex, multi-packet threats. Disadvantage: requires more resources for analysis, since state must be kept between packets.
Trigger Mechanisms: A signature alarm fires through one of these detection mechanisms:
Pattern-based: Matches a known traffic pattern.
Anomaly-based: Detects deviations from a baseline of normal traffic.
Policy-based: Matches traffic that violates a defined traffic-flow policy.
Honeypot-based: Lures attackers into interacting with a decoy system so their activity can be observed.
Signature Actions:
Alert: Generates an alert without taking any further action.
Log: Logs the activity without generating an alert.
Deny: Denies the activity and logs it.
Pass: Allows the activity through without logging.
Reject: Rejects the traffic, logs it, and sends a reset.
Alarm Outcomes:
True Positive: Malicious traffic correctly identified as malicious. Ideal outcome.
True Negative: Normal traffic correctly identified as benign. Also ideal.
False Positive: Normal traffic mistakenly flagged as malicious. Requires tuning to avoid unnecessary investigation.
False Negative: Malicious traffic not detected. Dangerous, as it leaves the system exposed.
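The following is an added example, not part of the original notes, that ties together the atomic/composite signature types, the trigger mechanisms, the response actions and the four alarm outcomes listed above in one small, runnable inspection loop. Everything in it is constructed for illustration: the packets, the "BADPATTERN" token, the Telnet policy, the port-sweep threshold of 5, the approved scanner address 10.0.0.5 and the hand-labelled ground truth are all assumptions, not Snort or Cisco code. The atomic signatures decide from one packet with no memory; the composite signature keeps per-source state and can only fire once enough packets have been seen, which is exactly where the false negatives in the scoring come from.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""          # TCP flags; "S" marks a SYN
    payload: bytes = b""
    malicious: bool = False  # constructed ground truth, used only to score the alarms

@dataclass
class Signature:
    name: str
    sig_type: str            # "atomic" (one packet) or "composite" (stateful, many packets)
    action: str              # alert | log | deny | pass | reject
    trigger: Callable        # atomic: f(pkt) -> bool; composite: f(pkt, state) -> bool

# Response actions as the notes define them: (raise alert, write log, drop, send reset).
# "pass" is handled separately: forward silently and stop evaluating further signatures.
ACTIONS = {
    "alert":  (True,  False, False, False),
    "log":    (False, True,  False, False),
    "deny":   (False, True,  True,  False),
    "reject": (False, True,  True,  True),
}

class ToyIPS:
    def __init__(self, signatures: List[Signature], mode: str = "IPS"):
        self.signatures = signatures
        self.mode = mode                                  # "IPS" enforces, "IDS" only observes
        self.state: Dict[str, dict] = defaultdict(dict)   # per-signature memory for composite rules
        self.alerts, self.log, self.resets = [], [], []
        self.detected: List[bool] = []                    # per packet: did a non-pass signature fire?

    def inspect(self, pkt: Packet) -> str:
        verdict, fired = "forward", False
        for sig in self.signatures:
            if sig.sig_type == "atomic":
                hit = sig.trigger(pkt)                    # no state: decided from this packet alone
            else:
                hit = sig.trigger(pkt, self.state[sig.name])
            if not hit:
                continue
            if sig.action == "pass":
                self.detected.append(False)
                return "forward"
            fired = True
            alert, log, drop, reset = ACTIONS[sig.action]
            if alert:
                self.alerts.append((sig.name, pkt.src))
            if log:
                self.log.append((sig.name, pkt.src))
            if self.mode == "IPS":                        # IDS mode never blocks or resets
                if drop:
                    verdict = "drop"
                if reset:
                    self.resets.append(pkt.src)
        self.detected.append(fired)
        return verdict

# --- trigger mechanisms (all constructed for this example) ---
def bad_payload(pkt):                      # pattern-based, atomic
    return b"BADPATTERN" in pkt.payload

def telnet_policy(pkt):                    # policy-based, atomic: cleartext Telnet is not allowed
    return pkt.dport == 23

def port_sweep(pkt, state, threshold=5):   # anomaly-based, composite: SYNs to many distinct ports
    if "S" not in pkt.flags:
        return False
    ports = state.setdefault(pkt.src, set())
    ports.add(pkt.dport)
    return len(ports) >= threshold         # the first four SYNs are invisible to this signature

def authorised_scanner(pkt):               # atomic "pass" entry for an approved internal scanner
    return pkt.src == "10.0.0.5"

SIGNATURES = [
    Signature("authorised-scanner", "atomic", "pass", authorised_scanner),
    Signature("bad-payload", "atomic", "reject", bad_payload),
    Signature("telnet-policy", "atomic", "alert", telnet_policy),
    Signature("port-sweep", "composite", "deny", port_sweep),
]

def sample_traffic() -> List[Packet]:
    """Constructed packets with hand-labelled ground truth (assumption, not captured data)."""
    pkts = [Packet("192.168.1.20", "10.0.0.1", 80, "S", b"GET / HTTP/1.1"),
            Packet("192.168.1.21", "10.0.0.1", 80, "PA", b"BADPATTERN", malicious=True),
            Packet("192.168.1.23", "10.0.0.1", 23, "S", malicious=True),
            Packet("192.168.1.24", "10.0.0.1", 25, "PA", b"Subject: sample BADPATTERN")]  # benign mail quoting the token
    pkts += [Packet("192.168.1.22", "10.0.0.1", p, "S", malicious=True) for p in range(30, 37)]
    pkts += [Packet("10.0.0.5", "10.0.0.1", p, "S") for p in range(30, 37)]
    return pkts

def alarm_outcomes(packets, detected) -> Dict[str, int]:
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for pkt, d in zip(packets, detected):
        if pkt.malicious:
            counts["TP" if d else "FN"] += 1
        else:
            counts["FP" if d else "TN"] += 1
    return counts

def demo(mode: str = "IPS") -> dict:
    packets = sample_traffic()
    ips = ToyIPS(SIGNATURES, mode)
    verdicts = [ips.inspect(p) for p in packets]
    return {"dropped": verdicts.count("drop"), "alerts": len(ips.alerts),
            "logged": len(ips.log), "resets": len(ips.resets),
            "outcomes": alarm_outcomes(packets, ips.detected)}

if __name__ == "__main__":
    print(demo("IPS"))
    print(demo("IDS"))
```

Running it in IPS mode drops five packets (the two pattern hits and the last three SYNs of the sweep), sends two resets and logs five events; in IDS mode the same five events are logged and the single alert is raised, but nothing is dropped. The alarm scoring is the same in both modes: the benign mail that quotes the token is the false positive that tuning would have to remove, and the first four SYNs of the sweep are the false negatives that any threshold-based composite signature accepts by design.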
Cisco Snort IPS is a flexible, open-source IPS solution integrated into Cisco devices, such as the ISR 4000 series.
It offers both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) capabilities.
Cisco IPS Deployment Options:
Cisco Firepower Next-Generation IPS (NGIPS): Dedicated inline appliances for threat prevention.
Snort IPS on ISR 4000 series: Installed as a service on the router, using a second-generation Snort engine.
External Snort IPS Server: Receives a copy of the traffic for monitoring through a SPAN switch port.
NGIPS:
Built on open-source Snort technology.
Includes advanced malware analysis, URL filtering, and sandboxing technology.
Integrates with Cisco Talos for real-time threat intelligence.
Application Visibility and Control (AVC) and Advanced Malware Protection (AMP) provide additional defense layers.
Snort IPS on ISR 4000:
Runs on Linux Service Containers within the router.
Supports IDS/IPS modes and allows for real-time traffic analysis.
Snort IPS Components:
Snort Engine: Core detection and enforcement engine.
Snort Rule Software Subscriptions: Term-based subscriptions for rule updates (Community vs. Subscriber Rule Set).
Community Rule Set: Free, reactive response, delayed updates (30 days).
Subscriber Rule Set: Paid, proactive research, rapid updates, full Cisco support.
Snort Rule Structure:
The rule header includes:
Action (e.g., alert, log, pass).
Protocol (e.g., TCP, UDP).
Source IP and Destination IP (e.g., 192.168.1.1 -> 10.0.0.1).
Source port and Destination port (e.g., 80 -> 443).
Rule options: Additional conditions (e.g., content matching, IP header options).
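As an added example (not code from the notes or from the Snort project), the parser below reads a Snort rule into the header fields listed above plus its option block, and then checks whether a given connection matches the header part of the rule (protocol, addresses, ports and direction). The sample rules, the "BADPATTERN" content and the sid values 1000001 and 1000002 are constructed; CIDR notation, port ranges written as low:high, "!" negation, the "<>" bidirectional operator and bare keywords such as nocase follow Snort's documented rule syntax, but the checks here are a teaching subset, not the engine's full grammar.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str                     # "->" one way, "<>" both ways
    dst_ip: str
    dst_port: str
    options: Dict[str, object] = field(default_factory=dict)

def _split_options(body: str) -> List[str]:
    """Split on ';' only outside double quotes, so content:"a;b" stays whole."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"' and (not buf or buf[-1] != "\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_rule(text: str) -> SnortRule:
    head, sep, rest = text.strip().partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    hdr = head.split()
    if len(hdr) != 7:
        raise ValueError(f"expected 7 header fields, got {len(hdr)}: {head!r}")
    action, proto, sip, sport, direction, dip, dport = hdr
    if action not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto.lower() not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    options: Dict[str, object] = {}
    for opt in _split_options(rest.rstrip()[:-1]):
        key, has_val, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        value = val if has_val else True   # bare keywords such as nocase carry no value
        if key in options:                 # repeated keys (several content: modifiers) become a list
            prev = options[key]
            options[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            options[key] = value
    return SnortRule(action, proto.lower(), sip, sport, direction, dip, dport, options)

def _ip_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)   # plain host becomes a /32
    return (ipaddress.ip_address(ip) in net) != negate

def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                                  # low:high range, either bound may be empty
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def header_matches(rule: SnortRule, proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
    """True when the connection tuple satisfies the rule header (not the options)."""
    if rule.protocol != "ip" and proto.lower() != rule.protocol:
        return False
    forward = (_ip_matches(rule.src_ip, src_ip) and _port_matches(rule.src_port, src_port)
               and _ip_matches(rule.dst_ip, dst_ip) and _port_matches(rule.dst_port, dst_port))
    if forward or rule.direction == "->":
        return forward
    return (_ip_matches(rule.src_ip, dst_ip) and _port_matches(rule.src_port, dst_port)   # "<>": try reversed
            and _ip_matches(rule.dst_ip, src_ip) and _port_matches(rule.dst_port, src_port))

# Constructed sample rules (sid values chosen in the local-rule range; not real rule IDs).
SAMPLE_RULES = [
    'alert tcp 192.168.1.0/24 any -> 10.0.0.1 443 (msg:"constructed: token in TLS flow"; '
    'content:"BADPATTERN"; nocase; sid:1000001; rev:1;)',
    'log udp any any <> 10.0.0.1 53 (msg:"constructed: DNS either direction"; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for r in map(parse_rule, SAMPLE_RULES):
        print(r.action, r.protocol, r.src_ip, r.src_port, r.direction, r.dst_ip, r.dst_port, r.options)
```

A practical use of a header matcher like this is rule hygiene: before loading a local rule, confirm that its header actually covers the flows you expect and nothing broader, since a rule whose header is "any any -> any any" is evaluated against every packet and is a common source of both false positives and wasted engine time.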
Snort IPS Installation Steps:
Download Snort OVA File: Obtain the latest OVA file for Snort IPS from Cisco's website.
Install Snort OVA: Use the virtual-service install command to deploy the OVA file on the router.
Configure Virtual Port Group (VPG): Define management interfaces (VPG0) for logging and signature updates, and data interfaces (VPG1) for user traffic inspection.
Activate Virtual Services: Set up and configure the virtual service for IPS functionality.
Operating Modes:
IPS Mode: Actively blocks malicious traffic.
IDS Mode: Only detects and alerts without blocking traffic.
Signature Policies:
Connectivity Policy: Least protection, prioritizes connectivity.
Balanced Policy: Default policy, balances security and performance.
Security Policy: Maximum protection, ideal for high-security environments.
Enable IPS either globally or on specific interfaces, depending on the network setup.
Verification:
Use show commands to verify the Snort IPS configuration, including:
show virtual-service list
show utd engine standard config
show platform hardware qfp active feature utd stats
Summary:
IPS signatures have three attributes: type (atomic/composite), trigger, and action.
True Positive and True Negative are the ideal alarm results.
Snort IPS on ISR devices can be configured for IDS or IPS service.
Signature updates are crucial for effective protection against new and evolving threats.
Snort Rule Configuration: Snort rules are designed to identify specific threats and can be customized based on traffic patterns.
IPS Modes: IPS operates in either detection or prevention mode, depending on the security posture.