
Yeslab Security: CCNP Security IPS V7.1
Author: 現(xiàn)任明教教主

Course outline:
- Day 1: Security and IPS fundamentals; initializing the IPS from the console
- Day 2: Configuring the IPS with IDM; signatures and alerts
- Day 3: Signature Engine introduction; configuring signatures
- Day 4: Tuning IPS parameters; global correlation, reputation filtering and monitoring the IPS
- Day 5: Configuring blocking; initializing the IPS module

Day 3 course introduction:
- Signature Engine introduction
- Common Parameters introduction
- Signature configuration examples

Part 1: Signature Engine introduction

Engine Overview

A signature engine is a component of the sensor that supports a category of signatures. Cisco IPS signature engines let you tune existing signatures and create new ones to meet the needs of your network. IPS signatures are created by signature engines, and each engine is designed for a specific kind of traffic. An engine is an analyzer and a ... (the second term is missing from the source).

Engine classification 1: ATOMIC, FLOOD, SERVICE, STRING, SWEEP
Engine classification 2: TROJAN, TRAFFIC, AIC, STATE, META, NORMALIZER

Engine Parameters

An engine parameter consists of a name and a value. The parameter names are defined by the engine. The value of a parameter is defined within a constraint that is specific to the engine. The parameter name is constant across all signatures of a given engine, but the value varies from signature to signature. Some parameters appear in every engine; others appear only in specific engines.

Atomic Engine

These engines support signatures that are triggered by the content of a single packet. They do not store any state information across packets. (Matches specific fields inside a single packet.)
- ATOMIC ARP
- ATOMIC IP
- ATOMIC IP Advanced
- ATOMIC IP version 6
[Slide: Atomic IP example]

FLOOD Engine

The FLOOD signature engines are designed to detect attacks in which the attacker floods traffic to a single host or an entire network. (Protects against flooding DoS.)
- FLOOD.NET
- FLOOD.HOST
[Slide: Flood Host example]

SERVICE Engine (1)

These engines analyze traffic at and above Layer 5 of the OSI model. They provide protocol decoding for numerous protocols. (Application-layer defense for specific services.)
- SERVICE DNS
- SERVICE FTP
- SERVICE GENERIC
- SERVICE GENERIC ADVANCED
- SERVICE H225
- SERVICE HTTP
- SERVICE IDENT
- SERVICE MSRPC

SERVICE Engine (2)

These engines analyze traffic at and above Layer 5 of the OSI model. They provide protocol decoding for numerous protocols.
- SERVICE MSSQL
- SERVICE NTP
- SERVICE RPC
- SERVICE SMB
- SERVICE SMB ADVANCED
- SERVICE SNMP
- SERVICE SSH
- SERVICE TNS
[Slide: SERVICE HTTP example]

Regular expressions

- "^": the string must start with the given character. Example: ^A. Used directly after "[", "^" excludes the characters listed in the brackets. Example: [^0-9]
- "$": the string must end with the character to the left of "$". Example: abc$
- "|": alternation (or). Example: Root|root
- ".": matches any single character. Example: a.b
- "*": the character to its left occurs zero or more times. Example: a*
- "+": the character to its left occurs at least once. Example: a+
- "?": the character to its left occurs zero or one time. Example: a?
- "[]": any one of the characters inside the brackets. Example: [Rr]oot
- "\": escape character. Example: cmd\.exe

STRING Engine

The STRING signature engines support regular expressions for pattern matching. Also, alarm functionality is provided for ICMP, UDP, and TCP. State information is maintained because pattern matches are made across a stream of packets. (Caches the multiple packets of one flow and matches them with a regular expression.)
- STRING ICMP
- STRING TCP
- STRING UDP
- Multi STRING
[Slide: STRING TCP example]

SWEEP Engine

The SWEEP signature engines detect attacks that involve the attacker making connections to multiple hosts and/or ports. (For network scanning.)
- SWEEP
- SWEEP other TCP (supports signatures that fire when a mix of TCP packets have different flags set)
[Slide: SWEEP example]

TROJAN Engine

These engines are designed to detect Trojan program attacks against your network. (Detects the network traffic of Trojan programs.)
- TROJAN BO2K (examines UDP and TCP traffic for Back Orifice)
- TROJAN TFN2K (examines UDP, TCP, or ICMP traffic for irregular traffic patterns and corrupted headers)
- TROJAN UDP (examines UDP traffic for Trojan attacks)

TRAFFIC Engine

The TRAFFIC signature engines analyze nonstandard protocols such as TFN2K, LOKI, and DDoS. (Detects nonstandard traffic, for example ICMP carrying Trojan control information.)
- TRAFFIC ICMP (examines protocols such as LOKI)
- TRAFFIC Anomaly (examines UDP, TCP, and other traffic for worms)

AIC Engine

The AIC engines provide Layer 4 to Layer 7 inspection for HTTP and FTP. (Application-layer filtering for FTP and HTTP; application ... functionality, the term is missing from the source.)
- AIC FTP
- AIC HTTP

Note: To use these engines, you must enable Application Policy enforcement. To do this, choose Configuration > Signature Definitions > sig0 > Miscellaneous > Application Policy.

Miscellaneous tab

Miscellaneous parameters 1: Application Policy (the AIC engine must be enabled for the corresponding protocol)
- Enable HTTP: Enables protection for web services. Check the Yes check box to require the sensor to inspect HTTP traffic for compliance with the RFC.
- Max HTTP Requests: Specifies the maximum number of outstanding HTTP requests per connection.
- AIC Web Ports: Specifies the variable for the ports on which to look for AIC traffic.
- Enable FTP: Enables protection for FTP services. Check the Yes check box to require the sensor to inspect FTP traffic.

Miscellaneous parameters 2: Fragment Reassembly (configures how IP fragments are reassembled)
- IP Reassembly Mode: Identifies the method the sensor uses to reassemble the fragments, based on the operating system.

Miscellaneous parameters 3: Stream Reassembly (configures TCP stream reassembly; the TCP String engine is affected by these parameters)
- TCP Handshake Required: Specifies that the sensor should only track sessions for which the three-way handshake is completed.
- TCP Reassembly Mode: Specifies the mode the sensor should use to reassemble TCP sessions.
  - Asymmetric: Can only see one direction of a bidirectional traffic flow.
  - Strict: If a packet is missed for any reason, all packets after the missed packet are not processed.
  - Loose: Use in environments where packets might be dropped.

Miscellaneous parameters 4: IP Log (IP logging started by the log action stops as soon as any one of the following conditions is met)
- Max IP Log Packets: Identifies the number of packets you want logged.
- IP Log Time: Identifies the duration you want the sensor to log. A valid value is 1 to 60 seconds. The default is 30 seconds.
- Max IP Log Bytes: Identifies the maximum number of bytes you want logged.
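To make the difference between the regular-expression list, the STRING engine and the Stream Reassembly parameters concrete, here is an added example (my own model, not code from the slides or from Cisco). It feeds a constructed one-direction TCP stream, split into segments so that the login name "root" spans two packets, to an ATOMIC-style per-packet matcher and to a STRING.TCP-style matcher that reassembles first; the reassembler also models the Strict and Loose modes and the TCP Handshake Required setting. The segment contents and the pattern `[Rr]oot|cmd\.exe` are constructed for the example.

```python
import re

# Constructed sample: one direction of a TCP session as (seq, payload) pairs.
# The login name "root" is deliberately split across two segments.
SEGMENTS = [
    (1000, b"login: ro"),          # next expected seq: 1009
    (1009, b"ot\r\n"),             # next expected seq: 1013
    (1013, b"run cmd.exe\r\n"),    # next expected seq: 1026
]
# The same session with the middle segment lost before it reached the sensor.
SEGMENTS_WITH_GAP = [SEGMENTS[0], SEGMENTS[2]]

# Regex written the way the slides show them: alternation, character class, escaped dot.
PATTERN = rb"[Rr]oot|cmd\.exe"


def reassemble(segments, mode="strict"):
    """Order segments by sequence number and join their payloads.

    mode="strict": if a segment is missing, nothing after the gap is processed.
    mode="loose":  skip the gap and keep inspecting whatever did arrive.
    (Overlaps and retransmissions are not modelled.)
    Returns (stream_bytes, gap_seen)."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    ordered = sorted(segments, key=lambda s: s[0])
    stream = bytearray()
    gap_seen = False
    expected = ordered[0][0] if ordered else 0
    for seq, payload in ordered:
        if seq != expected:
            gap_seen = True
            if mode == "strict":
                break
        stream += payload
        expected = seq + len(payload)
    return bytes(stream), gap_seen


def per_packet_matches(segments, pattern=PATTERN):
    """ATOMIC-style inspection: each packet on its own, no state kept across packets."""
    return [m.group(0) for _, payload in segments for m in re.finditer(pattern, payload)]


def string_tcp_matches(segments, pattern=PATTERN, mode="strict",
                       handshake_required=True, handshake_complete=True):
    """STRING.TCP-style inspection: the regex runs over the reassembled stream.

    With TCP Handshake Required set, a session whose three-way handshake the
    sensor never saw is not tracked at all, so nothing in it can match."""
    if handshake_required and not handshake_complete:
        return []
    stream, _ = reassemble(segments, mode)
    return [m.group(0) for m in re.finditer(pattern, stream)]


if __name__ == "__main__":
    print("per packet  :", per_packet_matches(SEGMENTS))
    print("stream      :", string_tcp_matches(SEGMENTS))
    print("strict, gap :", string_tcp_matches(SEGMENTS_WITH_GAP, mode="strict"))
    print("loose, gap  :", string_tcp_matches(SEGMENTS_WITH_GAP, mode="loose"))
    print("no handshake:", string_tcp_matches(SEGMENTS, handshake_complete=False))
```

Per-packet inspection finds only `cmd.exe`, because `root` never sits inside one packet; the reassembled stream finds both. With the middle segment missing, Strict mode inspects nothing past the gap, while Loose mode joins the surviving bytes and still catches `cmd.exe`; the cost of Loose is that bytes from either side of a gap are concatenated, which can both hide a pattern and create one that was never on the wire.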

AIC signature categories
- HTTP request method (HTTP request commands): Define request method; Recognized request methods.
- MIME type (HTTP request content format): Define content type; Recognized content type.
- Define web traffic policy: There is one predefined signature, 12674, that specifies the action to take when noncompliant HTTP traffic is seen. The parameter Alarm on Non HTTP Traffic enables the signature.
- Transfer encodings (HTTP encoding methods): Associate an action with each method; List the methods recognized by the sensor; Specify which actions need to be taken when a chunked encoding error is seen.
- FTP commands: Associates an action with an FTP command.

STATE Engine

This engine enables the sensor to inspect the various states of Cisco login, an LPR format string, or SMTP. (Matches specific fields in specific states of Cisco login, LPR printing and SMTP mail delivery.)
[Slide: STATE example]

META Engine

The META signature engine provides event correlation. This engine takes signature events as its input instead of packets (it does not process packets directly). An example is many signatures firing within a certain time limit to indicate the Nimda attack. This engine mainly reduces confusion for the administrator.
The Meta Event Generator
[Slide: Meta example]

NORMALIZER Engine

This engine detects and correlates ambiguities in packets of data flows through the sensor. Proper packet sequencing and reassembly are options for this engine. (Normalizes traffic so that IPS alerts are more accurate.)
- IP Fragmentation Normalization
- TCP Normalization

Note: Sensors in promiscuous mode report alerts on violations. Sensors in inline mode perform the action specified in the event action parameter, such as produce alert, deny packet inline, and modify packet inline.
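The META engine consumes signature events rather than packets. The following added example (my own toy model, not Cisco's Meta Event Generator) shows the correlation step: a meta signature fires once every component signature has fired from the same attacker within a time window, and component events that have aged out of the window no longer count. The component signature IDs 5001 to 5003, the meta ID 65100 and the event list are placeholders constructed for the example.

```python
from collections import defaultdict

# Constructed input: events that other engines have already produced, as
# (time in seconds, signature ID, attacker address). The component IDs
# 5001, 5002 and 5003 are placeholders for this example, not real Cisco IDs.
EVENTS = [
    (0,   5001, "10.0.0.1"),
    (3,   5002, "10.0.0.1"),
    (4,   2004, "10.0.0.1"),   # not a component of the meta signature: ignored
    (5,   5003, "10.0.0.1"),   # completes the set within the window -> meta event
    (0,   5001, "10.0.0.2"),
    (2,   5002, "10.0.0.2"),
    (100, 5003, "10.0.0.2"),   # too late: the first two have aged out of the window
]
COMPONENTS = {5001, 5002, 5003}


def meta_events(events, components, window, meta_sig_id=65100):
    """Toy Meta Event Generator: the meta signature fires when every component
    signature has fired from the same attacker within `window` seconds.
    Returns a list of (time, meta_sig_id, attacker)."""
    recent = defaultdict(dict)   # attacker -> {component sig ID: time last seen}
    out = []
    for t, sig, attacker in sorted(events):
        if sig not in components:
            continue
        seen = recent[attacker]
        seen[sig] = t
        for old_sig in [s for s, ts in seen.items() if t - ts > window]:
            del seen[old_sig]          # events older than the window no longer count
        if set(seen) == set(components):
            out.append((t, meta_sig_id, attacker))
            seen.clear()               # one complete set yields exactly one meta event
    return out


if __name__ == "__main__":
    print(meta_events(EVENTS, COMPONENTS, window=30))
```

With a 30-second window only 10.0.0.1 produces a meta event; widening the window to 200 seconds makes 10.0.0.2 qualify as well, which is the knob an administrator tunes when a meta signature is either too noisy or never fires.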

Part 2: Common Parameters introduction

Common Parameters (basic parameters)
- Signature ID
- SubSignature ID
- Alert Severity (High | Medium | Low | Informational; the Attack Severity Rating, ASR. Note: an element of the Risk Rating (RR) calculation.)
- Sig Fidelity Rating (signature fidelity, SFR; determines how accurate this signature's alerts are. For example, 75 means 75% of its alerts are reliable and the remaining 25% may be false positives. Note: an element of the RR calculation.)
- Promiscuous Delta (PD; in promiscuous mode this value is subtracted from the Risk Rating (RR). Note: an element of the RR calculation.)

Common Parameters (Sig Description)
- Signature Name: Name your signature. The default is MySig.
- Alert Notes: Add alert notes in this field.
- User Comments: Add your comments about this signature in this field.
- Alarm Traits: Add the alarm trait in this field. The value is 0 to 65535. The default is 0.
- Release: Add the software release in which the signature appeared.

Common Parameters (Event Counter)
Event Counter: Lets you configure how the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set. (How many event fires are needed before one alert is produced.)
- Event Count: The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.
- Event Count Key: The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address. (Address Set)
- Specify Alert Interval: Specifies the time in seconds before the event count is reset. Choose Yes or No from the drop-down list and then specify the amount of time.

Common Parameters (Alert Frequency)
- Fire once: Triggers a single alarm for each unique entry based on the Summary Key parameter settings. (Produces only one alert per Summary Key.)
- Fire all: Triggers an alarm for all activity that matches the signature characteristics. (Every action that matches the signature produces an alert.)
- Summarize: Consolidates alarms for the address set specified in the Summary Key parameter. (Suppresses alerts per Summary Key for a period of time.)
- Global summarize: Consolidates alarms for all address combinations. (Suppresses alerts for a period of time regardless of address, that is, without a Summary Key.)

Threshold Parameters and Automatic Alarm Summarization
Automatic alert summarization enables a signature to change alert modes automatically based on the number of alerts detected within the Summary Interval parameter. (Switches the summary mode based on the number of alerts within the Summary Interval.)

Common Parameters (Status)
- Enable
- Retired
- Obsoletes: Lists the signatures that are obsoleted by this signature.
- Vulnerable OS List: Specifies what OS types are vulnerable to each signature. The default, general-os, applies to all signatures that do not specify a vulnerable OS list. (Specifies the operating systems that are vulnerable to this signature.)
- MARS Category: Maps signatures to a MARS attack category. (Maps this signature to a MARS category.)

Part 3: Signature configuration examples
[Slide: lab topology]

Example 1: Signature Tuning

1. Raise the severity of signature 2004 to the highest level.
2. Signature 2004 should fire only when icmp echo request hit
3. All individual alarms from this signature should be reported.
4. Verify the operation of this signature.
5. Tune the signature to alert only when it sees three consecutive icmp echo requests to
6. Signature 2004 should now fire after six consecutive icmp echo requests; however, the event counter should reset after 30 seconds. TEST.
7. Summarize alerts exceeding the threshold of two within 40 seconds. TEST.
8. Set the global summary to engage when the number of alerts exceeds 5 within the summary interval. TEST.
9. Restore signature 2004 to its default settings.
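Requirements 6 to 8 exercise exactly the Event Counter, Summarize and Global summarize parameters described in Part 2. The added example below is my own simplified model of those parameters (not the sensor's implementation and not code from the course): it counts events per attacker address (the default Event Count Key and Summary Key), resets the count after the alert interval, reports the first alerts of a summary interval individually, folds the rest into one summary alert per key, and switches to a single global summary once the interval holds more than the global threshold. The ICMP echo request timings and attacker addresses are constructed for the example.

```python
from collections import Counter


class AlertFrequency:
    """Toy model of the Event Counter and Alert Frequency parameters (a simplification
    of the slide text, not the sensor's code):
      - every event_count-th event from a key produces an alert; with alert_interval set,
        the count restarts once that many seconds have passed since it began;
      - inside one summary_interval the first summary_threshold alerts for a key are
        reported individually, the rest go into one summary sent when the interval ends;
      - once the interval holds more than global_summary_threshold alerts in total,
        everything is folded into a single global summary.
    Keys are attacker addresses, the default Event Count Key / Summary Key."""

    def __init__(self, event_count=1, alert_interval=None, summary_threshold=None,
                 global_summary_threshold=None, summary_interval=30.0):
        self.event_count = event_count
        self.alert_interval = alert_interval
        self.summary_threshold = summary_threshold
        self.global_summary_threshold = global_summary_threshold
        self.summary_interval = summary_interval
        self._count = {}                   # key -> (events so far, time the count started)
        self._interval_start = None
        self._interval_alerts = Counter()  # alerts per key in the current summary interval
        self.output = []                   # (kind, time, key, count) records

    def _count_event(self, t, key):
        count, started = self._count.get(key, (0, t))
        if self.alert_interval is not None and t - started >= self.alert_interval:
            count, started = 0, t          # event count reset by the alert interval
        count += 1
        if count >= self.event_count:
            self._count[key] = (0, t)
            return True
        self._count[key] = (count, started)
        return False

    def _flush(self):
        if self._interval_start is None:
            return
        end = self._interval_start + self.summary_interval
        total = sum(self._interval_alerts.values())
        if self.global_summary_threshold is not None and total > self.global_summary_threshold:
            self.output.append(("global-summary", end, "*", total))
        elif self.summary_threshold is not None:
            for key, n in self._interval_alerts.items():
                if n > self.summary_threshold:
                    self.output.append(("summary", end, key, n))
        self._interval_alerts = Counter()
        self._interval_start = None

    def event(self, t, key):
        """Feed one signature event (here: an ICMP echo request seen from `key`)."""
        if not self._count_event(t, key):
            return
        if self._interval_start is None or t >= self._interval_start + self.summary_interval:
            self._flush()
            self._interval_start = t
        self._interval_alerts[key] += 1
        if (self.global_summary_threshold is not None
                and sum(self._interval_alerts.values()) > self.global_summary_threshold):
            return                         # folded into the global summary
        if self.summary_threshold is not None and self._interval_alerts[key] > self.summary_threshold:
            return                         # folded into this key's summary
        self.output.append(("alert", t, key, 1))

    def finish(self):
        """Close the open summary interval and return everything reported."""
        self._flush()
        return list(self.output)


def lab_step_6(reset_after_30s=True):
    """Fire after six echo requests; with the 30 s alert interval, five requests followed
    by a long pause do not carry over into the next burst."""
    sig = AlertFrequency(event_count=6, alert_interval=30 if reset_after_30s else None)
    for t in list(range(5)) + list(range(60, 66)):   # constructed: 5 pings, pause, 6 pings
        sig.event(t, "10.0.0.1")
    return sig.finish()


def lab_step_7():
    """Summarize alerts exceeding the threshold of two within 40 seconds."""
    sig = AlertFrequency(summary_threshold=2, summary_interval=40)
    for t in range(5):                                # constructed: 5 pings, one per second
        sig.event(t, "10.0.0.1")
    return sig.finish()


def lab_step_8():
    """Global summary once more than 5 alerts occur within the summary interval."""
    sig = AlertFrequency(summary_threshold=2, global_summary_threshold=5, summary_interval=40)
    for t, attacker in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"] * 3):
        sig.event(t, attacker)                        # constructed: three hosts, three pings each
    return sig.finish()


if __name__ == "__main__":
    for name, fn in (("step 6", lab_step_6), ("step 7", lab_step_7), ("step 8", lab_step_8)):
        print(name, fn())
```

Step 6 shows why the alert interval matters: without it, five old requests plus one new one add up to an alert at the first packet of the second burst; with it, the stale count is discarded and the alert comes only after six fresh requests. Step 7 produces two individual alerts and one summary carrying the count for the interval, and step 8 collapses everything after the fifth alert into one global summary.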

Example 2: Custom TCP string signature

Configure a new custom string signature 65000 using the following parameters:
- The signature should be triggered on TELNET traffic in the "to-service" direction
- String match "ccie"
- Alarm severity HIGH alert
- Reset the TCP connection
- Configure fidelity rating 50 and delta value 15 to state the seriousness of the alert.

Validate that the TCP connection is being reset when the string "ccie" is entered in the session. The example below of a telnet from R1 to R4 shows the connection being closed by the foreign host when the string is matched.

    R1# telnet 2YY.YY.1.1
    Trying 2YY.YY.1.1 ... Open
    User Access Verification
    Password: cisco
    R4>ccie          <--- enter the string to trigger the signature
    [Connection to 2YY.YY.1.1 closed by foreign host]
    R1#

Example 2, Step 1 (SPAN)

Original SPAN configuration:

    monitor session 1 source vlan 2 rx
    monitor session 1 destination interface Fa0/20

Delete the original SPAN configuration (note: delete it completely; it is better not to modify the existing session in place):

    SW1(config)# no monitor session 1

Configure SPAN ingress:

    monitor session 1 source vlan
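To tie Example 2 back to the Common Parameters of Part 2, here is an added example (my own model, not the course's configuration and not the IDM schema) of signature 65000: a STRING.TCP-style match of "ccie" on telnet (port 23) bytes in the to-service direction only, with the reset action attached, and the Risk Rating that the chosen severity, fidelity rating 50 and promiscuous delta 15 produce. The formula RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR and the ASR values per severity are taken from Cisco's IPS documentation as I know it, not from the slides, which only say that ASR, SFR and PD feed into RR; TVR is assumed at its medium default of 100 and ARR and WLR at 0. The telnet session is constructed after the R1 to R4 transcript above.

```python
import re

# Custom signature 65000 from the lab, written as a plain dict for this model
# (my own representation, not the IDM/CLI schema).
CUSTOM_SIG_65000 = {
    "sig_id": 65000,
    "engine": "STRING.TCP",
    "service_ports": {23},            # telnet
    "direction": "to-service",        # only client -> server bytes are matched
    "regex": rb"ccie",
    "alert_severity": "high",
    "sig_fidelity_rating": 50,
    "promiscuous_delta": 15,
    "event_actions": ["produce-alert", "reset-tcp-connection"],
}

# Attack Severity Rating per severity level and the Risk Rating formula
# RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR are taken from Cisco's IPS
# documentation as I know it (assumption; the slides only name ASR, SFR and PD).
# TVR defaults to medium = 100; ARR and WLR are assumed 0 here.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}


def risk_rating(sig, mode="inline", tvr=100, arr=0, wlr=0):
    """Compute RR for one alert from the signature's parameters and the sensor mode."""
    rr = ASR[sig["alert_severity"]] * tvr * sig["sig_fidelity_rating"] // 10000 + arr + wlr
    if mode == "promiscuous":
        rr -= sig["promiscuous_delta"]    # PD is subtracted only in promiscuous mode
    return max(0, min(100, rr))


def inspect_session(sig, segments, mode="inline"):
    """segments: (src_port, dst_port, payload) in arrival order for one TCP session.
    Bytes in the configured direction are appended to a per-session buffer and the
    regex runs over the whole buffer, so a string typed in two pieces still matches."""
    regex = re.compile(sig["regex"])
    stream = b""
    for src_port, dst_port, payload in segments:
        to_service = dst_port in sig["service_ports"]
        from_service = src_port in sig["service_ports"]
        if not (to_service or from_service):
            continue                                  # not telnet at all
        if (sig["direction"] == "to-service") != to_service:
            continue                                  # wrong direction for this signature
        stream += payload
        m = regex.search(stream)
        if m:
            return {"fired": True, "matched": m.group(0),
                    "actions": list(sig["event_actions"]),
                    "risk_rating": risk_rating(sig, mode)}
    return {"fired": False, "matched": None, "actions": [], "risk_rating": None}


# Constructed telnet session modelled on the R1 -> R4 transcript in the lab text.
# Telnet sends keystrokes as they are typed, so "ccie" arrives in two segments.
SESSION = [
    (50000, 23, b"\r\n"),
    (23, 50000, b"User Access Verification\r\nPassword: "),
    (50000, 23, b"cisco\r\n"),
    (23, 50000, b"R4>"),
    (50000, 23, b"cc"),
    (23, 50000, b"cc"),          # server echo of the first two characters
    (50000, 23, b"ie\r\n"),
]
# A server banner that contains the string: from-service only, must not fire.
BANNER_ONLY = [(23, 50000, b"Welcome to the ccie lab\r\nUser Access Verification\r\n")]


if __name__ == "__main__":
    print(inspect_session(CUSTOM_SIG_65000, SESSION))
    print(inspect_session(CUSTOM_SIG_65000, SESSION, mode="promiscuous"))
    print(inspect_session(CUSTOM_SIG_65000, BANNER_ONLY))
```

The direction check is what keeps the banner case quiet: the same four bytes sent by the server never reach the buffer, so the signature fires only on what the client typed. The Risk Rating comes out at 50 inline and 35 in promiscuous mode, which is the effect of the delta value the lab asks for: the same signature is rated less severe on a sensor that can only observe the traffic.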
