asdmhelp501

7/28/2019 asdmhelp501

1/659

7/28/2019 asdmhelp501

2/659

7/28/2019 asdmhelp501

3/659

7/28/2019 asdmhelp501

4/659

7/28/2019 asdmhelp501

5/659

7/28/2019 asdmhelp501

6/659

7/28/2019 asdmhelp501

7/659

7/28/2019 asdmhelp501

8/659

7/28/2019 asdmhelp501

9/659

7/28/2019 asdmhelp501

10/659

7/28/2019 asdmhelp501

11/659

7/28/2019 asdmhelp501

12/659

7/28/2019 asdmhelp501

13/659

7/28/2019 asdmhelp501

14/659

7/28/2019 asdmhelp501

15/659

7/28/2019 asdmhelp501

16/659

7/28/2019 asdmhelp501

17/659

7/28/2019 asdmhelp501

18/659

7/28/2019 asdmhelp501

19/659

7/28/2019 asdmhelp501

20/659

7/28/2019 asdmhelp501

21/659

7/28/2019 asdmhelp501

22/659

7/28/2019 asdmhelp501

23/659

7/28/2019 asdmhelp501

24/659

7/28/2019 asdmhelp501

25/659

7/28/2019 asdmhelp501

26/659

7/28/2019 asdmhelp501

27/659

7/28/2019 asdmhelp501

28/659

7/28/2019 asdmhelp501

29/659

7/28/2019 asdmhelp501

30/659

7/28/2019 asdmhelp501

31/659

7/28/2019 asdmhelp501

32/659

7/28/2019 asdmhelp501

33/659

7/28/2019 asdmhelp501

34/659

7/28/2019 asdmhelp501

35/659

7/28/2019 asdmhelp501

36/659

7/28/2019 asdmhelp501

37/659

7/28/2019 asdmhelp501

38/659

7/28/2019 asdmhelp501

39/659

7/28/2019 asdmhelp501

40/659

7/28/2019 asdmhelp501

41/659

7/28/2019 asdmhelp501

42/659

7/28/2019 asdmhelp501

43/659

7/28/2019 asdmhelp501

44/659

7/28/2019 asdmhelp501

45/659

7/28/2019 asdmhelp501

46/659

7/28/2019 asdmhelp501

47/659

7/28/2019 asdmhelp501

48/659

7/28/2019 asdmhelp501

49/659

7/28/2019 asdmhelp501

50/659

7/28/2019 asdmhelp501

51/659

7/28/2019 asdmhelp501

52/659

7/28/2019 asdmhelp501

53/659

7/28/2019 asdmhelp501

54/659

7/28/2019 asdmhelp501

55/659

7/28/2019 asdmhelp501

56/659

7/28/2019 asdmhelp501

57/659

7/28/2019 asdmhelp501

58/659

7/28/2019 asdmhelp501

59/659

7/28/2019 asdmhelp501

60/659

7/28/2019 asdmhelp501

61/659

7/28/2019 asdmhelp501

62/659

7/28/2019 asdmhelp501

63/659

7/28/2019 asdmhelp501

64/659

7/28/2019 asdmhelp501

65/659

7/28/2019 asdmhelp501

66/659

7/28/2019 asdmhelp501

67/659

7/28/2019 asdmhelp501

68/659

7/28/2019 asdmhelp501

69/659

7/28/2019 asdmhelp501

70/659

7/28/2019 asdmhelp501

71/659

7/28/2019 asdmhelp501

72/659

7/28/2019 asdmhelp501

73/659

7/28/2019 asdmhelp501

74/659

7/28/2019 asdmhelp501

75/659

7/28/2019 asdmhelp501

76/659

7/28/2019 asdmhelp501

77/659

7/28/2019 asdmhelp501

78/659

7/28/2019 asdmhelp501

79/659

7/28/2019 asdmhelp501

80/659

7/28/2019 asdmhelp501

81/659

7/28/2019 asdmhelp501

82/659

7/28/2019 asdmhelp501

83/659

7/28/2019 asdmhelp501

84/659

7/28/2019 asdmhelp501

85/659

7/28/2019 asdmhelp501

86/659

7/28/2019 asdmhelp501

87/659

7/28/2019 asdmhelp501

88/659

7/28/2019 asdmhelp501

89/659

7/28/2019 asdmhelp501

90/659

7/28/2019 asdmhelp501

91/659

7/28/2019 asdmhelp501

92/659

7/28/2019 asdmhelp501

93/659

7/28/2019 asdmhelp501

94/659

7/28/2019 asdmhelp501

95/659

7/28/2019 asdmhelp501

96/659

7/28/2019 asdmhelp501

97/659

7/28/2019 asdmhelp501

98/659

7/28/2019 asdmhelp501

99/659

7/28/2019 asdmhelp501

100/659

7/28/2019 asdmhelp501

101/659

7/28/2019 asdmhelp501

102/659

7/28/2019 asdmhelp501

103/659

7/28/2019 asdmhelp501

104/659

7/28/2019 asdmhelp501

105/659

7/28/2019 asdmhelp501

106/659

7/28/2019 asdmhelp501

107/659

7/28/2019 asdmhelp501

108/659

7/28/2019 asdmhelp501

109/659

7/28/2019 asdmhelp501

110/659

7/28/2019 asdmhelp501

111/659

7/28/2019 asdmhelp501

112/659

7/28/2019 asdmhelp501

113/659

7/28/2019 asdmhelp501

114/659

7/28/2019 asdmhelp501

115/659

7/28/2019 asdmhelp501

116/659

7/28/2019 asdmhelp501

117/659

7/28/2019 asdmhelp501

118/659

7/28/2019 asdmhelp501

119/659

7/28/2019 asdmhelp501

120/659

7/28/2019 asdmhelp501

121/659

7/28/2019 asdmhelp501

122/659

7/28/2019 asdmhelp501

123/659

7/28/2019 asdmhelp501

124/659

7/28/2019 asdmhelp501

125/659

7/28/2019 asdmhelp501

126/659

7/28/2019 asdmhelp501

127/659

7/28/2019 asdmhelp501

128/659

7/28/2019 asdmhelp501

129/659

7/28/2019 asdmhelp501

130/659

7/28/2019 asdmhelp501

131/659

7/28/2019 asdmhelp501

132/659

7/28/2019 asdmhelp501

133/659

7/28/2019 asdmhelp501

134/659

7/28/2019 asdmhelp501

135/659

7/28/2019 asdmhelp501

136/659

7/28/2019 asdmhelp501

137/659

7/28/2019 asdmhelp501

138/659

7/28/2019 asdmhelp501

139/659

7/28/2019 asdmhelp501

140/659

7/28/2019 asdmhelp501

141/659

7/28/2019 asdmhelp501

142/659

7/28/2019 asdmhelp501

143/659

7/28/2019 asdmhelp501

144/659

7/28/2019 asdmhelp501

145/659

7/28/2019 asdmhelp501

146/659

7/28/2019 asdmhelp501

147/659

7/28/2019 asdmhelp501

148/659

7/28/2019 asdmhelp501

149/659

7/28/2019 asdmhelp501

150/659

7/28/2019 asdmhelp501

151/659

7/28/2019 asdmhelp501

152/659

7/28/2019 asdmhelp501

153/659

7/28/2019 asdmhelp501

154/659

7/28/2019 asdmhelp501

155/659

7/28/2019 asdmhelp501

156/659

7/28/2019 asdmhelp501

157/659

7/28/2019 asdmhelp501

158/659

7/28/2019 asdmhelp501

159/659

7/28/2019 asdmhelp501

160/659

7/28/2019 asdmhelp501

161/659

7/28/2019 asdmhelp501

162/659

7/28/2019 asdmhelp501

163/659

7/28/2019 asdmhelp501

164/659

7/28/2019 asdmhelp501

165/659

7/28/2019 asdmhelp501

166/659

7/28/2019 asdmhelp501

167/659

7/28/2019 asdmhelp501

168/659

7/28/2019 asdmhelp501

169/659

7/28/2019 asdmhelp501

170/659

7/28/2019 asdmhelp501

171/659

7/28/2019 asdmhelp501

172/659

7/28/2019 asdmhelp501

173/659

7/28/2019 asdmhelp501

174/659

7/28/2019 asdmhelp501

175/659

7/28/2019 asdmhelp501

176/659

7/28/2019 asdmhelp501

177/659

7/28/2019 asdmhelp501

178/659

7/28/2019 asdmhelp501

179/659

7/28/2019 asdmhelp501

180/659

7/28/2019 asdmhelp501

181/659

7/28/2019 asdmhelp501

182/659

7/28/2019 asdmhelp501

183/659

7/28/2019 asdmhelp501

184/659

7/28/2019 asdmhelp501

185/659

7/28/2019 asdmhelp501

186/659

7/28/2019 asdmhelp501

187/659

7/28/2019 asdmhelp501

188/659

7/28/2019 asdmhelp501

189/659

7/28/2019 asdmhelp501

190/659

7/28/2019 asdmhelp501

191/659

7/28/2019 asdmhelp501

192/659

7/28/2019 asdmhelp501

193/659

7/28/2019 asdmhelp501

194/659

7/28/2019 asdmhelp501

195/659

7/28/2019 asdmhelp501

196/659

7/28/2019 asdmhelp501

197/659

7/28/2019 asdmhelp501

198/659

7/28/2019 asdmhelp501

199/659

7/28/2019 asdmhelp501

200/659

7/28/2019 asdmhelp501

201/659

7/28/2019 asdmhelp501

202/659

7/28/2019 asdmhelp501

203/659

7/28/2019 asdmhelp501

204/659

7/28/2019 asdmhelp501

205/659

7/28/2019 asdmhelp501

206/659

7/28/2019 asdmhelp501

207/659

7/28/2019 asdmhelp501

208/659

7/28/2019 asdmhelp501

209/659

7/28/2019 asdmhelp501

210/659

7/28/2019 asdmhelp501

211/659

7/28/2019 asdmhelp501

212/659

7/28/2019 asdmhelp501

213/659

7/28/2019 asdmhelp501

214/659

7/28/2019 asdmhelp501

215/659

7/28/2019 asdmhelp501

216/659

7/28/2019 asdmhelp501

217/659

7/28/2019 asdmhelp501

218/659

7/28/2019 asdmhelp501

219/659

7/28/2019 asdmhelp501

220/659

7/28/2019 asdmhelp501

221/659

7/28/2019 asdmhelp501

222/659

7/28/2019 asdmhelp501

223/659

7/28/2019 asdmhelp501

224/659

7/28/2019 asdmhelp501

225/659

7/28/2019 asdmhelp501

226/659

7/28/2019 asdmhelp501

227/659

7/28/2019 asdmhelp501

228/659

7/28/2019 asdmhelp501

229/659

7/28/2019 asdmhelp501

230/659

7/28/2019 asdmhelp501

231/659

7/28/2019 asdmhelp501

232/659

7/28/2019 asdmhelp501

233/659

7/28/2019 asdmhelp501

234/659

7/28/2019 asdmhelp501

235/659

7/28/2019 asdmhelp501

236/659

7/28/2019 asdmhelp501

237/659

7/28/2019 asdmhelp501

238/659

7/28/2019 asdmhelp501

239/659

7/28/2019 asdmhelp501

240/659

7/28/2019 asdmhelp501

241/659

7/28/2019 asdmhelp501

242/659

7/28/2019 asdmhelp501

243/659

6-41

ASDM 5.0(1) Online Help

Chapter 6 IPSSignature Definition

Payload Data Only Specifies the payload as the portion of the packet you want the sensor toinspect.

Button Functions:

Back Returns you to the previous window in the Custom Signature Wizard.

Next Advances you to the next window in the Custom Signature Wizard.

Finish Completes the Custom Signature Wizard and saves the signature you created.

Cancel Exits the Custom Signature Wizard.

Help Displays the help topic for this feature.

For More Information

Creating Custom Signatures

Custom Signature Wizard > UDP Traffic Type

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard >UDP Traffic Type

Supported User Role

The following user roles are supported:

Administrator

Operator

Viewer

You must be Administrator or Operator to create custom signatures.

FieldsThe following fields and buttons are found in the UDP Traffic Type window of the Custom SignatureWizard.

Field Descriptions:

Single Packet Specifies that you are creating a signature to inspect a single packet for an attack.

Sweeps Specifies that you are creating a signature to detect a sweep attack.

Button Functions:



Finish Completes the Custom Signature Wizard and saves the signature you created. Cancel Exits the Custom Signature Wizard.




7/28/2019 asdmhelp501

244/659

6-42



Custom Signature Wizard > UDP Sweep Type

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard >UDP Sweep Type

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the UDP Sweep Type window of the Custom SignatureWizard.

Field Descriptions:

Host Sweep Identifies a sweep that searches for hosts on a network.

Port Sweep Identifies a sweep that searches for open ports on a host.

Button Functions:








Custom Signature Wizard > TCP Traffic Type

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard >TCP Traffic Type

Supported User Role


Administrator

Operator

Viewer


7/28/2019 asdmhelp501

245/659

6-43



Fields

The following fields and buttons are found in the TCP Traffic Type window of the Custom SignatureWizard.

Field Descriptions:

Single Packet Specifies that you are creating a signature to inspect a single packet for an attack. Single TCP Connection Specifies that you are creating a signature to inspect a single TCP

connection for an attack.

Multiple Connections Specifies that you are creating a signature to inspect multiple connectionsfor an attack.

Button Functions:








Custom Signature Wizard > Service Type

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard >Service Type

Supported User RoleThe following user roles are supported:

Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Service Type window of the Custom Signature Wizard.

Field Descriptions: HTTP Specifies you are creating a signature to describe an attack that uses the HTTP service.

SMTP Specifies you are creating a signature to describe an attack that uses the SMTP service.

RPC Specifies you are creating a signature to describe an attack that uses the RPC service.

MSRPC Specifies you are creating a signature to describe an attack that uses the MSRPC service.

Other Specifies you are creating a signature to describe an attack that uses a service other thanHTTP, SMTP, RPC, or MSRPC.

7/28/2019 asdmhelp501

246/659

6-44



Button Functions:




Cancel Exits the Custom Signature Wizard. Help Displays the help topic for this feature.



Custom Signature Wizard > TCP Sweep Type

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard >TCP Sweep Type

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the TCP Sweep Type window of the Custom SignatureWizard.Field Descriptions:

Host Sweep Identifies a sweep that searches for hosts on a network.

Port Sweep Identifies a sweep that searches for open ports on a host.

Button Functions:








Custom Signature Wizard > Atomic IP Engine Parameters

7/28/2019 asdmhelp501

247/659

6-45



Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > Atomic IPEngine Parameters

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Atomic IP Engine Parameters window of the CustomSignature Wizard. These options le t you create a signature to detect a very general or very specific typeof traffic.

Field Descriptions: Event Action Specifies the actions you want the sensor to perform if this signature is detected.

The default is Produce Alert .

Tip Hold down the CTRL key to select more than one action.

Fragment Status Indicates if you want to inspect fragmented or unfragmented traffic.

Specify Layer 4 Protocol Lets you choose whether or not a specific protocol applies to thissignature (optional).

If you select Yes , you can choose from the following protocols:

ICMP Protocol Lets you specify an ICMP sequence, type, code, identifier, and total length. Other Protocols Lets you specify an identifier. TCP Protocol Lets you set the TCP flags, window size, mask, payload length, urgent pointer,

header length, reserved attribute, and port range for the source and destination. UDP Protocol Lets you specify a valid UDP length, length mismatch, and port range for the

source and destination.

Specify Payload Inspection Allows you to specify the following payload inspection options(optional):

Specify Min-Match Length Regex String

Specify Exact Match Offset Specify Min Match Offset Specify Max Match Offset

Specify IP Payload Length Lets you specify the payload length (optional).

Specify IP Header Length Lets you specify the header length (optional).

Specify IP Type of Service Lets you specify the type of service (optional).

7/28/2019 asdmhelp501

248/659

6-46



Specify IP Time-to-Live Lets you specify the time-to-live for the packet (optional).

Specify IP Version Lets you specify the IP version (optional).

Specify IP Identifier Lets you specify an IP identifier (optional).

Specify Total IP Length Lets you specify the total IP length (optional).

Specify IP Option Inspection Options Lets you specify the IP inspection options. (optional).Select from the following:

IP Option IP option code to match. IP Option Abnormal Options Malformed list of options.

Specify IP Addr Options Lets you specify the following IP Address options (optional): Address with Localhost Identifies traffic where the local host address is used as either the

source or destination. IP Addresses Lets you specify the source or destination address. RFC 1918 Address Identifies the type of address as RFC 1918.

Src IP Equal Dst IP Identifies traffic where the source and destination addresses are thesame.

Button Functions:








Custom Signature Wizard > Service HTTP Engine Parameters

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > ServiceHTTP Engine Parameters

Supported User Role


Administrator

Operator Viewer


7/28/2019 asdmhelp501

249/659

6-47



Fields

The following fields and buttons are found in the Service HTTP Engine Parameters window of theCustom Signature Wizard. These options let you create a signature to detect a very general or veryspecific type of traffic.

Field Descriptions:

Event Action Specifies the actions you want the sensor to perform if this signature is detected.



De Obfuscate Specifies whether or not to apply anti-evasive HTTP deobfuscation beforesearching.

The default is Yes .

Max Field Sizes Lets you specify maximum URI, Arg, Header, and Request field lengths

(optional).The following figure demonstrates the maximum field sizes:

Regex Lets you specify a regular expression for the URI, Arg, Header, and Request Regex.

Service Ports Identifies the specific service ports used by the traffic.

The value is a comma-separated list of ports.

Swap Attacker Victim Specifies whether to swap the source and destination addresses that arereported in the alert when this signature fires.

The default is No .

Button Functions:








7/28/2019 asdmhelp501

250/659

6-48



Custom Signature Wizard > Service RPC Engine Parameters

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > ServiceRPC Engine Parameters

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Service RPC Engine Parameters window of the CustomSignature Wizard. These options allow you to create a signature to detect a very general or very specifictype of traffic.




Direction Indicates whether the sensor is watching traffic destined to or coming from the serviceport.

The default is To Service .

Protocol Lets you specify TCP or UDP as the protocol.

Service Ports Identifies ports or port ranges where the target service may reside.

The valid value is comma-separated list of ports or port ranges.

Specify Port Map Program Identifies the program number sent to the port mapper of interest forthis signature.

The valid range is 0 to 9999999999.

Specify RPC Program Identifies the RPC program number of interest for this signature.


Specify Spool Src Fires the alarm when the source address is set to 127.0.0.1.

Specify RPC Max Length Identifies the maximum allowed length of the whole RPC message.Lengths longer than this cause an alarm. The valid range is 0 to 65535.

Specify RPC Procedure Identifies the RPC procedure number of interest for this signature.


Button Functions:


7/28/2019 asdmhelp501

251/659

6-49









Custom Signature Wizard > State Engine Parameters

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard >State Engine Parameters

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the State Engine Parameters window of the CustomSignature Wizard. These options allow you to create a signature to detect a very general or very specifictype of traffic.




State Machine Identifies the name of the state to restrict the match of the regular expressionstring.

The options are: Cisco Login , LPR Format String , and SMTP .

Specify Min Match Length Identifies the minimum number of bytes the regular expression s tring

must match from the start of the match to end of the match.The valid range is 0 to 65535.

Regex String Identifies the regular expression string that triggers a state transition.

Direction Identifies the direction of the data stream to inspect for the transition.



The valid value is a comma-separated list of ports or port ranges.

7/28/2019 asdmhelp501

252/659

6-50




The default is No .

Specify Exact Match Offset Identifies the exact stream offset in bytes in which the regularexpression string must report the match.


If you select No , you can set the minimum and maximum match offset.


Button Functions:








Custom Signature Wizard > String ICMP Engine Parameters

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > StringICMP Engine Parameters

Supported User Role

The following user roles are supported: Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the String ICMP Engine Parameters window of the CustomSignature Wizard. These options allow you to create a signature to detect a very general or very specifictype of traffic.

Field Descriptions:




7/28/2019 asdmhelp501

253/659

6-51



Specify Min Match Length Identifies the minimum number of bytes the regular expression s tringmust match from the start of the match to the end of the match.


Regex String Identifies the regular expression string to search for in a single packet.

Direction Identifies the direction of the data stream to inspect for the transition.The default is To Service .

ICMP Type The ICMP header TYPE value.

The valid range is 0 to 18. The default is 0-18.


The default is No .



The valid range for the maximum match offset is 1 to 65535. The valid range for the minimum matchoffset is 0 to 65535.

Button Functions:








Custom Signature Wizard > String TCP Engine Parameters

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > String TCPEngine Parameters

Supported User Role


Administrator

Operator

Viewer


7/28/2019 asdmhelp501

254/659

6-52



Fields

The following fields and buttons are found in the String TCP Engine Parameters window of the CustomSignature Wizard.These options al low you to create a signature to detect a very general or very specifictype of traffic.

Field Descriptions:




Strip Telnet Options Strips the Telnet option control characters from the data stream before thepattern is searched.

This is primarily used as an anti-evasion tool. The default is No .

Specify Min Match Length Identifies the minimum number of bytes the regular expression string

must match from the start of the match to end of the match.The valid range is 0 to 65535.








The valid range for the maximum match offset is 1 to 65535. The valid range for the minimum matchoffset is 0 to 65535.


The default is No .

Button Functions:







Custom Signature Wizard > String UDP Engine Parameters

7/28/2019 asdmhelp501

255/659

6-53



Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > String UDPEngine Parameters

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the String UDP Engine Parameters window of the CustomSignature Wizard. These options allow you to create a signature to detect a very general or very specifictype of traffic.




Specify Min Match Length Identifies the minimum number of bytes the regular expression s tringmust match from the start of the match to end of the match.


Specify Exact Match Offset Identifies the exact stream offset in bytes in which the regular

expression string must report the match.The valid range is 0 to 65535.








The default is No .

Button Functions:





7/28/2019 asdmhelp501

256/659

6-54






Custom Signature Wizard > Sweep Engine Parameters

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > SweepEngine Parameters

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Sweep Engine Parameters window in the CustomSignature Wizard. These options allow you to create a signature to detect a very general or very specifictype of traffic.

Field Descriptions:




Unique Identifies the threshold number of unique host connections.

The alarm fires when the unique number of host connections is exceeded during the interval.

Protocol Identifies the protocol: ICMP Lets you specify the ICMP storage type and choose one of these storage keys: attacker

address, attacker address and victim port, or attacker and victim addresses. TCP Lets you choose suppress reverse, inverted sweep, mask, TCP flags, fragment status,

storage key, or specify a port range.

UDP Lets you choose a storage key, or specify a port range Swap Attacker Victim Specifies whether to swap the source and destination addresses that are

reported in the alert when this signature fires.

The default is No .

Button Functions:



7/28/2019 asdmhelp501

257/659

6-55








Custom Signature Wizard > Alert Response

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AlertResponse

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Alert Response window of the Custom SignatureWizard.

Field Descriptions:

Signature Fidelity Rating A weight associated with how well this signature might perform in the

absence of specific knowledge of the target.SFR is calculated by the signature author on a per-signature basis. A signature that is written withvery specific rules (specific Regex) will have a higher SFR than a signature that is written withgeneric rules.

Severity of the Alert The severity at which the alert is reported.

You can choose from the following options: High The most serious security alert. Medium A moderate security alert. Low The least security alert. Information Denotes network activity, not a security alert.

Button Functions:






7/28/2019 asdmhelp501

258/659

6-56





Custom Signature Wizard > Alert Behavior

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AlertBehavior

Supported User Role


Administrator

Operator

Viewer


Fields

The following buttons are found in the Alert Behavior window of the Custom Signature Wizard.

Advanced Opens the Advanced Alert Behavior window from which you can change the defaultalert behavior and configure how often the sensor sends alerts.








Custom Signature Wizard > Advanced Alert Behavior Wizard > Event Count and Interval

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AdvancedAlert Behavior Wizard > Event Counter and Interval

Supported User Role


Administrator

Operator

Viewer


7/28/2019 asdmhelp501

259/659

6-57



Fields

The following fields and buttons are found in the Event Count and Interval window of the AdvancedAlert Behavior Wizard.

Field Descriptions:

Event Count Identifies the minimum number of hits the sensor must receive before sending onealert for this signature.

Event Count Key Identifies the attribute to use for counting events.

For example, if you want the sensor to count events based on whether or not they are from the sameattacker, select Attacker Address as the Event Count Key .

Use Event Interval Specifies that you want the sensor to count events based on a rate.

For example, if set your Event Count to 500 events and your Event Interval to 30 seconds, thesensor sends you one alert if 500 events are received within 30 seconds of each other.

Event Interval (seconds) Identifies the time interval during which the sensor counts events forrate-based counting.

Button Functions: Back Returns you to the previous window in the Custom Signature Wizard.







Custom Signature Wizard > Advanced Alert Behavior Wizard > Alert Summarization

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AdvancedAlert Behavior Wizard > Alert Summarization

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Alert Summarization window of the Advanced AlertBehavior Wizard.

Field Descriptions:

7/28/2019 asdmhelp501

260/659

6-58



Alert Every Time the Signature Fires Specifies that you want the sensor to send an alert everytime the signature detects malicious traffic.

You can then specify additional thresholds that allow the sensor to dynamically adjust the volumeof alerts.

Alert the First Time the Signature Fires Specifies that you want the sensor to send an alert thefirst time the signature detects malicious traffic.You can then specify additional thresholds that allow the sensor to dynamically adjust the volumeof alerts.

Send Summary Alerts Specifies that you want the sensor to only send summary alerts for thissignature, instead of sending alerts every time the signature fires.

You can then specify additional thresholds that allow the sensor to dynamically adjust the volumeof alerts.

Send Global Summary Alerts Specifies that you want the sensor to send an alert the first time asignature fires on an address set, and then only send a global summary alert that includes a summaryof all alerts for all address sets over a given time interval.

Button Functions:








Custom Signature Wizard > Advanced Alert Behavior Wizard > Alert Dynamic Response Fire All

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AdvancedAlert Behavior Wizard > Alert Dynamic Response Fire All

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Alert Dynamic Response window of the AdvancedAlert Behavior Wizard when you chose Alert Every Time the Signature Fires .

Field Descriptions:

7/28/2019 asdmhelp501

261/659

6-59



Use Dynamic Summarization Lets the sensor dynamically adjust the volume of alerts it sendsbased on the summary parameters you configure.

Summary Threshold Identifies the minimum number of hits the sensor must receive beforesending a summary alert for this signature.

Summary Interval (seconds) Specifies that you want to count events based on a rate andidentifies the number of seconds that you want to use for the time interval.

Summary Key Identifies the attribute to use for counting events.

For example, if you want the sensor to count events based on whether or not they are from the sameattacker, select Attacker Address as the Summary Key .

Specify Global Summary Threshold Lets the sensor dynamically enter global summarizationmode.

When the alert rate exceeds a specified number of signatures in a specified number of seconds, thesensor changes from sending a single alert for each signature to sending a single global summaryalert. When the rate during the interval drops below this threshold, the sensor reverts to itsconfigured alert behavior. A global summary counts signature firings on all attacker IP addressesand ports and all victim IP addresses and ports.

Global Summary Threshold Identifies the minimum number of hits the sensor must receivebefore sending a global summary alert.

Button Functions:








Custom Signature Wizard > Advanced Alert Behavior Wizard > Alert Dynamic Response Fire Once

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AdvancedAlert Behavior Wizard > Alert Dynamic Response Fire Once

Supported User Role


Administrator

Operator

Viewer


7/28/2019 asdmhelp501

262/659

6-60



Fields

The following fields and buttons are found in the Alert Dynamic Response window of the AdvancedAlert Behavior Wizard when you chose Alert the First Time the Signature Fires .

Field Descriptions:

Summary Key Identifies the attribute to use for counting events.For example, if you want the sensor to count events based on whether or not they are from the sameattacker, select Attacker Address as the Summary Key .

Use Dynamic Global Summarization Lets the sensor dynamically enter global summarizationmode.


When the alert rate exceeds a specified number of signatures in a specified number of seconds, thesensor changes from sending a single alert the first time a signature fires to sending a single globalsummary alert. When the rate during the interval drops below this threshold, the sensor reverts to itsconfigured alert behavior.

Global Summary Interval (seconds) Identifies the time interval during which the sensor countsevents for summarization.

Button Functions:








Custom Signature Wizard > Advanced Alert Behavior Wizard > Alert Dynamic Response Summary

Configuration > Features > IPS > Signature Definition > Custom Signature Wizard > AdvancedAlert Behavior Wizard > Alert Dynamic Response Summary

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Alert Dynamic Response Summary window of theAdvanced Alert Behavior Wizard.

7/28/2019 asdmhelp501

263/659

6-61



Field Descriptions:

Summary Interval (seconds) Identifies the time interval during which the sensor counts eventsfor summarization.

Summary Key Identifies the attribute to use for counting events.

For example, if you want the sensor to count events based on whether or not they are from the sameattacker, select Attacker Address as the Summary Key .

Use Dynamic Global Summarization Allows the sensor to dynamically enter globalsummarization mode.


When the alert rate exceeds a specified number of signatures in a specified number of seconds, thesensor changes from sending a single summary alert to sending a single global summary alert. Whenthe rate during the interval drops below this threshold, the sensor reverts to its configured alertbehavior.

Button Functions:

Back Returns you to the previous window in the Custom Signature Wizard. Next Advances you to the next window in the Custom Signature Wizard.






Custom Signature Wizard > Advanced Alert Behavior Wizard > Global SummarizationConfiguration > Features > IPS > Signature Definition > Custom Signature Wizard > AdvancedAlert Behavior Wizard > Global Summarization

Supported User Role


Administrator

Operator

Viewer


Fields

The following fields and buttons are found in the Global Summarization window of the Advanced AlertBehavior Wizard.

Field Descriptions:

Global Summary Interval (seconds) Identifies the time interval during which the sensor countsevents for summarization.

7/28/2019 asdmhelp501

264/659

6-62



Button Functions:







MiscellaneousConfiguration > Features > IPS > Signature Definition > Miscellaneous

On the Miscellaneous panel, you can perform the following tasks:

Configure the application policy parameters

You can configure the sensor to provide Layer 4 to Layer 7 packet inspection to prevent maliciousattacks related to web services.

Configure IP fragment reassembly options

You can configure the sensor to reassemble a datagram that has been fragmented over multiplepackets. You can specify boundaries that the sensor uses to determine how many datagrams and howlong to wait for more fragments of a datagram. The goal is to ensure that the sensor does not allocateall its resources to datagrams that cannot be completely reassembled, either because the sensormissed some frame transmissions or because an attack has been launched that is based on generatingrandom fragment datagrams.

Configure TCP stream reassembly

You can configure the sensor to monitor only TCP sessions that have been established by a completethree-way handshake. You can also configure how long to wait for the handshake to complete, andhow long to keep monitoring a connection where no more packets have been seen. The goal is toprevent the sensor from creating alerts where a valid TCP session has not been established. Thereare known attacks against sensors that try to get the sensor to generate alerts by simply replayingpieces of an attack. The TCP session reassembly feature helps to mitigate these types of attacksagainst the sensor.

Configure IP logging options

You can configure a sensor to generate an IP session log when the sensor detects an attack. WhenIP logging is configured as a response action for a signature and the signature is triggered, allpackets to and from the source address of the alert are logged for a specified period of time.

Supported User Role


Administrator

Operator

Viewer

7/28/2019 asdmhelp501

265/659

6-63



You must be Administrator or Operator to configure the parameters on the Miscellaneous panel.

Fields

The following fields and buttons are found on the Miscellaneous panel.

Application Policy Lets you configure application policy enforcement. Enable HTTP Enables protection for web services. Select Yes to require the sensor to inspect

HTTP traffic for compliance with the RFC. Max HTTP Requests Specifies the maximum number of outstanding HTTP requests per

connection. AIC Web Ports Specifies the variable for ports to look for AIC traffic. Enable FTP Enables protection for web services. Select Yes to require the sensor to inspect

FTP traffic.

Fragment Reassembly Lets you configure IP fragment reassembly. IP Reassembly Mode Identifies the method the sensor uses to reassemble the fragments,

based on the operating system.

Stream Reassembly Lets you configure TCP stream reassembly. TCP Handshake Required Specifies that the sensor should only track sessions for which the

three-way handshake is completed. TCP Reassembly Mode Specifies the mode the sensor should use to reassemble TCP

sessions with the following options:

Asymmetric May only be seeing one direction of bidirectional traffic flow.

Note Asymmetric mode lets the sensor synchronize state with the flow and maintaininspection for those engines that do not require both directions. Asymmetric modelowers security because full protection requires both sides of traffic to be seen.

Strict If a packet is missed for any reason, all packets after the missed packet are processed.

L oose Use in environments where packets might be dropped.

IP Log Lets you configure the sensor to stop IP logging when any of the following conditions aremet:

Max IP Log Packets Identifies the number of packets you want logged. IP Log Time Identifies the duration you want the sensor to log. A valid value is 1 to 60

minutes. The default is 30 minutes. Max IP Log Bytes Identifies the maximum number of bytes you want logged.

Button Functions:

Apply Applies your changes and saves the revised configuration.

Reset Refreshes the panel by replacing any edits you made with the previously configured value.


Configuring Application Policy

Configuring IP Fragment Reassembly

7/28/2019 asdmhelp501

266/659

6-64


Chapter 6 IPSEvent Action Rules

Configuring TCP Stream Reassembly

Configuring IP Logging

Event Action RulesEvent action rules are a group of settings you configure for the event action processing component of thesensor. These rules dictate the actions the sensor performs when an event occurs.

The event action processing component is responsible for the following functions:

Calculating the risk rating

Adding event action overrides

Filtering event action

Executing the resulting event action

Summarizing and aggregating events

Maintaining a list of denied attackers

Event VariablesConfiguration > Features > IPS > Event Action Rules > Event Variables

You can create event variables and then use those variables in event action filters. When you want to usethe same value within multiple filters, use a variable. When you change the value of the variable, anyfilter that uses that variable is updated with the new value.

Note You must preface the variable with a dollar ($) sign to indicate that you are using a variable rather thana string.

Some variables cannot be deleted because they are necessary to the signature system. If a variable isprotected, you cannot select it to edit it. You receive an error message if you try to delete protectedvariables. You can edit only one variable at a time.

When configuring IP addresses, specify the full IP address or ranges or set of ranges. For example:

10.89.10.10-10.89.10.23

10.90.1.1

192.56.10.1-192.56.10.255

10.1.1.1-10.2.255.255, 10.89.10.10-10.89.10.23

Timesaver For example, if you have an IP address space that applies to your engineering group and there are noWindows systems in that group, and you are not worried about any Windows-based attacks to that group,you could set up a variable to be the engineering groups IP address space. You could then use thisvariable to configure a filter that would ignore all Windows-based attacks for this group.

7/28/2019 asdmhelp501

267/659

6-65



Supported User Role


Administrator

Operator

Viewer

Fields

The following fields and buttons are found on the Event Variables panel.

Field Descriptions:

Name Identifies the name assigned to this variable.

Type Identifies the variable as an address.

Value Identifies the value(s) represented by this variable.

Button Functions:

Select All Selects all configured targets. Add Opens the Add Variable dialog box.

From this dialog box, you can add a variable and specify the values associated with that variable.

Edit Opens the Edit Variable dialog box.

From this dialog box, you can change the values associated with this variable.

Delete Removes the selected variable from the list of available variables.




Configuring Event Variables

Add/Edit Event Variable

Configuration > Features > IPS > Event Action Rules > Event Variables > Add/Edit EventVariable

Supported User Role

You must be Administrator or Operator to configure event variables.

Fields

The following fields and buttons are found on the Add/Edit Event Variable panel.

Field Descriptions:

Name Identifies the name assigned to this variable.

Type Identifies the variable as an address.

Value Identifies the value(s) represented by this variable.

7/28/2019 asdmhelp501

268/659

6-66



Button Functions:

OK Accepts your changes and closes the dialog box.

Cancel Discards your changes and closes the dialog box.



Configuring Event Variables

Target Value RatingConfiguration > Features > IPS > Event Action Rules > Target Value Rating

You can assign a TVR to your network assets. T he TVR is one of the factors used to calculate the RRvalue for each alert. You can assign different TVRs to different targets. Events with a higher RR triggermore severe signature event actions.

An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated witha particular event on the network. The calculation takes into account the value of the network asset beingattacked (for example, a particular server) and therefore, it is not configured on a per-signature basis, butrather on a per-event basis. RRs let you prioritize alerts that need your attention. These RR factors takeinto consideration the severity of the attack if it succeeds, the fidelity of the signature, and the overallvalue of the target host to you. The RR is reported in the evIdsAlert.

The following values are used to calculate the RR for a particular event:

Attack Severity Rating A weight associated with the severity of a successful exploit of thevulnerability.

The ASR is derived from the alert severity parameter of the signature.

Signature Fidelity Rating A weight associated with how well this signature might perform in theabsence of specific knowledge of the target.

SFR is calculated by the signature author on a per-signature basis. The signature author defines abaseline confidence ranking for the accuracy of the signature in the absence of qualifyingintelligence on the target. It represents the confidence that the detected behavior would produce theintended effect on the target platform if the packet under analysis were allowed to be delivered. Forexample, a signature that is written with very specific rules (specific Regex) has a higher SFR thana signature that is written with generic rules.

Target Value Rating A weight associated with the perceived value of the target.

TVR is a user-configurable value that identifies the importance of a network asset (through its IPaddress). You can develop a security policy that is more stringent for valuable corporate resourcesand looser for less important resources. For example, you could assign a TVR to the company webserver that is higher than the TVR you assigned to a desktop node. In this example, attacks againstthe company web server have a higher RR than attacks against the desktop node.

Supported User Role


Administrator

Operator

7/28/2019 asdmhelp501

269/659

6-67



Viewer

Fields

The following fields and button are found on the Target Value Rating panel.

Field Descriptions: Target Value Rating (TVR) Identifies the value assigned to this network asset. The value can be

High, Low, Medium, Mission Critical, or No Value.

Target IP Address Identifies the IP address of the network asset you want to prioritize with aTVR.

Button Functions:

Select All Selects all configured targets.

Add Opens the Add Target Value Rating dialog box.

From this dialog box, you add the IP address(es) of the network asset and assign a TVR to the asset.

Edit Opens the Edit Target Value Rating dialog box.

From this dialog box, you can change the IP address(es) of the network asset.

Delete Removes the selected TVR from the list of available ratings.




Configuring Target Value Ratings

Add/Edit Target Value Rating

Configuration > Features > IPS > Event Action Rules > Target Value Rating > Add/Edit TargetValue Rat ing

Supported User Role

You must be Administrator or Operator to configure target value ratings.

Fields

The following fields and buttons are found in the Add/Edit Target Value Rating dialog boxes.

Field Descriptions:

Target Value Rating (TVR) Identifies the value assigned to this network asset. The value can beHigh, Low, Medium, Mission Critical, or No Value.

Target IP Address(es) Identifies the IP address of the network asset you want to prioritize with aTVR.

Button Functions:




7/28/2019 asdmhelp501

270/659

6-68




Configuring Target Value Ratings

Event Action OverridesConfiguration > Features > IPS > Event Action Rules > Event Action Overrides

You can add an event action override to change the actions associated with an event based on the RR of that event. Event action overrides are a way to add event actions globally without having to configureeach signature individually. Each event action has an associated RR range. If a signature event occursand the RR for that event falls within the range for an event action, that action is added to the event. Forexample, if you want any event with an RR of 85 or more to generate an SNMP trap, you can set the RRrange for Request SNMP Trap to 85-100 . If you do not want to use action overrides, you can disablethe entire event action override component.

Supported User Role


Administrator

Operator

Viewer

Fields

The following fields and buttons are found on the Event Action Overrides panel.

Field Descriptions:

Use Event Action Overrides If selected, lets you use any event action override that is enabled.

Event Action Specifies the event action that will be added to an event if the conditions of thisevent action override are satisfied.

Enabled Indicates whether or not the override is enabled.

Select Yes to enable the override, select No to disable the override.

Risk Rating Indicates the RR range between 0 and 100 that should be used to trigger this eventaction override.

If an event occurs with a RR that falls within the minimum-maximum range you configure here, theevent action is added to this event.

Button Functions:

Select All Selects all event action overrides listed in the table.

Add Opens the Add Event Action Override dialog box.

From this dialog box, you can add a event action override and specify the values associated with thatoverride.

Edit Opens the Edit Event Action Override dialog box.

From this dialog box, you can change the values associated with this event action override.

Enable Enables the selected event action override.

7/28/2019 asdmhelp501

271/659

6-69



You must select the Use Event Action Overrides check box on the Event Action Overrides panelor none of the event action overrides will be enabled regardless of the value you set here.

Disable Disables the selected event action override.

Delete Removes the selected event action override from the list of available overrides.



Configuring Event Action Overrides

Add/Edit Event Action Override

Configuration > Features > IPS > Event Action Rules > Event Action Overrides > Add/Edit EventAction Override

Supported User Role

You must be Administrator or Operator to configure event action overrides.

Fields

The following fields and buttons are found in the Add/Edit Event Action Override dialog boxes.

Field Descriptions:

Event Action Specifies the event action that will be added to an event if the conditions of thisevent action override are satisfied. You can choose from the following options:

Deny Attacker Inline Terminates the current packet and future packets from this attackeraddress for a specified period of time (inline mode only).

Note The sensor maintains a list of attackers currently being denied by the system. To removean entry from the denied attacker list, you can view the list of attackers and clear theentire list, or you can wait for the timer to expire. The timer is a sliding timer for eachentry. Therefore, if attacker A is currently being denied, but issues another attack, thetimer for attacker A is reset and attacker A remains in the denied attacker list until thetimer expires. If the denied attacker list is at capacity and cannot add a new entry, thepacket is still denied.

Deny Connection Inline Terminates the current packet and future packets on this TCP flow(inline mode only).

Deny Packet Inline Terminates the packet (inline mode only).

Log Attacker Packets Starts IP logging on packets that contain the attacker address and sendsan alert.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected. Log Attacker/Victim Pair Packets Starts IP logging on packets that contain the

attacker/victim address pair and sends an alert.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected.

7/28/2019 asdmhelp501

272/659

6-70



Log Victim Packets Starts IP logging on packets that contain the victim address and sends analert.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected. Produce Alert Writes the event to the Event Store as an alert.

Produce Verbose Alert Includes an encoded dump of the offending packet in the alert.This action causes an alert to be written to the Event Store even if Produce Alert is not selected.

Request Block Connection Sends a request to the NAC to block this connection. Request Block Host Sends a request to the NAC to block this attacker host. Request SNMP Trap Sends a request to the Notification Application component of the

sensor to perform SNMP notification.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected. Reset TCP Connection Sends TCP resets to hijack and terminate the TCP flow.

Enabled Indicates whether or not the override is enabled.

Select Yes to enable the override, select No to disable the override.

Risk Rating Indicates the RR range between 0 and 100 that should be used to trigger this eventaction override.

If an event occurs with an RR that falls within the minimum-maximum range you configure here,the event action is added to this event.

Button Functions:





Configuring Event Action Overrides

Event Action FiltersConfiguration > Features > IPS > Event Action Rules > Event Action Filters

Event action filters are processed as an ordered list and you have the ability to move filters up or downin the list.

Filters let the sensor perform certain actions in response to the event without requiring the sensor toperform all actions or remove the entire event. Filters work by removing actions from an event. A filterthat removes all the actions from an event effectively consumes the event.

You can configure event action filters to remove specific actions from an event or to discard an entireevent and prevent further processing by the sensor. You can use the variables that you defined on theEvent Variables panel to group addresses for your filters.

Note You must preface the variable with a dollar sign ($) to indicate that you are using a variable rather thana string. Otherwise, you receive the Bad source and destination error.

7/28/2019 asdmhelp501

273/659

6-71



Supported User Role


Administrator

Operator

Viewer

Fields

The following fields and buttons are found on the Event Action Filters panel.

Field Descriptions:

Use Event Action Filters Enables the event action filter component.

You must select this check box to use any filter that is enabled.

Name Lets you give the filter you are adding a name.

You need to name your filters so that you can move them around in the list and move them to the

inactive list if needed. Active Indicates whether the filter is enabled or disabled.

Enabled Indicates whether or not this filter is enabled.

Sig ID Identifies the unique numerical value assigned to this signature.

This value lets the sensor identify a particular signature. You can also enter a range of signatures.

SubSig ID Identifies the unique numerical value assigned to this subsignature.

A subSig ID is used to identify a more granular version of a broad signature. You can also enter arange of subSig IDs.

Attacker Address Identifies the IP address of the host that sent the offending packet.

You can also enter a range of addresses.

Attacker Port Identifies the port used by the attacker host.

This is the port from where the offending packet originated. You can also enter a range of ports.

Victim Address Identifies the IP address of the host being attacked (the recipient of the offendingpacket).


Victim Port Identifies the port through which the offending packet was received.

You can also enter a range of ports.

Risk Rating Indicates the RR range between 0 and 100 that should be used to trigger this EventAction Filter.

If an event occurs with an RR that falls within the minimum-maximum range you configure here,the event is processed against the rules of this event filter.

Actions to Subtract Indicates the actions that should be removed from the event, should theconditions of the event meet the criteria of the event action filter.

Stop on Match Determines whether or not this event will be processed against remaining filtersin the event action filters list.

If set to false, the remaining filters are processed for a match until a Stop flag is encountered.

7/28/2019 asdmhelp501

274/659

6-72



If set to true, no further processing is done. The actions specified by this filter are removed and theremaining actions are performed.

Comments Identifies the user comments associated with this filter.

Button Functions:

Select All Selects all of the event action filters listed.

Add Opens the Add Event Action Filter dialog box. From this dialog box, you can add an eventaction filter and specify the values associated with that filter.

Insert Before Lets you add an event action filter above the one you have selected.

Opens the Add Event Action Filter dialog box.

Insert After Lets you add an event action filter after the one you have selected.

Opens the Add Event Action Filter dialog box.

Edit Opens the Edit Event Action Filter dialog box. From this dialog box, you can change thevalues associated with this filter.

Enable Enables the selected event action filter.

You must select the Use Event Action Filters check box on the Event Action Filters panel or noneof the event action filters will be enabled regardless of the value you set here.

Disable Disables the selected event action filter.

Move Up Moves the selected filter up one row in the list and changes the processing order of thefilters.

Move Down Moves the selected filter down one row in the list and changes the processing orderof the filters.

Delete Removes this event action filter from the list of available filters.




Configuring Event Action Filters

Add/Edit Event Action Filter

Configuration > Features > IPS > Event Action Rules > Event Action Filters > Add/Edit EventAction Filter

Supported User Role

You must be Administrator or Operator to configure Event Action Filters.

Fields

The following fields and buttons are found in the Add/Edit Event Action Filters dialog boxes.

Field Descriptions:

Name Lets you give the filter you are adding a name.

7/28/2019 asdmhelp501

275/659

6-73



You need to name your filters so that you can move them around in the list and move them to theinactive list if needed.

Active Indicate whether the filter is enabled or disabled.

Enabled Indicates whether or not this filter is enabled.

Signature ID Identifies the unique numerical value assigned to this signature.This value lets the sensor identify a particular signature. You can also enter a range of signatures.

SubSignature ID Identifies the unique numerical value assigned to this subsignature.

A subSig ID is used to identify a more granular version of a broad signature. You can also enter arange of subSig IDs.

Attacker Address Identifies the IP address of the host that sent the offending packet.


Attacker Port Identifies the port used by the attacker host.

This is the port from where the offending packet originated. You can also enter a range of ports.

Victim Address Identifies the IP address of the host being attacked (the recipient of the offendingpacket).


Victim Port Identifies the port through which the offending packet was received.

You can also enter a range of ports.

Risk Rating Indicates the RR range between 0 and 100 that should be used to trigger this eventaction filter.

If an event occurs with an RR that falls within the minimum-maximum range you configure here,the event is processed against the rules of this event filter.

Actions to Subtract Indicates the actions that should be removed from the event, should theconditions of the event meet the criteria of the event action filter.

Choose from the following options: Deny Attacker Inline Terminates the current packet and future packets from this attacker

address for a specified period of time (inline mode only).

Note The sensor maintains a list of the attackers currently being denied by the system. Toremove an entry from the denied attacker list, you can view the lis t of attackers and clearthe entire list, or you can wait for the timer to expire. The timer is a sliding timer foreach entry. Therefore, if attacker A is currently being denied, but issues another attack,the timer for attacker A is reset and attacker A remains in the denied attacker list untilthe timer expires. If the denied attacker list is at capacity and cannot add a new entry,the packet is still denied.

Deny Connection Inline Terminates the current packet and future packets on this TCP flow(inline mode only).

Deny Packet Inline Terminates the packet (inline mode only). Log Attacker Packets Starts IP logging on packets that contain the attacker address and sends

an alert.


7/28/2019 asdmhelp501

276/659

6-74



Log Attacker/Victim Pair Packets Starts IP logging on packets that contain theattacker/victim address pair and sends an alert.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected. Log Victim Packets Starts IP logging on packets that contain the victim address and sends an

alert.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected. Produce Alert Writes the event to the Event Store as an alert. Produce Verbose Alert Includes an encoded dump of the offending packet in the alert.

This action causes an alert to be written to the Event Store even if Produce Alert is not selected. Request Block Connection Sends a request to the NAC to block this connection. Request Block Host Sends a request to the NAC to block this attacker host. Request SNMP Trap Sends a request to the notification application component of the sensor

to perform SNMP notification.


Reset TCP Connection Sends TCP resets to hijack and terminate the TCP flow. Stop on Match Determines whether or not this event will be processed against remaining filters

in the event action filters list.

If set to false, the remaining filters are processed for a match until a Stop flag is encountered.

If set to true, no further processing is done. The actions specified by this filter are removed and theremaining actions are performed.

Comments Identifies the user comments associated with this filter.

Button Functions:





Configuring Event Action Filters

General SettingsConfiguration > Features > IPS > Event Action Rules > General Settings

You can configure the general settings that apply to the event action rules, such as whether you want touse the summarizer and the meta event generator. The summarizer groups events into a single aler t, thusdecreasing the number of alerts the sensor sends out. The meta event generator processes the componentevents, which lets the sensor watch for suspicious activity transpiring over a series of events.

You can configure how long you want to deny attackers, the maximum number of denied attackers, andhow long you want blocks to last.

7/28/2019 asdmhelp501

277/659

6-75


Chapter 6 IPSBlocking

Supported User Role


Administrator

Operator

Viewer

You must be Administrator or Operator to configure the general settings for event action rules.

Fields

The following fields and buttons are found the on the General Settings panel.

Field Descriptions:

Use Summarizer Enables the Summarizer component.

You must select this check box to use the summarizer.

Use Meta Event Generator Enables the meta event generator.

Deny Attacker Duration Number of seconds to deny the attacker inline. Block Attack Duration Number of minutes to block a host or connection.

Maximum Denied Attackers Limits the number of denied attackers possible in the system at anyone time.

Button Functions:




Configuring the General Settings

BlockingNAC, the blocking application on the sensor, starts and stops blocks on routers, switches, PIX Firewalls,the FWSM 1.1 or greater, and the ASA. NAC blocks the IP address on the devices it is managing. It sendsthe same block to all the devices it is managing, including any other master blocking sensors. NACmonitors the time for the block and removes the block after the time has expired.

Caution If the ASA or FWSM is configured in multi-mode, blocking is not supported for the admin context.Blocking is only supported in single mode and in multi-mode customer context.

There are two types of blocks:

Host blockBlocks all traffic from a given IP address

Connection blockBlocks traffic from a given source IP address to a given destination IP addressand destination port

7/28/2019 asdmhelp501

278/659

6-76


Chapter 6 IPSBlocking

Note Multiple connection blocks from the same source IP address to either a different destination IP addressor destination port automatically switch the block from a connection block to a host block.

On Cisco routers and Catalyst 6500 series switches NAC creates blocks by applying ACLs or VACLs.

ACLs and VACLs permit or deny passage of data packets through interface ports. Each ACL or VACLcontains permit and deny conditions that apply to IP addresses. The PIX Firewall, the FWSM

asdmhelp501

Documents