
ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on Intrusion Prevention System with Scott Fringer. Scott Fringer is a Technical Assistance Center engineer on the intrusion detection system team in Research Triangle Park, North Carolina. His team supports Cisco's various intrusion detection/prevention sensors, the Cisco IOS IPS feature set, Cisco Security MARS, Cisco Security Manager, Cisco Security Agent, and the Cisco Anomaly Detector/Guard products. Fringer has represented the Technical Assistance Center at previous Networkers conferences and currently holds CCSP certification.

Remember to use the rating system to let Scott know if you have received an adequate response.

Scott might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 24, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Scott,

I am new to IPS and I want to write some custom signatures. I was looking for a beginner (easy to understand) document which can tell more about the signature engine and regex. Is there any reading material or documentation that you can point me to so that I can understand the signature engine and write custom signatures? Any suggestion would be helpful.

Thanks

The best place to start with understanding custom signature development for Cisco's IPS platform is to understand the system's architecture.  There is a good overview available at this link:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_system_architecture.html

The next piece to understand is the functionality the various signature engines available provide.  This is outlined at this link:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html

With the underlying technology in place, you can start with custom signature creation as discussed at this link:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_definitions.html#wp1042406

(Or for the IDM GUI):

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_signature_wizard.html#wp2117436

As for references on regular expressions, there are a multitude of resources available on the Internet.  There is a brief overview within the IPS user guide at this link:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html#wpmkr1215311

Scott

Hi Scott,

Thanks a lot for your help. I had another question: in the service http engine, if I specify "uri regex" and "header regex", will the signature trigger only when it matches both the URI and header regex, or will it trigger if either one of them matches?

Within a signature, all enabled and defined regex values must match for the signature to match and in turn take action. So, if you want a signature to fire if either the header regex or the URL regex matches, you would want to create two separate signatures, one for each specific match.

Scott
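The AND-versus-OR behaviour described in the answer above, as an added illustration that is not Cisco's signature engine and not code from this thread: a simplified model of a service-http signature where every defined regex must match, run against constructed HTTP requests, comparing one signature carrying both regexes against two single-regex signatures. The signature IDs, regexes and request samples are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample HTTP requests (not captured traffic).
REQUESTS = {
    "uri_only":    "GET /cgi-bin/admin.cgi?cmd=list HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "header_only": "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: scanner-bot/1.0\r\n\r\n",
    "both":        "GET /cgi-bin/admin.cgi HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: scanner-bot/1.0\r\n\r\n",
    "neither":     "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

@dataclass
class HttpSignature:
    """Simplified model of a service-http signature: each defined regex must match (AND)."""
    sig_id: int                       # constructed ID, not a real Cisco signature number
    uri_regex: Optional[str] = None
    header_regex: Optional[str] = None

    def matches(self, request: str) -> bool:
        head, _, _ = request.partition("\r\n\r\n")
        request_line, *header_lines = head.split("\r\n")
        parts = request_line.split(" ")
        uri = parts[1] if len(parts) > 1 else ""
        headers = "\r\n".join(header_lines)
        checks = []
        if self.uri_regex is not None:
            checks.append(re.search(self.uri_regex, uri) is not None)
        if self.header_regex is not None:
            checks.append(re.search(self.header_regex, headers) is not None)
        # AND semantics: every defined regex must match; a signature with no
        # regex defined never fires in this model.
        return bool(checks) and all(checks)

def fired(signatures: List[HttpSignature], request: str) -> List[int]:
    """IDs of the signatures that fire on this request."""
    return [s.sig_id for s in signatures if s.matches(request)]

URI_RE = r"/cgi-bin/admin\.cgi"
HDR_RE = r"User-Agent: scanner-bot"
# One signature with both regexes: fires only when both match.
COMBINED = [HttpSignature(60000, URI_RE, HDR_RE)]
# Two signatures, one regex each: fires when either matches.
SPLIT = [HttpSignature(60001, uri_regex=URI_RE), HttpSignature(60002, header_regex=HDR_RE)]

def compare() -> Dict[str, Tuple[List[int], List[int]]]:
    """For each sample request: (IDs fired by COMBINED, IDs fired by SPLIT)."""
    return {name: (fired(COMBINED, req), fired(SPLIT, req)) for name, req in REQUESTS.items()}
```

Running `compare()` shows the combined signature firing only on the "both" request, while the split pair fires on any request where either regex matches.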

Hi Scott,

We have around 15 Cisco IPS devices running IPS 7.0(4)E4. Sometimes the "analysis engine" of some of the sensors stops running (i.e. analysis engine NOT running). What is the cause of this, and what are the steps or solution to solve this problem so that the analysis engine starts running normally?

Thanks

Unfortunately there is not a single cause or corrective action for times when the analysis engine stops running.  When this occurs, the best thing you can do is gather a 'show tech' from the affected sensor and open a service request with TAC.  It will take specific investigation on a case-by-case basis.

Scott
