IPS Signature Engine

learnsec
Level 1

Hello,

While checking the IPS signature database, I noticed that there is a column named Engine.

Some signatures are Atomic IP, others Normalizer; I don't know if there is a third value.

But what do those values mean?

One more question: if a signature's action is set to "block attacker inline", it blocks the attacker's IP address for one hour, right?

Also, is there a way to know from the IPS which group of IPs is blocked for one hour, and when?


Scott Fringer
Cisco Employee

There are multiple possible signature engines available; they are discussed here in the user guide:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html

The default block timeout on a sensor is 30 minutes, and can be adjusted as your environment needs.

You can view blocked hosts in the IDM GUI by navigating to Monitoring>Time-Based Actions>Host Blocks

From the CLI it will be the last section of output from:

show statistics network-access

Scott

Hello Scott,

I was out of the office for a while, so I couldn't answer before.

Thank you very much for your reply.

The output of the command is the following:

!

show statistics network-access
Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
State
   BlockEnable = true

!

The "BlockEnable = true" is there, but the other parameter is "AllowSensorBlock = false"; is that a problem?

The "AllowSensorBlock = false" is talking about the deny through a firewall or a router, right? And not the deny through the IPS itself only?

Is the IPS itself (alone, without the contribution of a router or firewall) still able to block the IP of a certain host for 30 minutes?

Also, how do I adjust the period from 30 minutes to one hour, for example?

Lastly, once an IP is blocked, how long does the IP still appear in the GUI or CLI (show statistics network-access)?

Can I view a history of the list of blocked addresses?

Thank you.

First, let me clarify the differences between blocking actions and deny actions:

block - relies on an external device, such as a firewall or router, to implement the action via a shun or ACL entry

deny - performs the action directly on the IPS sensor; requires the sensor to be configured for inline operation

All of the output of the 'show statistics network-access' command relates to block actions. 'AllowSensorBlock' is a parameter that allows the IPS sensor to add its management IP address to a requested block action; this is not usually recommended. To adjust the timeout for blocks to remain active you would make use of the 'global-block-timeout' command from the CLI:

sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# 
sensor(config-rul)# general
sensor(config-rul-gen)# global-block-timeout 30
The timeout is specified in minutes.
For deny actions you can adjust the timeout using the 'global-deny-timeout' command:
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# 
sensor(config-rul)# general
sensor(config-rul-gen)# global-deny-timeout 1800
The timeout is specified in seconds.
To adjust timeouts using the IDM GUI, please reference this documentation link:
You can monitor active blocks from the CLI using the 'show statistics network-access' command.
You can monitor active denies from the CLI using the 'show statistics denied-attackers' command.
To monitor blocks and denies using the IDM GUI, please reference this documentation link:
There is not a direct method within the sensor to view historical block/deny lists.
Scott
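A worked example added here, not taken from the thread and not Cisco's own tooling, covering two points from Scott's replies: the sensor shows only the currently active blocks and keeps no historical list, and the two timeouts take different units (global-block-timeout in minutes, global-deny-timeout in seconds). The script parses the indented 'Key = value' layout seen in the user's 'show statistics network-access' output, rebuilds a block history by diffing successive snapshots, and emits the timeout commands in the right units. Assumptions not confirmed by the thread: the block list is taken to appear under State / BlockedAddr / Host with IP and BlockMinutesRemaining fields, snapshots are fetched elsewhere (for example over SSH) and passed in as text, and the two sample snapshots are constructed.

```python
"""Added example (not from the thread, not Cisco code): keep a history of
IPS host blocks by polling 'show statistics network-access' and diffing the
snapshots, and build the timeout-change CLI in the units the sensor expects.
Assumed, not confirmed by the thread: the block list lives under
State / BlockedAddr / Host with IP and BlockMinutesRemaining fields."""
from __future__ import annotations
import re
from datetime import datetime, timezone

# A line is either "Section" (no '=') or "Key = value"; indentation nests them.
_LINE = re.compile(r"^(\s*)(\S.*?)(?:\s*=\s*(.*))?$")
Event = tuple[str, str, datetime]  # (event, ip, time)


def parse_stats(text: str) -> dict:
    """Parse indented 'Key = value' output into nested dicts; a section that
    repeats at one level (several 'Host' entries) becomes a list."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, node)
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":  # blanks and '!' separators
            continue
        m = _LINE.match(raw)
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack[-1][0] >= indent:  # climb back out to the enclosing section
            stack.pop()
        parent = stack[-1][1]
        if value is not None:  # leaf setting
            parent[key] = value.strip()
            continue
        node: dict = {}
        existing = parent.get(key)
        if existing is None:
            parent[key] = node
        elif isinstance(existing, list):
            existing.append(node)
        else:
            parent[key] = [existing, node]
        stack.append((indent, node))
    return root


def blocked_hosts(stats: dict) -> dict[str, int]:
    """{ip: minutes remaining} for active host blocks (layout assumed above)."""
    hosts = stats.get("State", {}).get("BlockedAddr", {}).get("Host", [])
    if isinstance(hosts, dict):  # a single block parses as a dict, not a list
        hosts = [hosts]
    return {h["IP"]: int(h.get("BlockMinutesRemaining", 0)) for h in hosts}


class BlockHistory:
    """The sensor keeps no block history, so rebuild one from polled snapshots:
    log when an IP appears (blocked) and when it vanishes (expired or removed)."""

    def __init__(self) -> None:
        self.active: dict[str, datetime] = {}  # ip -> first seen
        self.log: list[Event] = []

    def observe(self, snapshot: str, now: datetime | None = None) -> list[Event]:
        now = now or datetime.now(timezone.utc)
        current = blocked_hosts(parse_stats(snapshot))
        events: list[Event] = []
        for ip in sorted(current.keys() - self.active.keys()):
            self.active[ip] = now
            events.append(("blocked", ip, now))
        for ip in sorted(self.active.keys() - current.keys()):
            del self.active[ip]
            events.append(("expired", ip, now))
        self.log.extend(events)
        return events


def timeout_commands(block_minutes: int | None = None,
                     deny_seconds: int | None = None) -> list[str]:
    """CLI lines from the accepted answer. global-block-timeout is in MINUTES
    and global-deny-timeout in SECONDS, hence two separate named arguments."""
    settings = []
    for name, value in (("global-block-timeout", block_minutes),
                        ("global-deny-timeout", deny_seconds)):
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
        settings.append(f"{name} {value}")
    return [] if not settings else [
        "configure terminal", "service event-action-rules rules0", "general", *settings]


# Constructed snapshots (not real sensor output), five minutes apart: .11 has
# expired and .12 is newly blocked. A real poller would fetch these over SSH.
SNAPSHOT_T0 = """\
State
   BlockEnable = true
   BlockedAddr
      Host
         IP = 192.0.2.10
         BlockMinutesRemaining = 28
      Host
         IP = 192.0.2.11
         BlockMinutesRemaining = 2
"""
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("= 28", "= 23")
               .replace("192.0.2.11", "192.0.2.12").replace("= 2\n", "= 30\n"))

if __name__ == "__main__":
    hist = BlockHistory()
    print([hist.observe(s) for s in (SNAPSHOT_T0, SNAPSHOT_T1)])
    print("\n".join(timeout_commands(block_minutes=60, deny_seconds=3600)))
```

Running the block prints the blocked/expired events for the two constructed snapshots and the CLI lines for a one-hour timeout (60 for blocks, 3600 for denies). Because the history is rebuilt from polls, poll more often than the shortest block you care about; a block that starts and expires between two polls is never seen.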

Thank you, Scott.
