Solved: Re: purpose of IPS 5.x signature 50000

mhellman · ‎01-04-2006

50000-0 Outbreak Prevention Signature

50000-1 Outbreak Prevention Signature

50000-2 Outbreak Prevention Signature

Can anyone provide a good description of these signatures? I have some vague recollection of a Cisco "outbreak detection" solution but are they useful otherwise?

marcabal · ‎01-04-2006

Just to add to what Brian posted.

If you don't have Cisco ICS, then leave these signatures disabled.

By default 5000,0 will fire on ALL TCP packets, 5000,1 will fire on ALL UDP packets, and 5000,2 will fire on ALL ICMP packets.

So if you enable them yourself with having been tuned by Cisco ICS they just create alot of meaningless noise.

By default they are disabled, and should be left disabled.

Cisco ICS can specifically tune these signatures for specific outbreaks. It tunes the signatures to narrow down the type of TCP, UDP, or ICMP packets to detect, adds a deny-packet-inline action, and will automatically enable the signature. It is a very course signature that stops all traffic for a particular service being attacked by the worm/virus. It is just a temporary measure to prevent spread of the worm/virus until a specific signature can be written.

Cisco ICS will also automatically disable the 50000 signature when a specific signature for the virus/worm has been created.

Without Cisco ICS's automatic tuning, enabling, and disabling the 50000,0-2 signatures won't really doing anything for you, and they should be left disabled.

If you don't have Cisco ICS and what to do these types of signatures to deny entire TCP or UDP ports, then I recommend creating your own separate custom signatures rather than trying to re-use the 50000 signatures.

For more information about Cisco ICS refer to the following:

http://www.cisco.com/en/US/products/ps6542/products_data_sheet0900aecd8033185b.html

View solution in original post

joe.oranday · ‎01-04-2006

If I understand correctly, 50000 series signatures represent META-Event signatures. These types of signatures can correlate multiple IDS signatures that, when combined, make up a specific attack sequence. I'm thinking these are signficant because they represent a person who knows what they are doing.

mhellman · ‎01-04-2006

They use the atomic IP engine not the meta engine, so I don't think that's it. I believe they have something to do with some solution Cisco has for preventing outbreaks, but we haven't purchased any such beast. I'm guessing they're useless without the entire solution, but I'm just trying to figure out what they are alerting on.

brhamon · ‎01-04-2006

Cisco Incident Control System (ICS) is the software product in our outbreak prevention solution. It deploys Outbreak Management Tasks (OMTs) to Cisco IPS sensors and Cisco routers on your network. OMTs deploy new ACLs on Cisco routers and tune the 50000-* signatures on Cisco IPS sensors.

The OMT causes all traffic on the affected service ports to be stopped until a signature can be developed and tested. After the OMT is applied, security researchers study the attack more closely. Next, they release and deploy a new IPS signature. Finally the OMT is withdrawn, allowing normal traffic to resume.

By adding destination ports to 50000-0, new TCP connections are denied. This protects a service that is under attack by preventing new connections.

By adding destination ports to 50000-1, UDP services can be blocked. By adding ICMP types to 50000-2, ICMP services can be blocked.

Cisco ICS deploys the OMT to IPS sensors exactly as if a user tunes these signatures using IDM or the command line interface.

If you do not use Cisco ICS in your environment, and you have your IPS sensor deployed inline, you can set the Event Action to "Deny Packet Inline" to activate these signatures, then add destination ports/ICMP types to achieve the same effect.

marcabal · ‎01-04-2006