How to disable the signature and summary events for a signature on IPS

TCC_2 · ‎06-22-2009

What the intrusion prevention system is for and how it works?

Network intrusion is undesirable network traffic impacting on functionality or security of the victim-host. Its purpose is mostly to get illegitimate access or/and to exploit fragile data. A typical attribute of such intrusions is their apparent legitimacy and it is difficult to uncover such traffic and filter it simply out by traffic rules. Let us use DoS intrusion (Denial of Service) as an example. In this type of intrusion, too many connections are established on a port to use up the system resources of the server application so that no other users can connect there. However, the firewall considers this act only as an access to an allowed port.

Therefore, sophisticated analysis of network traffic is needed here to detect network intrusions. Network intrusion detection systems use databases of known intrusions (this is similar to antivirus programs using databases of known viruses). Thanks to regular update of the database, new intrusion types are also recognized.

Intrusion detection is performed before application of traffic rules which avoids intervention of traffic rules with the detection process.

Resolution

In order to disable the summary events on the signature, complete these required steps with IPS Device Manager (IDM):

Choose Configuration.

Choose Configuration > Signature Definition > Signature Configuration.

Choose the signature.

Click Edit in order to edit the signature.

Choose Alert Frequency > Summary mode and choose Fire All.

For Specify Summary Threshold, click No.

Click OK in order to save.

Master Engine Alert Frequency Parameters

Parameter	Description	Value
Alert Frequency	Summary options for grouping alerts.	—
Summary Mode	Mode used for summarization.	—
Fire All	Fires an alert on all events.	—
Fire Once	Fires an alert only once.	—
Global Summarize	Summarizes an alert so that it only fires once regardless of how many attackers or victims.	—
Summarize	Summarizes alerts.	—
Summary Threshold	Threshold number of alerts to send signature into summary mode.	0 to 65535
Global Summary Threshold	Threshold number of events to take alerts into global summary.	1 to 65535
Summary Interval	Time in seconds used in each summary alert.	1 to 1000
Summary Key	The storage type on which to summarize this signature: •Attacker address •Attacker and victim addresses •Attacker address and victim port •Victim address •Attacker and victim addresses and ports	Axxx AxBx Axxb xxBx AaBb

Complete these steps in order to enable or disable a signature:

Log in to IDM with an account that has administrator or operator privileges.

Choose Configuration > Signature Definition > Signature Configuration.

The Signature Configuration panel appears.

In order to locate a signature, choose a sorting option from the Select By list.

For example, if you search for a UDP Flood signature, choose L2/L3/L4 Protocol and then UDP Floods.

The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria.

In order to enable or disable an existing signature, select the signature and complete these steps:

View the Enabled column in order to determine the status of the signature. A signature that is enabled has the value Yes in this column.

In order to enable a signature that is disabled, select the signature and click Enable.

In order to disable a signature that is enabled, select the signature and click Disable.

Click Apply in order to apply your changes and save the revised configuration.
Problem Type

Configuration Issue

Product Family

IDS/IPS - 4200 series sensor

Acknowledgement:

IPS

Reference

Refer to the Alert Frequency http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/ime/ime_signature_engines.html#wp1145555 section of Signature Engines http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/ime/ime_signature_engines.html for more information about summary mode Parameter.