Finding better IPS signature documentation?

Unanswered Question
Jun 19th, 2007

Hello,

I'm currently interning at a company using many of Cisco's IPS/IDS. One of my primary responsibilities is researching signatures used by the various devices to get a better understanding of what signatures should be activated.

I am have an extremely difficult time finding information about some (most) of the signatures. Not even the all-powerful Google seems to turn up much info.

I was wondering if anyone could suggest some documentation or other websites I can read to get a better understanding of each of the signatures. For most of the signatures, the little explanations provided by VMS are insufficient to make an educated decision (not to mention, many of them seem redundant and difficult to distinguish between).

Any and all help is greatly appreciated!

*Edit: I know there is the section under MySDN, however most of the signatures I am looking at don't appear to be in there for some reason.

I'm new to the whole IPS thing, so please forgive my ignorance!*

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

My role is similar, in that we have to ticket IPS activity, informing the client what the signature means, cause & effect, plus a work round.

You will find that info is sometimes missing from MySDN, as signatures are updated. In other words the name XYZ used to be numbered 123, but is now 789. Vice versa is also possible.

The likelihood is that the signature you are looking for has a new name or number.

I usually use 3 resources for researching signatures. Google, MySDN and this forum.

Failing that, there is little you can do, other than provide the minimum & plus IP details and let the client decide.

If there is little available on a given sig, then the related articles are usually helpful.

I will keep a close eye on this article as it would be useful to know what other people do.

Cheers.

mhellman Wed, 06/20/2007 - 05:13

Do you have access to a sensor? I find that the first step is to look at the signature on the sensor itself. Then MySDN. And finally, web search for the specific vulnerability/exploit being detected.

Researching and understanding every signature is an admirable goal, but perhaps a bit unrealistic. there are thousands of signatures and even if you did 10 per day it would take you a year to understand them all.

The approach we took was to enable ALL [non-retired] signatures and then selectively disable. Nothing gets disabled with a valid rationale.

RITgrad2008 Wed, 06/20/2007 - 07:32

I am using Cisco's VMS program to monitor the IPS sensors. I am only an intern, so I am not entirely sure if I have access to the sensors themselves.

I believe what you suggest would be a superior approach since it appears our goals are the same - ensure all useful signatures are enabled. But we approach it different. I am having difficult determining which ones can be disabled (as well as which ones should be enabled).

As I mentioned, Google doesn't seem to help much - I've searched via signature number (99% of the data is unrelated) and I've tried by name (where there is barely any data at all).

To be honest, I'm a bit suprised there isn't a site (oh wait, there is Cisco's...) that is dedicated solely to explaining the signatures to experts and novices alike.

They essentially said "start at the top of the list and work your way down". Kinda like trying to eat a whale with a shrimp fork if ya ask me! ;)

rupadras Wed, 06/20/2007 - 10:32

You can go to Cisco Security Center at http://tools.cisco.com/security/center/home.x and search for a signature. Alternatively you can go to MySDN (http://tools.cisco.com/MySDN/Intelligence/home.x) and use the "Search IPS SIgnatures" tab to go to http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x. (CCO login required.)

You can use the keyword field to enter the (or a substring of the) sig name or sig id. I haven't had any problems with the search feature. If you know the sig update (Sxxx) number in which a signature was released, you can use it in the "Release status" field.

If you want to view all the signatures, you can choose the "all" link next to the "Signature ID" column in the Search IPS Signatures page (http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x)

Once you select a signature, you will find the related vulnerability under the "Related Intelligence Reports" section. This link will give you a detailed description of the vulnerability with which the signature is associated.

RITgrad2008 Mon, 06/25/2007 - 06:40

Thank you for the information. But sadly, this is information I already knew and have been using.

It seems the short answer is that there is simply NO better documentation than whats already available within VMS. This is disheartening because it is rather limited, and not terribly useful to someone with a limited knowledge-base like myself.

Wilson Samuel Mon, 06/25/2007 - 08:13

Hi,

I have also got the profile similar to yours, and I have always wondered how to get more information about the Threats for which the Signature has been released.

Though its bit difficult to get all the information about the threats however a good lead could be taken from Wikipedia, which offers great links and information about a particular threat.

I guess you shall also feel the same, e.g. just enter 'Back Orifice' in the Wikipedia and you will come to know many details which otherwise is very difficult to compile.

I hope that helps,

Please rate if it helps,

Kind Regards,

Wilson SAmuel

clausonna Thu, 06/28/2007 - 06:48

If you have an active IPS support contract I'd check out Cisco's Intellishield. From the most recent Cisco IPS Active Update Bulletin:

Cisco IPS Signature correlation available in the Cisco? Security IntelliShield Alert Manager Service Search Access Feature

The Cisco IPS Team is pleased to announce the correlation of Cisco IPS Signature information within the IntelliShield Alert Manager Search Access Feature. Cisco Services for IPS clients that subscribe to the service now have access to perform targeted searches to display Cisco IPS Signatures associated with different alerts to ensure they have the most up to date intelligence. Subscribers can view a new IPS Signature list page that is searchable and will display Cisco IPS Signatures associated with IntelliShield Alerts. IntelliShield Alerts also contain the associated Cisco IPS Signature information within each alert.

The IntelliShield Alert Manager Search Access Feature provides clients with access to one of the most extensive collections of vendor-neutral security intelligence alerts in the industry. Clients can access a fully indexed and searchable database that extends back over six years and contains more than 1700 vendors, 5500 products, and 20,000 distinct versions of applications.

To obtain access to the IntelliShield Alert Manager Search Access Feature, each user is required to provide either a valid IPS License File or a valid IPS Serial Number to authorize the creation of this user account. Only one user account is permitted for each IPS License File or IPS Serial Number. Please proceed to the registration page at the following link to obtain your access:

https://intellishield.cisco.com/security/alertmanager/intelliShieldSearch

Email support is available for users of the Cisco Security IntelliShield Alert Manager Service Search Access Feature at [email protected] . Support is provided by Cisco during the hours of 7:00 a.m. and 7:00 p.m. Eastern Time.

cmfigue Thu, 06/28/2007 - 11:53

You need to read the Earl Carter book IPS Exam Certification Guide. It could be a good source of literature for IPS management.

Figueroa

Actions

This Discussion