signature definition

Unanswered Question
Sep 3rd, 2007

Hi everybody. I am new with cisco IPS. I would like to get a little help. Where can i find the definition and/or explanation about the different signatures? I mean, after I check the "Events" in the IPS and I see the matches, how can i know the meaning of the signatures?

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jreekers Mon, 09/03/2007 - 15:21

Hi Damaso,

I'm not too sure how helpful this might be, but I think it's can get you started in the right track. Check this pdf file out:

http://www.cisco.com/warp/public/732/Tech/security/intrusion/docs/ips.pdf

It discusses signatures in-depth, and should be useful to you.

If that doesn't answer your specific questions, you might want to post on the Security/IDS thread here:

http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=3018F6D7EF871414A81989D03B3350DB.SJ2A?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fc

And the folks there should be more helpful.

HTH,

-Joe

Damaso,

When we have asked for documentation of this part of the system, it has been acknowledged by Cisco that this is still very poorly documented. It is my understanding that this is being worked on.

However, in the mean time, you may want to "upload" the Signature file from your WLC. This is a text file that is fairly well-documented and you will find some helpful information regarding the values in the Wireless IDS signature file and what they do.

To download the file from your WLC:

Commands -> Upload File -> Select 'Signature file' from the dropdown and store the file where you like.

For your convenience, I have included the factory version of the IDS signature file.

In case you are thinking about making any changes to your Wireless IDS file, you may be interested in our experience:

* We found that the WLC appeared to need a reboot after updating and "downloading" the IDS signature file to the WLC.

* File nameing appears to be VERY important (as in: DON'T CHANGE THE WIDS FILE NAME or the WLC will not parse the new signature file.

* In terms of understanding exactly what a particular alarm is, why it is critical, etc. Cisco is notably silent on this at this time. If you are using AirMagnet, you may find their descriptions much more meaningful since they explain what behavior causes these kinds of alarms, as well as why they may be a threat.

If you are looking into this because you are suffering from what appear to be false alarms from your system, you may also benefit from what we are going through with Cisco over the past eleven months with the WIDS:

After suffering from a number of false alarms in the system: Bcast Deauth, Disassoc Flood, Deauth Flood, we asked TAC for some help (back in October 2006).

After numerous promises that the problem would be "fixed in the next release" we finally got into June 2007 with some of the false alarms going away, and others appearing that were not before.

After our customer expressed their dissatisfaction, TAC, in a desperate attempt to try something, suggested adjusting some of the WIDS signature file values as follows: "Bcast Deauth", "Broadcast Probe flood", "Disassoc flood" Cisco TAC had us adjust our "Freq" values from 50 to 80 because it is not uncommon for certain drivers to sign off with a string of 64 disassociation messages once the client has drifted out of range. However, due to the low value for "Freq" (which is factory-set to 50). The value of 50 can often result in false alarms as clients send their normal signoff 64 times when going out of range. (Why 64 is not the default for these alarms is still unclear). So, we were directed to change the Freq=50 statements to Freq=80.

Result: While this will theoretically helps reduce false positives and may have minimally reduced their frequency, our customer's system still alarms on its own containment messages (even in 4.1.185) due to a bug in WLC IDS system. Bug ID: CSCsj06015 - Prevent 'Bcast deauth' alerts for rogue containment by other WLC in MG.

The level that WNBU (the Wireless Business Unit) has assigned for this bug is 6 (the lowest priority / a "cosmetic" bug) and it has been relegated to a "feature request" (apparently, for the WLC to NOT alarm on its own containment signals is a feature). To get this bug fixed, request has had to go through sales team, back to TAC, and ultimately to the product manager for the WLC!

WNBU's motto seems to have become "it's not a bug, it's a Feature Request".

We are still working with Cisco to get this self-alarming "feature request" escalated so that we do not continue to get CRITICAL false alarms from the WLC when we are performing containment.

Also, we are awaiting better documentation from Cisco on what these alarms are and how they are a threat.

I hope your experience with the Wireless IDS goes smoother than ours has so far.

- John

Attachment: 
damaso.rodriguez Tue, 09/04/2007 - 21:18

John:

thanks for your good wishes. Also for sharing your experience, it is very helpful. I can see you have been fighting some while with the systems. I can note that it is not so easy to interpret and manage the info from the device.

I will check your recomendations, for sure they help me.

Thanks for your time also.

Kind regards.

damaso.rodriguez Tue, 09/04/2007 - 12:21

Joe:

Thanks a lot for your help. I have gotten the document and i will check it. At the first glance, seems to be a good starting point.

Thanks again for your preciious time.

Kind regards

Actions

This Discussion

 

 

Trending Topics - Security & Network