information on countermeasures

Unanswered Question
May 27th, 2008

We have a 4215 IDS in place that is identifying quite a few triggers based on Cisco signatures. It does not perform any automatic countermeasures. Right now, it is just providing information. Typically it is the same 5-10 different alerts being repeated many times. I am trying to assemble a report that will include recommended countermeasures for the various alerts, but can't find any good information. I thought going in that Cisco would include in its sig definitions the actions recommended for each alert, but I can't find such a thing. e.g. we get DNS Tunneling quite often. Cisco describes briefly what it is, but doesn't tell you what to do about fixing or mitigating the problem. Where do I find this type of information?

Thanks,

Tim

rhermes Tue, 05/27/2008 - 09:22

The first order of business is to verify that your alerts are true positives. This requires analysis. Turn on logging for both attacker and victim and review the capture files to see what is actually going on.

Turn down severity or disable/retire your false positive signatures (and there will be many). Once you go through though the "noisy" signatures, you'll have a better view of the real, actionable events that are happening on your network.

It takes time and effort, but there is no "automatic" solution, despite what the sales folks might have promised.
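The triage step rhermes describes (find the handful of signatures that account for most of the volume, then decide which need a packet capture and which are likely benign triggers) can be scripted over an alert export. This is an added example, not code from the thread or from Cisco; the alert lines are constructed, the line format is assumed, and only sig 6066/0 comes from the thread (the 7000x ids are placeholders).

```python
from collections import defaultdict

# Constructed sample alerts, not real sensor output. Each line is
# "sigId/subSig attacker victim". 6066/0 is the DNS Tunneling signature
# named in the thread; the 7000x signature ids are placeholders.
SAMPLE_ALERTS = """\
6066/0 10.0.0.53 198.51.100.10
6066/0 10.0.0.53 198.51.100.10
6066/0 10.0.0.53 198.51.100.10
6066/0 10.0.0.53 198.51.100.10
70001/0 203.0.113.9 10.0.0.20
70001/0 203.0.113.9 10.0.0.21
70001/0 203.0.113.9 10.0.0.22
70003/0 203.0.113.4 10.0.0.30
70003/0 203.0.113.5 10.0.0.30
70003/0 203.0.113.6 10.0.0.30
70002/0 198.51.100.2 10.0.0.20
"""


def summarize(alert_text):
    """Group alerts by signature: total count, distinct attackers, distinct victims."""
    summary = defaultdict(lambda: {"count": 0, "attackers": set(), "victims": set()})
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        sig, attacker, victim = line.split()
        entry = summary[sig]
        entry["count"] += 1
        entry["attackers"].add(attacker)
        entry["victims"].add(victim)
    return dict(summary)


def triage(summary, noisy_threshold=3):
    """Rank signatures by volume and attach a first review step to each.

    One source repeatedly hitting one destination is the classic tuning
    candidate (often a host doing its normal job, e.g. a DNS server); one
    source hitting many victims deserves a capture before any tuning.
    """
    rows = []
    for sig, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        n_src, n_dst = len(e["attackers"]), len(e["victims"])
        if e["count"] >= noisy_threshold and n_src == 1 and n_dst == 1:
            step = "single src/dst pair: check for a benign trigger, then filter or lower severity"
        elif e["count"] >= noisy_threshold and n_src == 1:
            step = "one source, many victims: enable logging/detailed alerts and review the capture"
        elif e["count"] >= noisy_threshold:
            step = "many sources: verify true positive before tuning anything"
        else:
            step = "low volume: review individually"
        rows.append((sig, e["count"], n_src, n_dst, step))
    return rows
```

Running `triage(summarize(SAMPLE_ALERTS))` puts 6066/0 at the top as a single-pair repeat, which is exactly the "noisy signature" case worth checking first.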

tjcorlando Tue, 05/27/2008 - 10:37

Thanks for the information. I am assuming that most of what I am seeing represents false positives. When you refer to logging, is this a reference to logging on the workstation or server, or are you referring to logging on the IDS device?

Thanks,

Tim

rhermes Tue, 05/27/2008 - 13:49

tjc -

Logging is an action you can configure on the IPS device on a per-signature basis. It will capture x number of packets after the signature-triggering packet is seen. The packet captures are held on the IPS sensor and you have to retrieve them yourself.

If you don't want this much detail, the alternate option is to enable "detailed" alerts (again, configurable on a per-signature basis), and it will include some of the trigger packet in the alert.

wsulym Tue, 05/27/2008 - 09:57

So here's an open-ended question... If we were to include mitigation/countermeasures, what would you expect to see, or like to see?

Would it be worthwhile to see router ACLs or something like that listed as mitigations? Or is that too much to see in the signature details area?

What I'm gunning for here is what's useful in the signature details area (description, benign triggers, suggested filters), do you think you might use it, and how much is too much?

Anyone can jump in on this question. I'm interested in what you think would be useful and how much is too much (as in, that's great to have, but it's better off in some other document).

tjcorlando Tue, 05/27/2008 - 10:56

Sorry. It is open-ended, very much so. I am trying to get better educated to allow myself to ask better questions.

I was looking for something like e.g.:

DNS Tunneling - sig 6066/0.

If the source address refers to a MS 2003 Server acting as DNS server, turn off the xyz function in DNS, patch the server with abc level patch or something like this.

This client is a 100-seat bank and cannot afford the resources to designate a person to monitoring/managing the IDS function.

This has to be something that can be achieved in a few hours a month. Maybe I have the wrong tool for a client of this size.

Thanks,

Tim

mhellman Wed, 05/28/2008 - 04:57

I would personally not want or expect this information to be on the sensor, but perhaps on the Cisco website (mySDN or whatever it's called) when I link from the sensor or MARS.
