We have a 4215 IDS in place that is identifying quite a few triggers based on Cisco signatures. It does not perform any automatic countermeasures. Right now, it is just providing information. Typically it is the same 5-10 different alerts being repeated many times. I am trying to assemble a report that will include recommended countermeasures for the various alerts, but can't find any good information. I thought going in that Cisco would include in its sig definitions the actions recommended for each alert, but I can't find such a thing. e.g. we get DNS Tunneling quite often. Cisco describes briefly what it is, but doesn't tell you what to do about fixing or mitigating the problem. Where do I find this type of information?
The first order of business is to verify that your alerts are true positives. This requires analysis. Turn on logging for both attacker and victim and review the capture files to see what is actually going on.
Turn down severity or disable/retire your false positive signatures (and there will be many). Once you go through the "noisy" signatures, you'll have a better view of the real, actionable events that are happening on your network.
It takes time and effort, but there is no "automatic" solution, despite what the sales folks might have promised.
Thanks for the information. I am assuming that most of what I am seeing represents false positives. When you refer to logging, is this a reference to logging on the workstation or server, or are you referring to logging on the IDS device?
Logging is an action you can configure on the IPS device on a per-signature basis. It will capture x number of packets after the signature triggering packet is seen. The packet captures are held on the IPS sensor and you have to retrieve them yourself.
If you don't want this much detail, the alternate option is to enable "detailed" alerts (again, configurable on a per-signature basis), and it will include some of the trigger packet in the alert.
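The true-positive check described above, applied to the DNS Tunneling alert from the original question, as an added example that is not part of this thread or of any Cisco tooling: given the query names an analyst has already pulled out of the sensor's packet capture (a constructed sample here), it groups them by domain and scores the indicators that distinguish tunnelling from ordinary lookups. The thresholds, the two-label "registered domain" shortcut and the sample names are all assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample: query names as an analyst might extract them from the
# sensor's capture for a DNS Tunneling trigger (not real traffic).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "4f2a9c1e7b3d8e0a6c5f1b2d.data.exfil-example.net",
    "9e8d7c6b5a4f3e2d1c0b9a8f.data.exfil-example.net",
    "a1b2c3d4e5f60718293a4b5c.data.exfil-example.net",
    "cdn.example.org",
    "updates.example.org",
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Assumption: last two labels are the registered domain. A real triage
    # script should use a public suffix list (e.g. co.uk would break this).
    return ".".join(name.rstrip(".").split(".")[-2:])

def triage(queries, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Per registered domain, count long leftmost labels, the highest label
    entropy and distinct names. All three high together is the tunnelling
    pattern worth escalating; a CDN or mail domain will not match.
    Thresholds are assumed starting points, tune them on your own baseline."""
    per_domain = defaultdict(list)
    for q in queries:
        per_domain[registered_domain(q)].append(q.rstrip("."))
    report = {}
    for dom, names in per_domain.items():
        labels = [n.split(".")[0] for n in names]
        long_labels = sum(1 for lab in labels if len(lab) >= min_label_len)
        max_ent = max(shannon_entropy(lab) for lab in labels)
        unique = len(set(names))
        suspicious = (long_labels >= min_unique and max_ent >= min_entropy
                      and unique >= min_unique)
        report[dom] = {"queries": len(names), "unique": unique,
                       "long_labels": long_labels,
                       "max_entropy": round(max_ent, 2),
                       "suspicious": suspicious}
    return report
```

Domains flagged suspicious are the ones to verify by hand against the capture; the rest are candidates for lowering the signature's severity or retiring it for that source.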