Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Bulk filtering

Is there a way to filter traffic for one particular process to numerous IP addresses without going through and doing each signature by itself with all the IPs. In other words, can I filter all HTTP signatures to a known protected http server. Or SMTP sigs to e-mail servers. It would make it so much easier if this could be done as well as enter bulk single address without inputting them one by one and clicking OK between each one.

Thanks

Dwane

4 REPLIES
Cisco Employee

Re: Bulk filtering

The sensor filtering code has what are known as "System Variables":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31030

The 4.1 sensor comes with the following hardcoded list of variable names:

OUT, IN, DMZ1, DMZ2, DMZ3, USER-ADDRS1, USER-ADDRS2, USER-ADDRS3, USER-ADDRS4, USER-ADDRS5, SIG1, SIG1, SIG3, SIG4, SIG5

The IN, DMZ and USER-ADDRS variables can be populated by the user with a list of addresses.

You could place a single address: 10.1.1.1

Or even a Range of Addresses: 10.2.1.2-10.2.1.30

Or a comma delimited list of both ranges and single addresses:

10.1.1.1,10.2.1.2-10.2.1.30,20.1.1.1,20.3.4.5-20.3.5.255

I would recommend placing the IPs of all your HTTP Servers in one of these variables, and the IPs of all your SMTP Servers in another variable.

NOTE: The OUT variable is automatically calculated by the sensor to be all IPs not included in the IN variable. If you will make use of the OUT variable for designatin addresses outside your network you will need to list all of the addresses inside your network in the IN variable (including the addresses used in the DMZ and USER-ADDRS variables).

NOTE: The System Variables are currently a hardcoded list of names with user definable values. If you would also like to be able to define the name of the variable itself then please contact the TAC and ask them to enter an enhancement request to be able to create your own variable names.

The SIG variables can be populated by the user with a list of Signature Ids that woudl be a comma delimited list of single SigIds and Ranges of SigIds. For example:

2000-2012,2030,2050,3000-3005

Cisco does not have a default System Variable prepoluated with the list of HTTP signatures or SMPT signatures or any other signature set.

(You can feel free to contact the TAC and enter an enhancement request to have Cisco create default variables for these if yu think you need them)

If you want to create you own list of HTTP signatures, then go to: Configuration->Sensing Engine->Virtual Sensor Configuration->Signature Configuration Mode in IDM:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31303

Select the "Service" entry which will take you to a list of services. Select the service you want, and it will give you a listing of the signatures associated with that service (NOTE: The list may spread over multiple pages, look at the page indicator in the lower right hand corner).

You will need to take that listing of signatures and enter their SigIds into one of the SIG variables.

For a shortcut you may be able to do ranges like 2000-2004 to cover multiple signatures and reduce the size of your variable.

NOTE: If you are familiar with XML, another possibility would be to login to the sensor with the "service" account. Then cd to the /usr/cids/idsRoot/etc directory. In this directory is the defSigCategoriesConfig.xml file. This XML config file is what is used by IDM to determine which signatures belong to which category (which service, etc..).

You coudl copy the list of SigIds directly from this file to your SIG variables.

NOTE: Any time a signature update is applied to the sensor this list of signatures will change. New signatures will be add to each category. So you will need to go back through and add any new signatures in the signature update to your SIG variable.

OK, now you have your SIG variables populated with the HTTP and/or SMTP sig lists. And you have your DMZ or USER-ADDRS variables populated with your list of HTTP and/or SMTP Servers.

These variables can now be used when creating filters on the sensor.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#31156

In the SIGID field you can substitute in $SIG1 or another SIG variable instead of having to type in SigIds.

In the SrcAddrs or DstAddrs fields you can substite in $DMZ1 or anther DMZ or USER-ADDRS variable instead of having to type each address.

Remember to put a "$" in front of the variable name.

NOTE: If you don't want to use System Variables, you can also place the list of SigIds that you would have placed in SIG1 directly into the SIGID field in the filter (the SIGID field supports the comma delimited list just like the SIG variable).

The same is true for the SrcAddrs and DstAddrs fields, you can also put the list of addresses directly into these fields without using a System Variable.

CAUTION:

IF you are using VMS, then you won't be able to use the System Variables. The current version of VMS does not support System Variable definitions. So if using VMS you will need to place the list of signatures, and the list of IP addresses directly into the filters in VMS. (I haven't used the filter capability in VMS but I think it does support the comma separated list so you can put all the signatures on a single filter instead of a separate filter for each sig,)

New Member

Re: Bulk filtering

Great post (as usual), couple of questions though.

Will this put a great deal of overhead on the processing of packets and cause missed packets?

Also, I know you can't post roadmap stuff on this forum, but can you say if Cisco is looking at adding the system variable functionallity to VMS?

Thanks

New Member

Re: Bulk filtering

Since alarm filtering is performed per alarm, not per packet, the run time overhead should be negligible. Factors affecting performance impact are the rate of alarms (with this filter) and the complexity of the filter.

When designing filters consider using '*' for sub-sig ID where possible and consolidate addresses into ranges wherever possible. Large numbers of SIGID's have no impact on performance.

Well designed filters could actually improve performance in the alarm channel if the filters hit frequently.

Cisco Employee

Re: Bulk filtering

I know that the request has been made to the VMS team to add the functionality.

But I am not sure if/when the functionality may be added.

I have limited insight into what is being added to future VMS versions.

211
Views
0
Helpful
4
Replies
CreatePlease login to create content