Questions on IDS 4.0 and IEV 4.0

jeff.roback
Level 1

I've been playing with IDS/IDM/IEV 4.0 and so far I'm really impressed with the upgrade!

A few questions/suggestions :

1) With IDM, for sensing signature configuration, is there a quick way to edit a particular signature number? Say, for example, I want to tune signature 3041 -- the only way I can find to get there if I don't know the category is to pick all signatures, then try to guess which page it's on. I think the previous version had a pop-up that listed the range of signatures on each page.

2) A Suggestion: In IEV, when looking at a View, the first column is a grouping, and the second column is the # of items in that group. However, double-clicking on the first column doesn't give the detail, only double-clicking on the second column. It'd be nice if the first column did it too. (For example, for the severity level group, it'd be nice to double-click on the word "High" to see all the signatures of High status.)

3) Is there a simple way in IEV or IDM to see which connections have been blocked? It'd be nice to have a summary log of when connections were blocked and what IPs were affected. It'd also be groovy if this was shown in the IEV under the individual events (i.e. add an "Action" column showing what action was taken, if any, for each signature firing).

4) Is there a way to export the settings I've changed from default? So far I've just been keeping a Notepad file listing signatures I've tuned in case I have to re-install. (And from the looks of it, updating to the latest signatures wiped out my blocking settings)

5) What's the difference between ShunHost & ShunConnection? The documentation doesn't really say. And which one is appropriate for use with IOS vs. Pix shunning?

6) The Docs for IDM imply that system variables can be used in event filters, but when I try to apply the system variable IN for a filter, it won't let me so I have to type in logical addresses.

That's it for now!

Accepted Solution

marcabal
Cisco Employee

Glad to hear that you like the new versions. My answers to some of these questions/comments will hopefully enhance your experience.

1) With IDM, for sensing signature configuration, is there a quick way to edit a particular signature number? Say, for example, I want to tune signature 3041 -- the only way I can find to get there if I don't know the category is to pick all signatures, then try to guess which page it's on. I think the previous version had a pop-up that listed the range of signatures on each page.

ANSWER: Not at this time. We have heard this feature request from multiple users. A future version of 4.0 is already scheduled to bring back the 3.1 feature (listing of signature range per page). Can't comment on when that version will be released.

An alternative until then would be to select the option to see all of the sigs on the one page (it will take some time to load) and then use the find button in your browser to take you to the line for that signature.

2) A Suggestion: In IEV, when looking at a View, the first column is a grouping, and the second column is the # of items in that group. However, double-clicking on the first column doesn't give the detail, only double-clicking on the second column. It'd be nice if the first column did it too. (For example, for the severity level group, it'd be nice to double-click on the word "High" to see all the signatures of High status.)

ANSWER: I will pass this on to developers.

3) Is there a simple way in IEV or IDM to see which connections have been blocked? It'd be nice to have a summary log of when connections were blocked and what IPs were affected. It'd also be groovy if this was shown in the IEV under the individual events (i.e. add an "Action" column showing what action was taken, if any, for each signature firing).

ANSWER: The Manual Blocking Tab in IDM will provide you the current list of blocks as well as allow you to add blocks or remove existing blocks.

It is called "Manual Blocking", but it will also show you the current "Automatic Blocking" (you may need to go to another IDM screen and then come back to refresh with the latest block list).

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swchap5.htm#195940

Also, you can execute the "show events" line to show you what blocks have been attempted. If I remember correctly, the show events line you want would be: "show events nac".

I recommend playing around with the different possibilities in show events to see the different information that the sensor can provide in the new CLI.

Additionally, the attempted action is now included in the alarm itself, and IEV should have a column for IPLOG, SHUN, and TCP Reset to show which action was attempted. Check your settings and ensure that you have these columns selected to show up in your view. (The attempted actions are only viewable when looking at the individual alarms and not in any of the summary windows.)

4) Is there a way to export the settings I've changed from default? So far I've just been keeping a Notepad file listing signatures I've tuned in case I have to re-install. (And from the looks of it, updating to the latest signatures wiped out my blocking settings)

CLI commands to check out:

more current-config - gives a CLI-style listing of the configuration; under the virtualSensor area it shows you just the changes you've made to the signatures rather than the entire default signature definition.

copy current-config backup-config - backs up your current-config to a storage space on the sensor itself.

copy current-config - allows you to back up your configuration to the given location. The location could be an FTP server or an SCP server.

Example:

copy current-config ftp://user@10.1.1.1/config-backups/sensor1-config

5) What's the difference between ShunHost & ShunConnection? The documentation doesn't really say. And which one is appropriate for use with IOS vs. Pix shunning?

Shun Host creates the following ACL entry:

deny ip any

SO it blocks all packets from the source.

Shun Connection, on the other hand, creates the following ACL entry

(NOTE: I am doing this off memory so I may not be fully correct in my statement below, you may need to test it to find out for sure):

deny eq

SO it only blocks packets from the source going to the victim's ip that are going to the same port where the attack was seen.

NOTE: Multiple Shun Connections for the same source IP can result in the shuns being combined into a single Shun Host to prevent that IP from filling your ACL list.

As for IOS vs. PIX: the above commands are for IOS. Similar entries may be seen with the "shun" command of the PIX, but no matter what you enter with the "shun" command of the PIX, it will always shun the entire source IP address. So if you do Shun Connections with a PIX, the "shun" command will have the other information, but the PIX will still shun the entire source IP.

6) The Docs for IDM imply that system variables can be used in event filters, but when I try to apply the system variable IN for a filter, it won't let me so I have to type in logical addresses.

Looks like it may be a bug.
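The Shun Host / Shun Connection distinction in answer (5), and the consolidation note that follows it, modelled as a small Python simulation. This is an added example, not code from Cisco or from the poster: it assumes a hypothetical `Shun` record, renders the IOS-style ACL lines with an assumed `host`/`eq` syntax (the answer itself is written from memory), and treats the "combined into a single Shun Host" rule as a fixed per-source threshold (`max_per_src`), which the answer does not specify. The behaviour it demonstrates is the one the answer describes: a host shun drops every packet from the source, a connection shun drops only source-to-victim packets on the attacked port, and a PIX shun always behaves like a host shun.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet tuple used to probe the shun entries."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Shun:
    """A shun as the sensor would push it. dst is None for a Shun Host (assumed model)."""
    src: str
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    @property
    def is_host(self) -> bool:
        return self.dst is None

    def acl_line(self) -> str:
        # Assumed IOS rendering of the two ACL entries the answer describes.
        if self.is_host:
            return f"deny ip host {self.src} any"
        return f"deny {self.proto} host {self.src} host {self.dst} eq {self.dport}"

    def matches(self, p: Packet) -> bool:
        if p.src != self.src:
            return False
        if self.is_host:
            return True            # Shun Host: every packet from the source
        # Shun Connection: only the same victim, protocol and attacked port
        return p.dst == self.dst and p.proto == self.proto and p.dport == self.dport


def consolidate(shuns: List[Shun], max_per_src: int = 3) -> List[Shun]:
    """Collapse Shun Connections for one source into a single Shun Host once
    their count reaches max_per_src (assumed threshold; the answer only says
    this 'can' happen). A source that already has a Shun Host keeps just that."""
    by_src: Dict[str, List[Shun]] = {}
    for s in shuns:
        by_src.setdefault(s.src, []).append(s)
    out: List[Shun] = []
    for src, entries in by_src.items():
        conns = sum(1 for e in entries if not e.is_host)
        if any(e.is_host for e in entries) or conns >= max_per_src:
            out.append(Shun(src))
        else:
            out.extend(entries)
    return out


def pix_equivalent(s: Shun) -> Shun:
    """A PIX 'shun' always blocks the whole source, whatever detail it was given."""
    return Shun(s.src)


def is_blocked(p: Packet, shuns: List[Shun]) -> bool:
    return any(s.matches(p) for s in shuns)


if __name__ == "__main__":
    # Constructed sample: one attacker, three victims, all on tcp/80.
    conns = [Shun("10.0.0.5", f"192.168.1.{i}", "tcp", 80) for i in (10, 11, 12)]
    for s in consolidate(conns[:2]) + consolidate(conns):
        print(s.acl_line())
```

Running the block prints two connection-level ACL lines for the first two shuns, followed by the single host-level line that the third shun for the same source collapses them into.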


5 Replies


Great questions and great answers. From this thread alone I can now run my 4210 better than ever. :) 4.0 looks good Cisco.

6) The Docs for IDM imply that system variables can be used in event filters, but when I try to apply the system variable IN for a filter, it won't let me so I have to type in logical addresses.

NOT a bug, just heard back from development.

The method in 4.0 has changed from how it was done in 3.1.

You need to add a $ sign in front of IN to tell the sensor it is a variable: $IN

Sounds good. Thanks for all the additional info on all these items!

Answer to Suggestion (2)

2) A Suggestion: In IEV, when looking at a View, the first column is a grouping, and the second column is the # of items in that group. However, double-clicking on the first column doesn't give the detail, only double-clicking on the second column. It'd be nice if the first column did it too. (For example, for the severity level group, it'd be nice to double-click on the word "High" to see all the signatures of High status.)

The last column "Total Alarm Count" gives you the above feature. When you double-click that column, it will open an "Alarm Information Dialog" which lists the details of all the alarms under that category.

Jie
