This chapter describes the following topics:
This section introduces the Network Security Database (NSDB), Cisco's HTML-based encyclopedia of network vulnerability information, and describes the following topics:
To access the NSDB from the Director interface, click an Alarm icon and then click Show>NSDB on the Security menu. Clicking an Alarm first is optional: if you open the NSDB without selecting an alarm, the main index page opens instead, as pictured in Figure 8-1.
To access the NSDB directly from your HTML browser, type the following URL into the browser's location field:
/usr/ciscosec/nsdb/html/all_sigs_index.html
A typical NetRanger NSDB entry contains the following critical security information:
Figures 8-2 and 8-3 illustrate how these sections are presented in HTML.
There are two types of signatures:
Embedded signatures have the following characteristics:
String matching signatures have the following characteristics:
A string-matching signature looks like the following example:
RecordOfStringName 2101 21 1 1 "[Rr][Ee][Tt][Rr][]+passwd"
where RecordOfStringName is the generic title, 2101 is the SubSignature ID, 21 is the port number to detect on (FTP), 1 is the direction (1 = to port, 2 = from port, 3 = both), 1 is the number of string match occurrences to allow before generating an alarm, and "[Rr][Ee][Tt][Rr][]+passwd" is the regular expression to match on.
Detecting a string match is only the first step in identifying misuse; once misuse is identified, NetRanger requires further instructions to send an alarm. When the number of occurrences of a particular RecordOfStringName's regular expression matches the Occurrences limit, an action is triggered by the corresponding SigOfStringMatch token.
Step 1 On the Director interface, click a Sensor icon and click Configure on the Security menu.
Step 2 On nrConfigure, double-click Intrusion Detection.
Step 3 Click on the Profile tab.
Step 4 Click Manual Configuration, and then click Modify Sensor.
Step 5 Scroll down to the "Matched Strings" signature and click it.
Step 6 Click Expand to open the String Signatures dialog box.
The String Signatures dialog box (see Figure 8-4) consists of a grid containing the following columns: string to search on, SubSignature ID, port to scan, direction of traffic to scan, the number of string matches to allow before triggering an action, the action to trigger, and destinations for the data captured by the signature.
Step 7 Click Add.
Step 8 Enter [Ss]ecret in the String column.
This regular expression detects instances of the strings "Secret" and "secret".
Step 9 Enter a unique number in the ID column.
Step 10 Enter 23 in the Port column.
TCP Port 23 is the well-known port for Telnet traffic.
Step 11 Select To & From from the Direction list.
Step 12 Enter 1 under Occurrences.
Step 13 Select Reset under Action.
Step 14 Enter a 5 in each destination column.
Step 15 Click OK to save the new signature.
Step 16 Click OK to close the Intrusion Detection dialog box.
Step 17 Click Apply to apply the new signature.
Each time the Sensor detects the string "secret" or "Secret" during a Telnet session, it now resets the user's TCP connection and sends level 5 alarms to all destinations.
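As an added example (not Cisco's or NetRanger's own code), the following Python models the RecordOfStringName token format described earlier and the Telnet signature built in the procedure above: it parses a token line into its six fields, applies the port and direction filter, and counts regular-expression matches until the Occurrences limit fires the action. The SubSignature ID 2102, the packet trace, and the reading of the FTP pattern's "[]+" as a space class "[ ]+" are assumptions.

```python
import re
import shlex
from dataclasses import dataclass

@dataclass
class StringSignature:
    sub_sig_id: int
    port: int
    direction: int    # 1 = to port, 2 = from port, 3 = both
    occurrences: int  # matches to allow before the action fires
    pattern: re.Pattern
    hits: int = 0     # running match count for this signature

def parse_signature(line):
    """Parse one RecordOfStringName token line into its six fields."""
    fields = shlex.split(line)  # shlex keeps the quoted regular expression intact
    if len(fields) != 6 or fields[0] != "RecordOfStringName":
        raise ValueError(f"not a RecordOfStringName line: {line!r}")
    sub_id, port, direction, occurrences = (int(x) for x in fields[1:5])
    if direction not in (1, 2, 3):
        raise ValueError(f"direction must be 1, 2 or 3, got {direction}")
    return StringSignature(sub_id, port, direction, occurrences, re.compile(fields[5]))

def inspect_payload(sig, src_port, dst_port, payload):
    """Count matches in one payload; True once the Occurrences limit is reached."""
    to_port, from_port = dst_port == sig.port, src_port == sig.port
    if not {1: to_port, 2: from_port, 3: to_port or from_port}[sig.direction]:
        return False  # wrong port or wrong direction: payload is not inspected
    sig.hits += len(sig.pattern.findall(payload))
    fired = sig.hits >= sig.occurrences
    sig.hits = 0 if fired else sig.hits  # limit reached: action fires, count restarts
    return fired

SAMPLE_SIGNATURES = [
    # FTP signature from the text; its "[]+" is read here as "[ ]+" (spaces), an assumption
    'RecordOfStringName 2101 21 1 1 "[Rr][Ee][Tt][Rr][ ]+passwd"',
    # Telnet signature from the procedure; SubSignature ID 2102 is a constructed value
    'RecordOfStringName 2102 23 3 1 "[Ss]ecret"',
]
# Constructed packet trace: (source port, destination port, payload)
SAMPLE_TRACE = [
    (40001, 21, "RETR   passwd\r\n"),                       # to port 21: fires 2101
    (21, 40001, "550 retr passwd: Permission denied\r\n"),  # from port 21: 2101 is to-port only
    (40002, 23, "the secret handshake\r\n"),                # to port 23: fires 2102
    (23, 40002, "Secret accepted\r\n"),                     # from port 23: direction 3, fires 2102
    (40003, 80, "GET /secret HTTP/1.0\r\n"),                # port 80: never inspected
]
def run_sample():
    # Returns (packet index, SubSignature ID) for every action fired over the trace
    sigs = [parse_signature(s) for s in SAMPLE_SIGNATURES]
    return [(i, sig.sub_sig_id) for i, (src, dst, data) in enumerate(SAMPLE_TRACE)
            for sig in sigs if inspect_payload(sig, src, dst, data)]
```

Raising the Occurrences field above 1 makes the counter span several packets, so the action fires only when the cumulative match count reaches the limit.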