Signature and Intrusion Detection Configuration



Slide 0

Chapter 9 Signature and Intrusion Detection Configuration


Slide 1

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- View signature settings and configure their severities and actions.
- Enable or disable signatures.
- Configure connection and string signatures.
- Create signature templates and change which one is used by a Sensor.
- Configure the minimum alarm severity level a Sensor sends to the Director.


Slide 2

Objectives (cont.)

- Configure signature filtering to reduce false positives and tune signature triggering in the user environment.
- Configure signature tuning parameters to customize triggers for the user environment.
- Configure signature port mapping to customize it for the user environment.
- Create ACL signatures that generate alarms when ACL violations are detected in a Cisco IOS router.


Slide 3

Basic Signature Configuration


Slide 4

Viewing the Signature Settings
(Screen callout: Select Signature Template)


Slide 5

Signature Names and Severities
(Screen callouts: Select Signature Template; Signature Name column; Severity column)


Slide 6

Enabling and Disabling Signatures
(Screen callouts: Select Signature Template; Enable checkbox)


Slide 7

Setting Signature Actions
(Screen callouts: Select Signature Template; double-click the Action column to change it)


Slide 8

Connection Signature Type and Port Configuration
(Screen callouts: Select Signature Template; TCP or UDP; port number)


Slide 9

String Signature Configuration
(Screen callouts: Select Signature Template; string pattern; TCP port; traffic direction; number of occurrences)
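
The two slides above describe connection signatures (protocol and port) and string signatures (pattern, TCP port, traffic direction, occurrence count). The following Python is an added example, not code from the original slides or from the Sensor, showing how those fields decide whether an alarm fires. The packet records, the signature IDs, the regular-expression matching and the way the occurrence counter is keyed and reset are assumptions made for illustration.

```python
"""Added example (not from the original slides): evaluating a connection
signature and a string signature against traffic.  The field names mirror
the slide callouts; the Packet record, the signature IDs and the use of a
regular expression for the string pattern are simplifications assumed here,
not the Sensor's own engine."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class ConnectionSignature:
    sig_id: int         # example value, not a real Cisco signature number
    proto: str
    port: int
    severity: str = "Medium"

    def matches(self, pkt: Packet) -> bool:
        # A connection signature fires on any traffic to the protocol/port.
        return pkt.proto == self.proto and pkt.dport == self.port


@dataclass
class StringSignature:
    sig_id: int              # example value
    pattern: bytes           # regular expression searched in the payload
    port: int                # TCP port the string is searched on
    direction: str           # "to" or "from" the protected network
    occurrences: int = 1     # matches required before an alarm fires
    severity: str = "High"
    _counts: Dict[Tuple[str, str], int] = field(
        default_factory=lambda: defaultdict(int))

    def matches(self, pkt: Packet, direction: str) -> bool:
        if pkt.proto != "tcp" or pkt.dport != self.port or direction != self.direction:
            return False
        if not re.search(self.pattern, pkt.payload):
            return False
        key = (pkt.src, pkt.dst)          # assumption: count per src/dst pair
        self._counts[key] += 1
        # Fire when the threshold is reached, then reset so a persistent
        # source yields one alarm per N hits rather than one alarm ever.
        if self._counts[key] >= self.occurrences:
            self._counts[key] = 0
            return True
        return False


def classify_direction(pkt: Packet, protected_prefix: str) -> str:
    """'to' if the destination is inside the protected network, else 'from'."""
    return "to" if pkt.dst.startswith(protected_prefix) else "from"


def run_sensor(packets, conn_sigs, string_sigs, protected_prefix="10.0.1."):
    """Return (sig_id, severity, src, dst) tuples for every alarm raised."""
    alarms = []
    for pkt in packets:
        direction = classify_direction(pkt, protected_prefix)
        for sig in conn_sigs:
            if sig.matches(pkt):
                alarms.append((sig.sig_id, sig.severity, pkt.src, pkt.dst))
        for sig in string_sigs:
            if sig.matches(pkt, direction):
                alarms.append((sig.sig_id, sig.severity, pkt.src, pkt.dst))
    return alarms


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("172.16.9.9", "10.0.1.20", "tcp", 23),                        # telnet connect
    Packet("172.16.9.9", "10.0.1.20", "tcp", 80, b"GET /cgi-bin/phf?Q"),  # string hit 1
    Packet("172.16.9.9", "10.0.1.20", "tcp", 80, b"GET /cgi-bin/phf?x"),  # hit 2 -> alarm
    Packet("10.0.1.20", "172.16.9.9", "tcp", 80, b"GET /cgi-bin/phf"),    # wrong direction
    Packet("172.16.9.9", "10.0.1.20", "udp", 69),                        # tftp connect
]

CONN_SIGS = [ConnectionSignature(3000, "tcp", 23), ConnectionSignature(4000, "udp", 69)]
STRING_SIGS = [StringSignature(8001, rb"/cgi-bin/phf", 80, "to", occurrences=2)]

if __name__ == "__main__":
    for alarm in run_sensor(SAMPLE, CONN_SIGS, STRING_SIGS):
        print(alarm)
```

Note how the occurrence threshold and the direction field both suppress alarms: the second phf request fires the string signature, the reply carrying the same bytes in the other direction does not, and the telnet and TFTP connections fire their connection signatures regardless of payload.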


Slide 10

Signature Templates


Slide 11

What Is a Signature Template?
(Diagram callouts: Sensor Signatures; Templates)


Slide 12

Creating a New Signature Template
(Steps: select and right-click Sensor Signatures; select New > Sensor Signature)


Slide 13

Assigning the Signature Template Used by the Sensor
(Steps: select the Sensor; select the Sensing tab; choose the signature template)


Slide 14

Applying the Signature Template to the Sensor
(Steps: select the Sensor; select the Command tab; check for errors; click Approve Now)


Slide 15

Signature Filtering


Slide 16

Setting the Minimum Level to Send to the Director
(Steps: select the Sensor; select the Filtering tab; set the Minimum Event Level)


Slide 17

Simple Signature Filtering
(Steps: select the Sensor; select the Filtering tab; select the Simple Filtering tab. Fields: signature, sub-signature, address role, IP address and netmask)


Slide 18

Advanced Signature Filtering
(Steps: select the Sensor; select the Filtering tab; select the Advanced Filtering tab. Fields: signature, sub-signature, source address, destination address)
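
Slides 16 through 18 describe three controls that decide which alarms a Sensor forwards: the minimum event level, simple filters keyed on one address role, and advanced filters keyed on a source and destination pair. The Python below is an added example, not code from the slides or from CSPM, applying all three to a constructed alarm batch. The severity ordering, the alarm record layout, the signature IDs and the rule that a filter excludes an alarm only when every one of its fields matches are assumptions for the example.

```python
"""Added example (not from the original slides): the minimum event level,
simple filtering and advanced filtering applied in sequence to alarms.
Filter fields follow the slide callouts; the level ordering, the Alarm
record and the signature IDs are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Severity ordering assumed for the example; CSPM's own names may differ.
LEVELS = {"Info": 1, "Low": 2, "Medium": 3, "High": 4}


@dataclass(frozen=True)
class Alarm:
    sig: int
    subsig: int
    severity: str
    src: str
    dst: str


@dataclass(frozen=True)
class SimpleFilter:
    sig: int
    subsig: Optional[int]      # None means any sub-signature
    role: str                  # "source" or "destination" address role
    network: str               # IP address and netmask, e.g. "10.0.1.0/24"

    def excludes(self, a: Alarm) -> bool:
        if a.sig != self.sig or (self.subsig is not None and a.subsig != self.subsig):
            return False
        addr = a.src if self.role == "source" else a.dst
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.network)


@dataclass(frozen=True)
class AdvancedFilter:
    sig: int
    subsig: Optional[int]
    src_network: str
    dst_network: str

    def excludes(self, a: Alarm) -> bool:
        if a.sig != self.sig or (self.subsig is not None and a.subsig != self.subsig):
            return False
        return (ipaddress.ip_address(a.src) in ipaddress.ip_network(self.src_network)
                and ipaddress.ip_address(a.dst) in ipaddress.ip_network(self.dst_network))


def alarms_sent_to_director(alarms, min_level, simple, advanced):
    """Return the alarms the Sensor forwards after all three controls."""
    sent = []
    for a in alarms:
        if LEVELS[a.severity] < LEVELS[min_level]:
            continue                     # below the minimum event level
        if any(f.excludes(a) for f in simple):
            continue                     # simple filter: one address role
        if any(f.excludes(a) for f in advanced):
            continue                     # advanced filter: src AND dst
        sent.append(a)
    return sent


# Constructed alarm batch (not real Sensor output); IDs are placeholders.
ALARMS = [
    Alarm(2004, 0, "Info",   "10.0.1.5",   "10.0.1.20"),   # too low to forward
    Alarm(3050, 0, "Medium", "10.0.1.7",   "10.0.1.20"),   # in-house scanner
    Alarm(3050, 0, "Medium", "172.16.9.9", "10.0.1.20"),   # same sig, outside host
    Alarm(6100, 3, "High",   "10.0.1.40",  "10.0.1.41"),   # trusted host pair
    Alarm(6100, 3, "High",   "10.0.1.40",  "10.0.1.99"),   # same src, other dst
]
SIMPLE = [SimpleFilter(3050, None, "source", "10.0.1.7/32")]
ADVANCED = [AdvancedFilter(6100, 3, "10.0.1.40/32", "10.0.1.41/32")]

if __name__ == "__main__":
    for a in alarms_sent_to_director(ALARMS, "Low", SIMPLE, ADVANCED):
        print(a)
```

The difference between the two filter types is visible in the last two alarms: the advanced filter silences the trusted pair but still forwards the same signature from the same source toward a host that is not in the pair, which a simple filter on the source address alone would have hidden.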


Slide 19

Advanced Signature Configuration


Slide 20

Signature Tuning
(Steps: select the Sensor; select the Sensing tab; select the Signature Tuning Parameters tab. Fields: parameter names and parameter values)


Slide 21

Signature Port Mapping
(Steps: select the Sensor; select the Sensing tab; select the Port Mapping tab; click OK)


Slide 22

ACL Signatures Configuration


Slide 23

Creating ACL Signatures
(Steps: select the signature template; select the ACL Signatures tab; click Add; click OK)


Slide 24

Defining Syslog Sources
(Steps: select the Sensor; select the Monitoring tab; click Add; click OK)
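
An ACL signature (slides 23 and 24) does not inspect packets; it reads the syslog messages a Cisco IOS router emits when an access-list entry carrying the log keyword is hit, and the router must be defined as a syslog source on the Sensor for those messages to arrive. The Python below is an added example, not code from the slides or from the Sensor, of that detection logic over constructed IOS syslog lines. The %SEC-6-IPACCESSLOGP/DP/NP message formats are the documented IOS ones; the syslog lines themselves, the watched access-list numbers and the alarm record layout are constructed for the example.

```python
"""Added example (not from the original slides): turning Cisco IOS ACL log
messages into ACL-signature alarms.  The message formats are the IOS ones
(%SEC-6-IPACCESSLOGP for tcp/udp with ports, IPACCESSLOGDP for icmp with
type/code, IPACCESSLOGNP for other protocols); the sample lines and the
alarm dictionary layout are constructed for illustration.

Router side (IOS, shown for context; addresses are placeholders):
    access-list 101 deny tcp any host 10.0.P.3 eq 23 log
    logging trap informational      <- ACL messages are severity 6
    logging <sensor-address>
"""
import re
from typing import Dict, List, Optional

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \([^)]*\))?"                    # optional log-input interface/MAC
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of an IOS ACL log message, or None for other syslog."""
    m = ACL_LOG_RE.search(line)
    return m.groupdict() if m else None


def acl_signature_alarms(lines: List[str], watched_acls, min_packets: int = 1):
    """One alarm per denied-entry log message for the access lists watched.

    IOS logs the first packet of a flow, then a summary roughly every five
    minutes with a packet count, so min_packets lets a signature ignore
    isolated single-packet hits and alarm only on sustained ones.
    """
    alarms = []
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] not in watched_acls or rec["action"] != "denied":
            continue
        if int(rec["count"]) < min_packets:
            continue
        alarms.append({
            "acl": rec["acl"],
            "proto": rec["proto"],
            "src": rec["src"], "sport": rec["sport"],
            "dst": rec["dst"], "dport": rec["dport"],
            "icmp": rec["icmp"],
            "packets": int(rec["count"]),
        })
    return alarms


# Constructed syslog lines (not captured from a router).  <190> is the
# syslog priority for facility local7, severity informational.
SYSLOG = [
    "<190>45: *Mar  1 02:10:14.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "172.30.1.9(41022) -> 10.0.1.3(23), 1 packet",
    "<190>46: *Mar  1 02:10:41.338: %SEC-6-IPACCESSLOGDP: list 101 denied icmp "
    "172.30.1.9 -> 10.0.1.3 (8/0), 4 packets",
    "<190>47: *Mar  1 02:11:02.901: %SEC-6-IPACCESSLOGP: list 120 permitted udp "
    "10.0.1.3(1029) -> 10.0.1.4(514), 1 packet",
    "<190>48: *Mar  1 02:15:14.130: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "172.30.1.9(41022) -> 10.0.1.3(23), 17 packets",
    "<187>49: *Mar  1 02:15:20.000: %LINK-3-UPDOWN: Interface Ethernet0/1, "
    "changed state to up",
]

if __name__ == "__main__":
    for alarm in acl_signature_alarms(SYSLOG, {"101"}):
        print(alarm)
```

Two practical checks follow from this: an ACL entry without the log keyword never produces a message, so the signature is silent no matter how often it is hit, and a router whose logging trap level is below informational drops the %SEC-6 messages before they reach the Sensor.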


Slide 25

Summary

- All signature severities and actions are modified in the signature template in CSPM.
- Signatures can be enabled or disabled.
- Connection and string signatures are configured in the signature template in CSPM.
- Many signature templates can be created; a given signature template is applied to one or many Sensors.
- The minimum alarm severity level can be configured on a Sensor to limit the alarms sent to the Director.
- Signature filtering reduces false positives and other undesired alarms.
- Signature parameter tuning is used to customize signature triggers in the user environment.
- Signature port mapping is used to customize port-to-signature settings in the user environment.
- ACL signatures generate alarms when ACL violations are detected in a Cisco IOS router.


Slide 26

Lab: Signatures Configuration


Slide 27

CSPM Lab Visual Objective

Pod P (your pod) and Pod Q (peer pod) are mirror images joined by the 172.30.1.0/24 backbone:

- Router rP: e0/0 = 172.30.1.P (backbone); e0/1 = 10.0.P.1 on the pod network 10.0.P.0/24.
- Router rQ: e0/0 = 172.30.1.Q (backbone); e0/1 = 10.0.Q.1 on the pod network 10.0.Q.0/24.
- CSPM Director in Pod P: 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = directorP, Org Name = podP).
- CSPM Director in Pod Q: 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = directorQ, Org Name = podQ).
- sensorP and idsmP occupy the .4 and .6 addresses of 10.0.P.0/24; sensorQ and idsmQ occupy the .4 and .6 addresses of 10.0.Q.0/24.

