Chapter Review
Chapter Review
Signatures represent the intelligence behind your intrusion detection system. To protect your network infrastructure fully, you must understand both how these signatures are structured and each signature series. A signature is a set of rules used to match activity and traffic present on your network. Once a match is made, the signatures trigger an alarm.
Signatures are broken down into many different categories to facilitate understanding of how they operate and detect intrusions. All signatures are either content based or context based. Content-based signatures analyze the contents of the network packets, while context-based signatures analyze the protocol headers of the network packets. In addition, every CIDS signature is either:
-
Atomic
-
Composite
Atomic signatures can be matched by analyzing a single network packet. Composite signatures must analyze more than one network packet before a match is made. CIDS signatures also belong to one of four signature classes. The signature classes define the type of attack the signature was designed to detect. The signature classes map closely to the types of attacks discussed in Chapter 23. The four signature classes are as follows:
-
Reconnaissance
-
Informational
-
Access
-
Denial of Service
The final signature category all CIDS signatures belong to is the signature series. The signature series defines the protocol the signature is responsible for analyzing. The CIDS signature series includes the following:
-
1000 Series Signatures—IP Signatures
-
2000 Series Signatures—ICMP Signatures
-
3000 Series Signatures—TCP Signatures
-
4000 Series Signatures—UDP Signatures
-
5000 Series Signatures—Web (HTTP) Signatures
-
6000 Series Signatures—Cross Protocol Signatures
-
8000 Series Signatures—String Match Signatures
-
10000 Series Signatures—ACL Policy Violation signatures
The Event Viewer represents your view into your intrusion detection system. Without this powerful application, you would be unaware of the alarms and intrusions on your network. To use the Event Viewer correctly, you should understand the following topics:
-
Managing Alarms
-
Customizing the Event Viewer
-
Preference Settings
You can access the Network Security Database (NSDB) to research information regarding an alarm or a vulnerability. The NSDB is an HTML database containing detailed information on all the CIDS signatures and vulnerabilities. The NSDB also has a User Notes section that allows security administrators to record additional information for later viewing. User Notes are stored within the NSDB.
Review Questions
|
1.? |
What is a subsignature ID?
|
|
|
2.? |
What is the NSDB?
|
|
|
3.? |
Which of the following accurately lists all the possible alarm levels?
|
|
|
4.? |
Which of the following accurately lists all the possible severity levels?
|
|
|
5.? |
Which of the following categories describes the amount of packets a signature must analyze to make a match? (Choose two.)
|
|
|
6.? |
Which of the following is an example of a signature class?
|
|
|
7.? |
Which of the following signatures have an associated subsignature? (Choose two.)
|
|
|
8.? |
Which of the following is an example of a signature implementation?
|
|
|
9.? |
Which of the following signature series is responsible for analyzing the IP protocol?
|
|
|
10.? |
Which of the following is not a valid CIDS signature series?
|
|
Answers
|
1.? |
D. The ID of the subsignature associated with the CIDS signature |
|
2.? |
C. The network security database that contains descriptions of all CIDS ?signatures and vulnerabilities |
|
3.? |
A. 1, 2, 3, 4, 5 |
|
4.? |
B. Low, Medium, High |
|
5.? |
A. and C. Composite and Atomic |
|
6.? |
A. Denial of service class |
|
7.? |
B. and C. String signatures and access control lists |
|
8.? |
C. Context |
|
9.? |
B. 1000 series |
|
10.? |
C. 7000 series |
