Chapter Review

Signatures represent the intelligence behind your intrusion detection system. To protect your network infrastructure fully, you must understand both how these signatures are structured and what each signature series covers. A signature is a set of rules used to match activity and traffic present on your network. Once a match is made, the signature triggers an alarm.

Signatures are broken down into many different categories to facilitate understanding of how they operate and detect intrusions. All signatures are either content based or context based. Content-based signatures analyze the contents of the network packets, while context-based signatures analyze the protocol headers of the network packets. In addition, every CIDS signature is either:

  • Atomic

  • Composite

Atomic signatures can be matched by analyzing a single network packet. Composite signatures must analyze more than one network packet before a match is made. CIDS signatures also belong to one of four signature classes. The signature classes define the type of attack the signature was designed to detect. The signature classes map closely to the types of attacks discussed in Chapter 23. The four signature classes are as follows:

  • Reconnaissance

  • Informational

  • Access

  • Denial of Service

The final signature category all CIDS signatures belong to is the signature series. The signature series defines the protocol the signature is responsible for analyzing. The CIDS signature series includes the following:

  • 1000 Series Signatures—IP Signatures

  • 2000 Series Signatures—ICMP Signatures

  • 3000 Series Signatures—TCP Signatures

  • 4000 Series Signatures—UDP Signatures

  • 5000 Series Signatures—Web (HTTP) Signatures

  • 6000 Series Signatures—Cross Protocol Signatures

  • 8000 Series Signatures—String Match Signatures

  • 10000 Series Signatures—ACL Policy Violation signatures
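As an added illustration of the categories above (atomic versus composite, content versus context, and the numbered series), here is a small Python model of how a sensor might apply such signatures. It is not CIDS code; the signature IDs, alarm levels, rules and traffic are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

# Series table from the chapter's list: series number -> protocol the series analyses.
SERIES = {1000: "IP", 2000: "ICMP", 3000: "TCP", 4000: "UDP", 5000: "Web (HTTP)",
          6000: "Cross Protocol", 8000: "String Match", 10000: "ACL Policy Violation"}

@dataclass
class Packet:            # constructed, minimal packet model: only the fields the rules read
    src: str
    proto: str           # "TCP", "UDP" or "ICMP"
    dport: int = 0
    payload: bytes = b""

@dataclass
class Signature:
    sig_id: int          # IDs used below are constructed, not real CIDS signature numbers
    kind: str            # "atomic" (one packet) or "composite" (several packets)
    basis: str           # "content" (payload) or "context" (protocol headers)
    alarm_level: int     # 1..5, the alarm levels the chapter names
    rule: Callable       # rule(packet, state) -> bool; state is this signature's memory
    state: dict = field(default_factory=lambda: defaultdict(set))
def series_of(sig_id: int):  # series name, or None if the ID falls in no valid series
    return SERIES.get((sig_id // 1000) * 1000)
def _sweep(p, s):  # composite + context: fire once when a source has hit 3 distinct TCP ports
    if p.proto != "TCP":
        return False
    new_port = p.dport not in s[p.src]
    s[p.src].add(p.dport)
    return new_port and len(s[p.src]) == 3
SIGNATURES = [
    Signature(2100, "atomic", "context", 2,  # one ICMP packet with an oversized length
              lambda p, s: p.proto == "ICMP" and len(p.payload) > 1024),
    Signature(8100, "atomic", "content", 4,  # one packet whose payload holds a watched string
              lambda p, s: b"/etc/passwd" in p.payload),
    Signature(3100, "composite", "context", 3, _sweep),
]
def run_sensor(packets, signatures=SIGNATURES):  # -> [(sig_id, series, alarm_level, src), ...]
    alarms = []
    for p in packets:
        for sig in signatures:
            if sig.rule(p, sig.state):
                alarms.append((sig.sig_id, series_of(sig.sig_id), sig.alarm_level, p.src))
    return alarms

# Constructed traffic: a three-port sweep from 10.0.0.5, a large ping, and a repeated port 80 hit.
TRAFFIC = [Packet("10.0.0.5", "TCP", 22), Packet("10.0.0.5", "TCP", 25),
           Packet("10.0.0.9", "ICMP", payload=b"A" * 1500),
           Packet("10.0.0.5", "TCP", 80, b"GET /etc/passwd HTTP/1.0"), Packet("10.0.0.5", "TCP", 80)]
```

The composite rule keeps per-source state across packets, which is why it fires on the third distinct port and stays quiet on the repeated port 80 packet; the two atomic rules need no state at all.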

The Event Viewer represents your view into your intrusion detection system. Without this powerful application, you would be unaware of the alarms and intrusions on your network. To use the Event Viewer correctly, you should understand the following topics:

  • Managing Alarms

  • Customizing the Event Viewer

  • Preference Settings

You can access the Network Security Database (NSDB) to research information regarding an alarm or a vulnerability. The NSDB is an HTML database containing detailed information on all the CIDS signatures and vulnerabilities. The NSDB also has a User Notes section that allows security administrators to record additional information for later viewing. User Notes are stored within the NSDB.

Review Questions

1. What is a subsignature ID?

  A. The signature ID

  B. The signature ID combined with the host ID

  C. The signature ID combined with the organization ID

  D. The ID of the subsignature associated with the CIDS signature

2. What is the NSDB?

  A. The network security database that contains all CIDS signatures

  B. The network security database that contains all 1000, 2000, 3000, 4000, and 5000 series signatures

  C. The network security database that contains descriptions of all CIDS signatures and vulnerabilities

  D. The network security database located on the sensor and used to define the configured signatures

3. Which of the following accurately lists all the possible alarm levels?

  A. 1, 2, 3, 4, 5

  B. Low, Medium, High

  C. 1, 3, 5

  D. Low, Medium, High, Critical

4. Which of the following accurately lists all the possible severity levels?

  A. 1, 2, 3, 4, 5

  B. Low, Medium, High

  C. 1, 3, 5

  D. Low, Medium, High, Critical

5. Which of the following categories describes the number of packets a signature must analyze to make a match? (Choose two.)

  A. Composite

  B. Context

  C. Atomic

  D. Content

6. Which of the following is an example of a signature class?

  A. Denial of service class

  B. General signature class

  C. String signature class

  D. Access control lists

7. Which of the following signatures have an associated subsignature? (Choose two.)

  A. General signatures

  B. String signatures

  C. Access control lists

  D. Reconnaissance class

8. Which of the following is an example of a signature implementation?

  A. Composite

  B. Atomic

  C. Context

  D. Access class

9. Which of the following signature series is responsible for analyzing the IP protocol?

  A. 2000 series

  B. 1000 series

  C. 4000 series

  D. 9000 series

10. Which of the following is not a valid CIDS signature series?

  A. 2000 series

  B. 5000 series

  C. 7000 series

  D. 10000 series

Answers

1. D. The ID of the subsignature associated with the CIDS signature

2. C. The network security database that contains descriptions of all CIDS signatures and vulnerabilities

3. A. 1, 2, 3, 4, 5

4. B. Low, Medium, High

5. A and C. Composite and Atomic

6. A. Denial of service class

7. B and C. String signatures and access control lists

8. C. Context

9. B. 1000 series

10. C. 7000 series




Part III: Virtual Private Networks (VPNs)