Chapter 26: Signature and Alarm Management

Chapter 26: Signature and Alarm Management

Overview

In this chapter, you will learn how to:

  • Understand the CIDS signature series

  • Recognize signature structure and implementation

  • Make use of signature types

  • Know about signature classes

  • Understand signature series

  • Use signature categories

  • Learn about signature severities

  • View and manage alarms

  • Use Event Viewer customization

  • Configure preference settings

  • Understand the Network Security database

Sensors constantly monitor the network, looking for traffic that matches predefined signatures. Once a signature is matched, an alarm is generated, indicating the severity and signature that was matched. Signatures, which allow your sensors to detect intrusive activity, are a vital component of your IDS system. This chapter describes and details the CIDS signatures.

When the sensor matches a signature, an alarm is sent to the director platform. The director platform is then responsible for notifying security personnel. Each alarm has a severity associated with the matched signature. To insure the security of the network, you must be able to view these alarms using Event Viewer. During an actual attack on your network, sensors can generate a large number of alarms in a short period of time. If you’re unaware of the functionality of the Event Viewer, you can easily become overwhelmed with the number of alarms generated by your network sensors. To help with the understanding of the Event Viewer and the management of alarms, you should first understand the signatures that generate those alarm events.




Part III: Virtual Private Networks (VPNs)