Cisco IPS Event Summarization

One thing an intruder could try in order to evade detection is hammering our IPS with so many events that the IPS becomes too busy handling events to do its actual job. This is where summarization comes into play.

So, what is this summarization all about? Well, let’s focus on our custom signature that we created earlier. Here is our custom signature with the focus on summarization fields:

[Screenshot: the custom signature's summarization fields]

Here are the field descriptions:

  • Summary Mode can be:
    • Fire All – every time an attack happens, record an event. This is not something we would want in a production network. It is good for testing purposes, though.
    • Fire Once – when an attack happens, record an event and then forget about it for all eternity. I guess this is not what we want either.
    • Summarize – this is the default setting. With this setting enabled, two additional fields are available to us:
      • Summary Interval – given in seconds, this is the time interval during which the IPS will not record additional events after the initial one. The default is 15 seconds. This means that once the first attack is recorded, no further events related to this attack are logged for 15 seconds. So if we receive a hundred such attacks in 15 seconds, only two events are recorded: the first, which is a normal event, and a summary event after the 15 second period that says how many times we were hit by this attack in that period. If the attack keeps on, we receive a summary event for every 15 second period.
      • Summary Key – the criterion, or key, by which the IPS decides how to create a summary event. By default this is the attacker address, which means that if one attacker triggers our signature, one regular event and one summary are generated. If we had two attackers, two regular and two summary events would be generated for the period, and so on. If we instead set the victim address as the Summary Key, two attackers would produce only one regular and one summary event, because there is only one victim.

Now let’s pay attention to one more important thing concerning event generation – the Event Counter fields:

[Screenshot: the custom signature's Event Counter fields]

Here we have two important values to deal with. These fields tell the IPS when to generate the first event. Not the summary, but the first event that triggered our signature. These fields are:

  • Event Count – how many hits we tolerate before recording an event. Usually this is one, which means that if we get hit once, an event is triggered. If we set two here, one hit would not record an event, but two hits would. The key for triggering is by default the attacker address. This means that if we set Event Count to two, one attacker would not trigger an event, but two (distinct) attackers would.
  • Event Count Key – the key used for that counting, as explained above.

Finally, to make this article complete, Global Summary should be explained. If it is turned on, we need to specify a Global Summary Threshold as a number of attacks. If we set a hundred here, the IPS would generate one global summary event for ALL attackers within the specified time window, 15 seconds in our case.

Now let’s take a look at the following snapshot:

[Screenshot: two attackers hitting the sensor, with and without Global Summary]

If we did not specify a global summary and two attackers hit us once each, the IPS would record two normal events. After a period of 15 seconds, two additional events, the summaries, would be generated, one per attacker, stating how many times that attacker hit us within this period. So in total we would have FOUR events recorded within the specified period.

If we now turned on Global Summarization with a Global Summary Threshold of two and repeated the above scenario, a total of THREE events would be recorded: two for the initial hits, one per attacker, and one for all attackers (two in this case) within the specified period. If we scaled up the number of attackers and hits, we would see that Global Summarization saves a lot of events/logs and thus processor cycles.
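To make the counting in the scenarios above concrete, here is an added Python model of the summarization behaviour described in this article (Event Count, Summary Interval, Summary Key and Global Summary). It is not Cisco's code and not taken from the sensor; it is a simulator that replays a constructed list of signature hits and returns the events a sensor configured this way would log. Two details the article leaves open are modelling assumptions here: the triggering hit is included in the summary count, and a key that is still being hit when a period ends stays in summary mode for the next period (producing only summaries) while a key that went quiet returns to normal mode.

```python
from dataclasses import dataclass


@dataclass
class SigConfig:
    """The signature fields discussed in the article (defaults match the defaults described)."""
    event_count: int = 1            # hits tolerated before the first regular event fires
    summary_interval: float = 15.0  # seconds during which further hits are only counted
    summary_key: str = "attacker"   # "attacker" (default) or "victim"
    global_summary: bool = False
    global_threshold: int = 100     # hits in one period that collapse all summaries into one


@dataclass(frozen=True)
class Hit:
    t: float        # seconds since the start of the capture (constructed values)
    attacker: str
    victim: str


def _key(hit: Hit, cfg: SigConfig) -> str:
    return hit.attacker if cfg.summary_key == "attacker" else hit.victim


def summarize(hits, cfg: SigConfig):
    """Replay hits through the summarization model; return the events the sensor would log."""
    events = []
    pending = {}        # key -> hits seen so far that are still below event_count
    window_counts = {}  # key -> hits counted in the current summary period
    window_start = None

    def close_period():
        nonlocal window_start
        total = sum(window_counts.values())
        active = {k: n for k, n in window_counts.items() if n > 0}
        if cfg.global_summary and total >= cfg.global_threshold:
            # one global summary for all attackers hit in this period
            events.append({"type": "global-summary", "keys": sorted(active), "count": total})
        else:
            for k, n in sorted(active.items()):
                events.append({"type": "summary", "key": k, "count": n})
        # assumption: keys still being hit stay in summary mode; quiet keys leave it
        window_counts.clear()
        window_counts.update({k: 0 for k in active})
        window_start = window_start + cfg.summary_interval if active else None

    for hit in sorted(hits, key=lambda h: h.t):
        # close every summary period that ended before this hit arrived
        while window_start is not None and hit.t >= window_start + cfg.summary_interval:
            close_period()
        k = _key(hit, cfg)
        if k in window_counts:
            window_counts[k] += 1     # already summarizing this key: count only, log nothing
            continue
        pending[k] = pending.get(k, 0) + 1
        if pending[k] < cfg.event_count:
            continue                  # tolerated hit, nothing logged yet
        # Event Count reached: log the regular event and start summarizing this key
        pending[k] = 0
        events.append({"type": "regular", "key": k, "t": hit.t})
        if window_start is None:
            window_start = hit.t
        window_counts[k] = 1          # assumption: the triggering hit is counted

    if window_start is not None:
        close_period()
    return events


def two_attackers_once_each():
    """The article's scenario: two attackers, one hit each, within one 15 second period."""
    return [Hit(0.0, "10.0.0.1", "192.0.2.10"), Hit(1.0, "10.0.0.2", "192.0.2.10")]


if __name__ == "__main__":
    without = summarize(two_attackers_once_each(), SigConfig())
    with_global = summarize(two_attackers_once_each(),
                            SigConfig(global_summary=True, global_threshold=2))
    print(len(without), "events without Global Summary:", without)
    print(len(with_global), "events with Global Summary:", with_global)
```

Running it reproduces the article's FOUR versus THREE events; the same function shows the hundred-hits case (one regular event plus one summary), the victim-address Summary Key case (one regular and one summary for two attackers), and a sustained attack producing one summary per period with no further regular events.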

This entry was posted in Cisco, IPS.