Event Action Filters

As we could see so far, for every signature there could be one or more actions associated with it. Those actions are per signature, which means that action or actions associated with a signature will be executed for every attacker/victim combination. For instance, let’s go back to our custom signature. Every time anyone tries to get a CONFIDENTIAL.TXT file, an alarm would be generated. However, there could be a user or users which are entitled to get this file and we would not like to prevent them to do so, but we would like to prevent other users to get a file. If we create a custom signature like described in that article, then no exception will be made. This is where Event Action Filters get handy.

In order to modify our custom signature, we need to go to IPS Policies->Event Action Rules and select appropriate virtual sensor’s event action rules entry. In our case it’s once again “vlan4”. On the right hand side select Event Action Filters tab and click Add:

SNAGHTML1518a004

This is how the default settings for new filter look like:

image

The fields are as follows:

  • Name – signature name in text form
  • Enabled – self explanatory
  • Signature ID – this is the ID of a signature that we would like to put a filter on
  • Subsignature ID – this is obvious
  • Attacker IPv4 Address – the IP address or range of addresses we would like to exclude. This is in the form of firstaddress-lastaddress
  • Attacker IPv6 Address – same as previous field
  • Attacker Port – this is TCP/UDP port at the attacker side. Most often we will not change this value.
  • Victim IPv4 Address – the address of the target host (victim)
  • Victim IPv6 Address – same as above
  • Victim Port – the TCP/UDP port of the target (victim)
  • Risk rating – the range of risk level in which we want to actions to subtract
  • Actions to Subtract – this is where we choose what action we would like to remove from the list of actions we configured. By clicking here we have this dialog:

image

Now that we know what are the field meanings, we will do the following: we will prevent all users to access the file except for a user with the IP address of 10.0.0.1, which is the manager who needs to access this file:

image

And the actions we would like to subtract is the only one we have configured – Produce Alert:

image

After selecting Produce Alert, we click OK, OK again and then Apply.

We might want to move the newly created rule at the top of the list so we would have the following situation:

image

If we now try to retrieve the CONFIDENTIAL.TXT file, we should have an event generated by any IP address except of 10.0.0.1.

Advertisements
This entry was posted in Cisco, IPS and tagged , , , , , , , , . Bookmark the permalink.

4 Responses to Event Action Filters

  1. Mike Moein says:

    Hi popravak,

    Thanks for your useful blog! I have some question regarding the IPS devices. My company is looking for a IPS device and I have found Juniper IDP 800 and Cisco IPS 4360.
    Could you please let me know which one is better?

    we just have 3 x Cisco 6509 and 1 Internet router and I want to put that IPS between those 4 devices. we have 4 VLANs.

    Please advise.

    Thanks,
    Mike

    • Sasa says:

      Well, unfortunately, there is no easy answer to this question.

      I have experience with both vendors and both do a good job in preventing attacks. You should perhaps focus on things such as number of interfaces, number of signatures, supported protocols, throughput, technical support, price and your knowledge and experience with specific vendor.

      With Juniper, there is more work with initial setup and maintenance, because you have to install and later manage a dedicated server under RH Linux, so you have to
      have knowledge in Linux. There are steps to be done on both IDP CLI/GUI as well as on NSM server CLI/GUI. Cisco is easier to set up. At least you don’t have to have a dedicated Linux server to install, setup and manage.

      Juniper has a great technical support. I’m not saying Cisco does not, but I never asked Cisco for a help regarding the IPS.

      Cisco has this feature called Global correlation/Reputation filtering, which is great way of speeding the inspection process. With Cisco IPS you can also
      log in to another device, such as router or firewall and block an attacker there. Perhaps Juniper has something like this as well, but I never got to use them.

      You will have to do some research, with your network layout and traffic flow in mind.

      • Mike says:

        I am CCNP (R&S) and a Linux guy so I am familiar with shell and CLI.
        Could you please let me know which one is better on reporting stuff ? do I get reporting tools on NSM and Cisco by free? or should I install and pay for anther software to do that?

        I am always hearing that Juniper security devices are better than Cisco and can detect more attacks. I am really confuse! 🙂

        also I have checked your weblog and saw that on Cisco IPS we can configure Inline VLAN Pairs, which is really cool! and I just need to have 1 interface for different VLANs in inline mode. unfortunately I could not find that feature on Juniper.

        Thank you so much for your time and reply.
        Mike

      • Sasa says:

        Yes, you have reporting for free with both Juniper NSM and Cisco IME.

        Good luck with your implementation!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s