Enterasys Intrusion Prevention System User manual

P/N 9034379-05
Enterasys®
Intrusion Prevention System
Creating Network Sensor Policies and Signatures


Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and
its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such
changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF
OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF
ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF
SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2011 Enterasys Networks, Inc. All rights reserved.
Part Number: 9034379-05 November 2011
ENTERASYS, ENTERASYS DRAGON, ENTERASYS NETSIGHT, ENTERASYS NETWORKS, and any logos associated
therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. For a
complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
Adobe, Acrobat, and Acrobat Reader are registered trademarks of Adobe Systems Incorporated.
Intel, Intel Pentium, Xeon, Celeron, and Pentium II are trademarks or registered trademarks of Intel Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
FireWall-1, OPSEC and Check Point are trademarks or registered trademarks of Check Point Software Technologies Ltd.
Dell and PowerEdge are trademarks of Dell Inc.
IPX/SPX, Novell and NetWare are trademarks or registered trademarks of Novell, Inc.
Linux is a trademark of Linus Torvalds.
Microsoft, Windows, and Windows NT are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation.
Red Hat is a registered trademark of Red Hat, Inc.
Solaris is a trademark of Sun MicroSystems, Inc.
SPARC is a registered trademark of SPARC International, Inc.
Sun and Java are trademarks or registered trademarks of Sun Microsystems, Inc.
UNIX is a registered trademark of The Open Group.
Product Series Name includes software whose copyright is licensed from MySQL AB.
Product Series Name contains a proprietary operating system based on Linux.
GNU general public License Copyright (C) 1989, 1991 Free Software Foundation, Inc.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Support Site URL: http://www.enterasys.com/support
Documentation URL: https://extranet.enterasys.com/downloads/

Embedded Software Copyrights
Bleeding Snort
Copyright (c) 2005, Bleedingsnort.com
All rights reserved. Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met: * Redistributions of source code must retain the above
copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must
reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution. * Neither the name of the nor the names of its contributors
may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Enterasys Networks, INC. Software License Agreement
This document is an agreement (“Agreement”) between You, the end user, and Enterasys Networks, Inc. on behalf of itself and
its Affiliates (“Enterasys”) that sets forth your rights and obligations with respect to the software contained in CD-ROM or
other media. “Affiliates” means any person, partnership, corporation, limited liability company, or other form of enterprise that
directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the
party specified. BY INSTALLING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY THE TERMS
OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND DISCLAIMER
OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE UNOPENED PRODUCT TO
ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL
REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, INC. (978) 684-1000.
Attn: Legal Department.
Enterasys will grant You a non-transferable, non-exclusive license to use the machine-readable form of software (the “Licensed
Software”) and the accompanying documentation (the Licensed Software, the media embodying the Licensed Software, and the
documentation are collectively referred to in this Agreement as the “Licensed Materials”) on one single computer if You agree
to the following terms and conditions:
1. TERM. This Agreement is effective from the date on which You open the package containing the Licensed Materials. You
may terminate the Agreement at any time by destroying the Licensed Materials, together with all copies, modifications and
merged portions in any form. The Agreement and your license to use the Licensed Materials will also terminate if You fail to
comply with any term or condition herein.
2. GRANT OF SOFTWARE LICENSE. The license granted to You by Enterasys when You open this sealed package
authorizes You to use the Licensed Software on any one, single computer only, or any replacement for that computer, for internal
use only. A separate license, under a separate Software License Agreement, is required for any other computer on which You or
another individual or employee intend to use the Licensed Software. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED
MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT.
3. RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS. Except as expressly permitted in this
Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or
reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse
engineer the Licensed Software, or to translate the Licensed Software into another computer language.
The media embodying the Licensed Software may be copied by You, in whole or in part, into printed or machine readable
form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. However, You agree
not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your
possession for said purposes without Enterasys’ prior written consent, and in no event shall You operate more than one copy of
the Licensed Software. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the
location of the original media and all copies of the Licensed Software, in whole or in part, made by You. You may modify the
machine-readable form of the Licensed Software for (1) your own internal use or (2) to merge the Licensed Software into other
program material to form a modular work for your own use, provided that such work remains modular, but on termination of
this Agreement, You are required to completely remove the Licensed Software from any such modular work. Any portion of the
Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall
remain subject to all the terms and conditions of this Agreement.
You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed
Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software
or any such modular work containing the Licensed Software or any part thereof.
4. TITLE AND PROPRIETARY RIGHTS.
(a) The Licensed Materials are copyrighted works and are the sole and exclusive property of Enterasys, any company or a
division thereof which Enterasys controls or is controlled by, or which may result from the merger or consolidation
with Enterasys (its “Affiliates”), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed
Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You
shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion
thereof, to any other party.
(b) You further acknowledge that in the event of a breach of this Agreement, Enterasys shall suffer severe and irreparable
damages for which monetary compensation alone will be inadequate. You therefore agree that in the event of a breach
of this Agreement, Enterasys shall be entitled to monetary damages and its reasonable attorney’s fees and costs in
enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available
to Enterasys.
5. PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your
employees and agents may have access to private or confidential information owned or controlled by Enterasys relating to the
Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such
information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or
agents under this Agreement or in contemplation hereof shall be and shall remain Enterasys’ exclusive property, and You shall
use your best efforts (which in any event shall not be less than the efforts You take to ensure the confidentiality of your own
proprietary and other confidential information) to keep, and have your employees and agents keep, any and all such information
and data confidential, and shall not copy, publish, or disclose it to others, without Enterasys’ prior written approval, and shall
return such information and data to Enterasys at its request. Nothing herein shall limit your use or dissemination of information
not actually derived from Enterasys or of information which has been or subsequently is made public by Enterasys, or a third
party having authority to do so.
You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without
limitation the object or source code (if provided) of the Licensed Software, to any party other than Enterasys or its employees,
except for purposes specifically related to your use of the Licensed Software on a single computer as expressly provided in this
Agreement, without the prior written consent of Enterasys. You agree to use your best efforts and take all reasonable steps to
safeguard the Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized
copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys
of any unauthorized use thereof. You acknowledge that the Licensed Materials contain valuable confidential information and
trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Enterasys or its Affiliates and/or
its/their software suppliers.
6. MAINTENANCE AND UPDATES. Updates and certain maintenance and support services, if any, shall be provided to
You pursuant to the terms of an Enterasys Service and Maintenance Agreement, if Enterasys and You enter into such an
agreement. Except as specifically set forth in such agreement, Enterasys shall not be under any obligation to provide Software
Updates, modifications, or enhancements, or Software maintenance and support services to You.
7. DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this
Agreement, including a failure to pay any sums due to Enterasys, or in the event that You become insolvent or seek protection,
voluntarily or involuntarily, under any bankruptcy law, Enterasys may, in addition to any other remedies it may have under
law, terminate the License and any other agreements between Enterasys and You.
(a) Immediately after any termination of the Agreement or if You have for any reason discontinued use of Software, You
shall return to Enterasys the original and any copies of the Licensed Materials and remove the Licensed Software from
any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of
your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned
to Enterasys.
(b) Sections 4, 5, 7, 8, 9, 10, 11, and 12 shall survive termination of this Agreement for any reason.
8. EXPORT REQUIREMENTS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the
U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products
to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining
such license may be relied upon by the exporting party.
If the Licensed Materials are exported from the United States pursuant to the License Exception CIV under the U.S. Export
Administration Regulations, You agree that You are a civil end user of the Licensed Materials and agree that You will use the
Licensed Materials for civil end uses only and not for military purposes.
If the Licensed Materials are exported from the United States pursuant to the License Exception TSR under the U.S. Export
Administration Regulations, in addition to the restriction on transfer set forth in Section 4 of this Agreement, You agree not to
(i) reexport or release the Licensed Software, the source code for the Licensed Software or technology to a national of a country
in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Kyrgyzstan,
Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People’s Republic of China, Russia, Tajikistan, Turkmenistan,
Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to
Country Groups D:1 or E:2 (as defined herein) the direct product of the Licensed Software or the technology, if such foreign
produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the
direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2
the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national
security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S.
Munitions List.

9. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private
expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a)
through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is
proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Licensed Materials are
considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use,
duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.
10. LIMITED WARRANTY AND LIMITATION OF LIABILITY. The only warranty Enterasys makes to You in connection
with this license of the Licensed Materials is that if the media on which the Licensed Software is recorded is defective, it will be
replaced without charge, if Enterasys in good faith determines that the media and proof of payment of the license fee are
returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.
NEITHER ENTERASYS NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR
IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS". THE LIMITED WARRANTY
AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY
DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. ONLY
TO THE EXTENT SUCH EXCLUSION OF ANY IMPLIED WARRANTY IS NOT PERMITTED BY LAW, THE DURATION OF
SUCH IMPLIED WARRANTY IS LIMITED TO THE DURATION OF THE LIMITED WARRANTY SET FORTH ABOVE. YOU
ASSUME ALL RISK AS TO THE QUALITY, FUNCTION AND PERFORMANCE OF THE LICENSED MATERIALS. IN NO
EVENT WILL ENTERASYS OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR
DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR
CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED
MATERIALS, TO ANY PARTY EVEN IF ENTERASYS OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. IN NO EVENT SHALL ENTERASYS OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES
OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS.
Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or
limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited
warranty gives You specific legal rights, and You may also have other rights which vary from state to state.
11. JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in
accordance with the laws and in the State and Federal courts of the Commonwealth of Massachusetts, without regard to its rules
with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980
United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information
Transactions Act shall apply to this Agreement.
12. GENERAL.
(a) This Agreement is the entire agreement between Enterasys and You regarding the Licensed Materials, and all prior
agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and
canceled.
(b) This Agreement may not be changed or amended except in writing signed by both parties hereto.
(c) You represent that You have full right and/or authorization to enter into this Agreement.
(d) This Agreement shall not be assignable by You without the express written consent of Enterasys. The rights of
Enterasys and Your obligations under this Agreement shall inure to the benefit of Enterasys’ assignees, licensors, and
licensees.
(e) Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.
(f) The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined
to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall
nevertheless be binding on and enforceable by and between the parties hereto.
(g) Enterasys’ waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire
understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations,
statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall
supersede this Agreement.
(h) Should You have any questions regarding this Agreement, You may contact Enterasys at the address set forth below.
Any notice or other communication to be sent to Enterasys must be mailed by certified mail to the following address:
ENTERASYS NETWORKS, INC., 50 Minuteman Road, Andover, MA 01810 Attn: Manager - Legal Department.

Contents
About This Guide
Intended Audience .............................................................................................................................................xi
Version Support .................................................................................................................................................xi
Related Documents ...........................................................................................................................................xi
Conventions ...................................................................................................................................................... xii
Getting Help ...................................................................................................................................................... xii
Chapter 1: Network Sensor Overview
Enterasys IPS Network Sensors .................................................................................................................... 1-1
Virtual Network Sensors ........................................................................................................................... 1-2
Network Sensor Policies ................................................................................................................................. 1-2
Network Sensor Policy Modules .............................................................................................................. 1-4
Network Sensor Signatures ............................................................................................................................ 1-9
Signature Libraries and Event Groups ................................................................................................... 1-10
Basic and Extended Signatures ............................................................................................................. 1-14
Configuring Port Macros ............................................................................................................................... 1-14
Procedure ............................................................................................................................................... 1-15
Chapter 2: Creating Network Sensor Policies
Creating New Policies .................................................................................................................................... 2-1
Copying Existing Policies ............................................................................................................................... 2-3
Configuring the Application Filter Module ....................................................................................................... 2-3
General Settings Tab ............................................................................................................................... 2-4
IP Settings Tab ......................................................................................................................................... 2-6
Port Settings Tab ..................................................................................................................................... 2-8
Protocol Settings Tab ............................................................................................................................. 2-11
VLAN Settings Tab ................................................................................................................................. 2-13
Probe Settings Tab ................................................................................................................................ 2-14
Rule Settings Tab ................................................................................................................................... 2-16
Signature Settings Tab ........................................................................................................................... 2-18
Configuring the Covert Channel Analysis Module ........................................................................................ 2-20
Backdoor Settings .................................................................................................................................. 2-20
Fast ICMP Settings ................................................................................................................................ 2-21
Enable Loki Check Setting ..................................................................................................................... 2-21
Procedure ............................................................................................................................................... 2-21
Configuring the DoS Check Module ............................................................................................................. 2-22
Procedure ............................................................................................................................................... 2-23
Configuring the Dragon Filter Module ........................................................................................................... 2-24
Writing a Filter Rule ................................................................................................................................ 2-25
Procedure ............................................................................................................................................... 2-26
Configuring the Dynamic Module ................................................................................................................ 2-28
Procedure ............................................................................................................................................... 2-28
Configuring the Header Search Module ...................................................................................................... 2-29
Specifying Search Strings ...................................................................................................................... 2-29
Procedure ............................................................................................................................................... 2-30
Example ................................................................................................................................................. 2-31
Configuring the Logging Module ................................................................................................................... 2-31
Procedure ............................................................................................................................................... 2-32
Configuring the Network Layer Module ........................................................................................................ 2-33
General Settings Tab ............................................................................................................................. 2-34

Log Option Tab ...................................................................................................................................... 2-39
Log Protocol Tab .................................................................................................................................... 2-41
Log Frag Tab .......................................................................................................................................... 2-42
Log Static Tab ........................................................................................................................................ 2-44
Log Broadcast Tab ................................................................................................................................. 2-46
Configuring the Probe Detection Module ...................................................................................................... 2-47
Procedure ............................................................................................................................................... 2-48
Configuring the Protocol Analysis Module .................................................................................................... 2-50
DNS Analysis Configuration ................................................................................................................... 2-51
FTP Analysis Configuration .................................................................................................................... 2-54
Finger Analysis Configuration ................................................................................................................ 2-56
H.225 Analysis Configuration ................................................................................................................. 2-58
H.245 Analysis Configuration ................................................................................................................. 2-61
HTTP Analysis Configuration ................................................................................................................. 2-63
ICMP Analysis Configuration ................................................................................................................ 2-66
MGCP Analysis Configuration ................................................................................................................ 2-69
RIP Analysis Configuration .................................................................................................................... 2-72
RPC Analysis Configuration ................................................................................................................... 2-74
SIP Analysis Configuration ..................................................................................................................... 2-78
SMB Analysis Configuration ................................................................................................................... 2-81
SNMP Analysis Configuration ................................................................................................................ 2-83
Telnet Analysis Configuration ................................................................................................................ 2-85
Configuring the SNMP Trap Module ............................................................................................................. 2-88
Procedure ............................................................................................................................................... 2-88
Configuring the TCP State Module ............................................................................................................... 2-89
Procedure ............................................................................................................................................... 2-89
Configuring the Transport Layer Module ...................................................................................................... 2-91
General Settings Tab ............................................................................................................................. 2-91
Stream Rebuilding Tab .......................................................................................................................... 2-94
Flags Tab ............................................................................................................................................... 2-96
Log Syn Tab ........................................................................................................................................... 2-97
Log Session Tab .................................................................................................................................... 2-99
Log Start Stop Tab ............................................................................................................................... 2-101
Log Destination Tab ............................................................................................................................. 2-103
Log Server Tab .................................................................................................................................... 2-105
Log Syn Pattern Tab ............................................................................................................................ 2-108
Log Pairs Tab ....................................................................................................................................... 2-109
Chapter 3: Creating Network Sensor Signatures
Signature Overview ........................................................................................................................................ 3-1
Resource-Based Signatures .................................................................................................................... 3-1
Suspicious Traffic ..................................................................................................................................... 3-2
Server Messages ..................................................................................................................................... 3-2
Indirect Signatures ................................................................................................................................... 3-2
Tips for Creating Signatures .................................................................................................................... 3-3
Creating Custom Signature Libraries ............................................................................................................. 3-5
Signatures and Live Update ..................................................................................................................... 3-5
Creating a Custom Library ....................................................................................................................... 3-6
Copying Existing Signatures Into a Custom Library ................................................................................. 3-8
Using the Signature Filter Dialog ............................................................................................................. 3-9
Creating Custom Signatures ........................................................................................................................ 3-12
Configuring Basic Signature Properties ................................................................................................. 3-14
Configuring Extended Signature Properties ........................................................................................... 3-21
Creating Custom Event Groups .................................................................................................................... 3-43
Example of Signature Creation ..................................................................................................................... 3-44
Appendix A: Keywords/XML Attributes
6.x to 7.x Mappings ........................................................................................................................................A-1
Network Sensor Signature Fields .................................................................................................................A-60
Host Sensor Mappings .................................................................................................................................A-61
Agent Mappings ............................................................................................................................................A-61
Index

Creating Network Sensor Policies and Signatures xi
About This Guide
The Enterasys Intrusion Prevention System (IPS) is a solution consisting of an Intrusion Detection
System (IDS), active response, and intrusion prevention. Enterasys IPS administrators can
configure a variety of elements. Administrators are responsible for configuring Network Sensors,
Host Sensors, and the management tools of the Enterprise Management Server (EMS). Depending
on your administrative role, you have access to the root of the operating system, XML, and/or the
GUI configuration methods. It is recommended that all configuration available through the GUI
be performed using the GUI. XML configuration is described in the Configuration Guide.
This guide describes how to create network sensor policies and signatures. This guide does not
describe how to add network sensor nodes or virtual sensors to your managed Enterasys IPS
environment. Refer to the Configuration Guide for information about using the EMS client GUI to
set up and manage your Enterasys IPS environment. Refer to Creating Host Sensor Policies for
information on creating host sensor policies.
Intended Audience
This document is intended for experienced network administrators who are responsible for
implementing and maintaining an Intrusion Prevention System.
Version Support
This guide supports Enterasys Intrusion Prevention System Version 7.4, and higher.
Related Documents
The Enterasys IPS user documentation listed below is available from
https://extranet.enterasys.com/downloads.
Enterasys IPS Document Title: Description
Appliance Hardware Installation Guide: Describes how to set up the Enterasys IPS appliances.
Configuration Guide: Describes how to configure Enterasys IPS using GUI management tools. It also describes the placement of Enterasys IPS components within your network.
Creating Host Sensor Policies: Describes how to create custom Host Sensor policies.
Creating Network Sensor Policies and Signatures: Describes how to create custom Network Sensor policies and signatures.
Analysis and Reporting Guide: Describes the Enterasys IPS reporting tools. Reporting tools available from the command line are described in the Command Line Tools Reference.
Command Line Tools Reference: Describes the forensics command line tools you can use to analyze the events database or a single dragon.db file.
Conventions
The following conventions are used in this document.
<installdir>: Indicates to enter the path where you installed Enterasys IPS. The default directory is /usr/dragon.
bold type: Actual user input values or names of screens and commands.
blue type: Indicates a hypertext link. When reading this document online, click the text in blue to go to the referenced figure, table, or section.
italic type: User input value required.
courier: Used for command-level input or output.
Getting Help
For additional support, contact Enterasys Networks using one of the following methods:
World Wide Web: http://www.enterasys.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1888. For the Enterasys Networks Support toll-free number in your country, see http://www.enterasys.com/support.
Email: [email protected]. To expedite your message, please type [dragon] in the subject line.
Before contacting Enterasys Networks for technical support, have the following information ready:
• Your Enterasys Networks service contract number
• A description of the failure
• A description of any action(s) already taken to resolve the problem (for example, changing mode switches and rebooting the unit)
• The serial and revision numbers of all involved Enterasys Networks products in the network
• A description of your network environment (for example, layout and cable type)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, have you returned the device before, is this a recurring problem)
• Any previous Return Material Authorization (RMA) numbers

Chapter 1: Network Sensor Overview
This chapter provides an overview of Network Sensor operation and explains what network
sensor policies and signatures are. This chapter also includes information about configuring port
macros, which can be used in network sensor policies and signatures.
Enterasys IPS Network Sensors
The Enterasys IPS Network Sensor is a packet-based Network Intrusion Detection System (NIDS)
and response system. It collects network packets and analyzes them for a variety of suspicious
activities. Suspicious activity may indicate network abuse, probes, intrusions, or vulnerabilities.
The Network Sensor also monitors network packets for computer criminals, hackers, employee
misuse, and network anomalies. Multiple Network Sensors can operate jointly to provide
enterprise coverage of complex networks that are managed by the Enterprise Management Server
(EMS). Network Sensor can send pages and email alerts when it detects suspicious events while
taking action to stop the event and record the event for future forensic analysis. It can take action
to shut down the connection to avoid further damage.
Network Sensors typically are deployed at network aggregation points and ensure the validity of
traffic in layers two, three, and four. The sensors can reassemble fragmented frames and
reconstruct TCP and UDP streams to counteract detection evasion tools. Network Sensors use
signature-based pattern matching, protocol analysis and decoding, and anomaly detection
techniques.
When an attack is detected, Network Sensor employs a variety of active response techniques to
block the would-be intruder, including taking action to stop the sessions and reconfiguring
firewall policies or switch and router Access Control Lists. Network Sensor offers deep forensic
capabilities, including flexible packet capture and complete session information (such as
information about HTTP, FTP, POP, and certain IPs or networks) needed to analyze network-based
attacks.
For information about... Refer to page...
Enterasys IPS Network Sensors 1-1
Network Sensor Policies 1-2
Network Sensor Signatures 1-9
Configuring Port Macros 1-14
Network Sensor features include:
• Open tunable signatures which allow implementation, modification, and custom creation of a
set of signatures designed to detect the attacks that apply to each unique environment
• Multi-interface monitoring that combines multiple network interfaces into a single traffic
stream for analysis, enabling a dual-tap solution
• IP defragmentation and TCP/UDP stream reassembly that identifies attackers who attempt to
evade an IDS by distributing attacks over multiple packets
• Protocol decoding for most commonly targeted protocols that identifies attackers who
attempt to hide an attack within the protocol
• IDS Denial of Service (DoS) countermeasures that defeat tools such as “stick” and “snot” that
attempt to DoS an intrusion detection system
• Event sniping which terminates an attack session via a TCP reset or ICMP unreachable
message, stopping the attack before real damage can occur
• Probe prevention that defeats or confuses many scanning techniques by issuing false
responses to the probe, misleading attackers about the true nature of the network and/or
target system
• Backdoor and rogue server detection using varied techniques
Virtual Network Sensors
Up to four virtual sensors can be created on each physical Network Sensor. Virtualization can be
based on such things as VLAN ID, IP subnet, IP protocol number, TCP/UDP port number, or
physical network interface card. Each virtual sensor can then be configured with individual
policies and signatures suitable for the specific role of that sensor.
Note that at least one virtual sensor must be configured on a Network Sensor device, because
policies and signatures can only be assigned to virtual network sensors.
Network Sensor Policies
Network Sensor policies control aspects of the sensors which do not directly rely on or require
signatures. For example, a policy may include protocol decoders and checks on the header portion
of packets. Signatures, on the other hand, look specifically at the data portion of packets for certain
patterns.
A Network Sensor policy is comprised of “modules” that define the operation of the virtual sensor
to which the policy is applied. Each module provides the parameters to configure the behavior of
the sensor relative to a logical grouping of sensor tasks.
Enterasys provides you with a set of “master” policy modules which, although they cannot be
modified, can be used to create your own custom policies that are associated with a virtual sensor.
You create your custom policies from within the Network Policy view, which is displayed by
clicking on the Network Policy View and Signature Libraries icon in the main EMS window.
Figure 1-1 shows the Network Policies tab within the Network Policy view, with the list of default
master policy modules expanded.
Figure 1-1 Network Policy View
When you create your own custom policies, Enterasys IPS automatically adds four basic master
policy modules that must be included in any policy in order to be deployed:
• Dynamic Module
• Logging Module
• Network Layer Module
• Transport Layer Module
In addition, you can also select any of the other master policy modules to be included in your
custom policy, as shown in Figure 1-2.
Figure 1-2 Adding Master Modules to a Custom Policy
Once you have added the desired modules to your custom policy, you configure the module
parameters for the particular virtual sensor to which that policy will be applied. Procedures for
creating and configuring custom policies are provided in Chapter 2, Creating Network Sensor
Policies.
Network Sensor Policy Modules
Your choice of policy modules to include in a custom policy depends on the configuration of the
virtual sensor to which the policy will be applied. You should consider:
• the types of traffic and packets that will be received by the virtual sensor, and
• the address of the network the sensor is protecting (its protected network).
That is, you must know the types of traffic and packets that will be received by the virtual sensor,
as well as the address of the network the sensor is protecting (its protected network), in order to
create policies that generate or suppress (filter) the desired events by the sensor and configure the
desired logging/SNMP trap behavior by the sensor.
The following sections briefly describe the high-level behaviors that can be configured by each of
the policy modules. More details are provided in Chapter 2, Creating Network Sensor Policies.
Application Filter Module
This module defines traffic criteria that can be ignored by the sensor. Use this module to refine the
data which the sensor analyzes, by telling the sensor what types of traffic and packets to ignore.
By reducing the amount of data that the sensor has to look at, and therefore the number of events
generated, you can often improve the performance of the sensor as well as the analysis process.
Application filters are applied before any inspection of data occurs. Therefore, if a filter is
matched, the sensor does not do any further processing of the data — that is what is meant by
saying that the data is “ignored.” In general, if you know of a particular class of traffic that can be
ignored (for example, from a particular IP address or VLAN), then you should use a filter, since
this will generally lessen the load on the sensor.
You can tell the sensor to ignore traffic based on the following criteria:
• Direction with Respect to the Sensor’s Protected Network, set using the General Settings tab.
• IP Address and Direction, set using the IP Settings tab.
• TCP and UDP Port Number and Direction, set using the Port Settings tab.
• IP Protocol Number, set in the Protocol Settings tab.
• Specific VLAN or range of VLAN numbers, set in the VLAN Settings tab.
• Traffic That Looks Like a Port Scan or Port Sweep, set using the Probe Settings tab.
• IP Address, Port, and Protocol Rule combinations, set in the Rule Settings tab.
• Signatures, set using the Signature Settings tab.
Covert Channel Analysis Module
Many hackers use ICMP echo request and echo reply packets to communicate covertly.
Specialized ICMP clients and servers such as Back Orifice 2000 and LOKI are good examples. The
Covert Channel Analysis module provides parameters to configure three types of analysis:
• Backdoor Settings, which enable discovery of streams of unsolicited ICMP replies or ICMP
streams with static sequence numbers.
• Fast ICMP Settings, which also catch backdoors that utilize ICMP.
• Enable Loki Check Setting, which catches Loki traffic.
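The two backdoor indicators described above, unsolicited echo replies and ICMP streams with static sequence numbers, as detection logic run over a constructed packet trace. This is an added illustration, not Enterasys code; the thresholds, field names and the BD-STATIC-SEQ event name are assumptions (only ICMP:BD-REPLY appears in this guide).

```python
# Added example (not Enterasys code): detection logic for the two ICMP backdoor
# indicators the Covert Channel Analysis module describes, unsolicited echo
# replies and static sequence numbers, run over a constructed packet trace.
# Thresholds, field names and the BD-STATIC-SEQ event name are assumptions.
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int

class IcmpBackdoorDetector:
    """Matches echo replies to the requests that solicited them and watches
    for one-directional streams whose sequence number never changes."""
    def __init__(self, unsolicited_threshold=3, static_seq_threshold=4):
        self.unsolicited_threshold = unsolicited_threshold  # replies w/o request
        self.static_seq_threshold = static_seq_threshold    # same seq in a row
        self._pending = defaultdict(set)      # (requester, target) -> {(id, seq)}
        self._unsolicited = defaultdict(int)  # (replier, receiver) -> count
        self._seq_run = {}                    # (src, dst) -> (last_seq, run_len)

    def observe(self, pkt):
        """Feed one packet; return the event names it triggered."""
        events = []
        key = (pkt.src, pkt.dst)
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self._pending[key].add((pkt.ident, pkt.seq))
        elif pkt.icmp_type == ICMP_ECHO_REPLY:
            # A legitimate reply answers a request seen in the opposite direction.
            reverse = (pkt.dst, pkt.src)
            if (pkt.ident, pkt.seq) in self._pending[reverse]:
                self._pending[reverse].discard((pkt.ident, pkt.seq))
            else:
                self._unsolicited[key] += 1
                if self._unsolicited[key] == self.unsolicited_threshold:
                    events.append("ICMP:BD-REPLY")
        # Normal ping clients increment seq per probe; a static value is suspect.
        last_seq, run = self._seq_run.get(key, (None, 0))
        run = run + 1 if pkt.seq == last_seq else 1
        self._seq_run[key] = (pkt.seq, run)
        if run == self.static_seq_threshold:
            events.append("ICMP:BD-STATIC-SEQ")
        return events

def scan(packets, **thresholds):
    """Run the detector over a trace and return every event raised, in order."""
    det = IcmpBackdoorDetector(**thresholds)
    fired = []
    for p in packets:
        fired.extend(det.observe(p))
    return fired

# Constructed trace: a normal three-probe ping exchange, then a backdoor-style
# stream of replies to 10.0.0.5 that nobody requested and that all reuse seq 0.
NORMAL_PING = [IcmpPacket("10.0.0.5", "10.0.0.7", ICMP_ECHO_REQUEST, 0x1A2B, s)
               for s in range(1, 4)]
NORMAL_PING += [IcmpPacket("10.0.0.7", "10.0.0.5", ICMP_ECHO_REPLY, 0x1A2B, s)
                for s in range(1, 4)]
BACKDOOR_STREAM = [IcmpPacket("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0, 0)
                   for _ in range(5)]

if __name__ == "__main__":
    print(scan(NORMAL_PING))                    # []
    print(scan(NORMAL_PING + BACKDOOR_STREAM))  # ['ICMP:BD-REPLY', 'ICMP:BD-STATIC-SEQ']
```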
DoS Check Module
This module allows you to add Denial of Service checking to a Network Sensor policy. When
Denial of Service checking is enabled, the Network Sensor searches packets for distinct
trademarks of specific denial of service tools that are in use and freely available. The sensor will
generate different DoS internal events, depending on the tool. If a Denial of Service attack is
observed, the event data will contain the attack information.
Dragon Filter Module
The Dragon Filter module allows you to eliminate the reporting of events that you know are not
significant on your network—that is, are just “background noise” that can safely be ignored. For
example, you may use the SNMP public community for your network management. When you
use the Enterasys IPS reporting tools to view Enterasys IPS events being generated on your
network, you may notice that there are thousands of SNMP:PUBLIC events being generated from
a source IP address that matches the address of your management station. In such a case, you can
safely ignore those events, so you would write a Dragon filter that would drop (not report)
SNMP:PUBLIC events if the source IP address equals the IP address of your management station.
The events that can be filtered with Dragon filters include those generated by signatures applied
to a sensor (for example, the signature with the name SNMP:PUBLIC) as well as internal events
generated by a network policy applied to a sensor (for example, the ICMP:BD-REPLY event is
generated by backdoor analysis configured with the Covert Channel Analysis module).
Dragon filters are applied after data has been inspected, unlike Application filters that are applied
before data has been inspected. Therefore, Dragon Filter statements could be considered more
CPU intensive, in the sense that they can only be applied after the pattern matching operations are
completed. However, since both Dragon Filters and Application Filters are fairly quick operations,
neither greatly impacts the sensor’s performance (unless there are hundreds of them).
Dynamic Module
The Dynamic Module is one of the default modules added to every custom policy. It enables the
sensor to record packets from IP addresses that are involved in events. When an event occurs, the
Network Sensor makes a best effort to grab subsequent packets from the source and destination IP
addresses of the event packet. The number of recorded packets is determined by the specific alarm
or signature. Additional Dynamic packet logging can be set for all events, by specifying the
number of Cushion packets the Network Sensor should collect in addition to the normal number
of packets specified by the signature or alarm.
For example, if a PHF attack signature has a Dynamic packet capture level of 10 packets and the
Cushion value is set to 5 packets in this module, the Network Sensor will attempt to collect 15
packets. This parameter is meant as an easy way to quickly turn up the sensitivity of a Network
Sensor. The extra logging may have a negative impact on system performance or on Network
Sensor hard drive space.
Header Search Module
The Header Search module allows you to configure the Network Sensor to search IP and TCP
headers for a specific string of data. When you configure a Header Search rule, you identify:
• A start byte and a stop byte in the header of either IP or TCP traffic. These bytes specify the
part of the header to check.
• The frequency, in packets, of the check. A frequency of 0 means check all packets.
• The pattern to search for.
• The name of the event to generate when the rule is matched.
Refer to “Specifying Search Strings” on page 2-29 for information about how to specify the pattern
to search for.
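A matcher for the kind of rule described above (layer, start byte, stop byte, frequency, pattern, event name), as an added example that is not Enterasys code. The frame builder, the two rules and the "check every Nth packet" reading of the frequency setting are assumptions made for the illustration.

```python
# Added example (not Enterasys code): a matcher for the kind of rule the Header
# Search module describes: layer (IP or TCP), start and stop header byte, check
# frequency in packets (0 = all packets), a byte pattern and an event name.
# The frame builder, rules and "every Nth packet" reading of frequency are
# assumptions made for this illustration.
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class HeaderSearchRule:
    layer: str       # "ip" or "tcp"
    start: int       # first header byte to check (0-based, inclusive)
    stop: int        # last header byte to check (inclusive)
    frequency: int   # 0 = check every packet, N = check every Nth packet
    pattern: bytes
    event: str

def split_headers(frame):
    """Return (ip_header, tcp_header) for an IPv4 frame, sized from the IHL and
    TCP data-offset fields so option-bearing headers are handled correctly."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:                  # protocol field: 6 = TCP
        return frame[:ihl], b""
    tcp = frame[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return frame[:ihl], tcp[:data_off]

class HeaderSearch:
    def __init__(self, rules):
        self.rules = list(rules)
        self.seen = 0                  # packets inspected so far

    def inspect(self, frame):
        """Return the events raised for this packet, in rule order."""
        self.seen += 1
        ip_hdr, tcp_hdr = split_headers(frame)
        events = []
        for r in self.rules:
            if r.frequency and self.seen % r.frequency:
                continue               # not this packet's turn for a sampled rule
            hdr = ip_hdr if r.layer == "ip" else tcp_hdr
            window = hdr[r.start:r.stop + 1]
            if window and r.pattern in window:
                events.append(r.event)
        return events

def build_frame(ttl, src, dst, sport, dport, flags):
    """Constructed option-free IPv4/TCP frame; checksums are left as zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

# Two constructed rules: TTL of 1 in IP header byte 8, and a TCP flags byte
# (offset 13) carrying SYN and FIN together, which normal stacks never send.
RULES = [
    HeaderSearchRule("ip", 8, 8, 0, b"\x01", "IP:TTL-ONE"),
    HeaderSearchRule("tcp", 13, 13, 0, b"\x03", "TCP:SYN-FIN"),
]
SRC, SRC2, DST = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09", b"\x0a\x00\x00\x07"
FRAMES = [
    build_frame(64, SRC, DST, 40000, 80, 0x02),   # plain SYN: no event
    build_frame(1, SRC, DST, 40001, 80, 0x02),    # TTL 1
    build_frame(64, SRC2, DST, 40002, 80, 0x03),  # SYN+FIN
]

def run(frames, rules=RULES):
    hs = HeaderSearch(rules)
    return [hs.inspect(f) for f in frames]

if __name__ == "__main__":
    print(run(FRAMES))   # [[], ['IP:TTL-ONE'], ['TCP:SYN-FIN']]
```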