Tuning Cisco IPS. Session BRKSEC Fabien Gandola Consulting System Engineer


2 Tuning Cisco IPS Session Fabien Gandola Consulting System Engineer

3 Is this session about NGIPS? No. For that, see BRKSEC-2761 and BRKSEC-2762: Cisco and Sourcefire: A Threat-Centric Security Approach, and FirePOWER Network Security Platform.

4 Is this session a deep dive on how to develop new signatures? No. See BRKSEC-3031 Advanced - To Catch A Thief: Intrusion Prevention, Signature Development, and the Modern Mouse Trap.

5 I am Receiving Events! Job's done!

6 But Are you sure the default policy provided by Cisco matches exactly your needs?

7 And Even if it Does Do you want the same policy everywhere?

8 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 09:00 Example with IME Service String TCP Choose the Engine Create Custom Signature Service HTTP Choose the Action Risk Rating Parameters Case Studies Conclusion 11:00

9 Abstract "My IPS is up and running with the default configuration, I start receiving events... WHAT'S NEXT?" In 2 hours there is no way to turn you into an experienced incident analyst, but I can give you the different questions to ask yourself in order to orient the policy of your sensors, the different options to tune your IPS and, via practical examples, what you can do in order to reduce noise or false positives while limiting the risk of false negatives. This breakout is intended for security administrators currently using Cisco IPS or planning to use it. In order to get the best of this session, it is recommended to have a basic understanding of IPS/IDS technologies; it is a plus to know the Cisco IPS solution.

10 Here is a set of questions: Do you mind risking blocking valid transactions in order to get better protection? Do you mind having a noisy IPS in order to be able to see all alerts? Do you want to be notified for every event? Do you have the skills and time to investigate?

11 Policies Examples: Internet Edge
To monitor traffic and get statistics: before the firewall, in IDS mode, large spectrum of signatures, no action for protection.
To protect from the Internet: after the firewall, in IPS mode, signatures focusing on the traffic allowed by the firewall, aggressive actions using Global Correlation.

12 Policies Examples: Datacenter
Transactions are critical: after the firewall, in IDS mode, signatures focused on the traffic allowed by the firewall as well as on the type of servers and applications (OS, web servers, database, Unified Communications); no protection actions, just alerting.
Assets are critical: after the firewall, in IPS mode, signatures focused on the traffic allowed by the firewall as well as on the type of servers and applications (OS, web servers, database, Unified Communications); actions only for very high risk rating events.

13 Policies Examples: Campus
To monitor internal traffic and get statistics: in IDS mode, focus on well-known current alerts for end-user applications as well as unauthorized applications (P2P, IM, ...); no action for protection, but reporting.
To protect internally and enforce the acceptable use policy: in IPS mode, focus on well-known current alerts for end-user applications as well as unauthorized applications (P2P, IM, ...); aggressive actions.

14 You may need to tune your policy

15 Why Tuning IPS Sensors Traffic is from a trusted source High rate of alarms High rate of false positive Not the ideal action response to event Tuning is a key part of IPS deployments The data reduction that results from proper tuning is essential for a fully functional system Not every sensor needs to alert on every event Implementing environment specific configurations increases scalability of the entire system

16 How to Tune By direction of traffic By severity level By retiring/disabling a signature By summarizing the alarm to reduce the rate at which it triggers. By filtering signatures based on traffic By creating environment variable to easily identify the source and the destination

17 Where to Start If you can't afford the risk of impacting valid traffic, use IDS mode during the tuning phase. IDS mode: the sensing interface receives copies of network traffic from a SPAN port, hub, tap, or VACL capture; it does not sit in the flow of traffic. It is also possible to deploy an IPS inline but to use it only as a detection system, without impacting the traffic.

18 IPS Physically Inline The IPS sits in the flow of the traffic. It inspects the real traffic in real time, receiving packets from its physical or virtual interfaces.

19 Deployment: IPS Working as IDS (1) Disable Deny Packet Action in HIGHRISK Set Normalizer to asymmetric mode

20 Deployment: IPS Working as IDS (2) Create an Event Action Filter, for all signatures and all sources/destinations...

21 Deployment: IPS Working as IDS (3)...that removes all DENY Actions

22 ASA Service Policy Selects Virtual Sensor The ASA service policy can select traffic based on incoming interface, source/destination, etc. and direct different flows to different virtual sensors. It is possible to mix IDS and IPS virtual sensors so that critical traffic will not be impacted by the sensor.

23 Monitoring with the Default Signatures Start by monitoring the default configuration. Monitor your traffic for up to 2 weeks to get a baseline. Group alerts per signature to detect the noisiest ones. Group per host to detect potential trusted sources to filter out. Group per severity to investigate the most serious ones. It's all about the risk: use risk rating values to help drive your security policy. We can't use the threat rating, as in the tuning phase we usually don't take any actions and Risk Rating = Threat Rating. It is recommended to create a second virtual sensor (VS1) with its own signature definition (Sig1) so you can revert easily to the default settings without losing your changes.

24 It's All About Balance

25 Three Main Targets The Noise : A set of alarms which is legitimate but of low priority (port scan from internet) is considered as Noise The False Positive: An alarm is considered a false positive if it is triggered by legitimate traffic The False Negative: An attack which has not been detected (evasion technique used) is called a False negative

26 Agenda Introduction Reduce Noise 13:00 15:00

27 Reduction of Noise

28 Noise Reduction There are 3 effective, simple strategies: limit alerting to high severity alerts only, using policy tuning; use summarization for the noisy signatures; create directional filters.

29 How do I Limit Alerting?

30 Summarization Purpose: provide a way to manage the amount of alerts and mitigate the risk of denial of service against the IPS or the human operator through an excessive number of IPS alarms. Summary modes: Fire All, Fire Once, Summarize, Global Summarize. Using the specify-summary-threshold parameter, it is possible to switch dynamically to summary mode if a specific signature is firing too many alerts. Summary-key defines the criteria for summarization (Axxx, AxBx, Axxb, xxBx, AaBb, where A/a = attacker address/port, B/b = victim address/port and x = wildcard). Summary-interval is the time in seconds used for each summary alert.
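The following is an added example, not part of the original deck and not Cisco code: a small Python model of how the summary modes, summary-key and summary-interval described on this slide change the number of alerts an analyst sees for one signature. The event fields (t, src, sport, dst, dport), the exact accounting of when a summary alert is emitted and the sample events (a constructed 100-port scan followed by one unrelated alert) are assumptions of the model.

```python
# Summary-key legend (slide 30): A/a = attacker address/port, B/b = victim
# address/port, x = wildcard. Maps each key spec to the event fields it keeps.
SUMMARY_KEYS = {
    "Axxx": ("src",),
    "AxBx": ("src", "dst"),
    "Axxb": ("src", "dport"),
    "xxBx": ("dst",),
    "AaBb": ("src", "sport", "dst", "dport"),
}


def summary_key(event, key_spec):
    """Project an event onto the fields selected by the summary-key."""
    return tuple(event[f] for f in SUMMARY_KEYS[key_spec])


def run_summarization(events, mode, key_spec="AxBx", interval=30, threshold=None):
    """Return the alerts one signature would emit for a list of triggering events.

    events: dicts with t (seconds), src, sport, dst, dport.
    mode: "fire-all", "fire-once", "summarize" or "global-summarize".
    threshold: summary-threshold; in fire-all mode a key that reaches it inside
    an interval stops alerting per packet and is reported as one summary instead.
    Each returned alert is (kind, key, count) with kind "alert" or "summary".
    """
    alerts = []
    counts = {}          # summary key -> hits inside the current interval
    fired_once = set()   # keys that already alerted (fire-once mode)
    window_end = None

    def close_window():
        # End of a summary-interval: one summary alert carries the hit count.
        for key, n in counts.items():
            summarizing = mode in ("summarize", "global-summarize")
            over_threshold = mode == "fire-all" and threshold is not None and n >= threshold
            if (summarizing and n > 1) or over_threshold:
                alerts.append(("summary", key, n))
        counts.clear()

    for e in sorted(events, key=lambda ev: ev["t"]):
        if window_end is None or e["t"] >= window_end:
            close_window()                      # summary-interval elapsed
            window_end = e["t"] + interval
        # Global summarize ignores the key and counts everything for the signature.
        key = "ALL" if mode == "global-summarize" else summary_key(e, key_spec)
        counts[key] = counts.get(key, 0) + 1
        if mode == "fire-once":
            if key not in fired_once:
                fired_once.add(key)
                alerts.append(("alert", key, 1))
        elif mode == "fire-all":
            if threshold is None or counts[key] < threshold:
                alerts.append(("alert", key, 1))
        elif counts[key] == 1:                  # summarize / global-summarize:
            alerts.append(("alert", key, 1))    # only the first hit of the interval
    close_window()
    return alerts


# Constructed sample: 100 ports scanned in 10 seconds from one host against one
# server, then a single unrelated SSH alert 40 seconds later.
SAMPLE_EVENTS = [
    {"t": i // 10, "src": "10.0.0.5", "sport": 40000 + i, "dst": "10.0.0.50", "dport": i + 1}
    for i in range(100)
] + [{"t": 40, "src": "192.0.2.9", "sport": 5555, "dst": "10.0.0.50", "dport": 22}]


if __name__ == "__main__":
    for mode in ("fire-all", "fire-once", "summarize", "global-summarize"):
        print(f"{mode:17s} {len(run_summarization(SAMPLE_EVENTS, mode))} alerts")
    print("fire-all, threshold 10:", len(run_summarization(SAMPLE_EVENTS, "fire-all", threshold=10)), "alerts")
```

Running it shows the trade-off the slide is about: Fire All produces 101 alerts, Summarize with key AxBx produces one alert plus one summary for the scan and one alert for the SSH event, while Summarize with key Axxb still produces 101 because every destination port is a distinct key. The summary-key must match the shape of the noise, not just the signature.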

31 Summarization Example

32 Directional Filters Some signatures are only relevant when fired in a specific direction or from a specific location. Reporting all exploit attempts coming from the Internet might not be relevant, BUT reporting the same exploit coming from inside your network could be: one of your machines might be infected and trying to infect other machines. Use filters based on the signature and on the source or destination IP address. Example: Sig 4703 MSSQL Resolution Service Stack Overflow, effective to catch Slammer; directional tuning detects an internal infected host.

33 Create Event Variables

34 Agenda 13:00 Introduction Reduce Noise Reduce False Positive 15:00

35 Reduction of False Positive

36 Reduction of False Positives There are 4 main strategies to deal with false positives: Alarm and signature filtering, where the resulting alarm or signature is (selectively) disabled Signature tuning, where the triggering signature is altered and tuned to the environment Use Meta engine, in order to correlate several events to increase the confidence and fidelity Use Global Correlation in order to increase confidence that the traffic is a real attack

37 Alarm and Signature Filtering Retire the signature Disable the signature Change the default severity of the signature Filter the signature for specific ports Filter the signature for specific hosts or networks

38 Signature Tuning 1/2 Tunable thresholds: the number/rate of events that form a set in a specific amount of time. Decrease the limits if they are exceeded too often, or increase the time interval; these can be modified per host. Very different from summarization! Examples: 3 failed attempts to authenticate; more than 100 embryonic connections from the same host.

39 Signature Tuning 2/2 Tunable content Change the range of allowed parameters (for example, exclude a destination port) With string matching, tighten the pattern to match fewer instances of legitimate data More information in the section Create a new signature

40 META Engine Purpose: The Meta engine defines events that occur in a related manner within a sliding time interval. It processes events rather than packets. The Meta engine generates a signature event after all requirements for the event are met. Summarization and event action are processed after the Meta engine has processed the component events.

41 Process for Accurate Threat Mitigation Integrated Event Correlation If SIG ID 6768/1 fires 80 times and 6768/2 fires once within a 60 second interval, then the Meta engine will trigger an event: 6768/0. TIME INTERVAL = 60 SECS. SIG 6768/1 80 times + SIG 6768/2 once = SAMBA WINS Remote Code Execution, Sig 6768/0.

42 META Engine Parameters The NOT operation was recently added for events that we do not want to occur in a specific sequence. Setting the parameter All-components-required to No allows you to combine several metas, simulating the OR operator. Objective: trigger an alert if you see E1 followed by E2 or E3. Meta1 = E2 + E3 with All-components-required set to No; Meta2 = E1 + Meta1.
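An added example, written for this page rather than taken from the deck or from Cisco's engine: a Python model of the Meta engine behaviour of slides 40 to 42, with component counts inside a sliding window, the NOT operation, and All-components-required set to No used as an OR, plus chaining of one meta into another. The class and function names, the rule that a meta clears its window after firing, and the constructed event lists are assumptions of the model.

```python
from collections import deque


class MetaSignature:
    """Correlate component events inside a sliding time window.

    components: list of (sig_id, count, negated). A non-negated component is
    satisfied once `count` events of that sig_id lie inside the window; a
    negated one (the NOT operation) is satisfied only if none do. With
    all_required=False the positive components are ORed instead of ANDed.
    """

    def __init__(self, meta_id, components, interval, all_required=True):
        self.meta_id = meta_id
        self.components = components
        self.interval = interval
        self.all_required = all_required
        self.windows = {sig: deque() for sig, _, _ in components}

    def _prune(self, now):
        # Drop component events that fell out of the sliding window.
        for q in self.windows.values():
            while q and q[0] < now - self.interval:
                q.popleft()

    def feed(self, t, sig_id):
        """Feed one event; return meta_id if the meta signature fires now."""
        if sig_id not in self.windows:
            return None
        self.windows[sig_id].append(t)
        self._prune(t)
        positives, negatives = [], []
        for sig, count, negated in self.components:
            n = len(self.windows[sig])
            if negated:
                negatives.append(n == 0)    # NOT: only events already seen count
            else:
                positives.append(n >= count)
        ok = (all(positives) if self.all_required else any(positives)) and all(negatives)
        if ok:
            for q in self.windows.values():
                q.clear()                   # fire once per correlated set (assumption)
            return self.meta_id
        return None


def correlate(events, metas):
    """Run (t, sig_id) events through the metas in time order.

    A meta that fires is fed back as an event, so Meta2 = E1 + Meta1 works.
    Returns the list of (t, meta_id) that fired.
    """
    fired = []
    for t, sig in sorted(events):
        pending = [sig]
        while pending:
            s = pending.pop(0)
            for m in metas:
                out = m.feed(t, s)
                if out is not None:
                    fired.append((t, out))
                    pending.append(out)
    return fired


# Constructed events for the slide-41 case: 80 x 6768/1 inside 40 s, then one 6768/2.
SAMBA_EVENTS = [(i * 0.5, "6768/1") for i in range(80)] + [(40.0, "6768/2")]


def samba_meta():
    return MetaSignature("6768/0", [("6768/1", 80, False), ("6768/2", 1, False)], interval=60)


def or_chain():
    """Slide 42: Meta1 = E2 OR E3, Meta2 = E1 + Meta1."""
    meta1 = MetaSignature("Meta1", [("E2", 1, False), ("E3", 1, False)], 60, all_required=False)
    meta2 = MetaSignature("Meta2", [("E1", 1, False), ("Meta1", 1, False)], 60)
    return [meta1, meta2]


if __name__ == "__main__":
    print(correlate(SAMBA_EVENTS, [samba_meta()]))
    print(correlate([(0, "E1"), (5, "E3")], or_chain()))
```

The negated component only suppresses the meta for events the engine has already seen inside the window; if E1 arrives before the "unwanted" E4, the meta fires on E1. That ordering dependency is worth testing before relying on a NOT component in production.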

43 Global Correlation IPS Reputation Filters block access to IPs on stolen zombie networks or on networks controlled entirely by malicious organizations. Global Correlation Inspection raises the Risk Rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without negative reputation.

44 Defeating SQL Injection The Challenge of Traditional Signature-Based IPS What SIGNATURES Find Verdict: UNKNOWN What? SQL Command Fragments in Web Traffic This could be your billing system talking to your customer database. Or..

45 Defeating SQL Injection Collaborate with Confidence What GLOBAL CORRELATION knows: Verdict: BLOCK. What? SQL command fragments in web traffic from an untrusted client. Who? Dynamic IP address, dynamic DNS, history of web attacks. How? 4th packet of an HTTP connection. Where? Within a heavily compromised network, history of botnet activity.

46 IRC Connections The Challenge of Traditional Signature-Based IPS What SIGNATURES Find Verdict: UNKNOWN What? IRC Join This looks like a typical IRC connection request..

47 IRC Connections Collaborate with Confidence Traditional Signature only IPS view without Reputation Global Correlation Enabled IPS allows Confident Deny Action

48 Malware over BitTorrent The Challenge of Traditional Signature-Based IPS What SIGNATURES Find Verdict: UNKNOWN What? BitTorrent connections. This looks like standard BitTorrent connections.

49 Reconnaissance Activities The Challenge of Traditional Signature-Based IPS What SIGNATURES See Verdict: NO CONFIDENCE What? ICMP Timestamp Request packets The packets, being nonconnection oriented, are spoofable. Do you have the confidence to implement a Deny Attacker to prevent future recon activities?

50 False Positive Examples Signature "Possible Heap Payload Construction". Originally High severity. Triggered heavily by the Ad-Revolver web application. Consider retiring it? What is the potential impact on the victim? Low. Is it part of a Meta signature? Yes => decrease the severity to Informational.

51 False Positive Examples Signature "SNMP Protocol Violation". Originally High severity. Fires when any error in decoding SNMP is detected. Consider retiring it? What is the potential impact on the victim? High. Are the management stations known? Yes => decrease the severity to Informational so you keep traces for forensic analysis; filter out the trusted sources; check the application's SNMP implementation.

52 Questions?

53 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 15:00

54 Reduction of False Negative

55 Reduction of False Negatives False negatives are alarms that should have been triggered but were not. False negatives are usually detected through secondary means (HIDS/HIPS, server/firewall logs). A false negative could be due to: the IPS health status; evasion techniques successfully used; an existing signature that needs to be tuned; an unknown attack.

56 Reduction of False Negatives (Cont.) How to reduce false negatives: check the state of the IPS (resources and processes); check for signature updates from CCO; ensure anti-evasion mechanisms are activated (Normalizer); ensure the traffic flows through the IPS; alter a signature's numeric thresholds; tune a signature's content; create a new custom signature. For the last three solutions there is a risk of increasing false positives.

57 False Negative Tuning Examples Signature HTTP Authorization Failure; Signature Telnet Authorization Failure; Signature SMB Authorization Failure; Signature FTP Authorization Failure (this signature has since been retired due to its high rate of false positives and replaced with one that uses it as a meta component). These would typically require tuning the counter so that the signature only triggers after it has fired a number of times.

58 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME 15:00

59 Real Life example with IME

60 How to Tune IPS Using IME Example taken from one of our labs, using an IPS 4260 appliance. Some tips are shown, but many other options are possible/available.

61 Events during the past 24 hours

62 Let's group them together per signature

63 Notice the time

64 Use available tools

65 Know your enemy

66 Signature Explanation

67 Verbose alert and IP logging are the best friends of the Analyst

68 So This Was Noise What now? Filter that kind of traffic on firewall? Change behavior of server? Disable signature? Tune signature? Disable actions? Create rule?

69 Edit signature?

70

71 Create rule

72 and apply it to the correct virtual sensor

73

74 Shall we delete event from database?

75 Let's expand the window to the last 48 hours

76

77 This is noise created by a trusted host; I would create a rule for this vulnerability scanner

78 After reducing the noise, I group per severity and start investigating

79 And now something completely different

80 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME Create Custom Signature 15:00

81 Create Custom Signatures

82 How to Create New Signature Choice of the engine Write regular expression Choose the default action Decide of the risk rating parameters Check performance impact

83 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative Example with IME Choose the Engine Create Custom Signature

84 Choose the Engine

85 The different engine families Atomic engine: looks at attacks in a single packet. Flooding: specialized in attacks that involve flooding hosts with packets. String: looks for patterns across several packets. Sweep: specialized in attacks that involve scanning of hosts and ports. Anomaly detection: baselines the traffic first and then looks for thresholds. Service engines: specialized engines looking at services like DNS, HTTP, FTP, and many others...

86 Service Engine: Service Types Service DNS Engine Service FTP Engine Service Generic Engine Service H225 Engine Service HTTP Engine Service IDENT Engine Service MSRPC Engine Service MSSQL Engine Service NTP Engine Service P2P Engine Service RPC Engine Service SMB Adv. Engine Service SNMP Engine Service SSH Engine Service TNS Engine

87 HTTP v2 engines Who called those engines v2????? Read v2 = only for IOS IPS!!!

88 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME Service String TCP Choose the Engine Create Custom Signature 15:00

89 Service String TCP

90 TCP String: Explanation The string engine is a generic pattern matching engine for ICMP, UDP but mainly TCP. The string engine uses a regular expression engine that can combine multiple patterns into a single pattern table, allowing a single search through the data. String.TCP offers the ability to inspect each TCP connection as one long stream of data.

91 "Some people, when confronted with a problem, think 'I know, I'll use regular expressions.' Now they have two problems." Jamie Zawinski

92 Example (the slide shows, spread over three lines, the well-known multi-kilobyte regular expression for an RFC 822 e-mail address as an illustration of the quote above; its alternation characters did not survive transcription)

93 Almost Real Case Scenario The situation: consider the case of a theoretical vulnerability, a buffer overflow in an application listening on a given port. The application expects the string LOGIN followed by a space, the password, and a carriage-return/newline combination at the end, but if the password is longer than 256 characters a buffer-overflow condition is met. First attempt: engine String.TCP, direction to-service. The regex needs to start with "[Ll][Oo][Gg][Ii][Nn] [\x20-\x7f]*[\x0a\x0d]". Problem: this will trigger on any login, even legitimate ones.

94 Almost Real Case Scenario Second attempt: a length parameter has to be introduced; MinMatchLength (mml) is the best parameter. Example: assume a regex of "A*B" and an mml of 6. Here is when this signature will fire: AAAB will not fire; AAAAB will not fire; AAAAAB will fire; AAAAAAB will fire. So MML has to be set to 265. Problem: if the word login appears in the middle of the connection, the signature will match and start monitoring, waiting for a carriage return; if one is not met within the next 264 characters, the alarm will fire.

95 Almost Real Case Scenario Third attempt: it is possible to make the engine stop inspecting a stream after a certain length with the "Max Match Offset" (mmo). In this case, as the regex needs to start at the first byte of the session, an mmo of 265 will make sure the engine stops inspecting sessions to this port after 265 bytes. Problem: the attacker may not use normal characters like letters. Fourth attempt: instead of looking for a specific range of characters, we can look for anything but a carriage return: regex = "[Ll][Oo][Gg][Ii][Nn] [^\x0a\x0d]*[\x0a\x0d]"

96 Almost Real Case Scenario Final enhancement: as the server will refuse anything not starting with LOGIN, we can do the same with the signature using the ^ character at the beginning. regex = ^[Ll][Oo][Gg][Ii][Nn] [^\x0a\x0d]*[\x0a\x0d] MinMatchLength = 265 Max Match Offset = 265
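An added example, not from the deck and not Cisco's engine code: a Python harness that replays the signature drafts of slides 93 to 96 against constructed client streams, so the effect of each change (character class versus negated class, the ^ anchor, MinMatchLength, Max Match Offset) can be checked before the signature goes on a sensor. The parameter semantics are modelled as the slides describe them (match length at least mml, match ending no later than mmo bytes into the stream); that reading, the helper names and the sample streams are assumptions.

```python
import re


def string_tcp_fires(stream, regex, min_match_length=0, max_match_offset=None):
    """Model of a String.TCP signature on a reassembled to-service byte stream.

    Fires when `regex` matches, the match spans at least min_match_length
    bytes and, if max_match_offset is set, the match ends no later than that
    many bytes into the stream (assumed reading of the slide's parameters).
    """
    m = re.search(regex, stream, re.DOTALL)
    if m is None:
        return False
    if m.end() - m.start() < min_match_length:
        return False
    if max_match_offset is not None and m.end() > max_match_offset:
        return False
    return True


# The drafts from the slides. Cisco regexes have no case-insensitive flag,
# hence the [Ll] style character classes.
DRAFT1 = rb"[Ll][Oo][Gg][Ii][Nn] [\x20-\x7f]*[\x0a\x0d]"
DRAFT4 = rb"[Ll][Oo][Gg][Ii][Nn] [^\x0a\x0d]*[\x0a\x0d]"
FINAL = rb"^[Ll][Oo][Gg][Ii][Nn] [^\x0a\x0d]*[\x0a\x0d]"
MML = 265   # slide 96: MinMatchLength
MMO = 265   # slide 96: Max Match Offset


def login_stream(pw_len, prefix=b"", pw_byte=b"A"):
    """Constructed client stream: optional junk, then 'LOGIN <password>\\r\\n'."""
    return prefix + b"LOGIN " + pw_byte * pw_len + b"\r\n"


if __name__ == "__main__":
    cases = {
        "legit 12-char login": login_stream(12),
        "258-char password": login_stream(258),
        "258-char password, binary": login_stream(258, pw_byte=b"\x90"),
        "258-char password mid-stream": login_stream(258, prefix=b"HELP\r\n"),
        "300-char password": login_stream(300),
    }
    for name, s in cases.items():
        print(f"{name:30s} draft1={string_tcp_fires(s, DRAFT1)!s:5} "
              f"final={string_tcp_fires(s, FINAL, MML, MMO)!s:5}")
```

The last case is the check worth running on the real sensor: under this model, with MinMatchLength and Max Match Offset both 265, only a LOGIN line whose terminator lands exactly at byte 265 fires, and a 300-character password (still an overflow) is missed because its CR/LF ends past the offset. Dropping the offset, or raising it well above the length, keeps the long-password case detected; verify which behaviour your sensor version actually implements before trusting the two values together.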

97 Fixed Engines : Explanation Purpose: Detect stealth application using high ports Similar to String.TCP UDP ICMP engines (but up to 250 bytes) Can listen on ALL TCP, UDP ports and ICMP types Ideal for tracking down stealthy P2P and botnet traffic

98 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME Service String TCP Choose the Engine Create Custom Signature Service HTTP 15:00

99 Service HTTP

100 Service HTTP : Explanation The Service HTTP engine is a service-specific string-based pattern-matching inspection engine This engine searches traffic directed to web ports. You cannot inspect return traffic (responses) from the server to the client with this engine. You can specify separate web ports of interest in each signature in this engine Before an HTTP packet can be inspected, the data MUST be deobfuscated or normalized to the same representation that the target system sees when it processes the data

101 Service HTTP: Parameters (for your reference)
de-obfuscate: applies anti-evasive deobfuscation before searching (true/false).
regex: regular expression grouping.
specify-header-regex: enables searching the Header field for a specific regular expression (true/false).
specify-arg-name-regex: enables searching the Arguments field for a specific regular expression (true/false).

102 Service HTTP : Signature Examples For Your Reference

103 Regular Expressions for Service HTTP Signatures Regular expressions (REGEX) can be used in signatures to match packets against a configured expression. With the Service HTTP engine you can specify regular expressions to match specific locations inside the HTTP packets:

104 HTTP Parameters
1. URI Regex: regular expression to search in the URI field. The URI field is defined as after the HTTP method (i.e. GET, POST) and before the first CRLF (\r\n).
2. Arg Name Regex: regular expression to search in the HTTP arguments field (variable names within form input, for instance). This is defined as after the '?' and in the entity body as defined by Content-Length.
3. Arg Value Regex: regular expression to search in the HTTP arguments field after Arg Name Regex is matched. This searches the value defined by the variable name above.
4. Header Regex: regular expression to search in the HTTP header. The header is defined as after the first CRLF (\r\n) but before CRLFCRLF (\r\n\r\n).
5. Request Regex: regular expression to search in both the HTTP URI and HTTP header.

105 Example 1: Create a new Custom Signature to Deny Access to the Admin Page This signature will match on an HTTP GET with a URI string containing admin and the Host header field matching 10.10.110.60 or www.threatdlabs.test. We are matching on both the IP and FQDN options for the Host field to ensure that the page cannot be accessed using either.
Custom Signature
Signature Name: Attempt to access Admin page
Engine: Service HTTP
Event Action: Deny Packet Inline, Produce Alert
Specify URI Regex: Yes
URI Regex: [Aa][Dd][Mm][Ii][Nn]
Specify Header Regex: Yes
Header Regex: [Hh][Oo][Ss][Tt][:]\x20((10\.10\.110\.60)|(www\.threatdlabs\.test))
Service ports: 80
Summary mode: Fire all

106 Example 1: Create a new Custom Signature to Deny Access to the Admin Page

107 Example 2: Create a new Custom Signature to Restrict Browser Types This signature will match on an HTTP GET with the User-Agent header field matching Firefox or Safari.
Custom Signature
Signature Name: Attempt to use Firefox or Safari
Engine: Service HTTP
Event Action: Deny Packet Inline, Produce Alert
Specify Header Regex: Yes
Header Regex: [Uu][Ss][Ee][Rr][-][Aa][Gg][Ee][Nn][Tt][:][\x20][^\x0d\x0a]*(Firefox|Safari)
Service ports: 80,443
Summary mode: Fire all

108 Example 2: Create a new Custom Signature to Restrict Browser Types Complete these steps:
Step 1: In CSM Configuration Manager, select ny-ips-pri and click Signatures > Signatures.
Step 2: Add a new custom signature with the parameters listed above.
Step 3: Click Save to save the changes.
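The following is an added example, not from the deck and not the Service HTTP engine's code: a Python model that splits a raw HTTP request into the fields defined on slide 104 (URI, header, arguments by name and value, request) and evaluates the two custom signatures of slides 105 and 107 against constructed requests. The field boundaries follow the slide; the percent-decoding used as a stand-in for the engine's de-obfuscation, the rule that every configured regex must match, the helper names and the sample requests are assumptions of the model.

```python
import re
from urllib.parse import unquote_to_bytes


def split_http_request(raw, deobfuscate=True):
    """Split a raw request into the fields the Service HTTP engine searches.

    uri: after the method, before the first CRLF. header: between the first
    CRLF and CRLFCRLF. args: (name, value) pairs from the query string after
    '?' and from the entity body bounded by Content-Length. request: URI plus
    header. deobfuscate percent-decodes URI and arguments (a stand-in for the
    engine's normalisation, so /%41dmin is seen as /Admin).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", header)
    body = body[:int(m.group(1))] if m else b""
    query = uri.partition(b"?")[2]
    decode = unquote_to_bytes if deobfuscate else (lambda b: b)
    args = []
    for item in b"&".join(p for p in (query, body) if p).split(b"&"):
        if item:
            name, _, value = item.partition(b"=")
            args.append((decode(name), decode(value)))
    uri = decode(uri)
    return {"method": method, "uri": uri, "header": header,
            "args": args, "request": uri + b"\r\n" + header}


def service_http_fires(raw, uri_regex=None, header_regex=None, request_regex=None,
                       arg_name_regex=None, arg_value_regex=None):
    """Fire only if every configured regex matches its field (modelled as AND)."""
    f = split_http_request(raw)
    checks = []
    if uri_regex is not None:
        checks.append(re.search(uri_regex, f["uri"]) is not None)
    if header_regex is not None:
        checks.append(re.search(header_regex, f["header"]) is not None)
    if request_regex is not None:
        checks.append(re.search(request_regex, f["request"]) is not None)
    if arg_name_regex is not None:
        # Arg Value Regex is evaluated only on the value of an argument whose name matched.
        checks.append(any(re.search(arg_name_regex, n) and
                          (arg_value_regex is None or re.search(arg_value_regex, v))
                          for n, v in f["args"]))
    return bool(checks) and all(checks)


# Regexes from slides 105 and 107.
ADMIN_URI = rb"[Aa][Dd][Mm][Ii][Nn]"
ADMIN_HOST = rb"[Hh][Oo][Ss][Tt][:]\x20((10\.10\.110\.60)|(www\.threatdlabs\.test))"
BROWSER_UA = rb"[Uu][Ss][Ee][Rr][-][Aa][Gg][Ee][Nn][Tt][:][\x20][^\x0d\x0a]*(Firefox|Safari)"

# Constructed requests used as test traffic.
ADMIN_BY_IP = b"GET /admin/index.php HTTP/1.1\r\nHost: 10.10.110.60\r\nUser-Agent: curl/7.64.0\r\n\r\n"
ADMIN_BY_NAME = b"GET /site/Admin HTTP/1.1\r\nHost: www.threatdlabs.test\r\n\r\n"
ADMIN_OBFUSCATED = b"GET /%41dmin HTTP/1.1\r\nHost: 10.10.110.60\r\n\r\n"
ADMIN_OTHER_HOST = b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
FIREFOX = (b"GET / HTTP/1.1\r\nHost: www.threatdlabs.test\r\n"
           b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/24.0\r\n\r\n")
LOGIN_POST = (b"POST /login?next=admin HTTP/1.1\r\nHost: www.threatdlabs.test\r\n"
              b"Content-Length: 21\r\n\r\nuser=bob&pass=hunter2")


if __name__ == "__main__":
    for name, req in [("by ip", ADMIN_BY_IP), ("by name", ADMIN_BY_NAME),
                      ("obfuscated", ADMIN_OBFUSCATED), ("other host", ADMIN_OTHER_HOST)]:
        print("admin page", name, service_http_fires(req, uri_regex=ADMIN_URI, header_regex=ADMIN_HOST))
    print("firefox", service_http_fires(FIREFOX, header_regex=BROWSER_UA))
```

Two points the model makes visible: the Host regex is what keeps the admin signature from firing on every other site that happens to have "admin" in a URI, and without de-obfuscation the percent-encoded request slips past the URI regex, which is why the engine normalises before matching.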

109 Questions?

110 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME Service String TCP Choose the Engine Create Custom Signature Service HTTP 15:00 Choose the Action

111 Choose the Default action

112 Master Engine: Event Actions
Inline actions: Deny Attacker Inline, Deny Attacker Victim Pair Inline, Deny Attacker Service Pair Inline, Deny Connection Inline, Deny Packet Inline
Alert actions: Produce Alert, Produce Verbose Alert, Request SNMP Trap
Logging actions: Log Attacker Packets, Log Pair Packets, Log Victim Packets
IP blocking: Request Block Connection, Request Block Host
Other actions: Reset TCP Connection, Request Rate Limit, Modify Packet Inline
The actions marked with an asterisk on the slide are not supported for IPv6.

113 Where do I Configure Actions? Actions are configured in 3 different places: the signature itself, where you define the default response if this signature is triggered; the event action overrides, which allow the system to add actions depending on the risk rating; the event action filters, where the system is able to remove actions depending on several parameters like the signature ID and the addresses of the attacker or victim.

114 Cisco IPS Response Logging Actions Very different from alerting: IP logging enables you to capture the actual packets that an attacking host is sending to your network. Packets are stored on the hard drive or in memory (for sensors without hard drives). Very useful for forensics, using a packet analysis tool such as Wireshark to determine exactly what an attacker is doing. There are 4 possibilities: Log Attacker Packets, Log Pair Packets, Log Victim Packets, manual logging. Configure carefully the length of time you intend to record traffic, especially if the sensor stores it in memory.

115 Cisco IPS Response Other Actions Modify Packet Inline Goal: modify packet data to remove ambiguity about what the end point might do with the packet. This is only used by the Normalizer against obfuscation techniques. It cannot be used in Event Action Overrides or Event Action Filters, and it is not valid in promiscuous mode.

116 Cisco IPS Response Others Actions Request Rate Limit Goal: Rate limit is an action used to mitigate the effect of a flood, usually caused by a Denial of Service attack or a misbehaving application Rate limiting lets sensors restrict the rate of specified traffic classes on network devices. Rate limit responses are supported for the Host Flood and Net Flood engines, and the TCP half-open SYN signature.

117 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME Service String TCP Choose the Engine Create Custom Signature Service HTTP 15:00 Choose the Action Risk Rating Parameters

118 Decide of the Risk Rating Parameters

119 Risk-Management-Based Security Policy
Alert Severity Rating (ASR): Informational = 25, Low = 50, Medium = 75, High = 100
Target Value Rating (TVR): Low value = 75, Medium = 100, High value = 150, Mission Critical = 200
Signature Fidelity Rating (SFR): given by Cisco per signature
Attack Relevancy Rating (ARR): if relevant, add 10; if irrelevant, subtract 10
Promiscuous Delta (PD): between 0 and 30, applied only in promiscuous mode
Watch List Rating (WLR): between 0 and 35
Risk Rating: RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR
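An added example that ties slide 119 to slides 19 to 21, 32 and 113; it is written for this page and is not Cisco code. It computes the Risk Rating from the formula above and then applies the three places actions come from: the signature's own actions, an event action override that adds a deny at a risk rating threshold, and event action filters that subtract actions, including the "IPS working as IDS" filter that strips every deny action and a directional filter for a trusted vulnerability scanner. Truncating the rating to an integer and clamping it to 0..100, the action names, the filter structure, the threshold of 90 and the sample events are assumptions of the model.

```python
import ipaddress

# Rating tables from slide 119.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0):
    """RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR.

    Truncation to an integer and the 0..100 clamp are this model's assumptions.
    """
    rr = int(asr * tvr * sfr / 10000 + arr - pd + wlr)
    return max(0, min(100, rr))


DENY_ACTIONS = {"deny-attacker-inline", "deny-attacker-victim-pair-inline",
                "deny-attacker-service-pair-inline", "deny-connection-inline",
                "deny-packet-inline"}


def _in_net(addr, net):
    # A filter with no address constraint matches every address.
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def decide_actions(event, sig_actions, overrides=(), filters=()):
    """Combine the three sources of actions from slide 113.

    sig_actions: the signature's default actions.
    overrides: [(min_rr, action)] event action overrides adding an action when RR >= min_rr.
    filters: [{"sig": id or None, "attacker": cidr or None, "victim": cidr or None,
               "remove": {actions}}] event action filters subtracting actions.
    """
    actions = set(sig_actions)
    for min_rr, action in overrides:
        if event["rr"] >= min_rr:
            actions.add(action)
    for f in filters:
        if (f.get("sig") in (None, event["sig"])
                and _in_net(event["src"], f.get("attacker"))
                and _in_net(event["dst"], f.get("victim"))):
            actions -= set(f["remove"])
    return actions


# Policy pieces from the slides: deny at high risk rating (override), the
# "IPS working as IDS" filter that removes every deny action for all signatures
# and addresses, and a directional filter that silences a trusted scanner.
OVERRIDES = [(90, "deny-packet-inline")]
IDS_MODE_FILTER = {"sig": None, "attacker": None, "victim": None, "remove": DENY_ACTIONS}
TRUSTED_SCANNER_FILTER = {"sig": None, "attacker": "10.1.1.10/32", "victim": None,
                          "remove": DENY_ACTIONS | {"produce-alert"}}


def sample_events():
    """Constructed events: Sig 4703 from the Internet, the same from the
    trusted scanner, and a port-25 event rated like the case study (RR 86)."""
    return [
        {"sig": "4703/0", "src": "198.51.100.7", "dst": "10.0.0.50",
         "rr": risk_rating(ASR["high"], TVR["medium"], 100)},
        {"sig": "4703/0", "src": "10.1.1.10", "dst": "10.0.0.50",
         "rr": risk_rating(ASR["high"], TVR["medium"], 100)},
        {"sig": "3106/0", "src": "203.0.113.4", "dst": "10.0.0.25",
         "rr": risk_rating(86, TVR["medium"], 100)},
    ]


if __name__ == "__main__":
    for ev in sample_events():
        print(ev["sig"], ev["src"], "RR", ev["rr"],
              sorted(decide_actions(ev, {"produce-alert"}, OVERRIDES, [TRUSTED_SCANNER_FILTER])))
```

The third event reproduces the number from the case study later in the deck: severity 86, fidelity 100 and a Medium target value give exactly 86, which stays under a deny-at-90 override, so a plain alert is all that happens unless something (on the slides, Global Correlation) raises the rating.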

120 Check New Signature Impact Performance Check the impact on the memory before and after the activation of the new signature Check the impact on CPU and memory with traffic flowing Try to optmize the regular expression Avoid inspecting to many ports or use engine dedicated for that Effectiveness Is the signature matching what it should? Is the signature generating false positive?

121 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative Example with IME Service String TCP Choose the Engine Create Custom Signature Service HTTP Choose the Action Risk Rating Parameters Case Studies

122 Some Case Studies

123 The Problem. The customer is experiencing a DDoS on his email server. He is already using a Cisco Email Security Appliance (IronPort). The ESA is able to filter out the bad emails but is overloaded by the amount of email. The customer is using a Cisco IPS at the Internet perimeter, mainly to monitor what is going out of their network. The obvious solution is to scale their ESA to a bigger platform, or...

124 Second Option: Tune Signature 3106

125 Let's Be Creative. The ESA is leveraging reputation to filter email. After a short investigation, it is clear that most emails used for the DDoS have a bad reputation. What other device could use reputation? Global Correlation kicks in when an event triggers a signature, so we need to find the signature that will trigger when we receive emails. We can reuse 3106 or try a potentially less resource-intensive solution: just match when a session opens on port 25 to the server. As a first step we checked that the reputation on the ESA and on the IPS matched, as the two devices do not use the same criteria for reputation.

126 Use Reputation. (Chart: Reputation Effect on Risk Rating, Standard Mode; Reputation of Attacker against Initial Risk Rating; blue region = Deny Packet, red region = Deny Attacker.) If reputation is -1 or worse, we want the email to be blocked. Current policy of the customer: block when Risk Rating > 90. Severity of the event set to 86, fidelity set to 100 and Target Value set to Medium for the server address. Only the alert action is set, with summarization. With RR = 86 and reputation = -1, Global Correlation adds Deny Packet. As we don't see the same address within a few-minutes window, we decide not to use Deny Attacker.
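The Risk Rating formula from slide 119 carried through on the case-study numbers from slide 126 (severity 86, fidelity 100, Target Value Medium), as an added Python example that is not from the deck or from Cisco; the 0..100 clamp and the name-or-number lookup helpers are my assumptions.

```python
"""Cisco IPS Risk Rating (RR) calculator.

Added example (not from the deck): implements RR = ASR * TVR * SFR / 10000
+ ARR + PD + WLR with the parameter tables from slide 119, then reproduces
the email-DDoS case study (severity 86, fidelity 100, TVR Medium -> RR 86).
"""

# Parameter tables exactly as listed on slide 119.
ALERT_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR_RELEVANT, ARR_IRRELEVANT = 10, -10   # attack relevancy adds or subtracts 10
PD_MAX, WLR_MAX = 30, 35                   # promiscuous delta / watch list caps
RR_MAX = 100                               # assumption: RR is clamped to 0..100


def _lookup(value, table, name):
    """Accept either a table key ("medium") or a raw number (86)."""
    if isinstance(value, str):
        try:
            return float(table[value.lower()])
        except KeyError:
            raise ValueError(f"unknown {name} {value!r}") from None
    return float(value)


def risk_rating(asr, tvr, sfr, relevant=None, pd=0, wlr=0, promiscuous=False):
    """Return RR clamped to 0..100.

    asr: alert severity name or number; tvr: target value name or number;
    sfr: signature fidelity 0..100; relevant: True/False/None (ARR +10/-10/0);
    pd: promiscuous delta (0..30, only applied in promiscuous mode);
    wlr: watch list rating (0..35).
    """
    asr_v = _lookup(asr, ALERT_SEVERITY, "alert severity")
    tvr_v = _lookup(tvr, TARGET_VALUE, "target value")
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0..100")
    if not 0 <= pd <= PD_MAX:
        raise ValueError(f"PD must be 0..{PD_MAX}")
    if pd and not promiscuous:
        raise ValueError("promiscuous delta only applies in promiscuous mode")
    if not 0 <= wlr <= WLR_MAX:
        raise ValueError(f"WLR must be 0..{WLR_MAX}")
    arr = 0 if relevant is None else (ARR_RELEVANT if relevant else ARR_IRRELEVANT)
    rr = asr_v * tvr_v * sfr / 10000 + arr + pd + wlr
    return max(0.0, min(float(RR_MAX), rr))


def local_policy_action(rr, deny_threshold=90):
    """Customer policy from slide 126: deny when RR > 90, otherwise alert only."""
    return "deny-packet" if rr > deny_threshold else "produce-alert"


def case_study():
    """Slide 126: severity 86, fidelity 100, TVR Medium for the server address."""
    rr = risk_rating(asr=86, tvr="medium", sfr=100)
    # RR 86 stays under the > 90 deny threshold; in the deck the Deny Packet
    # action came from Global Correlation (reputation -1), not modelled here.
    return rr, local_policy_action(rr)


if __name__ == "__main__":
    rr, action = case_study()
    print(f"case study: RR={rr:.0f} local action={action}")
    # Same event against servers of different Target Value: TVR alone can push
    # the event over the deny threshold without touching the signature.
    for tvr in TARGET_VALUE:
        print(f"same event, TVR={tvr:17s} RR={risk_rating(86, tvr, 100):.0f}")
```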

127 Some Results

128 The Problem. A retail company in the UK is experiencing a DDoS attack bringing the web site down. They were protected by Cisco ASA and Cisco IPS. Attackers used what seemed to be legitimate HTTP GET requests. They contacted their service provider, but the requests were coming from all over the world, probably zombies remotely activated.

129 Let's Be Creative. First idea was to use Global Correlation, but the reputation of the clients was neutral. We decided to inspect the request itself. All requests looked the same and legitimate, but let's have a closer look at the PCAP. User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv: ) Gecko/ Firefox/ \r\n Can you spot anything interesting for us?

130 Use HTTP Engine. We have a way to identify the malicious traffic with good fidelity. We use the HTTP engine with 2 main parameters: to a specific Host, and a request with language set to Russian.
engine: service-http
header-regex: [Uu][Ss][Ee][Rr][-][Aa][Gg][Ee][Nn][Tt][:][\x20][^\x0d\x0a]*(ru)
request-regex: [Hh][Oo][Ss][Tt][:]\x20[Ww][Ww][Ww][.][Nn][xx][xx][xx][xx][xx][Kk][.][Cc][Oo][Mm]
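The two slide-130 regexes replayed against constructed HTTP requests, as an added Python example (not the deck's or Cisco's code): it shows which requests satisfy both parameters and includes the tuning check a practitioner would run on the unanchored (ru) match. The hostname in the request-regex is redacted with [xx] on the slide; the constructed host "www.nxxxxxk.com" is simply the literal that redacted pattern matches, and the User-Agent version numbers are invented.

```python
"""Replay of the slide-130 service-http signature in Python.

Added example (not from the deck): applies the deck's two regexes to
constructed HTTP requests to show which ones the signature would fire on.
The request-regex has the victim hostname redacted with [xx] classes; the
constructed host "www.nxxxxxk.com" is just the literal that pattern matches.
"""
import re

# Copied verbatim from the slide (the Cisco regex syntax used here is valid in re).
HEADER_REGEX = re.compile(
    r"[Uu][Ss][Ee][Rr][-][Aa][Gg][Ee][Nn][Tt][:][\x20][^\x0d\x0a]*(ru)")
REQUEST_REGEX = re.compile(
    r"[Hh][Oo][Ss][Tt][:]\x20[Ww][Ww][Ww][.][Nn][xx][xx][xx][xx][xx][Kk][.][Cc][Oo][Mm]")


def signature_fires(raw_request: str) -> bool:
    """Both parameters must match for the service-http signature to trigger.

    Simplification: both patterns are searched over the whole request text;
    the real engine scopes header-regex to the header block.
    """
    return bool(HEADER_REGEX.search(raw_request) and REQUEST_REGEX.search(raw_request))


def build_request(host: str, user_agent: str, path: str = "/") -> str:
    """Constructed HTTP/1.1 GET request for testing."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: {user_agent}\r\n"
            f"Accept: */*\r\n\r\n")


# Constructed samples modelled on the PCAP line from slide 129 (versions invented).
UA_RU = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2) Gecko/20100115 Firefox/3.6"
UA_EN = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
TARGET_HOST = "www.nxxxxxk.com"   # placeholder matching the redacted slide pattern

SAMPLES = {
    "ru client -> target site": build_request(TARGET_HOST, UA_RU),
    "en client -> target site": build_request(TARGET_HOST, UA_EN),
    "ru client -> other site": build_request("www.example.com", UA_RU),
}


def classify_samples():
    """Run every constructed request through the signature. Returns {label: fired}."""
    return {label: signature_fires(req) for label, req in SAMPLES.items()}


def header_regex_false_positive_candidates(user_agents):
    """Tuning check: (ru) is an unanchored substring anywhere on the User-Agent
    line, so a UA containing 'ru' outside the locale field also satisfies
    header-regex. Returns the UAs that match without a '; ru;' locale token."""
    hits = []
    for ua in user_agents:
        if HEADER_REGEX.search(build_request(TARGET_HOST, ua)) and "; ru;" not in ua:
            hits.append(ua)
    return hits


if __name__ == "__main__":
    for label, fired in classify_samples().items():
        print(f"{label:26s} -> {'FIRE' if fired else 'pass'}")
    # Constructed UA with 'ru' in a path, not a locale: header-regex still matches.
    print(header_regex_false_positive_candidates(
        [UA_EN, "ExampleBot/1.0 (+http://bot.example/ru-bot)"]))
```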


132 IPv6 compliance: just blocking all Routing Headers is not granular enough.

133 Atomic IP Advanced Engine. So let's write a signature for our Segments Left issue.

134 Now We are Compliant

135 Cisco IPS and IPv6. Cisco IPS is fully IPv6 enabled since 2008. Detection and analysis of native IPv6 traffic: is IPv6 in my network? Which devices send IPv6 packets? RA packets? Detection of IPv6 tunnels: which hosts are trying to tunnel IPv6 over IPv4? Detection of attacks over IPv6: all signatures detect attacks on both IPv4 and IPv6.

136 Cisco IPS and IPv6. Cisco IPS can filter and trigger on all fields in the IPv6 packet. Highly customizable. Examples: check MTU size in ICMP Too Big; check if Traffic Class is <> zero; check if Flow Label is <> zero; check for specific Destination Options header options; check for specific Hop-by-Hop options; check for the reserved field in fragment and routing headers...

137 Signature 1620: Route Advertisement

138 Signature 1630: Check MTU size

139 Signature 1701: Look for Destination Options Header

140 Signature 1728: Routing Header type 0

141 Signature 1727: Router Alert Option Set in DoH
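A Python check for the IPv6 header conditions the slides 133 to 141 signatures look at (non-zero Traffic Class and Flow Label, Routing Header type 0 and its Segments Left value, reserved fields in fragment and routing headers, a Router Alert option carried in a Destination Options header), as an added example that is not the deck's or Cisco's code; the header layouts follow the IPv6 RFCs, and every packet is constructed inline.

```python
"""Toy IPv6 header auditor mirroring the checks on slides 133 to 141.

Added example (not from the deck): parses the fixed IPv6 header and walks the
extension-header chain, reporting the conditions the deck's Atomic IP Advanced
signatures trigger on. All packets below are constructed by hand.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ROUTER_ALERT_OPTION = 5          # option type of the IPv6 Router Alert option
SRC = bytes.fromhex("20010db8" + "00" * 10 + "0001")   # constructed 2001:db8::1
DST = bytes.fromhex("20010db8" + "00" * 10 + "0002")   # constructed 2001:db8::2


def _options(block: bytes):
    """Yield option types from a Hop-by-Hop / Destination Options TLV area."""
    i = 0
    while i < len(block):
        otype = block[i]
        if otype == 0:           # Pad1: a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(block):
            break
        yield otype
        i += 2 + block[i + 1]    # type, length, data


def audit_ipv6(pkt: bytes):
    """Return a list of finding strings for one raw IPv6 packet."""
    findings = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    first_word, = struct.unpack("!I", pkt[:4])
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & 0xFFFFF
    if traffic_class:
        findings.append(f"traffic class <> 0 ({traffic_class})")
    if flow_label:
        findings.append(f"flow label <> 0 ({flow_label:#x})")
    next_hdr, off = pkt[6], 40
    while next_hdr in EXT_HEADERS and off + 8 <= len(pkt):
        if next_hdr == FRAGMENT:
            # 8 bytes: next, reserved, offset(13)/res(2)/M(1), identification
            if pkt[off + 1] != 0 or (pkt[off + 3] & 0x06):
                findings.append("fragment header reserved bits set")
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
            body = pkt[off + 2: off + hdr_len]
            if next_hdr == ROUTING:
                rtype, seg_left = body[0], body[1]
                if rtype == 0:
                    findings.append(f"routing header type 0, segments left = {seg_left}")
                    if seg_left:   # the Segments Left issue from slide 133
                        findings.append("RH0 with segments left > 0 (would be forwarded)")
                    if body[2:6] != b"\x00" * 4:
                        findings.append("routing header reserved field <> 0")
            elif next_hdr == DEST_OPTS:
                if ROUTER_ALERT_OPTION in _options(body):
                    findings.append("router alert option inside destination options header")
                findings.append("destination options header present")
            elif next_hdr == HOP_BY_HOP:
                findings.append("hop-by-hop options: " + ",".join(map(str, _options(body))))
        next_hdr, off = pkt[off], off + hdr_len
    return findings


def build_ipv6(ext_bytes: bytes, first_next: int, tc: int = 0, flow: int = 0) -> bytes:
    """Construct a 40-byte fixed header (hop limit 64) followed by ext_bytes."""
    word = (6 << 28) | (tc << 20) | flow
    fixed = struct.pack("!IHBB", word, len(ext_bytes), first_next, 64)
    return fixed + SRC + DST + ext_bytes


SAMPLES = {
    "clean": build_ipv6(b"", NO_NEXT_HEADER),
    "nonzero flow label": build_ipv6(b"", NO_NEXT_HEADER, flow=0x12345),
    # RH0: next=59, ext len=2 (24 bytes), type 0, segments left 1, 4 reserved bytes, one address
    "rh0 segments left 1": build_ipv6(bytes([59, 2, 0, 1, 0, 0, 0, 0]) + DST, ROUTING),
    # Destination Options carrying a Router Alert option (type 5, len 2) plus PadN
    "router alert in DoH": build_ipv6(bytes([59, 0, 5, 2, 0, 0, 1, 0]), DEST_OPTS),
}


def sample_findings():
    """Audit every constructed packet. Returns {name: [findings]}."""
    return {name: audit_ipv6(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in sample_findings().items():
        print(f"{name:22s} -> {found or ['no findings']}")
```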

142 Agenda Introduction Reduce Noise Reduce False Positive Reduce False Negative 13:00 Example with IME Service String TCP Choose the Engine Create Custom Signature Service HTTP Choose the Action Risk Rating Parameters Case Studies Conclusion 15:00

143 Conclusion

144 General Tips. Orient yourself: know your environment. Use IP logging for forensics. Understand the signature and why it triggered. Always balance risks against benefits.

145 Summary: Available Techniques. Tune the virtual sensor policies (ranges and actions). Disable/enable or activate/retire signatures. Event Action Filters. Summarization and Event Counter. Leverage Global Correlation. Use the Meta engine when possible. Use directional filters when applicable. Adjust Risk Rating variables: attack relevancy, asset value of the target.

146 Time for questions.

147 Complete Your Online Session Evaluation. Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.

148 MERCI - THANK YOU


Network Defenses KAMI VANIEA 1 Network Defenses KAMI VANIEA 26 SEPTEMBER 2017 KAMI VANIEA 1 First the news http://arstech nica.com/secu rity/2015/04/ meet-greatcannon-theman-in-themiddleweapon-chinaused-ongithub/ 2 First the news http://arstechni

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information

Cisco Security Monitoring, Analysis and Response System 4.2

Cisco Security Monitoring, Analysis and Response System 4.2 Q&A Cisco Security Monitoring, Analysis and Response System 4.2 GENERAL Q. What is the Cisco Security Monitoring, Analysis and Response System? A. The Cisco Security Monitoring, Analysis and Response System

More information

Introduction to Cisco ASA Firewall Services

Introduction to Cisco ASA Firewall Services Firewall services are those ASA features that are focused on controlling access to the network, including services that block traffic and services that enable traffic flow between internal and external

More information

Gladiator Incident Alert

Gladiator Incident Alert Gladiator Incident Alert Allen Eaves Sabastian Fazzino FINANCIAL PERFORMANCE RETAIL DELIVERY IMAGING PAYMENT SOLUTIONS INFORMATION SECURITY & RISK MANAGEMENT ONLINE & MOBILE 1 2016 Jack Henry & Associates,

More information

F5 DDoS Hybrid Defender : Setup. Version

F5 DDoS Hybrid Defender : Setup. Version F5 DDoS Hybrid Defender : Setup Version 13.1.0.3 Table of Contents Table of Contents Introducing DDoS Hybrid Defender... 5 Introduction to DDoS Hybrid Defender...5 DDoS deployments... 5 Example DDoS Hybrid

More information

Features and Functionality

Features and Functionality Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced

More information

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Communication. Chapter # 5: Networking Threats. By: William Stalling Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals

More information

Network Intrusion Goals and Methods

Network Intrusion Goals and Methods Network Intrusion Goals and Methods Mgr. Rudolf B. Blažek, Ph.D. Department of Computer Systems Faculty of Information Technologies Czech Technical University in Prague Rudolf Blažek 2010-2011 Network

More information

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output

More information

Cisco ASA 5500 Series IPS Solution

Cisco ASA 5500 Series IPS Solution Cisco ASA 5500 Series IPS Product Overview As mobile devices and Web 2.0 applications proliferate, it becomes harder to secure corporate perimeters. Traditional firewall and intrusion prevention system

More information

The Intrusion Rules Editor

The Intrusion Rules Editor The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, page 1 Rule Anatomy, page 2 Custom Rule Creation, page 15 Searching for Rules, page 20 Rule

More information

Intrusion Detection - Snort

Intrusion Detection - Snort Intrusion Detection - Snort Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures

More information