Signature and Intrusion Detection Configuration

Slide 0

Chapter 9: Signature and Intrusion Detection Configuration


Slide 1

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- View signature settings and configure their severities and actions.
- Enable or disable signatures.
- Configure connection and string signatures.
- Create signature templates and change which one is used by a Sensor.
- Configure the minimum alarm severity level a Sensor sends to the Director.


Slide 2

Objectives (cont.)
- Configure signature filtering to reduce false positives and tune signature triggering in the user environment.
- Configure signature tuning parameters to customize triggers for the user environment.
- Configure signature port mapping to customize it for the user environment.
- Create ACL signatures that generate alarms when ACL violations are detected in a Cisco IOS router.


Slide 3

Basic Signature Configuration


Slide 4

Viewing the Signature Settings
(screenshot callouts: Select Signature Template)


Slide 5

Signature Names and Severities
(screenshot callouts: Select Signature Template; Signature Name; Severity)


Slide 6

Enabling and Disabling Signatures
(screenshot callouts: Select Signature Template; Enable checkbox)


Slide 7

Setting Signature Actions
(screenshot callouts: Select Signature Template; Double-click Action)


Slide 8

Connection Signature Type and Port Configuration
(screenshot callouts: Select Signature Template; TCP or UDP; Port number)


Slide 9

String Signatures Configuration
(screenshot callouts: Select Signature Template; String pattern; TCP Port; Traffic Direction; Number of Occurrences)


Slide 10

Signature Templates


Slide 11

What Is a Signature Template?
(screenshot callouts: Sensor Signatures; Templates)


Slide 12

Creating a New Signature Template
Steps: select and right-click Sensor Signatures; select New > Sensor Signature.


Slide 13

Assigning the Signature Template Used by the Sensor
Steps: select the Sensor; select the Sensing tab; choose the Signature Template.


Slide 14

Applying the Signature Template to the Sensor
Steps: select the Sensor; select the Command tab; check for errors; click Approve Now.


Slide 15

Signature Filtering


Slide 16

Setting the Minimum Level to Send to the Director
Steps: select the Sensor; select the Filtering tab; set the Minimum Event Level.


Slide 17

Simple Signature Filtering
Steps: select the Sensor; select the Filtering tab; select the Simple Filtering tab.
(screenshot callouts: Signature; Sub-signature; Address role; IP address and netmask)


Slide 18

Advanced Signature Filtering
Steps: select the Sensor; select the Filtering tab; select the Advanced Filtering tab.
(screenshot callouts: Signature; Subsignature; Source Address; Destination Address)


Slide 19

Advanced Signature Configuration


Slide 20

Signature Tuning
Steps: select the Sensor; select the Sensing tab; select the Signature Tuning Parameters tab.
(screenshot callouts: Parameter names; Parameter values)


Slide 21

Signature Port Mapping
Steps: select the Sensor; select the Sensing tab; select the Port Mapping tab; click OK.


Slide 22

ACL Signatures Configuration


Slide 23

Creating ACL Signatures
Steps: select the Signature Template; select the ACL Signatures tab; click Add; click OK.


Slide 24

Defining Syslog Sources
Steps: select the Sensor; select the Monitoring tab; click Add; click OK.


Slide 25

Summary
- All signature severities and actions are modified in the signature template in CSPM.
- Signatures can be enabled or disabled.
- Connection and string signatures are configured in the signature template in CSPM.
- Many signature templates can be created. A given signature template is applied to one or many Sensors.
- The minimum alarm severity level can be configured on a Sensor to limit the alarms sent to the Director.
- Signature filtering reduces false positives and other undesired alarms.
- Signature parameter tuning is used to customize signature triggers in the user environment.
- Signature port mapping is used to customize port-to-signature settings in the user environment.
- ACL signatures generate alarms when ACL violations are detected in a Cisco IOS router.
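To make the interplay of the settings in this chapter concrete, here is a toy model of the pipeline the slides describe: a signature template holding string signatures (pattern, TCP port, traffic direction, number of occurrences, severity, enable flag, action), simple filtering that excludes a signature for an address in a given role, and the Sensor's minimum event level deciding which alarms reach the Director. This is an added example, not CSPM or Sensor code; the class and field names, the 1 (low) to 5 (high) severity scale, the action names, the "to"/"from" direction labels, the processing order (pattern match, then occurrence count, then simple filter, then minimum level) and all addresses and payloads are constructed assumptions for the illustration.

```python
"""Toy model of the CSPM signature pipeline described in the chapter.
Added illustration, not CSPM or Sensor code; names, the severity scale,
the processing order and the sample traffic are assumptions."""

from dataclasses import dataclass, field
import ipaddress


@dataclass
class StringSignature:
    """One string signature as it would be held in a signature template."""
    sig_id: int
    name: str
    pattern: bytes          # string pattern searched for in the payload
    port: int               # TCP port the signature applies to
    direction: str          # "to" or "from" the protected network (assumed labels)
    occurrences: int = 1    # number of occurrences before the alarm fires
    severity: int = 3       # assumed scale: 1 (low) .. 5 (high)
    enabled: bool = True    # the Enable checkbox
    action: str = "alarm"   # assumed action name


@dataclass
class SimpleFilter:
    """Simple filtering entry: exclude a signature for an address in one role."""
    sig_id: int
    role: str               # "source" or "destination"
    network: ipaddress.IPv4Network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    direction: str
    payload: bytes


@dataclass
class Sensor:
    template: list                      # the signature template applied to this Sensor
    filters: list                       # simple filtering entries
    min_event_level: int                # minimum level sent to the Director
    _counts: dict = field(default_factory=dict)

    def _excluded(self, sig, pkt):
        for f in self.filters:
            if f.sig_id != sig.sig_id:
                continue
            addr = ipaddress.ip_address(pkt.src if f.role == "source" else pkt.dst)
            if addr in f.network:
                return True
        return False

    def process(self, pkt):
        """Return the alarms for pkt that would be sent to the Director."""
        sent = []
        for sig in self.template:
            if not sig.enabled or sig.port != pkt.dport or sig.direction != pkt.direction:
                continue
            if sig.pattern not in pkt.payload:
                continue
            key = (sig.sig_id, pkt.src, pkt.dst)
            self._counts[key] = self._counts.get(key, 0) + 1
            if self._counts[key] < sig.occurrences:
                continue                # pattern seen, but not yet often enough
            if self._excluded(sig, pkt):
                continue                # suppressed by simple filtering
            if sig.severity < self.min_event_level:
                continue                # below the minimum level: not sent to the Director
            sent.append((sig.sig_id, sig.name, sig.severity, sig.action, pkt.src))
        return sent


def run_demo(min_event_level=3):
    """Constructed template and traffic; returns the alarms that reach the Director."""
    template = [
        StringSignature(8001, "passwd-request", b"/etc/passwd", 80, "to",
                        occurrences=2, severity=4),
        StringSignature(8002, "cmd-exe-request", b"cmd.exe", 80, "to", severity=2),
        StringSignature(8003, "disabled-sig", b"wget", 80, "to", severity=5,
                        enabled=False),
    ]
    # Constructed: the in-house scanner on 10.0.1.0/24 must never raise 8001.
    filters = [SimpleFilter(8001, "source", ipaddress.IPv4Network("10.0.1.0/24"))]
    sensor = Sensor(template, filters, min_event_level)

    traffic = [  # constructed sample packets
        Packet("172.30.1.50", "10.0.1.3", 80, "to", b"GET /etc/passwd HTTP/1.0"),
        Packet("172.30.1.50", "10.0.1.3", 80, "to", b"GET /../etc/passwd HTTP/1.0"),
        Packet("10.0.1.7", "10.0.1.3", 80, "to", b"GET /etc/passwd HTTP/1.0"),
        Packet("10.0.1.7", "10.0.1.3", 80, "to", b"GET /etc/passwd HTTP/1.0"),
        Packet("172.30.1.50", "10.0.1.3", 80, "to", b"GET /cmd.exe HTTP/1.0"),
        Packet("172.30.1.50", "10.0.1.3", 80, "to", b"GET wget HTTP/1.0"),
    ]
    alarms = []
    for pkt in traffic:
        alarms.extend(sensor.process(pkt))
    return alarms


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

With the constructed traffic only one alarm reaches the Director: signature 8001 from 172.30.1.50, and only on its second occurrence. The same pattern from the filtered 10.0.1.0/24 source is dropped by simple filtering, the severity-2 signature is held back by the minimum event level of 3, and the disabled signature never matches. Lowering the minimum level to 1 lets the severity-2 alarm through as well, which is the trade-off the Minimum Event Level setting controls.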


Slide 26

Lab: Signatures Configuration


Slide 27

CSPM Lab Visual Objective
(topology diagram: Pod P is your pod, Pod Q is the peer pod. Routers rP and rQ connect e0/0 to 10.0.P.0/24 and 10.0.Q.0/24 at .1 and e0/1 to the shared 172.30.1.0/24 network at .P and .Q. The CSPM Director hosts are 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = directorP, Org Name = podP) and 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = directorQ, Org Name = podQ). Each pod also has sensorP/idsmP and sensorQ/idsmQ at .4 and .6 of its pod network.)

