Presentation is loading. Please wait.

Presentation is loading. Please wait.

Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap.

Published byAyanna Bleakley Modified over 9 years ago

Similar presentations

Presentation on theme: "Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap."— Presentation transcript:

1 Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap Aggressive Actions Deny Packet Inline (Single) Deny Connection Inline (udp/tcp) Deny Attacker Inline (S/IP) Deny Attacker-Victim pair Inline (S/IP & D/IP) Deny Attacker-service pair Inline (S/IP to D/Port) Reset TCP Connection Request Block Connection Request Block Host Request rate Limit Modify Packet Inline Risk Rating Potential Damage Target Asset value Signature Accuracy Attack Relevancy Clues from Others ASR TVR SFR/PD ARR/OS WLR (CSA) ASR = Attack Severity rating Info (25) Low (50) Med (75) High (100) TVR = Target Value rating Zero (50) Low (75) Med (100) High (150) Critical (200) SFR = Signature Fidelity rating (0-100) PD = Promiscuous delta (0-30) minus value ARR = Attack Relevancy Rating Relevant (10) unknown (0) Not relevant (-10) WLR = watch List rating (0-100) RR= (ASR*TVR*SFR/10000) +ARR –PD +WLR Signature Parameters Event Action Overides Based on RR category Add actions Event Action Filters Based on RR category & others Delete actions Common Signature Parameters Signature ID SubSig ID Alert Severity (H,M,L,I) Sig Fidelity (0-100) Promis delta (0-30) Sig Name TO FIRE THE SIG Event Count Event count Key AaBb Interval TO GENERATE ALERT Summary Mode Summary Key AaBb Summary Threshold Global Summary Threshold Summary Interval Enabled/Retired Specific Signature Parameters Atomic IP Engine Parameters IP Addr Options IP Payload length TCP Mask urg,ack,psh,rst,syn,fin TCP flags urg,ack,psh,rst,syn,fin

2 Summary Key XXXX AaBb Aa=Attack Bb=Victim Uppercase=IP Lowercase=port 0 60 secs TRAFFIC 1 0 60 secs TRAFFIC 2 0 60 secs TRAFFIC 3 100 Matches = 100 alerts 160 Matches = 150 alerts 320 matches = 150 alerts @60 sec Generate Summary @60 sec Generate Global Summary Criteria Sig ID = 60000 Summary Mode: Fire All Summary Threshold: 150 Global Summary Threshold: 300 Summary Interval: 60

3 TCP Header U A SF MASK = ASF Flags = SF11

4 False Positive = TOO SENSITIVE (Increase accuracy../cmd.exe rather than../) False Negative = INSENSITIVE (Decrease accuracy../ rather than../fred.txt/home/)

Download ppt "Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap."

Similar presentations

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.

TCP Flooding. TCP handshake C S SYN C SYN S, ACK C ACK S Listening Store data Wait Connected.
Implementing a Highly Available Network

Implementing a Highly Available Network
Network Layer Security: IPSec

Network Layer Security: IPSec
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff +1 312 362-5878 DePaul University.

IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff DePaul University.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Network Intrusion Prevention CSCI 5235.01 Network Security Amruta Gurav.

Network Intrusion Prevention CSCI Network Security Amruta Gurav.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Similar presentations

Ads by Google