Presentation is loading. Please wait.

Presentation is loading. Please wait.

Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap.

Similar presentations


Presentation on theme: "Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap."— Presentation transcript:

1 Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap Aggressive Actions Deny Packet Inline (Single) Deny Connection Inline (udp/tcp) Deny Attacker Inline (S/IP) Deny Attacker-Victim pair Inline (S/IP & D/IP) Deny Attacker-service pair Inline (S/IP to D/Port) Reset TCP Connection Request Block Connection Request Block Host Request rate Limit Modify Packet Inline Risk Rating Potential Damage Target Asset value Signature Accuracy Attack Relevancy Clues from Others ASR TVR SFR/PD ARR/OS WLR (CSA) ASR = Attack Severity rating Info (25) Low (50) Med (75) High (100) TVR = Target Value rating Zero (50) Low (75) Med (100) High (150) Critical (200) SFR = Signature Fidelity rating (0-100) PD = Promiscuous delta (0-30) minus value ARR = Attack Relevancy Rating Relevant (10) unknown (0) Not relevant (-10) WLR = watch List rating (0-100) RR= (ASR*TVR*SFR/10000) +ARR –PD +WLR Signature Parameters Event Action Overides Based on RR category Add actions Event Action Filters Based on RR category & others Delete actions Common Signature Parameters Signature ID SubSig ID Alert Severity (H,M,L,I) Sig Fidelity (0-100) Promis delta (0-30) Sig Name TO FIRE THE SIG Event Count Event count Key AaBb Interval TO GENERATE ALERT Summary Mode Summary Key AaBb Summary Threshold Global Summary Threshold Summary Interval Enabled/Retired Specific Signature Parameters Atomic IP Engine Parameters IP Addr Options IP Payload length TCP Mask urg,ack,psh,rst,syn,fin TCP flags urg,ack,psh,rst,syn,fin

2 Summary Key XXXX AaBb Aa=Attack Bb=Victim Uppercase=IP Lowercase=port 0 60 secs TRAFFIC secs TRAFFIC secs TRAFFIC Matches = 100 alerts 160 Matches = 150 alerts 320 matches = 150 sec Generate sec Generate Global Summary Criteria Sig ID = Summary Mode: Fire All Summary Threshold: 150 Global Summary Threshold: 300 Summary Interval: 60

3 TCP Header U A SF MASK = ASF Flags = SF11

4 False Positive = TOO SENSITIVE (Increase accuracy../cmd.exe rather than../) False Negative = INSENSITIVE (Decrease accuracy../ rather than../fred.txt/home/)


Download ppt "Signature Actions Non Aggressive Actions Produce Alert Produce Verbose Alert Log Attacker Packets Log Victim Packets Log pair Packets Request SNMP trap."

Similar presentations


Ads by Google