The Cisco IOS IPS now identifies more than 700 of the most common
attacks using signatures to detect patterns of misuse in network traffic. The
intrusion prevention signatures were chosen from a broad cross-section of
intrusion prevention signatures. The signatures represent severe breaches of
security and the most common network attacks and information-gathering
scans.
Signatures
As of Release 12.3(8)T, Cisco IOS IPS has 132 built-in signatures available in the Cisco IOS Software image. The built-in signatures are hard-coded into the Cisco IOS Software image for backward compatibility. Each signature can be set to send an alarm, drop the connection, or reset the connection. Each action is enabled on a per-signature basis. Each signature has an action assigned by default, based on the severity of the signature.
Additionally, Cisco IOS IPS has the ability to download IPS signatures without the need for a Cisco IOS Software image update. At the time of this writing, Cisco IOS IPS supports more than 740 signatures. Typically, new signatures are released every two weeks, with emergency signature updates posted as needed. The signatures are posted to Cisco.com at the web link below. A valid CCO login is required to access the site.
The Nimda virus, for example, can be detected by loading and enabling the signatures shown in Figure.
The Signature Definition File
The signature definition file (SDF) is integral to Cisco IOS IPS. The SDF is an Extensible Markup Language (XML) file with a definition of each signature along with its configurable actions. Cisco IOS IPS reads in the SDF, parses the XML, and populates its internal tables with the information necessary to detect each signature. The SDF contains both the signature definitions and their configuration. Actions such as alarm, drop, or reset can be selected for individual signatures within the SDF. The SDF can be modified so that the router detects only specific signatures; as a result, it can contain all or a subset of the signatures supported in Cisco IOS IPS. The administrator specifies the location of the SDF. The SDF can reside on the local Flash file system (the recommended option) or on a remote server. Remote servers can be accessed via TFTP, FTP, Secure Copy Protocol (SCP), or Remote Copy Protocol (RCP). After signatures are loaded and compiled on a router running Cisco IOS IPS, the IPS begins detecting the new signatures immediately.
Signature Micro-engines
Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and scan signatures. Each engine categorizes a group of signatures, and each signature detects patterns of misuse in network traffic. For example, all HTTP signatures are grouped under the HTTP engine. Currently, Cisco IOS IPS supports more than 740 signatures. These signatures are part of the common set of signatures that Cisco IDS sensors support, helping to ensure that all Cisco products use a common resource, and are available for download from Cisco.com.
Signatures contained within the SDF are handled by a variety of SMEs. The SDF typically contains signature definitions for multiple engines. An SME typically corresponds to the protocol in which the signature occurs and looks for malicious activity in that protocol. A packet is processed by several SMEs. Each SME scans for various conditions that can lead to a signature pattern match. When an SME scans the packets, it extracts certain values, searching for patterns within the packet via the regular expression engine.
attack-drop.sdf
The attack-drop.sdf file is available in flash on all Cisco access routers that are shipped with Cisco IOS Release 12.3(8)T or later. The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS system. If flash is erased, the attack-drop.sdf file may be erased with it. This can happen when the contents of flash memory are erased before a new Cisco IOS image is copied to flash. If this occurs, the router falls back to the built-in signatures within the Cisco IOS image. The attack-drop.sdf file can also be downloaded onto the router from the web link below.
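The following Python program is an added example, not Cisco code, that models the pieces described in the sections above on signatures, the SDF, the signature micro-engines, and attack-drop.sdf: it parses an SDF-style XML file, fills in a default action by severity, validates that every action is alarm, drop, or reset, groups signatures by micro-engine, scans a packet payload with the regular expressions of the engines relevant to it, trims an SDF to a chosen subset of signatures, and falls back to hard-coded built-in signatures when the SDF cannot be read from flash. The XML element and attribute names, the signature ids 9000 to 9003, the patterns, the default-action table, and the file path are all assumptions made for the illustration; they are not the schema or contents of the real attack-drop.sdf.

```python
"""Toy model of an SDF-driven IPS (added example, not Cisco code).

ASSUMED simplified XML schema, constructed signature ids and patterns; not
the schema or contents of the real attack-drop.sdf.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

ACTIONS = {"alarm", "drop", "reset"}  # the per-signature actions from the text
# Assumed default-action-by-severity table; the text only says the default
# depends on severity.
DEFAULT_ACTION = {"low": "alarm", "medium": "alarm", "high": "drop"}
ACTION_RANK = {"alarm": 0, "drop": 1, "reset": 2}

# Constructed sample SDF: each signature names its engine (protocol),
# a severity, and optionally an explicit action.
SAMPLE_SDF = r"""<?xml version="1.0"?>
<Signatures>
  <Sig id="9001" subid="0" engine="HTTP" severity="high" action="drop">
    <Description>cmd.exe requested in URL (constructed pattern)</Description>
    <Pattern>[/\\]cmd\.exe</Pattern>
  </Sig>
  <Sig id="9002" subid="0" engine="HTTP" severity="low">
    <Description>directory traversal in URL (constructed pattern)</Description>
    <Pattern>\.\./</Pattern>
  </Sig>
  <Sig id="9003" subid="0" engine="SMTP" severity="medium" action="reset">
    <Description>oversized HELO argument (constructed pattern)</Description>
    <Pattern>^HELO .{256,}</Pattern>
  </Sig>
</Signatures>
"""

# Stand-in for the signatures hard-coded into the image, used when the SDF
# cannot be read (for example, flash erased before a new image was copied).
BUILTIN_SDF = r"""<?xml version="1.0"?>
<Signatures>
  <Sig id="9000" subid="0" engine="HTTP" severity="low">
    <Description>built-in placeholder signature (constructed)</Description>
    <Pattern>/cgi-bin/test-cgi</Pattern>
  </Sig>
</Signatures>
"""


@dataclass(frozen=True)
class Signature:
    sig_id: int
    sub_id: int
    engine: str        # micro-engine (SME) that owns this signature
    severity: str
    action: str        # alarm | drop | reset
    description: str
    pattern: re.Pattern


def parse_sdf(xml_text: str) -> list[Signature]:
    """Read the SDF, apply the severity default, and reject unknown actions."""
    sigs = []
    for el in ET.fromstring(xml_text).iter("Sig"):
        severity = el.get("severity", "low")
        action = el.get("action") or DEFAULT_ACTION[severity]
        if action not in ACTIONS:
            raise ValueError(f"signature {el.get('id')}: unknown action {action!r}")
        sigs.append(Signature(
            sig_id=int(el.get("id")), sub_id=int(el.get("subid", "0")),
            engine=el.get("engine", "OTHER"), severity=severity, action=action,
            description=el.findtext("Description", "").strip(),
            pattern=re.compile(el.findtext("Pattern", "").strip()),
        ))
    return sigs


def subset_sdf(xml_text: str, keep_ids: set[int]) -> str:
    """Return a trimmed SDF containing only the requested signature ids."""
    root = ET.fromstring(xml_text)
    for el in list(root):
        if int(el.get("id")) not in keep_ids:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


def load_signatures(sdf_path: str) -> tuple[list[Signature], str]:
    """Prefer the SDF on 'flash'; fall back to the built-ins if it is missing."""
    path = Path(sdf_path)
    if path.exists():
        return parse_sdf(path.read_text()), "sdf"
    return parse_sdf(BUILTIN_SDF), "builtin"


def build_engines(sigs: list[Signature]) -> dict[str, list[Signature]]:
    """Group signatures by micro-engine, as the SMEs do at load time."""
    engines: dict[str, list[Signature]] = {}
    for s in sigs:
        engines.setdefault(s.engine, []).append(s)
    return engines


def scan(engines, engine_names, payload: str) -> list[tuple[str, str]]:
    """Run the engines relevant to this packet; return (id:subid, action) hits."""
    hits = []
    for name in engine_names:
        for s in engines.get(name, []):
            if s.pattern.search(payload):
                hits.append((f"{s.sig_id}:{s.sub_id}", s.action))
    return hits


def verdict(hits) -> str | None:
    """Most severe configured action across all matching signatures."""
    return max((a for _, a in hits), key=ACTION_RANK.__getitem__, default=None)


if __name__ == "__main__":
    sigs, source = load_signatures("flash/attack-drop.sdf")  # illustrative path
    engines = build_engines(sigs)
    hits = scan(engines, ["HTTP"], "GET /scripts/../../winnt/system32/cmd.exe HTTP/1.0")
    print(source, hits, verdict(hits))
```

Two points of the design matter for operation rather than the toy: `parse_sdf` refuses an SDF with an action outside alarm, drop, or reset rather than silently defaulting, so a typo in a hand-edited SDF fails at load time; and `load_signatures` makes the fallback to built-ins explicit by returning where the signatures came from, which is the thing to check after a flash erase, since a router silently running only the built-in set has far less coverage than one running the full SDF.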