BRKSEC-3030 Advanced - From Alerts to Tuning with Cisco IPS Thursday, February 2: 09:00 Rating *****
This was to be the first session of the penultimate day. Not as early a start as the first session of yesterday, but the smallest number of attendees I have seen for any of the sessions, so my expectations were not high. As everyone filed in and sat down, another session had already started and was clearly audible through what was only curtain fabric separating each breakout session. Not a good start.
The presenter started the session with no introduction but what looked like a home video of his kids on the big screen. It turned out that his daughter was quietly crafting a PDF document (with embedded .exe), probably using Metasploit, in her bedroom to deliver to an unsuspecting 6 year old boy. The big arm of the law in the form of her father saved the day by capturing her activity and blocking it with IPS once detected.
The session then started and the presenter introduced himself as Fabien Gandola from France. It was clear that there was going to be some fun content as well as useful information; take a look at the first few slides and you will see what I mean.
There was a short description of the term noise, which was explained, as I understood it, to be benign (not a danger to you) background traffic in your network; other people consider noise to be false positives. Mostly the session was going to be about eliminating, or at least reducing, anything false in your network as far as IPS was concerned. The tuning of signatures to reduce or eliminate false positives and false negatives was going to be the main content.
Unlike some of the other sessions I have attended, there was no big new feature to announce in any upcoming release. The session was just about confirming and illustrating the best practices for tuning signatures in IPS. Event action overrides and event action filters are the main way in which you should be tuning the sensor. The creation of any custom signatures should be done with care and full testing before deployment.
I picked up a couple of tips from the session, one to do with disabled and retired signatures, the other to do with normaliser buffer size. It is always difficult to get specific values from Cisco, in their documentation or on the web site, about performance, buffer sizes etc. At events like Cisco Live, where you have direct access to the engineers and detailed information, the numbers flow more freely. I have never been able to confirm exactly what the normaliser engine uses in resources to reassemble flows to present to the sensor for inspection. There was a guy from Cisco in the room who finally confirmed what the buffer size is for normalising, and it is a whopping 4 gig.
To retire a signature means it is not loaded and therefore consumes no memory or CPU; traffic is not inspected against it at all. A disabled signature only suppresses the actions for it: the signature is still loaded and traffic is still inspected against it, so disabling alone does not recover sensor resources.
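To make the two tuning mechanisms concrete, here is an added example of the kind of sensor configuration the session was describing. It is not material from the session or from Cisco; it is written from memory of the Cisco IPS 7.x CLI, so the exact prompts and keywords (service event-action-rules, filters insert, actions-to-remove, signatures / status / retired) are assumptions to be checked against the version you run. The signature IDs, the scanner address 10.1.1.1 and the filter name are made up for illustration.

```text
! --- Event action filter: keep the alert, stop the deny for a known vulnerability scanner ---
! Assumed Cisco IPS 7.x syntax; signature 2004 and 10.1.1.1 are placeholders.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert scanner-noise begin
sensor(config-rul-fil)# signature-id-range 2004
sensor(config-rul-fil)# attacker-address-range 10.1.1.1
sensor(config-rul-fil)# actions-to-remove deny-attacker-inline
sensor(config-rul-fil)# exit
!
! --- Event action override: add a deny for anything the sensor scores as high risk ---
sensor(config-rul)# overrides deny-attacker-inline
sensor(config-rul-ove)# risk-rating-range 90-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
!
! --- Retire versus disable (placeholder signature 1000/0) ---
! "enabled false" alone: signature still loaded, traffic still inspected, no actions fire.
! "retired true": signature unloaded, no memory or CPU spent on it.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1000 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# retired true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
```

The point of the filter is that it narrows the change to one source and one signature rather than disabling the signature for everybody, and it only removes the deny while leaving the alert so the scanner's activity is still visible. Retiring is the right choice for signatures that do not apply to your environment at all; disabling is for signatures you want to keep inspecting but not act on.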
It was also highly recommended that the default signatures in the default virtual sensor should be left as is. A separate virtual sensor should be created as the working sensor. There should be no concern over resource use with the additional virtual sensor, as each virtual sensor only consumes 72 meg.
There is no support for the "OR" condition in Meta events; this is being worked on for future releases.
The normaliser engine can drop traffic without alerting, and it is the only engine to do this. Because of this behaviour, it was recommended that you turn the normaliser engine off while troubleshooting, so that a silent drop is not mistaken for a problem elsewhere.
For the TCP string engine it was recommended that you need look no deeper than 250 bytes into the stream.
HTTP signatures can be configured with a direction (client to server or server to client), so a signature only fires on the traffic it is meant for.
Some great real world examples were given, including a bank that had had problems which were identified and solved through IPS. A string "ru;" picked up through the sensor, in a PCAP capture, identified the issue as being sourced from a Russian site that could then be blocked.
Supporting Links: register with Cisco Live 2012, it's free and gives you access to all the PDFs
BRKSEC-3030 Advanced - From Alerts to Tuning with Cisco IPS