An IPS/IDS sensor may report the following:
The IDS/IPS sensor may be configured based on any one or more of the following methods:
1. Signature-based IPS/IDS - checks for a specific pattern (or signature) in the traffic entering or leaving the network; an IPS stops the traffic when the pattern is encountered and reports it. Note that an IDS can only identify such traffic after it has actually passed through the network.
2. Policy-based IPS/IDS - here, a policy is configured according to a set of rules using a policy map. An example is to stop any traffic on port 80 using an ACL and a policy map.
3. Anomaly-based IPS/IDS - here the sensor looks for any anomaly in the traffic. One example is login session requests from a specific IP. If the requests exceed a predetermined number, the IDS may trigger an alert.
4. Reputation-based IPS/IDS - here the IDS/IPS sensor looks at the reputation of the sender or originator. It is something like comparing the sender's IP address with a list of known malicious IPs. If a match occurs, the packets from that particular IP may be stopped.
Traffic substitution and insertion: here the attacker substitutes characters in the data using different encodings that have the same final meaning. An example is Unicode strings, which an end station could interpret but a less capable IPS/IDS might not.
This type of evasive technique may be countered by data normalization and de-obfuscation methods.
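As an added illustration of the normalization step described above (example code written for these notes, not from any IPS product), the function below decodes percent-encoded, %uXXXX-Unicode and double-encoded request URIs before matching them against two constructed signatures, so a substitution that slips past a naive literal match is caught after de-obfuscation.

```python
import re
from urllib.parse import unquote

# Constructed example signatures (not from any real IPS ruleset): literal
# patterns a signature-based sensor might look for in HTTP request URIs.
SIGNATURES = {
    "dir-traversal": "../",
    "passwd-read": "/etc/passwd",
}

# Non-standard %uXXXX Unicode escape, one of the substitutions an attacker
# may use because the end station decodes it while a naive matcher does not.
_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize_uri(uri: str) -> str:
    """De-obfuscate a request URI before signature matching.

    Decodes %uXXXX escapes and standard %XX percent-encoding, repeating
    until the string stops changing so double-encoding is unwrapped too.
    """
    prev, cur = None, uri
    for _ in range(4):  # bounded so pathological input cannot loop forever
        if cur == prev:
            break
        prev = cur
        cur = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = unquote(cur)
    return cur.replace("\\", "/")  # treat backslash as a path separator


def match_signatures(uri: str, normalize: bool = True) -> list:
    """Return the names of signatures found in uri.

    With normalize=False the raw bytes are matched, which is the behaviour
    of the 'lesser' sensor the notes describe; with normalize=True the URI
    is de-obfuscated first.
    """
    text = normalize_uri(uri) if normalize else uri
    return [name for name, pat in SIGNATURES.items() if pat in text]
```

A sensor that only runs the `normalize=False` path reports nothing for `/index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd`, while the normalized path reports both signatures.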
IPS/IDS sensors send out alerts if any suspicious event occurs. There are three main ways that are used widely for this purpose. These are:
IPS Manager Express (IME) and Cisco Security Manager (CSM) are two management applications through which you receive alerts via SDEE. IME can support up to 10 sensors, whereas CSM can support up to 25 sensors.
An active IDS responds to an intrusion by taking pre-configured steps to prevent the intruder from doing any further damage. Such steps may include blocking the IP address from accessing the network or disabling the port that was intruded upon, etc.
The steps involved in configuring Cisco IOS IPS are:
There are several key terms that one needs to be familiar with.
Alert: An alert is a message from the analyzer indicating that an event of interest has occurred. Alerts occur when activities of a predefined type exceed a threshold value set by the operator.
Analyzer: The analyzer processes the data collected by the sensor. The analyzer monitors the events and determines whether any unusual activity is taking place. It can also use a rule-based process and send alerts when a rule is met or not met.
Data Source: Data source is the raw information available to the analyzer. Data source is used by an analyzer to analyze any suspicious activity.
Event: An event is an occurrence in a data source that indicates that a suspicious activity has occurred. The analyzer processes any such events and may generate an alert.
Manager: The manager is the interface that an operator uses to manage the IDS. An operator uses IDS manager to configure the IDS.
Notification: Notification is the process by which the IDS manager makes the operator aware of an alert.
Operator: The operator is the human interface responsible for configuring and managing the IDS.
Sensor: A sensor is the IDS component that collects data from the data source and passes it on to the analyzer.