
    Creating a Signature Attack Object

    A signature attack object is a pattern you want the system to detect. You use a DFA expression to represent the pattern. All of the other signature properties you can set (such as service or protocol context, direction, and other constraints) are provided so you can optimize performance of the system in detecting the pattern and eliminate false positives. In general, you want to tune settings of a signature attack object so that the system looks for it in every context where it might occur and in no other context.

    To configure a signature attack object:

    1. In the Object Manager, select Attack Objects > IDP Objects.
    2. Click the Custom Attacks tab.
    3. Click the + icon to display the Custom Attack dialog box.
    4. Configure attack object settings. Figure 1 shows the General tab. Table 1 provides guidelines for completing the settings.

      Figure 1: Custom Attack Object: General Tab


      Table 1: Custom Attack Dialog Box: General Tab Settings

      Setting

      Description

      Name

      The name displayed in the UI.

      Tip: Include the protocol the attack uses as part of the attack name.

      Description

      (Optional) Information about the attack. Although a description is optional when you create a new attack object, it can help you remember important information about the attack. For examples, view the attack descriptions for predefined attacks.

      Severity

      Info, Warning, Minor, Major, or Critical. Critical attacks are attempts to crash your server or gain control of your network. Informational attacks are the least dangerous and typically are used by network administrators to discover holes in their own security system.

      Category

      A predefined or new category.

      Keywords

      Unique identifiers that can be used to search and sort log records.

      Recommended

      Indicates that this attack object is among your highest-risk set of attack objects. Later, when you add this attack object to dynamic groups, you can specify whether to include only recommended attack objects.

      Attack Versions

      Skip this for now.

      Detection Performance

      Select High, Medium, Low, or Not Defined.

    5. Configure additional attack details on the Extended tab. Figure 2 shows the Extended tab. Table 2 provides guidelines for completing the settings.

      Figure 2: Custom Attack Object: Extended Tab


      Table 2: Custom Attack Dialog Box: Extended Tab Settings

      Setting

      Description

      Primary URL

      Secondary URL

      Tertiary URL

      Up to three URLs (primary, secondary, tertiary) to external references you used to research the attack.

      CVE

      The Common Vulnerabilities and Exposures (CVE) ID that the attack object addresses. CVE is a standardized list of vulnerabilities and other information security exposures. The CVE number is an alphanumeric code, such as CVE-2209.

      BugTraq

      The BugTraq ID number that the attack object addresses. BugTraq is a moderated mailing list that discusses and announces computer security vulnerabilities. The BugTraq ID number is a three-digit code, such as 831 or 120.

      Impact

      Information about the impact of a successful attack, including information about system crashes and access granted to the attacker.

      Description

      Additional information.

      Tech Info

      Information about the vulnerability, the commands used to execute the attack, which files are attacked, registry edits, and other low-level information.

      Patches

      Any patches available from the product vendor, as well as information about how to prevent the attack.

    6. Click the General tab.
    7. Under Attack Versions, click the + icon to display the New Attack wizard.
    8. On the Target Platform and Type page, select a device platform and attack type. Figure 3 shows the Target Platform and Type page. Table 3 describes the attack types.

      Figure 3: Custom Attack: Target Platform and Type Page


      Table 3: Attack Object Types

      Type

      Description

      Signature

      Uses a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.

      Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs.

      If you know the exact attack signature, the protocol, and the attack context used for a known attack, select this option.

      Compound Attack

      Detects attacks that use multiple methods to exploit a vulnerability. This object combines multiple signatures or protocol anomalies into a single attack object, forcing traffic to match all combined signatures or anomalies within the compound attack object before traffic is identified as an attack.

      By combining and even specifying the order in which signatures or anomalies must match, you can be very specific about the events that must take place before the IDP engine identifies traffic as an attack.

      If you need to detect an attack that uses several benign activities to attack your network, or if you want to enforce a specific sequence of events to occur before the attack is considered malicious, select this option.

    9. Select Signature and click Next.
    10. On the Custom Attack – General Properties page, configure constraints and other settings. Figure 4 shows the Custom Attack – General Properties page. Table 4 provides guidelines for completing the settings.

      Figure 4: Custom Attack - General Properties Page


      Table 4: Custom Attack – General Properties

      Property

      Description

      Info

      False Positives

      Select the frequency that the attack object produces a false positive on your network: Unknown, Rarely, Occasionally, Frequently.

      Typically, you do not initially know the frequency of false positives. You can update this setting as your observations change.

      Service Binding

      Protocol Type

      Service–If you were able to determine the service through your research, select Service. Later in the wizard, you can specify a service context.

      IP–If you are not sure of the service but you know IP details, select IP and specify a protocol type number.

      TCP, UDP, or ICMP–If you do not know the service context but you know protocol details, select the protocol.

      For TCP and UDP protocol types, specify the port ranges.

      RPC–If you are detecting threats over remote procedure call (RPC) protocol, select this option and specify the program ID.

      RPC is used by distributed processing applications to handle interaction between processes remotely. When a client makes a remote procedure call to an RPC server, the server replies with a remote program. Each remote program uses a different program number.

      IPv6 or ICMPv6–Do not select these options. IDP Series devices do not support inspection of IPv6.

      Any–If you are unsure of the correct service, select Any to match the signature in all services. Matching any service essentially turns off service binding and has a significant performance impact. Specify Any when you know that attacks are using multiple services to attack your network.

      Note: You must select a service binding other than Any if you want to select a context for the attack.

      Time Binding

      Enable

      Time binding attributes track how many times a signature is repeated. By configuring the scope and count of an attack, you can detect a sequence of the same attacks over a period of time (one minute) across sessions. This method is useful for detecting brute force attacks that attempt to guess authentication credentials or overwhelm system capacity to handle data.

      Scope

      Select the scope within which the count occurs:

      • Source–Detects the signature in traffic from the source IP address for the specified number of times, regardless of the destination IP address.
      • Destination–Detects the signature in traffic from the destination IP address for the specified number of times, regardless of the source IP address.
      • Peer–Detects the signature in traffic between source and destination IP addresses of the sessions for the specified number of times.

      Count/Min

      Enter the number of times per minute that the signature must be detected within the specified scope before the device identifies the traffic as a match.

      The minute timer starts when the signature first matches the event. If the signature matches the same event for the specific count or higher within the next 60 seconds, the traffic is a match.

      The system increments the count each time it detects the signature, either regardless of port (application identification) or according to your port binding settings. For example, when the system detects the signature on TCP/80 and then on TCP/8080, the count is 2.
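      As an added illustration, not Juniper code, the following Python models the Time Binding behaviour described above: one hit counter per scope key, with the minute timer starting at the first hit and ports left out of the key. The IP addresses, timestamps and the exact window-expiry handling are constructed assumptions.

```python
# Added example, not Juniper code: models the Time Binding settings
# (Scope + Count/Min) described above.  Scope keys and the 60-second
# window handling are assumptions taken from the table text.

WINDOW_SECONDS = 60


class TimeBinding:
    """Counts signature hits per scope key inside a one-minute window."""

    def __init__(self, scope: str, count_per_min: int):
        if scope not in ("source", "destination", "peer"):
            raise ValueError("scope must be source, destination or peer")
        if count_per_min < 1:
            raise ValueError("count must be at least 1")
        self.scope = scope
        self.count = count_per_min
        self._state = {}  # scope key -> (window_start, hits_in_window)

    def _key(self, src: str, dst: str):
        if self.scope == "source":
            return src          # any destination counts
        if self.scope == "destination":
            return dst          # any source counts
        return (src, dst)       # peer: only this source/destination pair

    def observe(self, ts: float, src: str, dst: str, dport: int = 0) -> bool:
        """Record one signature hit; True once the count is reached in the window."""
        # dport is deliberately not part of the key: hits on TCP/80 and
        # TCP/8080 from the same source both increment the same counter.
        key = self._key(src, dst)
        start, hits = self._state.get(key, (None, 0))
        # The minute timer starts on the first hit; a hit arriving after
        # the window has elapsed starts a fresh window and count.
        if start is None or ts - start > WINDOW_SECONDS:
            start, hits = ts, 0
        hits += 1
        self._state[key] = (start, hits)
        return hits >= self.count


def demo_brute_force() -> list:
    """Constructed: one source hits three hosts on two ports within 20 s."""
    tb = TimeBinding("source", 3)
    hits = [
        (0.0, "198.51.100.7", "192.0.2.10", 80),
        (10.0, "198.51.100.7", "192.0.2.11", 8080),
        (20.0, "198.51.100.7", "192.0.2.12", 80),
    ]
    return [tb.observe(ts, s, d, p) for ts, s, d, p in hits]  # [False, False, True]
```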

      Constraints

      Within Bytes Constraint

      Use this constraint to require that the pattern be found within a byte range:

      • Lower limit–Specify the beginning of the range.
      • Upper limit–Specify the end of the range.
      • Start point–Your selection must be consistent with your pattern context setting. For example, if you configured one of the service contexts, select Context. If you configured one of the packet contexts, select Packet. If you configured one of the stream contexts, select Stream.

        In NSM, it is possible to select a start point that is inconsistent with the pattern context setting. For example, the NSM object editor allows you to configure a pattern context http-variable and then set a within bytes start point that is start-of-packet. However, the within bytes match logic will be resolved to the start point you should have selected: context.

      Inspection for this object terminates when the range limit is reached.

      Example: If you know a threat can be identified either completely within the first 20 bytes of the http-variable context or not identified at all, you set the context to http-variable and use the within-bytes constraint to terminate inspection after bytes 1-20 of the generated http-variable context are processed.

      You can set multiple constraints. The constraints are evaluated as a Boolean OR.

      Example: You configure two start-of-stream constraints with byte ranges of 20-40 and 80-100. The constraint rules out matches unless found within either byte range.

      Within Packets Constraint

      Use this constraint to require that the pattern be found completely within a packet range:

      • Lower limit–Specify the beginning of the range.
      • Upper limit–Specify the end of the range.

      Inspection (for this object) terminates when the range limit is reached.

      Example: If you know a threat can be identified either in the first 2 packets or not identified at all, you set a stream context and use the within packets constraint to terminate inspection after 2 packets.

      Context Check

      Use this constraint to require the matching context be of a specified byte length to be a hit:

      • Constraint–Select length.
      • Comparison operator–Select =, !, >, or <.
      • Operand–Select a byte length.

      Example: You can use the context check constraint as a tuning device to limit processing for harmless traffic. For example, if you know that a certain class of attack, like a buffer overflow attack, always has an unusually large byte length in a given context, you can use this constraint to ignore contexts of normal length. If you set the FTP username context length requirement to be > 18, you would only see signature hits if the FTP username context is longer than 18 bytes.

      You can specify multiple constraints. For example, if you add a < 25 constraint to the previous example, you would only see hits if the username context is between 18 and 25 bytes.

      Click Next.
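      The following Python is an added example, not NSM or IDP engine code, that models how the Within Bytes constraint (ranges evaluated as a Boolean OR) and the Context Check constraint (length comparisons that must all hold) gate a hit on one extracted context such as the FTP username. The literal substring search, the 1-based byte offsets and the sample usernames are assumptions.

```python
# Added example, not NSM or IDP engine code: models the Within Bytes and
# Context Check constraints described above for one extracted context
# (for example an FTP username) and a literal pattern.  The 1-based byte
# offsets and the literal substring search are assumptions.

import operator

COMPARE = {"=": operator.eq, "!": operator.ne, ">": operator.gt, "<": operator.lt}


def within_bytes_ok(start: int, end: int, ranges) -> bool:
    """Within Bytes: ranges are ORed; the match must fall entirely inside one."""
    if not ranges:
        return True
    return any(lo <= start and end <= hi for lo, hi in ranges)


def context_check_ok(context_len: int, checks) -> bool:
    """Context Check: every (operator, operand) pair must hold (they are ANDed)."""
    return all(COMPARE[op](context_len, operand) for op, operand in checks)


def signature_hit(context: bytes, pattern: bytes, ranges=(), checks=()) -> bool:
    """True when the pattern occurs in the context and all constraints pass."""
    # Length check first: contexts of normal length are skipped cheaply.
    if not context_check_ok(len(context), checks):
        return False
    # Inspection terminates at the highest upper limit, as the page states.
    limit = max((hi for _, hi in ranges), default=len(context))
    haystack = context[:limit]
    idx = haystack.find(pattern)
    while idx >= 0:
        start, end = idx + 1, idx + len(pattern)   # 1-based inclusive offsets
        if within_bytes_ok(start, end, ranges):
            return True
        idx = haystack.find(pattern, idx + 1)      # try a later occurrence
    return False


def demo_ftp_username() -> dict:
    """The page's FTP username tuning (> 18 and < 25 bytes) on constructed input."""
    checks = [(">", 18), ("<", 25)]
    normal = b"anonymous"                 # 9 bytes: never inspected
    suspicious = b"A" * 20                # 20 bytes: inspected, pattern found
    return {
        "normal": signature_hit(normal, b"AAAA", checks=checks),
        "suspicious": signature_hit(suspicious, b"AAAA", checks=checks),
    }
```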

    11. On the Custom Attack – Attack Pattern page, configure pattern settings. Figure 5 shows the Custom Attack – Attack Pattern page. Table 5 provides guidelines for completing the settings.

      Figure 5: Custom Attack – Attack Pattern Page


      Table 5: Custom Attack – Attack Pattern

      Setting

      Description

      Pattern

      A DFA expression. The following rows summarize DFA syntax conventions. For detailed information, consult a standard source on programming with regular expressions.


      \B.0.1..00\B

      Bit-level matching for binary protocols. The length of the bitmask must be in multiples of 8.

      The first \B denotes the start of the bitmask. The last \B denotes the end of the bitmask.

      The decimal (.) indicates the bit can be either 0 or 1.

      A 0 or 1 indicates the bit at that position must be 0, or must be 1.

      \0 <octal_number>

      For a direct binary match.

      \X<hexadecimal-number>\X

      For a direct binary match.

      \[<character-set>\]

      For case-insensitive matches.

      .

      To match any symbol.

      *

      To match 0 or more symbols.

      +

      To match 1 or more symbols.

      ?

      To match 0 or 1 symbol.

      ()

      Grouping of expressions.

      |

      Alternation. Typically used with ().

      Example: The following expression matches dog or cat: (dog | cat).

      []

      Character class. Any explicit value within the bracket at the position matches.

      Example: [Dd]ay matches Day and day.

      [<start>-<end>]

      Character range. Any value within the range (denoted with a hyphen). You can mix character class and a hexadecimal range.

      Example: [AaBbCcDdEeFf0-9].

      [^<start>-<end>]

      Negation of character range.

      Example: [^Dd]ay matches Hay and ray, but not Day or day.

      Note: To negate an entire signature pattern, select the Negate option under the pattern text box.

      \u<string>\u

      Unicode insensitive matches.

      \s

      Whitespace.


      \

      Use a backslash to escape special characters so that they are matched and not processed as regular expression operators.

      Character    Escaped

      *            \*
      (            \(
      )            \)
      .            \.
      +            \+
      \            \\
      [            \0133
      ]            \0135

      Note: Because the combination of the backslash and the open and close square brackets is used in the case-insensitive expression, you must use the backslash with the octal code for the bracket characters.
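      As an added example, not Juniper's matcher, the Python below translates the DFA conventions in the table above into a Python bytes regex so that a pattern can be checked offline against captured payloads before it is deployed. It assumes that \0 is followed directly by up to three octal digits, that the text inside \[...\] is used as written inside a case-insensitive group, and it does not handle \u...\u; the payloads in demo() are constructed.

```python
# Added example, not Juniper's matcher: translates the DFA conventions in
# the table above into a Python bytes regex for offline testing.  Assumed:
# \0 is followed directly by up to three octal digits, \[...\] content is
# used as written inside a case-insensitive group, and \u...\u is not
# handled.
import re
from itertools import product


def _bitmask_class(bits: str) -> str:
    """Expand one 8-bit mask such as '.0.1..00' into a regex byte class."""
    if len(bits) != 8 or any(c not in ".01" for c in bits):
        raise ValueError("bitmask length must be a multiple of 8 bits of . 0 1")
    values = []
    for combo in product("01", repeat=bits.count(".")):
        fill = iter(combo)
        byte = "".join(next(fill) if c == "." else c for c in bits)
        values.append(int(byte, 2))
    return "[" + "".join("\\x%02x" % v for v in values) + "]"


def dfa_to_regex(pattern: str) -> bytes:
    """Return a re-compatible bytes pattern equivalent to the DFA expression."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c != "\\":
            out.append(c)  # . * + ? ( ) | [ ] [^ ] mean the same in re
            i += 1
            continue
        nxt = pattern[i + 1] if i + 1 < n else ""
        if nxt == "B":  # \B<bits>\B bit-level match (re's \B is a boundary)
            end = pattern.index("\\B", i + 2)
            bits = pattern[i + 2:end]
            out.extend(_bitmask_class(bits[k:k + 8]) for k in range(0, len(bits), 8))
            i = end + 2
        elif nxt == "X":  # \X<hex>\X direct binary match
            end = pattern.index("\\X", i + 2)
            raw = bytes.fromhex(pattern[i + 2:end].replace(" ", ""))
            out.extend("\\x%02x" % b for b in raw)
            i = end + 2
        elif nxt == "0":  # \0<octal> one byte, e.g. \0133 is '[' and \0135 is ']'
            m = re.match(r"[0-7]{1,3}", pattern[i + 2:])
            if not m:
                raise ValueError("\\0 needs octal digits")
            out.append("\\x%02x" % int(m.group(), 8))
            i += 2 + len(m.group())
        elif nxt == "[":  # \[text\] case-insensitive span
            end = pattern.index("\\]", i + 2)
            out.append("(?i:" + pattern[i + 2:end] + ")")
            i = end + 2
        elif nxt and nxt in "*().+\\s":  # escaped operators and \s whitespace
            out.append("\\" + nxt)
            i += 2
        else:
            raise ValueError("unsupported escape \\" + nxt)
    return "".join(out).encode("latin-1")


def demo() -> dict:
    """Constructed payloads checked against three translated patterns."""
    rx_http = re.compile(dfa_to_regex(r"\[get\] /cgi-bin/.*\0133"))
    rx_bits = re.compile(dfa_to_regex(r"\B.0.1..00\B"))
    rx_hex = re.compile(dfa_to_regex(r"\X48545450\X/1\.[01]"))
    return {
        "http_ci": rx_http.search(b"GET /cgi-bin/x.pl?a=[1]") is not None,
        "bits_hit": rx_bits.search(bytes([0xBC])) is not None,   # 10111100
        "bits_miss": rx_bits.search(bytes([0x11])) is not None,  # 00010001
        "hex": rx_hex.search(b"HTTP/1.1") is not None,
    }
```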

      Negate

      Negates the attack pattern.

      Context

      Binds pattern matching to a context.

      For known services, such as HTTP, select the service in the first box, and select the HTTP context you discovered with scio ccap, such as HTTP POST Parsed Param, in the second box.

      If you were unable to discover the context, select Other in the first box, and select one of the following contexts in the second box:

      • Packet–Detects the pattern in any packet.
      • First Packet–Inspects only the first packet of a stream. When the flow direction is set to any, the detector engine checks the first packet of both the server-to-client (STC) and client-to-server (CTS) flows. Less processing means greater performance. If you know that the pattern appears in the first packet of a session, select First Packet.
      • First Data Packet–Inspection ends after the first packet of a stream. Select this option to detect the attack in only the first data packet of a stream. If you know that the pattern appears in the first data packet of a stream, select First Data Packet.
      • Stream 256–Reassembles packets and searches for a pattern match within the first 256 bytes of a traffic stream. Stream 256 is often the best choice for non-UDP attacks. When the flow direction is set to any, the detector engine checks the first 256 bytes of both the STC and CTS flows. If you know that the pattern will appear in the first 256 bytes of a session, select Stream 256.
      • Stream 8K–Like Stream 256 except reassembles packets and searches for a pattern match within the first 8192 bytes of a traffic stream.
      • Stream 1K–Like Stream 256 except reassembles packets and searches for a pattern match within the first 1024 bytes of a traffic stream.
      • Line–Detects a pattern within a specific line. Use this context for line-oriented applications or protocols (such as FTP).
      • Stream–Reassembles packets and extracts the data to search for a pattern match. However, the IDP engine does not recognize packet boundaries for stream contexts, so data for multiple packets is combined. Select this option only when no other context option contains the attack.

      Note: If you select a line, stream, or service context, you do not configure match criteria for IP settings and protocol header fields.

      Direction

      Select the direction in which to detect the pattern:

      • Client to Server–Detects the pattern only in client-to-server traffic.
      • Server to Client–Detects the pattern only in server-to-client traffic.
      • Any–Detects the pattern in either direction.

      The session initiator is considered the client, even if that source IP is a server.

      Flow

      Select the flow in which to detect the attack:

      • Control–Detects the pattern in the initial connection that is established to issue commands, requests, and so on. Ninety-nine percent of signatures use control.
      • Auxiliary–Detects the pattern in the response connection that is established intermittently to transfer requested data. This option supports a small number of protocols, such as PTP.
      • Both–Detects the pattern in the initial and response connections.

      Tip: Using a single flow (instead of Both) improves performance and increases detection accuracy.

      Click Next to display the Custom Attack – IP Settings and Header Matches page. Figure 6 shows the Custom Attack – IP Settings and Header Matches page. Table 6 provides guidelines for completing the settings.

      Figure 6: Custom Attack – IP Settings and Header Matches Page

    12. If you have selected a line, stream, stream 256, or service context, do not configure match criteria for IP settings and protocol header fields. Click Finish.

      If you are using a packet context, you can refine matching by adding criteria for IP flags and packet headers, as described in the following tables.

      Tip: If you are unsure of the IP flags and IP fields you want to match, leave all fields blank. If no values are set, the IDP engine attempts to match the signature for all header contents.

      Table 6: Custom Attack – IP Settings and Header Matches Page

      Setting

      Description

      IP Version

      Select IPv4. IDP Series devices do not support inspection of IPv6.

      Type of Service

      Service type. Common service types are:

      • 0000 Default
      • 0001 Minimize Cost
      • 0002 Maximize Reliability
      • 0003 Maximize Throughput
      • 0004 Minimize Delay
      • 0005 Maximize Security

      Packet Length

      Number of bytes in the packet, including all header fields and the data payload.

      ID

      Unique value used by the destination system to reassemble a fragmented packet.

      Time-to-live

      Time-to-live (TTL) value of the packet. This value represents the number of routers the packet can pass through. Each router that processes the packet decrements the TTL by 1; when the TTL reaches 0, the packet is discarded.

      Protocol

      Protocol used in the attack.

      Source

      IP address of the attacking device.

      Destination

      IP address of the attack target.

      RB

      Reserved bit. This bit is not used.

      MF

      More fragments. When set (1), this option indicates that the packet contains more fragments. When unset (0), it indicates that no more fragments remain.

      DF

      Don’t fragment. When set (1), this option indicates that the packet cannot be fragmented for transmission.

      Figure 7 shows the TCP packet header fields on the Custom Attack – IP Settings and Header Matches page. Table 7 provides guidelines for completing the settings.

      Figure 7: Custom Attack Object: TCP Packet Header Fields


      Table 7: Custom Attack Object: TCP Packet Header Fields

      Setting

      Description

      Source Port

      Port number on the attacking device.

      Destination Port

      Port number of the attack target.

      Sequence Number

      Sequence number of the packet. This number identifies the location of the data in relation to the entire data sequence.

      ACK Number

      ACK number of the packet. This number identifies the next sequence number; the ACK flag must be set to activate this field.

      Header Length

      Number of bytes in the TCP header.

      Window Size

      Number of bytes in the TCP window size.

      Data Length

      Number of bytes in the data payload. For SYN, ACK, and FIN packets, this field should be empty.

      Urgent Pointer

      Data in the packet is urgent; the URG flag must be set to activate this field.

      URG Bit

      When set, the urgent flag indicates that the packet data is urgent.

      ACK Bit

      Acknowledgment flag. When set, acknowledges receipt of a packet.

      PSH Bit

      Push flag. When set, indicates that the receiver should push all data in the current sequence to the destination application (identified by the port number) without waiting for the remaining packets in the sequence.

      RST Bit

      Reset flag. When set, resets the TCP connection, discarding all packets in an existing sequence.

      FIN Bit

      Final flag. When set, indicates that the packet transfer is complete and the connection can be closed.

      R1 Bit, R2 Bit

      Reserved bit. Unused.

      Figure 8 shows the UDP packet header fields on the Custom Attack – IP Settings and Header Matches page. Table 8 provides guidelines for completing the settings.

      Figure 8: Custom Attack Object: UDP Packet Header Fields


      Table 8: Custom Attack Object: UDP Header Fields

      Setting

      Description

      Source Port

      Port number on the attacking device.

      Destination Port

      Port number of the attack target.

      Data Length

      Number of bytes in the data payload.

      Figure 9 shows the ICMP packet header fields on the Custom Attack – IP Settings and Header Matches page. Table 9 provides guidelines for completing the settings.

      Figure 9: Custom Attack Object: ICMP Packet Header Fields


      Table 9: Custom Attack Object: ICMP Packet Header Fields

      Setting

      Description

      ICMP

      ICMP Type

      Primary code that identifies the function of the request or reply.

      ICMP Code

      Secondary code that identifies the function of the request or reply within a given type.

      Sequence Number

      Sequence number of the packet. This number identifies the location of the request/reply in relation to the entire sequence.

      ICMP ID

      Identification number, which is a unique value used by the destination system to associate requests and replies.

      Data Length

      Number of bytes in the data payload.

      Note: ICMPv6 header fields are not applicable. IDP Series devices do not support inspection of IPv6.

    13. Click Finish.

    Published: 2011-02-08