Denying devices from inspection

20 Mar

Listing 4.25: Denying devices from inspection.

ip audit smtp spam 42
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 1 orgid 34
ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 localaddress 192.168.10.1
!
ip audit name testrule info list 10 action alarm
ip audit name testrule attack list 10 action alarm drop reset
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip audit testrule in
!
access-list 10 deny 192.168.10.50
access-list 10 deny 192.168.10.30
access-list 10 permit any

The configuration in Listing 4.25 is very similar to the configuration displayed in Listing 4.22. The only significant change is the addition of the access list, which is bound to the audit rule named testrule. Note that the access list in Listing 4.25 does not deny traffic from the hosts 192.168.10.50 and 192.168.10.30. Instead, those two hosts are treated as trusted and their traffic is not filtered through the signatures; all other hosts, matched by the permit any statement, are subjected to filtering through the signatures.

Viewing the output of the show ip audit interface command, you can see that access list 10 is bound to audit rule testrule for info signatures and attack signatures and the rule is bound to interface FastEthernet0/0. Listing 4.26 displays the output of the show ip audit interface command.

Listing 4.26: Access list configuration.

Router-3# show ip audit interface
Interface Configuration
 Interface FastEthernet0/0
  Inbound IDS audit rule is testrule
    info acl list 10 actions alarm
    attack acl list 10 actions alarm drop reset
  Outgoing IDS audit rule is not set
Router-3#

Attack signatures can also be disabled when a device is running a legitimate program on the network that generates false positives in the IOS Firewall IDS. To disable an attack signature, use the ip audit signature command and specify the signature that needs to be disabled. Continuing with the example in Listing 4.26, the security administrator would like to disable the attack signatures with values in the range 1000 to 1004 and the signature with the value 3040. To disable these signatures, use the following commands:

ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 3040 disable

To verify that the attack signatures listed above have indeed been disabled, issue the show ip audit config command. Listing 4.27 displays the output of the command after the signatures have been disabled.

Listing 4.27: Verification of disabled attack signatures.

Router-3#show ip audit config
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 42
Signature 1000 disable
Signature 1001 disable
Signature 1002 disable
Signature 1003 disable
Signature 1004 disable
Signature 3040 disable
PostOffice:HostID:5 OrgID:34 Msg dropped:0
          :Curr Event Buf Size:100 Configured:100
HID:13 OID:34 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0
ID:1 Dest:192.168.10.8:45000 Loc:192.168.10.1:45000 T:5 S:ESTAB
Audit Rule Configuration
 Audit name testrule
    info actions alarm
    attack actions alarm drop reset
Router-3#
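The verification step above is easy to get wrong by eye when many signatures are involved, so the following added example (not part of the original text, and not a Cisco tool) parses the show ip audit config output from Listing 4.27 and compares the set of signatures the router reports as disabled against the set the administrator intended to disable. The sample output is a constructed copy of Listing 4.27 with the PostOffice connection lines trimmed; the INTENDED set is taken from the text (1000 through 1004 and 3040).

```python
import re

# Constructed sample: "show ip audit config" output as in Listing 4.27,
# with the PostOffice connection detail lines omitted (they do not affect
# which signatures are disabled).
SHOW_IP_AUDIT_CONFIG = """\
Router-3#show ip audit config
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 42
Signature 1000 disable
Signature 1001 disable
Signature 1002 disable
Signature 1003 disable
Signature 1004 disable
Signature 3040 disable
PostOffice:HostID:5 OrgID:34 Msg dropped:0
Audit Rule Configuration
 Audit name testrule
    info actions alarm
    attack actions alarm drop reset
Router-3#
"""

# Signatures the administrator meant to disable, per the text.
INTENDED = set(range(1000, 1005)) | {3040}

# One "Signature <id> disable" line per globally disabled signature.
SIG_DISABLED = re.compile(r"^\s*Signature\s+(\d+)\s+disable\s*$")


def parse_disabled_signatures(show_output):
    """Return the set of signature IDs the router reports as disabled."""
    disabled = set()
    for line in show_output.splitlines():
        m = SIG_DISABLED.match(line)
        if m:
            disabled.add(int(m.group(1)))
    return disabled


def verify_disabled(show_output, intended):
    """Compare router state with intent.

    Returns (missing, unexpected):
      missing    - intended to be disabled but still enabled on the router
      unexpected - disabled on the router although nobody intended it; each of
                   these is a signature the IDS is silently blind to.
    """
    actual = parse_disabled_signatures(show_output)
    return sorted(intended - actual), sorted(actual - intended)


if __name__ == "__main__":
    missing, unexpected = verify_disabled(SHOW_IP_AUDIT_CONFIG, INTENDED)
    print("still enabled:", missing or "none")
    print("disabled without intent:", unexpected or "none")
```

Run it after every change to the signature set; an empty "unexpected" list is the result to look for, because a signature that was disabled for a one-off false positive and never re-enabled is exactly the blind spot the next paragraph warns about.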

Disabling a signature globally on the router is risky: if another device later begins to generate traffic that is not legitimate and that matches the characteristics of the disabled signature(s), there will be no way to detect the attack. For this reason the IOS Firewall IDS lets you disable attack signatures on a per-host basis with a standard access list. To disable attack signatures in this way, use the configuration displayed in Listing 4.28.

Listing 4.28: Disabling attack signatures on a per−host basis.

access-list 20 deny 192.168.10.51
access-list 20 deny 192.168.10.66
access-list 20 deny 192.168.10.212
access-list 20 permit any
!
ip audit signature 2150 list 20
ip audit signature 2151 list 20
ip audit signature 3150 list 20

Listing 4.28 configures an access list that matches on the source address of the traffic, and then binds that access list to each attack signature. As with the audit rule in Listing 4.25, the access list logic does not deny the hosts network access as a typical access list would. Instead, hosts matched by a deny statement are exempted from the audit process for the attack signature to which the access list is applied, while hosts matched by permit any are still inspected. The complete intrusion detection configuration of Router 3 is shown in Listing 4.29.

Listing 4.29: Complete intrusion detection configuration.

ip audit smtp spam 42
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 1 orgid 34
ip audit po remote hostid 5 orgid 34 rmtaddress 192.168.10.8 localaddress 192.168.10.1
!
ip audit name testrule info list 10 action alarm
ip audit name testrule attack list 10 action alarm drop reset
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 3040 disable
ip audit signature 2150 list 20
ip audit signature 2151 list 20
ip audit signature 3150 list 20
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip audit testrule in
!
access-list 10 deny 192.168.10.50
access-list 10 deny 192.168.10.30
access-list 10 permit any
access-list 20 deny 192.168.10.51
access-list 20 deny 192.168.10.66
access-list 20 deny 192.168.10.212
access-list 20 permit any
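The inverted access-list semantics described for Listing 4.25 and Listing 4.28 (deny means "exempt from inspection", permit means "inspect") are the part of this configuration most likely to be misread in a review. The following added example, which is not part of the original text and not a Cisco tool, parses the Listing 4.29 configuration into a small model and answers, for a given source address and signature, whether the IOS Firewall IDS would inspect that traffic, and why not if it would not. It layers the three exemption mechanisms the text describes: global signature disable, the audit-rule access list, and the per-signature access list. Standard access lists are evaluated first-match-wins with the usual implicit deny at the end; the example assumes, as the listings' trailing permit any statements imply, that an unmatched host is treated like a denied one, i.e. exempt. The sample configuration is a constructed copy of Listing 4.29 with the PostOffice and notification lines omitted.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed from Listing 4.29; notification and PostOffice lines omitted
# because they do not affect the inspection decision.
RUNNING_CONFIG = """\
ip audit name testrule info list 10 action alarm
ip audit name testrule attack list 10 action alarm drop reset
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 3040 disable
ip audit signature 2150 list 20
ip audit signature 2151 list 20
ip audit signature 3150 list 20
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip audit testrule in
!
access-list 10 deny 192.168.10.50
access-list 10 deny 192.168.10.30
access-list 10 permit any
access-list 20 deny 192.168.10.51
access-list 20 deny 192.168.10.66
access-list 20 deny 192.168.10.212
access-list 20 permit any
"""


@dataclass
class AuditModel:
    acls: dict = field(default_factory=dict)       # ACL number -> [(action, network), ...]
    rule_acls: dict = field(default_factory=dict)  # (rule name, "info"|"attack") -> ACL number
    sig_acls: dict = field(default_factory=dict)   # signature id -> ACL number
    disabled: set = field(default_factory=set)     # signature ids disabled globally


def _acl_network(parts):
    """Address portion of a standard ACL entry: 'any', 'host A.B.C.D',
    a bare address (one host) or 'A.B.C.D wildcard' (contiguous wildcards only)."""
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host" or len(parts) == 1 or parts[1] == "0.0.0.0":
        return ipaddress.ip_network(parts[-1] if parts[0] == "host" else parts[0])
    # ipaddress accepts a Cisco-style hostmask (wildcard) in the mask position.
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_config(text):
    """Build an AuditModel from the ip audit and access-list lines of a running config."""
    m = AuditModel()
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "access-list":
            m.acls.setdefault(int(p[1]), []).append((p[2], _acl_network(p[3:])))
        elif p[:3] == ["ip", "audit", "name"] and "list" in p:
            m.rule_acls[(p[3], p[4])] = int(p[p.index("list") + 1])
        elif p[:3] == ["ip", "audit", "signature"]:
            if p[4] == "disable":
                m.disabled.add(int(p[3]))
            elif p[4] == "list":
                m.sig_acls[int(p[3])] = int(p[5])
    return m


def acl_permits(model, acl_number, src):
    """Standard ACL evaluation: first matching entry wins; implicit deny if none matches."""
    addr = ipaddress.ip_address(src)
    for action, net in model.acls.get(acl_number, []):
        if addr in net:
            return action == "permit"
    return False


def is_inspected(model, rule, kind, signature, src):
    """Return (inspected, reason) for traffic from src checked against one signature
    under audit rule `rule` of kind "info" or "attack"."""
    if signature in model.disabled:
        return False, "signature %d disabled globally (blind for every host)" % signature
    acl = model.rule_acls.get((rule, kind))
    if acl is not None and not acl_permits(model, acl, src):
        return False, "host exempted from rule %s %s by access-list %d" % (rule, kind, acl)
    acl = model.sig_acls.get(signature)
    if acl is not None and not acl_permits(model, acl, src):
        return False, "host exempted from signature %d by access-list %d" % (signature, acl)
    return True, "inspected"


if __name__ == "__main__":
    model = parse_config(RUNNING_CONFIG)
    for sig, src in [(2150, "192.168.10.51"), (2150, "192.168.10.77"),
                     (1000, "192.168.10.77"), (2150, "192.168.10.50")]:
        print(sig, src, is_inspected(model, "testrule", "attack", sig, src))
```

Querying the model for each trusted host against each exempted signature is a quick way to confirm that the exemptions are no wider than intended; the "disabled globally" reason surfaces the six signatures from Listing 4.27 that no access list can narrow, which is the case the text advises against.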


Related solution: Attack Signatures (see page 368)
