Cisco IPS 4255 Sensor White Paper
Overview
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 7
signature set will give you a strong protection posture. You can view all the IPS
signatures on your sensor in Cisco IPS Manager Express by browsing to Configuration >
IPS-Name > Policies > IPS Policies > All Signatures. To view only your active signatures,
browse to Configuration > IPS-Name > Policies > IPS Policies > Active Signatures.
Note:
This case study uses the default Cisco IPS signature set. The Cisco IPS signature team
has spent thousands of person hours determining the most secure default signature settings. If
you think you may have inadvertently changed some signature values, select all signatures, click
the button “Restore default” and then click “Apply.”
3. Set the event action override to drop packets for alerts with a risk rating of 90 or higher
(the 90 to 100 range). This is the default configuration and helps ensure that high-risk
attacks are stopped immediately.
Note:
By default, the Cisco IPS risk rating calculation reports a risk rating value from 0 to 100 for
each alert that fires. The value is derived from the signature's attack severity and fidelity
ratings, the target value rating of the victim host, and several adjustment factors. The higher
the risk rating, the more dangerous the attack.
Check your default event action override by using Cisco IPS Manager Express and browsing
to Configuration > IPS-Name > Policies > IPS Policies. Following is the screen capture for this
case study.
Click the “Edit” icon and then the Advanced tab to view the current override settings.
HIGHRISK should be set to 90.
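To make the threshold in step 3 concrete, the following Python is an added worked example, not code from this white paper or from Cisco. It computes a risk rating the way the Cisco IPS documentation describes the calculation and then applies the default HIGHRISK override to decide whether the packet is denied inline. The formula, the factor scales and the truncation to an integer are stated from memory of the Cisco IPS 6.x configuration guide and should be treated as assumptions to verify against the documentation for your sensor version; the alert list at the bottom is constructed for illustration and is not output from the case study sensor.

```python
"""Risk rating (RR) and event action override, worked example.

Assumed formula (Cisco IPS 6.x documentation, from memory; verify):

    RR = (ASR * TVR * SFR) // 10000 + ARR - PD + WLR, clamped to 0..100

ASR  attack severity rating: informational 25, low 50, medium 75, high 100
TVR  target value rating: zero 50, low 75, medium 100, high 150,
     mission-critical 200 (default medium)
SFR  signature fidelity rating, 0..100
ARR  attack relevancy rating: relevant +10, not relevant -10, unknown 0
PD   promiscuous delta, 0..30, subtracted only in promiscuous mode
WLR  watch list rating, 0..100, 0 unless a watch list source raised it
"""

ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
ARR = {"relevant": 10, "not-relevant": -10, "unknown": 0}

# Default deny-packet-inline override covers risk ratings 90 through 100.
HIGHRISK = 90


def risk_rating(severity, fidelity, target_value="medium", relevancy="unknown",
                inline=True, promiscuous_delta=0, watch_list=0):
    """Return the 0..100 risk rating for one alert (see module docstring)."""
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be 0..100")
    base = ASR[severity] * TVR[target_value] * fidelity // 10000
    # The promiscuous delta only lowers the rating on a promiscuous sensor;
    # an inline sensor sees the whole flow and applies no discount.
    pd = 0 if inline else promiscuous_delta
    rr = base + ARR[relevancy] - pd + watch_list
    return max(0, min(100, rr))


def override_action(rr, threshold=HIGHRISK):
    """Action the default event action override adds for a given rating."""
    return "deny-packet-inline" if rr >= threshold else "produce-alert"


# Constructed alerts modelled on the case study traffic (not real sensor
# output): a benign port sweep, a scanner probe and two real attacks.
SAMPLE_ALERTS = [
    # name,                 severity, SFR, target,   relevancy
    ("TCP SYN port sweep",  "low",    100, "medium", "unknown"),
    ("Nessus plugin probe", "medium", 100, "medium", "unknown"),
    ("Remote code exec",    "high",    85, "medium", "relevant"),
    ("Known exploit",       "high",   100, "medium", "unknown"),
]


def classify(alerts=SAMPLE_ALERTS, inline=True):
    """Return (name, rr, action) for each alert under the default override."""
    out = []
    for name, sev, sfr, tvr, arr in alerts:
        rr = risk_rating(sev, sfr, tvr, arr, inline=inline)
        out.append((name, rr, override_action(rr)))
    return out


if __name__ == "__main__":
    for row in classify():
        print("%-22s RR=%3d -> %s" % row)
```

Two things the numbers show: a scan alert with low or medium severity never reaches 90 at the default target value rating, so the NMAP and Nessus traffic in the case study only produces alerts, while a high-severity, high-fidelity signature lands in the deny range on its own. Raising the target value rating of the data center server to high or mission-critical pushes medium-fidelity alerts over the threshold as well, which is the knob to turn before loosening HIGHRISK itself.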
4. Now that the IPS device is running the default signature set, is placed correctly in the
network, and has its overrides set correctly, we can start the case study. The following steps
will be taken to generate both benign and real alerts on the IPS device:
● The scanning device (172.16.50.40) will run one NMAP scan against the data center server
(172.16.50.70).
● Using the same IP addresses, the scanning device will run one default Nessus scan against the
data center server.
● During these scans, the attack servers (172.16.50.60 and 10.1.1.1) will launch several real
attacks against the data center servers.