Cisco IPS 4255 Sensor White Paper
Overview
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 7
● During the scans, the 10.1.1.1 and 10.1.1.2 attack devices will generate both high- and low-priority attacks to help demonstrate some of the high-level security analysis used to decide how to respond to these attacks.
5. After this scan and attack traffic has been generated, the IPS will have fired a few hundred alerts. Not all of these alerts are actionable, so the harmless events need to be eliminated before the real ones can be investigated.
Begin the Filtering Process
The first step is to filter out known benign events on your network that are caused by specialized software such as vulnerability scanners and load balancers.
In this case study, we know the source IP address for our scanner is 172.16.50.40. The first thing
you will probably notice when scrolling through the events is that there are 681 events.
Note:
Scanning a single target for just three minutes generated almost 700 events, which is roughly 233 events per minute per scanner on your network. It's not unusual for a company to run multiple scanners: with five scanners, that is 233 events × 1,440 minutes × 5 scanners, or about 1.68 million benign events per day!
Using Cisco IPS solutions, it's easy to filter out these events. There are two methods you can use to achieve this.
a. Configure the Cisco IPS device to suppress these alerts in the future, so they are never produced.
b. Allow the Cisco IPS device to fire the alerts and then use Cisco IPS Manager Express to filter out only the benign events in the console view.
There are legitimate reasons to use either method. Generally speaking, it's best to use Cisco IPS Manager Express to filter the events: the sensor still records every alert, so you have a historical record to go back to if you ever need to do backdated forensics. If your company is subject to regulations protecting customer data or financial data, it's recommended, in order to meet those compliance requirements, that you do not suppress the events on the IPS itself. In this case study, we have elected to use Cisco IPS Manager Express to filter benign events and research critical events.
Because you know your network, you know the source IP addresses of these devices, and you can simply create a filter, on the sensor or in Cisco IPS Manager Express, so that scan alerts sourced from these IP addresses are not shown.
1. To filter all events from the scanner, enter != 172.16.50.40 (not equal) into the attacker IP address field. This immediately removes all of the primary alerts generated by the scanner and significantly reduces the number of alerts you need to work with. We've gone from 800 alerts to 14.
2. The next step is to look at the remaining alerts and see whether anything jumps out. The most obvious are the alerts whose destination IP address is 0.0.0.0. Enter != 0.0.0.0 in the destination IP address field. We are now down to 7 alerts.
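The two console filters above (attacker IP not equal to the known scanner, destination IP not equal to 0.0.0.0) can be expressed as a small triage routine. The following is an added example and not part of this white paper or any Cisco product; it uses an assumed, simplified one-line alert format rather than the sensor's SDEE output, the alert lines are constructed for the example (signature IDs, risk ratings and names are illustrative), and the only address taken from the page is the scanner, 172.16.50.40. Suppressed events are kept with the reason they were filtered rather than discarded, which is the point of filtering in the console instead of on the sensor: the historical record survives for later forensics.

```python
"""Console-side benign-event filtering for IPS alerts (added example).

Models the case-study filters over constructed alert lines:
  1. attacker IP != known vulnerability scanner
  2. destination IP != 0.0.0.0
Filtered events are retained with a reason so nothing is lost from the record.
"""
import ipaddress
import re
from collections import Counter

# Assumed, simplified alert format; this is NOT Cisco's SDEE or IME schema.
ALERT_RE = re.compile(
    r"^(?P<time>\S+)\s+sig=(?P<sig>\d+)\s+risk=(?P<risk>\d+)\s+"
    r"attacker=(?P<attacker>\S+)\s+target=(?P<target>\S+)\s+name=(?P<name>.+)$"
)

# Known benign sources on our network. The scanner address is from the page;
# add load balancers, monitoring hosts, etc. here for a real deployment.
KNOWN_SCANNERS = {ipaddress.ip_address("172.16.50.40")}
NULL_TARGET = ipaddress.ip_address("0.0.0.0")

# Constructed sample alerts in the assumed format (illustrative IDs/names).
SAMPLE_ALERTS = """\
2008-05-01T10:00:01 sig=2100 risk=25 attacker=172.16.50.40 target=10.1.1.5 name=ICMP Network Sweep
2008-05-01T10:00:02 sig=3002 risk=30 attacker=172.16.50.40 target=10.1.1.5 name=TCP SYN Port Sweep
2008-05-01T10:00:03 sig=5081 risk=45 attacker=172.16.50.40 target=10.1.1.5 name=WWW WinNT cmd.exe Access
2008-05-01T10:01:10 sig=1330 risk=20 attacker=10.1.1.1 target=0.0.0.0 name=TCP Segment Overwrite
2008-05-01T10:01:12 sig=3050 risk=90 attacker=10.1.1.1 target=10.1.1.5 name=Half-open SYN Attack
2008-05-01T10:01:20 sig=5587 risk=85 attacker=10.1.1.2 target=10.1.1.5 name=WWW Directory Traversal
2008-05-01T10:01:25 sig=2004 risk=15 attacker=10.1.1.2 target=10.1.1.5 name=ICMP Echo Request
"""


def parse_alert(line):
    """Parse one alert line into a dict; raises on lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    d = m.groupdict()
    return {
        "time": d["time"],
        "sig": int(d["sig"]),
        "risk": int(d["risk"]),
        "attacker": ipaddress.ip_address(d["attacker"]),
        "target": ipaddress.ip_address(d["target"]),
        "name": d["name"],
    }


def benign_reason(alert):
    """Return why an alert is considered benign, or None if it may be actionable."""
    if alert["attacker"] in KNOWN_SCANNERS:
        return "known-scanner"      # step 1: attacker != 172.16.50.40
    if alert["target"] == NULL_TARGET:
        return "null-destination"   # step 2: destination != 0.0.0.0
    return None


def triage(lines):
    """Split alert text into (actionable, suppressed).

    actionable: alerts that survive both filters, highest risk rating first.
    suppressed: (reason, alert) pairs, kept so the record stays complete.
    """
    alerts = [parse_alert(l) for l in lines.splitlines() if l.strip()]
    actionable, suppressed = [], []
    for a in alerts:
        reason = benign_reason(a)
        if reason:
            suppressed.append((reason, a))
        else:
            actionable.append(a)
    actionable.sort(key=lambda a: a["risk"], reverse=True)
    return actionable, suppressed


def suppression_summary(suppressed):
    """Count suppressed alerts per filter reason, e.g. for a daily noise report."""
    return Counter(reason for reason, _ in suppressed)


if __name__ == "__main__":
    act, sup = triage(SAMPLE_ALERTS)
    total = len(act) + len(sup)
    print(f"{len(act)} actionable of {total} alerts; suppressed: {dict(suppression_summary(sup))}")
    for a in act:
        print(f"  risk={a['risk']:3d} sig={a['sig']} {a['attacker']} -> {a['target']} {a['name']}")
```

On the constructed input, the three scanner-sourced alerts and the one alert aimed at 0.0.0.0 are set aside, leaving three alerts to research, ordered by risk rating so the half-open SYN attack from 10.1.1.1 is looked at first. Widening KNOWN_SCANNERS to cover every load balancer and scanner on your network is the same operation the case study performs in the attacker IP field of Cisco IPS Manager Express.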