Cisco Cisco IPS 4255 Sensor Weißbuch

Overview

Page 5 of 7

3. The next step is to filter attacks that have been dropped. Scroll though the list and you can

easily see those alerts. Keep in mind that even though these are high-level alerts, they are not

overly concerning because they have been blocked. No forensics need to be performed on

these alerts unless you want to check the attacking IP address.

If the attacking address is outside your IP address range, you can contact the owner of the IP

address range, which you can find by using the Cisco IPS Manager Express “whois” tool. To do

this, highlight the event, click on the tool icon, and select “whois.” Results may vary because when

you are attacked, the machine that attacked you has often been exploited and the operator of that

machine may be unaware of any problems.

If it’s an internal address, you will want to run security scans to try and repair the infected machine

or reinstall the OS and applications to fix the problem. It’s important to remember that there is an

outside chance that the owner of the machine is responsible for the attack.

To filter dropped signatures, select the “Action” field, click on the popup button at the right, and

select all the actions that drop or reset packets or flows.

4. The next step is to filter information alerts. Uncheck the box labeled “Informational.” Even

though these events are filtered out, they could warrant investigation. In many cases,

including this example, the low-priority events may indicate that another device is doing

reconnaissance on a device protected by the IPS.. Network administrators should research

these source addresses to see if the reconnaissance on those machines is being caused by

malware or an employee. If it’s an infected machine, remove the malware or restore the

infected device to a known good condition. There are now five alerts remaining.

5. At this point, the tuning process is essentially complete: all the benign scanning events, alerts

for invalid destination address, informational alerts, and stopped attacks have been filtered.

The remaining alerts are considered actionable information. They represent the greatest

threat to your network and therefore must be analyzed. Researching these events with Cisco

IPS Manager Express is a straightforward process.

Following is a step-by-step explanation of how to process the remaining events. In this case study,

forensics analysis will be performed only on one of the remaining alerts. If this were a live network,

you would take the same steps for the remaining events.

1. The event in the case study to be analyzed is Cisco sig ID 5867/0. The following steps must

be taken.

Research the alert: Right-click on the event and select the “Explanation” tab. The description
says, “The signature fires on attempts to instantiate the WinZip ActiveX control. A vulnerability
exists in the ActiveX control that was never intended to be used in Internet Explorer.” A
second section in the explanation tab tells you if other actions besides an attack can cause
this signature to fire. In this case, it says “Individuals browsing proof of concept code may
cause this signature to trigger.” This description is telling us that either someone browsed to a
Webpage and looked at proof of concept code or there was an actual attack. We are going to
assume that an attack was attempted because if it was an incident during browsing, the port