My first impression of Cisco’s latest IDS release (IDS 4.x) was “this is annoying.” IDS 3.x was deployed as a set of applications running on a Solaris/Intel platform on the sensor. I liked this, because it was relatively easy to extend functionality by writing web-enabled apps on a separate web server which I installed on the sensor. With the IDS 4.x release, they took away the OS, deploying IDS as an IOS product running on top of Linux, with no access to the underlying Linux OS. Actually, it was whispered to me that there is a secret, undocumented way to get access to the OS, but I figured I’d cross that bridge when I came to it.
Also, since it was a complete re-image, users start out fresh with 4.x; there appears to be no way to migrate your configuration from 3.x to 4.x. All custom signatures, gone. All tuned signatures, gone. All shun/tcp reset settings, gone. Plan for extra time in your upgrade to compensate for this.
I was told that this major OS platform change was necessary due to Sun support and due to desired speed enhancements to the product.
So, I buckled down, re-imaged my sensor and got cracking on tuning signatures. I had printed out my previous configuration so I would at least have some guidelines.
Cisco offers a host of tools for the new IDS software.
Now maybe I’m not the typical IDS user. I am 75% of the abuse department of an ISP and web hosting company. It’s my job to set the policies, to enforce them, and to troubleshoot them when I enforce them too rigorously. It’s also my duty to address complaints received from other organizations about abuse. But I can’t believe that other users don’t need the ability to generate a quick list of who is blocked and why.
With IDS 3.x, I had written a set of scripts that parsed the text files generated by the IDS applications, and presented them meaningfully. I also extended it to archive past data by frequent FTPing from another server and depositing into a MySQL database.
With IDS 4.x, this job was made much easier. The geniuses at Cisco secretly used a MySQL backend on IDS Event Viewer. Once I realized this, I quickly granted myself remote access to the DB, familiarized myself with the table constructs, and bingo. Instant access.
The first thing I did was to generate a quick listing of who is blocked at any given time. Simple — select all signatures within the past half hour with “shun_requested” set and display them as distinct IP addresses, with the signature ID and name.
Then I got really busy. I created views by severity and source address, similar to those provided in IEV, but much quicker, using PHP to access MySQL. Then I added notification functionality, creating a new “notifications” table to keep track of them. I can now display all signatures received by an attacking IP, and quickly report them to the appropriate party (abuse contact or IP administrator, from ARIN, LACNIC, RIPE, or other regional registry). I also archive the data so that I can quickly generate reports of top 20 attackers, repeat customers and most frequently detected signatures. I archive it separately and delete it from the actual IDS tables so that the Event Viewer keeps chugging along without being overloaded.
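The blocked-host listing, the archive step and the top-attackers report described above, as an added example rather than the author's own PHP scripts: since the post does not name the IEV tables or columns, the schema, column names, signature ids and sample alarms below are hypothetical stand-ins, and the code runs against SQLite so it works without a sensor.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical stand-in for the IEV event table. The post gives no real
# column names, so this schema and the sample alarms are assumptions.
SCHEMA = """
CREATE TABLE events (
    event_id INTEGER PRIMARY KEY, event_time TEXT NOT NULL, sig_id INTEGER,
    sig_name TEXT, src_addr TEXT NOT NULL, severity INTEGER, shun_requested INTEGER);
CREATE TABLE events_archive AS SELECT * FROM events WHERE 0;
"""
NOW = datetime(2003, 10, 1, 12, 0, 0)  # fixed clock so the run is reproducible
SAMPLE = [  # constructed alarms: (age, sig_id, sig_name, src_addr, severity, shun)
    (timedelta(minutes=5),  2004, "ICMP Echo Request", "192.0.2.10", 1, 0),
    (timedelta(minutes=10), 5081, "WWW cmd.exe Access", "198.51.100.7", 5, 1),
    (timedelta(minutes=12), 5081, "WWW cmd.exe Access", "198.51.100.7", 5, 1),
    (timedelta(minutes=25), 3030, "TCP SYN Host Sweep", "203.0.113.9", 4, 1),
    (timedelta(hours=2),    3030, "TCP SYN Host Sweep", "203.0.113.44", 4, 1),
]

def open_sample_db():
    """Build an in-memory copy of the (hypothetical) event table with the sample alarms."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO events (event_time, sig_id, sig_name, src_addr, severity, shun_requested)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [((NOW - age).isoformat(sep=" "), *rest) for age, *rest in SAMPLE])
    conn.commit()
    return conn

def currently_blocked(conn, now=NOW, window_minutes=30):
    """Distinct source IPs with a shun requested in the last window, with signature id and name."""
    since = (now - timedelta(minutes=window_minutes)).isoformat(sep=" ")
    return conn.execute(
        "SELECT DISTINCT src_addr, sig_id, sig_name FROM events"
        " WHERE shun_requested = 1 AND event_time >= ? ORDER BY src_addr, sig_id",
        (since,)).fetchall()

def archive_older_than(conn, now=NOW, keep_hours=1):
    """Move alarms older than keep_hours into the archive so the live IDS table stays small."""
    cutoff = (now - timedelta(hours=keep_hours)).isoformat(sep=" ")
    with conn:  # copy and delete in one transaction so a failure loses nothing
        conn.execute("INSERT INTO events_archive SELECT * FROM events WHERE event_time < ?", (cutoff,))
        deleted = conn.execute("DELETE FROM events WHERE event_time < ?", (cutoff,)).rowcount
    return deleted

def top_attackers(conn, limit=20):
    """Most frequently seen source addresses in the archive (the 'top 20 attackers' report)."""
    return conn.execute("SELECT src_addr, COUNT(*) AS alarms FROM events_archive"
                        " GROUP BY src_addr ORDER BY alarms DESC, src_addr LIMIT ?", (limit,)).fetchall()

def live_count(conn):
    """Number of alarms still in the live table."""
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
```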
One unfortunate reality is that it’s still not possible, that I know of, to automate retrieval of abuse contacts for IP addresses. I was doing a pretty good job of it at one point, but ARIN disallowed automated querying. If enough people buy into notifications as a valid tool to curb abuse, perhaps one will be developed. Or perhaps abuse.net, which offers a whois server to determine abuse contacts for domains, will expand to cover IP addresses as well.
In the past two days, just from notifying on known signatures, such as Code Red/NIMDA and SQL worm-related signatures, and larger attacks such as Satan scans, I’ve notified over 230 times, covering over 9,000 alarms. Imagine how many more alarms I would see if I didn’t have router-based blocking (shunning) enabled.
My bosses love the enhanced visibility, and as a security administrator, I love the ability to streamline abuse notifications. It’s one thing to deflect attacks. It’s another entirely to be an active good citizen on the Internet and report them. Sure, occasionally I get an angry message from someone saying they never asked for these reports, but the way I see it, if they don’t want the reports, they shouldn’t have a compromised server on the Internet. Bandwidth costs all of us money, and I know I’m making a dent with this system.
I’ve got my CCIE-Security Lab Exam scheduled for December. Maybe Cisco will hire me to join their IDS team. I’ve got lots more ideas.