Idp signature groups – Amer Networks E5Web GUI User Manual
Page 475
Attackers who build new intrusions often reuse older code. This means their new attacks can
appear in circulation quickly. To counter this, Clavister IDP uses an approach where cOS Core
scans for these reusable components, with pattern matching looking for building blocks rather
than a completed program. This means that known threats as well as new, previously unknown
threats, built with the same reusable components, can be protected against.
Signature Advisories
An advisory is an explanatory textual description of a signature. Reading a signature's advisory
will explain to the administrator what the signature will search for. Due to the changing nature of
the signature database, advisories are not included in Clavister documentation but instead, are
available on the Clavister website at:
IDP Signature types
IDP offers three signature types which offer differing levels of certainty with regard to threats:
•
Intrusion Protection Signatures (IPS)
These are highly accurate and a match is almost certainly an indicator of a threat. Using the
Protect action is recommended. These signatures can detect administrative actions and
security scanners.
•
Intrusion Detection Signatures (IDS)
These can detect events that may be intrusions. They have lower accuracy than IPS and may
give some false positives so it is recommended that the Audit action is always used. Using
them with Protect may interrupt normal traffic.
•
Policy Signatures
These detect different types of application traffic. They can be used to block certain
applications such as file sharing applications and instant messaging.
6.5.6. IDP Signature Groups
Using Groups
Usually, several lines of attacks exist for a specific protocol, and it is best to search for all of them
at the same time when analyzing network traffic. To do this, signatures related to a particular
protocol are grouped together. For example, all signatures that refer to the FTP protocol form a
group. It is best to specify a group that relates to the traffic being searched than be concerned
about individual signatures. For performance purposes, the aim should be to have cOS Core
search data using the least possible number of signatures.
Specifying Signature Groups
IDP Signature Groups fall into a three level hierarchical structure. The top level of this hierarchy is
the signature Type, the second level the Category and the third level the Sub-Category. The
signature group called POLICY_DB_MSSQL illustrates this principle where Policy is the Type, DB
is the Category and MSSQL is the Sub-Category. These 3 signature components are explained
below:
1. Signature Group Type
Chapter 6: Security Mechanisms
475