Module 12: IPS Operation and Implementation
Pr C. Leghris
Networking Security v1.0
Module Objectives
Module Title: IPS Operation and Implementation
Module Objective: Explain how signatures are used to detect malicious network traffic.
Topic Title          Topic Objective
IPS Signatures       Describe IPS signatures.
Cisco Snort IPS      Explain how the Cisco Snort IPS provides network security services.
Configure Snort IPS  Explain how to configure Snort IPS on a Cisco ISR G2.
12.1 IPS Signatures
IPS Signatures
IPS Signature Attributes
The network must be able to identify incoming malicious traffic in order to stop it.
Fortunately, malicious traffic displays distinct characteristics or “signatures”. Signatures
uniquely identify specific viruses, worms, protocol anomalies, and malicious traffic ;
IPS sensors must be tuned to look for matching signatures or abnormal traffic patterns. As
sensors scan network packets, they use signatures to detect known attacks and respond
with predefined actions. An IDS or IPS sensor examines the data flow using many different
signatures ;
Signatures have three distinctive attributes :
• Type - Atomic or Composite ;
• Trigger - Also called the alarm ;
• Action - What the IPS will do ;
IPS Signatures
Types of Signatures
Some threats can be identified in one packet while other threats may require many
packets and their state information (i.e., IP addresses, port numbers, and more) to identify
a threat ;
There are two types of signatures:
• Atomic Signature - This is the simplest type of signature because a single packet, activity, or event
identifies an attack. The IPS does not need to maintain state information and traffic analysis can
usually be performed very quickly and efficiently ;
• Composite Signature - Also called a stateful signature because the IPS requires several pieces of
data to match an attack signature. The IPS must also maintain state information which is referred to
as the event horizon. The length of an event horizon varies from one signature to the next ;
The heart of any IPS signature is the signature alarm, which is often referred to as the
signature trigger.
IPS Signatures
IPS Signature Alarms
Every IPS incorporates signatures that use one or more of these basic triggering mechanisms
to trigger signature actions. There are four general IPS signature trigger categories as listed in
the table ;
Detection Type - Advantages
Pattern-Based Detection
• Also known as signature-based detection.
• Simplest triggering mechanism as it searches for a specific and pre-defined atomic or composite pattern.
• An IPS sensor compares the network traffic to a database of known attacks, and triggers an alarm or prevents
communication if a match is found.
Anomaly-Based Detection
• Also known as profile-based detection.
• Involves first defining a profile of what is considered normal network or host activity.
• This normal profile is usually defined by monitoring traffic and establishing a baseline.
• Once defined, any activity beyond a specified threshold in the normal profile will generate a signature trigger and
action.
Policy-Based Detection
• Also known as behavior-based detection.
• Although similar to pattern-based detection, an administrator manually defines behaviors that are suspicious based
on historical analysis.
• The use of behaviors enables a single signature to cover an entire class of activities without having to specify each
individual situation.
Honey Pot-Based Detection
• Honey pot-based detection uses a server as a decoy server to attract attacks.
• The purpose of a decoy server is to lure attacks away from production devices.
• Allows administrators time to analyze incoming attacks and malicious traffic patterns to tune their sensor signatures.
IPS Signatures
IPS Signature Actions
Alert Category       Specific Action          Description
Generate an alert    Produce alert            The IPS sends events as alerts.
Generate an alert    Produce verbose alert    The IPS sends a detailed event alert.
Log the activity     Log attacker packets     Logs packets from the attacker IP address and sends an alert.
Log the activity     Log pair packets         Logs packets from the victim and attacker IP addresses and sends an alert.
Log the activity     Log victim packets       Logs packets from the victim IP address and sends an alert.
Deny the activity    Deny attacker inline     Terminates the current packet and future packets from this attacker address for a specified period of time.
Deny the activity    Deny connection inline   Logs packets from the victim IP address and sends an alert.
Deny the activity    Deny packet inline       Terminates the current packet and future packets from this attacker address for a specified period of time.
IPS Signatures
IPS Signature Actions (Cont.)
Alert Category             Specific Action            Description
Reset the TCP connection   Reset TCP connection       Sends TCP resets to hijack and terminate the TCP flow.
Block future activity      Request block connection   Sends a request to a blocking device to block this connection.
Block future activity      Request block host         Sends a request to a blocking device to block this attacker host.
Block future activity      Request SNMP trap          Sends a request to the notification application component of the sensor to perform SNMP notification.
IPS Signatures
Evaluating Alerts
The table summarizes the following four types of alarms.
Alarm Type       Network Activity      IPS Activity         Outcome
True positive    Attack traffic        Alarm generated      Ideal setting
True negative    Normal user traffic   No alarm generated   Ideal setting
False positive   Normal user traffic   Alarm generated      Tune alarm
False negative   Attack traffic        No alarm generated   Tune alarm
IPS Signatures
Evaluating Alerts (Cont.)
Alerts can be classified as follows:
• True positive - (Desirable) This is used when the IPS generates an alarm because it detected known
attack traffic. The alert has been verified to be an actual security incident and also indicates that
the IPS rule worked correctly ;
• True negative - (Desirable) This is used when normal network traffic does not generate an alarm. No
alerts are issued because the traffic that is passing through the system is clear of threats ;
• False positive - (Undesirable) This is used when an IPS generates an alarm after processing normal
user traffic that should not have triggered an alarm. The IPS must be tuned to change these alarm
types to true negatives. The alert does not indicate an actual security incident. Benign activity that
results in a false positive is sometimes referred to as a benign trigger. False positives are costly
because they must be investigated ;
• False negative - (Dangerous) This is used when an IPS fails to generate an alarm and known attacks
are not being detected. This means that exploits are not being detected by the security systems
that are in place. These incidents could go undetected for a long time, and ongoing data loss and
damage could result. The goal is for these alarm types to generate true positive alarms.
12.2 Cisco Snort IPS
Cisco Snort IPS
Cisco IPS
Organizations now have three options available to provide intrusion prevention services.
• Cisco Firepower Next-Generation IPS (NGIPS) - These are dedicated in-line threat prevention
appliances that provide industry leading effectiveness against both known and unknown threats ;
• Cisco Snort IPS - This is an IPS service that can be enabled on a second generation ISR (ISR G2) (i.e.,
ISR 4000s). Note that Cisco 4000 ISRs no longer support Cisco IOS IPS ;
• External Snort IPS Server - This is similar to the Cisco Snort IPS solution but requires a promiscuous
(i.e., a SPAN switch port) port and an external Snort IDS/IPS.
Cisco Snort IPS
NGIPS
NGIPS are dedicated IPS appliances. They are built on the core open technology of Snort
and use vulnerability-focused IPS rules and embedded IP-, URL-, and DNS-based security
intelligence that is provided by Cisco’s Talos Security Intelligence and Research Group ;
NGIPS features include:
• IPS rules that identify and block attack traffic that targets network vulnerabilities ;
• Tightly integrated defense against advanced malware incorporating advanced analysis of network
and endpoint activity ;
• Sandboxing technology that uses hundreds of behavioral indicators to identify zero-day and
evasive attacks ;
• Also includes Application Visibility and Control (AVC), Cisco Advanced Malware Protection (AMP)
for Networks, and URL Filtering.
Cisco Snort IPS
Snort IPS
Snort is an open source network IPS that performs real-time traffic analysis and generates
alerts when threats are detected on IP networks. It can also perform protocol analysis,
content searching or matching, and detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, and so on ;
Snort IPS on the 4000 Series ISR provides the following functionalities:
• Intrusion detection system (IDS) and IPS mode ;
• Three signature levels ;
• An allowed list ;
• Snort health monitoring ;
• Fail open and close ;
• Signature update ;
• Event logging.
Cisco Snort IPS
Snort Components and Rules
Snort IPS for 4000 Series ISRs consists of two components:
• Snort engine - This is the IPS detection and enforcement engine that is included in the SEC license for
4000 Series ISRs ;
• Snort rule software subscriptions for signature updates - Snort rule sets to keep current with the
latest threat protection are term-based subscriptions, available for one or three years ;
To address the rapidly evolving threat landscape, it is important to ensure that signatures
are as up-to-date as possible.
There are two types of term-based subscriptions:
• Community Rule Set - Available for free, the rules that are provided offer limited coverage against threats. The
community rule set focuses on reactive response to security threats versus proactive research work. There is also a
30-day delayed access to updated signatures, meaning that the newest rules will be a minimum of 30 days old. In
addition, there is no Cisco customer support available.
• Subscriber Rule Set - Available for a fee, this service provides the best protection against threats. It includes coverage
in advance of exploits by using the research work of the Cisco Talos security experts. The Subscriber Rule Set also
provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a
new threat. This subscription is fully supported by Cisco.
Cisco Snort IPS
ISR Container Applications
Routers were initially packet processing devices. Routers have acquired so much processing
power that server applications can now be hosted inside the router using service containers.
Service containers are virtual machines that run on the routers. Applications such as Snort IPS
can be uploaded and hosted on these routers. Service containers are supported on most IOS
XE platforms. IOS XE is based on the Linux architecture and supports virtual machine hosting.
The Snort engine runs as a Linux Service Container application on the ISR 4000. This provides
it with dedicated computing resources that run independently of the data plane CPU load. It
also makes it easier for the Snort engine to be regularly updated.
Cisco Snort IPS
Snort IPS Rule Alarms
In Snort IPS, signatures are configured using “rules”. These rules serve as the signature
alarms by comparing incoming traffic to the Snort rules. Traffic matching a rule header
generates an action. A rule header is conceptually similar to an access control list (ACL)
statement (i.e., ACE). It is a one line statement that identifies malicious traffic.
The basic rule header command syntax is:
[action] [protocol] [sourceIP] [sourceport] -> [destIP] [destport] ([Rule options])
Refer to the figure for more information regarding the rule header command syntax.
Cisco Snort IPS
Snort IPS Rule Actions
Snort can be enabled in IDS mode or in IPS mode.
Snort IDS mode can perform the following three actions:
• Alert - Generate an alert using the selected alert method, and then log the packet.
• Log - Log the packet.
• Pass - Ignore the packet.
Snort IPS mode can perform all of the IDS actions plus the following:
• Drop - Block and log the packet.
• Reject - Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port
unreachable message if the protocol is UDP.
• Sdrop - Block the packet but do not log it.
Cisco Snort IPS
Snort IPS Header Rule Options
A Snort rule header also contains rule options (fields) to provide additional information for the
rule. Options are separated by semicolons (;) and the rule option keywords are separated from
their arguments using colons (:) ;
The table describes the common general rule and the detection rule options in the sample
rule header ;
Rule Option          Description
msg:                 A simple text string that provides a meaningful message to output when the rule matches.
flow:                Specifies the direction of network traffic.
content:             A detection rule option that allows the user to set rules that search for specific content in the packet
                     payload and trigger a response based on that data. The option data can contain mixed text and binary data.
distance: / offset:  Detection rule keywords that allow the rule writer to specify where to start searching relative to the
                     beginning of the payload or the beginning of a content match.
within: / depth:     Detection rule keywords that allow the rule writer to specify how far forward to search relative to the end
                     of a previous content match and, once that content match is found, how far to search for it.
pcre:                A detection rule keyword that allows rules to be written using “perl compatible regular expressions”, which
                     allows for more complex matches.
Cisco Snort IPS
Snort IPS Header Rule Options (Cont.)
The table describes the common general rule and the detection rule options in the
sample rule header.
Rule Option    Description
byte_test      A detection rule keyword that allows a rule to test a number of bytes against a specific value in binary.
metadata:      Allows a rule writer to embed additional information about the rule.
reference:     Allows rules to include references to external sources of information.
classtype:     Identifies the potential effect of what a successful attack would be.
sid / rev      The sid is a unique identifier for each rule making them easy to identify. It should be used with the
               rev (revision) keyword.
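As an added example for the rule header syntax and the content-position options described above (not Cisco or Snort project code), the following Python parser splits a constructed rule into its header and options and evaluates the content: options, with offset/depth/distance/within/nocase, against a constructed HTTP payload; the rule, payloads and helper names are assumptions.

```python
"""Parse a Snort rule into header and options and evaluate its content:
options (offset/depth/distance/within/nocase) against a packet payload.
Added example for this module, not Cisco or Snort code; rule and payloads are
constructed and only the content-position options are interpreted."""
import re

IDS_ACTIONS = {"alert", "log", "pass"}                   # Snort IDS mode actions
IPS_ACTIONS = IDS_ACTIONS | {"drop", "reject", "sdrop"}  # IPS mode adds these
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$", re.S)
MODIFIERS = ("offset", "depth", "distance", "within", "nocase")


def allowed_in_mode(action, ips_mode):
    """drop/reject/sdrop exist only in IPS mode; IDS mode has alert/log/pass."""
    return action in (IPS_ACTIONS if ips_mode else IDS_ACTIONS)


def parse_rule(text):
    """Return (header dict, ordered list of (keyword, argument) options)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    if not allowed_in_mode(header["action"], ips_mode=True):
        raise ValueError("unknown action " + header["action"])
    opts, buf, quoted = [], "", False
    for ch in m.group("opts"):       # keyword:argument pairs, each terminated by ';'
        if ch == '"':
            quoted = not quoted      # a ';' inside msg:"..." is literal text
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            opts.append((key.strip(), val.strip()))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raise ValueError("every option must be terminated by ';'")
    return header, opts


def content_matches(opts, payload):
    """True when every content: option matches in order. offset/depth bound the
    search from the payload start; distance/within bound it from the previous match."""
    prev_end, i = 0, 0
    while i < len(opts):
        key, val = opts[i]
        i += 1
        if key != "content":
            continue
        mods = {}                    # modifiers that follow this content: option
        while i < len(opts) and opts[i][0] in MODIFIERS:
            mods[opts[i][0]] = opts[i][1]
            i += 1
        start, end = 0, len(payload)
        if "distance" in mods or "within" in mods:       # relative to previous match
            start = prev_end + int(mods.get("distance", 0))
            if "within" in mods:
                end = min(end, start + int(mods["within"]))
        else:                                            # absolute in the payload
            start = int(mods.get("offset", 0))
            if "depth" in mods:
                end = min(end, start + int(mods["depth"]))
        needle = val.strip('"').encode()
        hay, pat = (payload.lower(), needle.lower()) if "nocase" in mods else (payload, needle)
        pos = hay.find(pat, start, end)                  # whole pattern must fit the window
        if pos < 0:
            return False
        prev_end = pos + len(needle)
    return True


# Constructed sample: an IPS-mode rule with a ';' inside msg and three content: options.
SAMPLE_RULE = ('drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path; credential file"; '
               'flow:to_server,established; content:"GET "; depth:4; content:"/admin/"; nocase; '
               'content:"passwd"; distance:0; within:60; classtype:web-application-attack; sid:1000001; rev:1;)')
SUSPECT = b"GET /Admin/config?file=passwd HTTP/1.1\r\nHost: example.test\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
```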
Cisco Snort IPS
Snort IPS Operation
Packets arriving on Snort enabled interfaces are inspected as follows:
1. Cisco IOS Software forwards the packets to be inspected to the Snort IPS engine using an internal
virtual port group (VPG) interface ;
2. Snort IPS inspects the traffic and takes necessary action ;
3. Snort drops the packets associated with bad flows (IPS mode). Good flow packets are returned back
to the router for further processing ;
Packet exchange between the container applications and the IOS data plane is done using
VPG interfaces. These routed interfaces are connected through the router back plane. The
corresponding interface on the container side will appear as virtual Ethernet ports.
Cisco Snort IPS
Snort IPS Operation
Snort IPS requires two VPG interfaces:
• Management interface - This is the interface that is used to source logs to the log collector and for
retrieving signature updates from Cisco.com. For this reason, this interface requires a routable IP address.
• Data interface - This is the interface that is used to send user traffic between the Snort virtual container
service and the router forwarding plane.
In the figure, VPG0 is used for Snort management traffic while VPG1 is used for user traffic
to be inspected. User traffic to be inspected is forwarded to the Snort engine using VPG1
as shown. Traffic is then inspected and either rejected (dropped) or forwarded back to the
router.
12.3 Configure Snort IPS
Configure Snort IPS
Snort IPS Configuration Steps
To deploy Snort IPS on supported devices, perform the following tasks:
1. Download the Snort OVA file ;
2. Install the OVA file ;
3. Configure VirtualPortGroup interfaces ;
4. Activate the virtual services ;
5. Configure Snort specifics (e.g., IPS or IDS mode, policy, reporting of events to an external
alert/log server or IOS syslog or both, and the signature update method) ;
6. Enable IPS globally or on desired interfaces ;
7. Verify Snort.
Configure Snort IPS
Step 1. Download the Snort OVA File
An Open Virtualization Archive (OVA) is a file that contains a compressed, installable
version of a virtual machine.
The service OVA file is not bundled with the Cisco IOS XE Release images installed on the
router. Although the OVA files may be preinstalled in the flash of the router, it is
recommended that the latest OVA file be downloaded from Cisco.com.
Configure Snort IPS
Step 2. Install the Snort OVA File
The OVA file must be downloaded and saved in a file location available to the ISR router (e.g.,
Flash).
To install the OVA file, use the virtual-service install name virtual-service-name package file-url
media file-system privileged EXEC command. The name can be up to 20 characters long and the
complete path to the OVA file must be specified.
An example configuration is shown below.
Use the show virtual-service list command to display the status of the installation of all
applications installed on the virtual service container.
Configure Snort IPS
Step 3. Configure Virtual Port Group Interfaces
Two VirtualPortGroup (VPG) interfaces must then be configured along with their
guest IP addresses.
In our example, the VPG interfaces will be configured as follows:
• VPG0 - This is for management traffic to exchange information with IPS servers. The guest IP
address needs to be routable to connect to the signature update server and external log
server. It is also used to log traffic to log collectors ;
• VPG1 - This is for user traffic that should be inspected. This should not be routable
and therefore uses a non-routable private IP address.
This is a sample configuration of VPG0 and VPG1.
Configure Snort IPS
Step 4. Activate Virtual Services
The next step is to configure guest IPs on the same subnet for the container side and activate the
virtual service.
• The virtual-service MYIPS command configures the logical name that is used to identify the virtual
container service ;
• The vnic gateway VirtualPortGroup interface-number command creates a virtual network interface card
(vNIC) gateway interface for the virtual container service ;
• The guest ip address command configures a guest vNIC address for the vNIC gateway interface ;
• Finally, the activate command activates the application installed in a virtual container service.
Configure Snort IPS
Step 5. Configure Snort Specifics
The utd engine standard command configures the unified threat defense (UTD) standard
engine and enters UTD standard engine configuration mode ;
The logging host and logging syslog commands enable the logging of emergency messages
to a server ;
The threat-inspection command configures threat inspection for the Snort engine. From
here you can specify which mode Snort will be in:
• threat protection - Snort will be in IPS mode ;
• threat detection - Snort will be in IDS mode.
Configure Snort IPS
Step 5. Configure Snort Specifics (Cont.)
The policy command specifies three security policies that can be used by Snort. These are
base policies provided by Cisco Talos. The three policy settings in order from least
protection to most protection are :
• Connectivity - This provides the least protection as it prioritizes connectivity over security.
Approximately 1,000 rules are pre-loaded using this policy ;
• Balanced - This is the default policy. It is recommended for initial deployments. This policy attempts
to balance security needs and performance characteristics of the network. Approximately 8,000 rules
are pre-loaded using this policy ;
• Security - This provides the most protection. It is designed for organizations that are exceptionally
concerned about security. Customers deploy this policy in protected networks that have lower
bandwidth requirements, but much higher security requirements. Approximately 12,000 rules are
pre-loaded using this policy.
Configure Snort IPS
Step 6. Enable IPS Globally or on Desired Interfaces
You can enable UTD globally on all interfaces or on selected interfaces. You can also enable
the UTD allowed list feature. This enables you to identify IPS signature IDs to be suppressed (not
used).
(Figure: UTD enabled Globally versus on Selected Interfaces.)
Configure Snort IPS
Step 7. Verify Snort IPS
After Snort IPS is implemented, it is necessary to verify the configuration to ensure correct
operation.
There are several show commands that can be used to verify the Snort IPS configuration
and operation :
• show virtual-service list - The command displays an overview of resources that are utilized by the
applications ;
• show virtual-service detail - The command displays a list of resources that are committed to a
specified application, including attached devices ;
• show utd engine standard config - The command displays the UTD configuration ;
• show utd engine standard status - The command displays the status of the UTD engine ;
• show platform hardware qfp active feature utd stats - The command checks the data plane. It verifies
increments for encap, decap, redirect, and reinject and displays a health of "Green".
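The steps above are shown on the slides only as figures. As an added example (not Cisco code), this Python helper emits the step 3 to 6 configuration from a few parameters and rejects the mistakes the module warns about (guest IP outside the VPG subnet, a routable address on VPG1, a virtual-service name over 20 characters). The command keywords are those listed in this module; the name MYIPS, the addresses and the allowlisted signature ID are constructed, and the argument forms of signature update server and signature id are assumptions; the step 7 show commands are not covered.

```python
"""Emit and sanity-check the Snort IPS (UTD) configuration for steps 3-6.
Added example, not Cisco code: keywords are the ones this module lists; MYIPS,
addresses and the allowlisted sid are constructed; the argument forms of
'signature update server' and 'signature id' are assumptions."""
import ipaddress

MODES = {"protection": "threat protection", "detection": "threat detection"}
POLICIES = ("connectivity", "balanced", "security")  # least -> most protection


def vpg_block(index, vpg_ip, guest_ip, prefix, data_side):
    """Interface and vnic lines for one VPG. Rejects a guest IP outside the VPG
    subnet (container and router must share it) and a routable address on VPG1."""
    net = ipaddress.ip_network(f"{vpg_ip}/{prefix}", strict=False)
    guest = ipaddress.ip_address(guest_ip)
    if guest not in net or guest == ipaddress.ip_address(vpg_ip):
        raise ValueError(f"guest {guest_ip} must be in {net} and differ from the VPG address")
    if data_side and not guest.is_private:
        raise ValueError("VPG1 carries inspected user traffic and must use a private address")
    iface = [f"interface VirtualPortGroup{index}", f" ip address {vpg_ip} {net.netmask}"]
    vnic = [f" vnic gateway VirtualPortGroup{index}", f"  guest ip address {guest_ip}"]
    return iface, vnic


def build_config(name, mgmt, data, mode, policy, log_host,
                 all_interfaces=True, interfaces=(), whitelist_sids=()):
    """mgmt/data are (vpg_ip, guest_ip, prefix) for VPG0 (management) and VPG1 (data)."""
    if not 1 <= len(name) <= 20:
        raise ValueError("virtual-service name is limited to 20 characters")
    if mode not in MODES or policy not in POLICIES:
        raise ValueError("mode is protection|detection; policy is one of " + "|".join(POLICIES))
    if not all_interfaces and not interfaces:
        raise ValueError("enable UTD on all interfaces or name the interfaces to protect")
    iface0, vnic0 = vpg_block(0, *mgmt, data_side=False)
    iface1, vnic1 = vpg_block(1, *data, data_side=True)
    cfg = iface0 + iface1                                              # step 3
    cfg += [f"virtual-service {name}"] + vnic0 + vnic1 + [" activate"]  # step 4
    cfg += ["utd engine standard", f" logging host {log_host}", " logging syslog",  # step 5
            " threat-inspection", f"  {MODES[mode]}", f"  policy {policy}",
            "  signature update server cisco username USER password PASS"]  # assumed form
    if whitelist_sids:                         # allowed list: suppress these signature IDs
        cfg += ["utd threat-inspection whitelist"] + [f" signature id {s}" for s in whitelist_sids]
    cfg += ["utd"] + ([" all-interfaces"] if all_interfaces else [])     # step 6
    cfg += [" engine standard", "  fail close"]
    if not all_interfaces:
        for ifname in interfaces:
            cfg += [f"interface {ifname}", " utd enable"]
    return "\n".join(cfg)
```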
12.4 IPS Operation and Implementation Summary
IPS Operation and Implementation Summary
What Did I Learn in this Module?
• IPS signatures have three attributes: type, trigger, and action.
• The signature type can be atomic or composite.
• The signature alarms can use pattern-based detection, anomaly-based detection, policy-
based detection, or honey pot-based detection.
• There are a variety of IPS signature actions including generate an alert, log the activity, deny
the activity, and others.
• Triggering mechanisms can generate results such as true positives, true negatives, false
positives, and false negatives.
• Snort IPS on ISR device can provide both IDS or IPS services.
• Snort IPS consists of a Snort engine and Snort rule set.
• To configure Snort IPS, configure VPG interfaces, activate the virtual services, configure
Snort IPS specifics, and enable UTD.
• Use show commands to verify its operation.
IPS Operation and Implementation
New Terms and Commands
Terms:
• atomic signature
• composite signature
• pattern-based detection
• anomaly-based detection
• policy-based detection
• honey pot-based detection
• true positive
• true negative
• false positive
• false negative
• Snort community rule set
• Snort subscriber rule set
• virtual port group (VPG) interface
• Open Virtualization Archive (OVA)
Commands:
• virtual-service install name virtual-service-name package file-url media file-system
• virtual-service virtual-service-name
• vnic gateway VirtualPortGroup interface-number
• guest ip address ip-address
• utd engine standard, and then logging host ip-address, and logging syslog
• threat-inspection, and then threat protection, policy balanced, signature update, and signature update server
• utd, and then all-interfaces
• engine standard, and then fail close
• utd enable
• utd threat-inspection whitelist, and then signature
IPS Operation and Implementation
New Terms and Commands (cont.)
• show virtual-service list
• show virtual-service detail
• show utd engine standard config
• show utd engine standard status
• show platform hardware qfp active feature utd stats