Supported Types of IPS Signature Files
The IPS subsystem can make use of the following types of IPS signature files:
Vendor Signatures
These are provided by Clavister as a set of predefined signatures in a single file. No vendor signature files are installed in the default configuration and they must be uploaded using SCP. These files can be downloaded from https://my.clavister.com.
There can be any number of vendor signature files present in cOS Stream storage at any one time. However, there can be only one active vendor file at any one time. Inactive vendor files will be deleted automatically after a firewall restart.
Unlike custom signature files, vendor signature files cannot be edited by the administrator.
Custom Signatures
These are files in the Snort format that can be created or edited by the administrator and they can be sourced from third parties. More than one can be installed onto the firewall by uploading with SCP. These files can be used with or instead of the vendor signatures.
A custom file must be activated through the CLI before it is used by IPS. Multiple custom files can be active at the same time. Inactive custom files will be automatically deleted after a firewall restart.
The Snort conventions supported by cOS Stream are described in Section 27.4, Snort File Usage.
Intrusion Protection Signatures (IPS)
The category of these signatures has the IPS_ prefix. They are highly accurate and a match is almost certainly an indicator of a threat. Using the Protect action is recommended. These signatures can detect administrative actions and security scanners.
Intrusion Detection Signatures (IDP)
The category of these signatures has the IDP_ prefix. They can detect events that may be intrusions. They have lower accuracy than the IPS_ signatures and may give some false positives so it is recommended that the Audit action is always used. Using them with the Protect action may interrupt normal traffic.
> scp custom.sig admin@192.168.26.200:ipssigs/
Note that SSH access should be enabled for SCP to function.
The following should be noted about signature file uploading:
There are no naming conventions expected by cOS Stream for the signature files and any filetype can be used. cOS Stream will recognize that the file is a vendor or custom signature file from its contents. For clarity in this section, the filetype '.sig' will be used for example signature filenames.
cOS Stream can automatically recognize signature files and it can distinguish between a vendor signature file and a custom file.
Uploaded custom signature files will remain in firewall storage until they are removed but only currently active files can be removed manually by the administrator. However, all inactive signature files will be removed if cOS Stream restarts and only the active ones will remain.
An uploaded signature file will only overwrite an existing file if it has the same name. If a file is uploaded that has the same name as an active file, the old file will continue to be active until the new file is activated, in which case the old file will be discarded.
The ips command is used to activate a vendor or custom signature file:
System:/> ips -activate my_file.sig
The following should be noted about signature file activation:
A signature file is only used by IPS when it goes from an inactive state to an active state by being activated.
At least one signature file must be active for IPS to function.
Only one vendor file can be active at any one time but one or more custom files can be active simultaneously.
Vendor and custom files can be active at the same time but the active vendor file will be scanned first when looking for a signature match against traffic.
Signature File Validation
cOS Stream verifies the validity of signature files used with the IPS subsystem when they are activated. Files that are found to be invalid will produce an explanatory message on the console. Below is an example console message that indicates activation of the file my_file.sig has failed because it is invalid:
File 'my_file.sig' is not a valid signature file.
When activating custom signature files only, the following additional steps are performed first, before trying to validate the file further:
cOS Stream verifies that timestamp information is present in the file. In other words, there must be a line that has a form similar to the following example:
# Date 202403180603
If a timestamp is found, further validation proceeds.
If a timestamp is not found, the first non-commented line in the file will be parsed looking for a rule header. If a rule header is not found, the file will be deemed invalid and further validation will not occur. If a rule header is found, further validation proceeds.
Note that if a signature file is invalid at activation time, it is not deleted and continues to appear in the list of available signature files.
Any active signature file, vendor or custom, can be deleted using the ips -remove command:
System:/> ips -remove my_file.sig
Inactive files cannot be deleted in this way but, as mentioned previously, will be deleted automatically if cOS Stream restarts.
The ips command can be used to browse through all signature files.
For example, to show all the currently active signature files:
System:/> ips -show=file
File        Origin  Status
----------  ------  ------
vendor.sig  Vendor  Active
custom.sig  Custom  Active
To display all the categories available in the signature files:
System:/> ips -show=category
IPS Signature categories
Category                   # of signatures
-------------------------  ---------------
custom.sig                 1
IPS_WEB_POLICY             43
IPS_WEB_PACKAGES           7
IPS_WEB_ACTIVEX            1
Note here that all the signatures in the custom.sig file are listed as one single category that has the same name as the file. The other categories are found in the active vendor file.
To now view the signatures in one of the categories, name the category and use the -verbose option:
System:/> ips -show=category IPS_WEB_ACTIVEX -verbose
Category            Origin  SID       Signature
------------------  ------  --------  ------------------------------------
IPS_WEB_ACTIVEX     Vendor  20041463  VerifyPackageCatalog.SiteMgr.ActiveX
                    Vendor  20047813  npdivx.DivX.ActiveX.A.Policy
The following command shows all the signatures in categories that begin with IPS_WEB_:
System:/> ips -show=category IPS_WEB_* -num=50 -verbose
The -verbose option must be used to show the whole signature instead of just the number of matching signatures. The -num option will cause only 50 matching signatures to be shown at a time. The -num option has a default value of 20. Note that the signature search is always through the active vendor file first and then any active custom files.
Displaying Currently Active Signatures
The ips -show=rule command can be used to display the number of signatures that all currently configured IPSRule objects can trigger during IPS processing:
System:/> ips -show=rule
IPS Rules
Rule          Ignore  Audit  Protect
------------  ------  -----  -------
1(IPSRule_1)  0       1      42
Alternatively, the command could have shown the signatures for a particular rule but note the rule reference must be qualified with the IntrusionPrevention object prefix:
System:/> ips -show=rule IntrusionPrevention/1
Adding the -verbose option will display the individual signatures:
System:/> ips -show=rule IntrusionPrevention/1 -verbose
IPS Signatures by Rule IPSRule_1
Rule          Action   Origin  SID       Signature
------------  -------  ------  --------  ------------------------------
1(IPSRule_1)  PROTECT  Vendor  20049377  CAB.File.Policy
              PROTECT  Vendor  20031289  CONNECT.HTTP-TUNNEL.POLICY
              PROTECT  Vendor  20046620  content.UUSee.Policy
Similarly, the -show=group option can show the number of signatures that are included in IPSSignatureGroup objects:
System:/> ips -show=group IntrusionPrevention/my_grp
IPS Signature Groups
Group   # of signatures
------  ---------------
my_grp  1
Adding the -verbose option will list the signatures:
System:/> ips -show=group IntrusionPrevention/my_grp -verbose
IPS Signatures by group my_grp
Group   Origin  SID       Signature        Category
------  ------  --------  ---------------  -----------------
my_grp  Vendor  20049378  ZIP.File.Policy  IPS_WEB_POLICY
As mentioned, a custom signature file is in Snort format and these can be created by third parties or by the system administrator. Snort is described in depth at https://snort.org. The standard form of Snort signatures is a filter followed by options:
action protocol src-net src-ports direction dest-net dest-ports ( options )
However, it is important to be aware of how some Snort file conventions are interpreted by cOS Stream and what limitations exist. This is described next.
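The Snort header form quoted above and the two pre-validation steps described earlier under Signature File Validation (look for a "# Date" timestamp line; failing that, parse the first non-commented line as a rule header) can be checked on a workstation before a custom file is uploaded with SCP, so that an activation failure is caught early. The following is an added example written for this section; it is not Clavister code and does not reproduce the parser cOS Stream actually uses. It assumes a timestamp line of the form shown on the page ("# Date" followed by twelve digits), that blank lines are skipped like commented lines, and that the direction token is "->" or "<>"; the sample rule files are constructed for the example.

```python
import re

# Timestamp line as shown on the page: "# Date 202403180603".
# Assumption: "# Date" followed by exactly twelve digits (YYYYMMDDhhmm).
TIMESTAMP_RE = re.compile(r"^#\s*Date\s+(\d{12})\s*$", re.IGNORECASE)

# The seven header fields of a Snort rule, in the order quoted on the page:
#   action protocol src-net src-ports direction dest-net dest-ports ( options )
HEADER_FIELDS = ("action", "protocol", "src_net", "src_ports",
                 "direction", "dst_net", "dst_ports")
DIRECTIONS = {"->", "<>"}


def parse_rule_header(line):
    """Split one single-line Snort rule into its header fields and options.

    Returns a dict with the seven header fields plus "options", or None when
    the line does not have the header shape. Multi-line rules (backslash
    continuation) are not handled; join them before calling this.
    """
    line = line.strip()
    # The header ends at the first "(": header fields never contain one,
    # while the option block always starts with it and the rule ends with ")".
    paren = line.find("(")
    if paren == -1 or not line.endswith(")"):
        return None
    header = line[:paren].split()
    if len(header) != len(HEADER_FIELDS):
        return None
    rule = dict(zip(HEADER_FIELDS, header))
    # Assumption: the action is a plain word (alert, drop, ...) and the
    # direction is one of the two Snort direction operators.
    if not rule["action"].isalpha() or rule["direction"] not in DIRECTIONS:
        return None
    rule["options"] = line[paren + 1:-1].strip()
    return rule


def precheck_custom_file(text):
    """Mirror the two documented pre-validation steps for a custom file.

    Returns (ok, reason). ok=True only means these first steps pass;
    cOS Stream then continues with further validation of the file.
    """
    lines = text.splitlines()
    # Step 1: a timestamp line anywhere in the file is sufficient.
    if any(TIMESTAMP_RE.match(l) for l in lines):
        return True, "timestamp found"
    # Step 2: otherwise the first non-commented line must be a rule header.
    for l in lines:
        s = l.strip()
        if not s or s.startswith("#"):
            continue  # commented (and, by assumption, blank) lines are skipped
        if parse_rule_header(s) is None:
            return False, "first non-commented line is not a rule header"
        return True, "rule header found on first non-commented line"
    return False, "no timestamp and no rules"


# Constructed sample files for the example (not real signature content).
WITH_TIMESTAMP = (
    "# custom rules\n"
    "# Date 202403180603\n"
    'alert tcp any any -> any 80 (msg:"example rule"; sid:1000001;)\n'
)
NO_TIMESTAMP_OK = (
    "# custom rules without a timestamp\n"
    "\n"
    'alert tcp any any -> any 80 (msg:"example rule"; sid:1000002;)\n'
)
INVALID = (
    "# custom rules\n"
    "this line is not a rule header\n"
    'alert tcp any any -> any 80 (msg:"example rule"; sid:1000003;)\n'
)

if __name__ == "__main__":
    for name, text in (("with_timestamp", WITH_TIMESTAMP),
                       ("no_timestamp", NO_TIMESTAMP_OK),
                       ("invalid", INVALID)):
        print(name, precheck_custom_file(text))
```

The check is deliberately conservative: a file that fails it would also fail activation according to the documented steps, but a file that passes can still be rejected by the further validation that cOS Stream performs, so the activation message on the console remains the authoritative result.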