The IPS feature relies on signature files which must be first uploaded to InCenter and which are then deployed to a node.
There are two kinds of IPS signature files:
Vendor Signature Files
These are provided by Clavister as a set of predefined signatures in a single file which cannot be changed by the administrator. Updated versions of the vendor signature file are provided by Clavister.
When a vendor file is activated for a node, it is automatically uploaded to that node, overwriting any previously activated vendor file. There can be only one active vendor file on a node at any one time.
Custom Signature Files
These are files in the SNORT format that can be created or edited by the administrator, or sourced from third parties. They can be used alongside, or instead of, an active vendor signature file.
When a custom file is activated for a node, it is automatically uploaded to that node, overwriting any activated file with the same name. Unlike vendor files, multiple custom files can be active on a node at the same time.
The SNORT conventions supported are described in Section 20.4, SNORT File Usage.
The following should be noted about the management of IPS signature files using InCenter:
No signature files exist in the default InCenter configuration.
Signature files are uploaded to the InCenter server using SCP/SFTP/REST. They are kept in the folder called ipsSignatures.
Multiple files of both the vendor and custom signature type can reside in InCenter storage at the same time.
Signature files residing on the InCenter server can be deployed to nodes by activating them.
Signature files residing on nodes can be removed from them by deactivating them.
Vendor Signature Types
The signatures in the vendor file can be further broken down into the following types:
Intrusion Protection Signatures (IPS)
The category of these signatures has the IPS_ prefix. They are highly accurate and a match is almost certainly an indicator of a threat. Using the Protect action is recommended. These signatures can detect administrative actions and security scanners.
Intrusion Detection Signatures (IDS)
The category of these signatures has the IDS_ prefix. They can detect events that may be intrusions. They have lower accuracy than the IPS signatures and may give some false positives, so it is recommended that the Audit action is always used. Using them with the Protect action may interrupt normal traffic.
Activating Signature Files
Once the IPS objects are configured, IPS will not process any traffic until at least one signature file in the ipsSignatures folder is activated via the InCenter CLI using the ips -activate command. For example:
admin@InCenter:/> ips -activate my-sigs.dat my-node1,my-node2
This command uploads the signature file my-sigs.dat from InCenter to the nodes my-node1 and my-node2 and also makes the file active on those nodes so that the IPS subsystem can use it.
Deactivating Signature Files
Deactivating a signature file removes the file from a node, so it will no longer be used for IPS processing.
The ips Command
The InCenter CLI command ips provides a set of options for managing and viewing the signature files kept in the ipsSignatures folder. It is similar to, but not exactly the same as, the ips command found in the node's CLI.
When browsing and displaying IPS signatures, the InCenter ips command only looks at the local signature files in InCenter storage. If a node name is specified, only the signature files on that node are looked at.
Displaying the IPS Status
The ips -status command shows the signature files that are available in InCenter storage. For example:
admin@InCenter:/> ips -status
File                     Origin   Issued      Last Loaded  Status
------------------------ -------  ----------  -----------  ------
ipssigs_2017101109.dat   Custom               2017-10-19   Loaded
ipssigs_2017101715.dat   Custom               2017-10-19   Failed
ipssigs_2017101805.dat   Factory  2017-10-18  2017-10-19   Loaded
The Status column indicates if the file was successfully recognized as a signature file. A status of Failed means that it is either empty or invalid.
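Because a custom file that is empty or cannot be parsed shows up as Failed only after it has been uploaded and loaded, it is worth sanity-checking SNORT-format custom files before placing them in ipsSignatures. The following Python script is an added example and is not part of InCenter or the Clavister documentation: it parses basic SNORT rule headers, requires a sid option on every rule and rejects duplicate sids. It checks generic SNORT syntax only; the exact SNORT subset InCenter accepts is defined in Section 20.4, and the rules in the sample file are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample custom signature file in SNORT rule syntax (not
# Clavister's rules). It contains one rule with a broken header, one
# without a sid and two that share a sid, to show what the check catches.
SAMPLE_CUSTOM_FILE = """\
# custom-sigs.rules - constructed example
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; flow:to_server; content:"|ff|SMB"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Suspicious UA"; content:"User-Agent|3a| evil"; nocase; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"Missing sid";)
alert tcp any any -> any (msg:"Broken header"; sid:1000003; rev:1;)
alert tcp any any -> any 22 (msg:"Duplicate sid"; sid:1000001; rev:1;)
"""

# Rule header: action protocol src sport direction dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<options>.*)\)\s*$"
)
# sid:<digits>; as its own option (preceded by start of options or ';')
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    sid: Optional[int]
    msg: Optional[str]


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse SNORT-style rules. Returns (rules, problems); an empty or
    comment-only file is reported as a problem, mirroring the Failed status."""
    rules: List[Rule] = []
    problems: List[str] = []
    seen_sids = {}  # sid -> line number of first use
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a valid rule header")
            continue
        opts = m.group("options")
        sid_m = SID_RE.search(opts)
        msg_m = MSG_RE.search(opts)
        sid = int(sid_m.group(1)) if sid_m else None
        if sid is None:
            problems.append(f"line {n}: rule has no sid")
        elif sid in seen_sids:
            problems.append(f"line {n}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
        rules.append(Rule(n, m.group("action"), m.group("proto"), sid,
                          msg_m.group(1) if msg_m else None))
    if not rules:
        problems.append("file contains no rules (empty or comment-only)")
    return rules, problems


def is_uploadable(text: str) -> bool:
    """True when the file parses cleanly and is worth uploading."""
    return not parse_rules(text)[1]


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_CUSTOM_FILE)
    print(f"{len(rules)} rules parsed")
    for p in problems:
        print("problem:", p)
```

Run it against a file before uploading; if it prints any problems, fix the file first rather than discovering a Failed status in ips -status after the upload.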
Displaying a Signature
The ips -show=signature command will display information about signatures:
admin@InCenter:/> ips -show=signature <sig_id> [-num=<num>]
Where <num> is the maximum number of lines to display. This option can be added to nearly all the forms of the ips command.
admin@InCenter:/> ips -show=signature 20040717
Property Value
------------ -------------------------------------------------
ID: 20040717
Name: Auth.SambaWebAdminTool.Buffer.Overflow
Description: A buffer overflow vulnerability in the Samba Tool
Category: IDS_SMB_EXPLOIT
Severity: Scan
File: ipssigs_201710180526.dat
CVE: 2004-0600
Created: 2007-10-18
Updated: 2010-11-30
Used in IPS signature group(s): my-node1/group2
Displaying a Group
The ips -show=group command will display information about an IPSSignatureGroup object on a node:
admin@InCenter:/> ips -show=group <node>/<group>
For example:
admin@InCenter:/> ips -show=group my-node1/group2 -num=2
Property Value
--------------- -------
Name: group2
Comments: <empty>
Items in Group: 6
Type ID Name
--------- -------- --------------------------------------
Category IDS_SMB_EXPLOIT
Signature 20040717 Auth.SambaWebAdminTool.Buffer.Overflow
Showing 2 out of 6.
Displaying a Category
The ips -show=category command will display information about the categories in the signature files in InCenter storage:
admin@InCenter:/> ips -show=category <category>
For example:
admin@InCenter:/> ips -show=category IDS_SMB_EXPLOIT -num=1
Property Value
----------- ---------------
Name: IDS_SMB_EXPLOIT
Signatures: 5
Used in IPS signature group(s): my-node1/group2
Members:
ID Name Category
-------- -------------------------------------- ---------------
20040717 Auth.SambaWebAdminTool.Buffer.Overflow IDS_SMB_EXPLOIT
Showing 1 out of 5.
Listing Signatures
The ips -list=signature command will list signatures matching a query value:
admin@InCenter:/> ips -list=signature [-query=<value>]
The value entered for a query in this and the subsequent commands is case insensitive and can use the wildcard asterisk '*' for any sequence of characters and the question mark '?' for any single character.
For example:
admin@InCenter:/> ips -list=signature -query=attack -num=3
ID Name Category
-------- --------------------------- -----------------------
20057242 Trojan.DDoS.OrbitDownloader IPS_MALWARE_COMMCONTROL
20057565 Trojan.p3rlbot.irc.ddos IPS_MALWARE_COMMCONTROL
20057513 Trojan.psPerlBot.CnC.DDoS IPS_MALWARE_COMMCONTROL
Showing 3 out of 15.
If the -query= option is left out for this or the subsequent commands, individual signatures are not listed; instead, a summary of the number of signatures is displayed.
Listing Groups
The ips -list=group command will list groups matching a query value:
admin@InCenter:/> ips -list=group [-query=<value>]
For example:
admin@InCenter:/> ips -list=group -query=my-node?/my-gr*
Name Comments
---------------- --------
my-node1/my-grp1
my-node1/my-grp2
Showing 2 out of 2.
Listing Categories
The ips -list=category command will list categories matching a query value:
admin@InCenter:/> ips -list=category [-query=<value>]
For example:
admin@InCenter:/> ips -list=category -query=IDS -num=3
Name Signatures
---------------------- ----------
IDS_ANTIVIRUS_CLAMAV 2
IDS_ANTIVIRUS_SYMANTEC 2
IDS_APP_ADOBE 1
Showing 3 out of 110.
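The query behaviour described for the -list commands (case-insensitive, '*' and '?' wildcards, a count summary when no query is given) and the IPS_/IDS_ category prefix convention from the vendor signature types above can be exercised offline against a small inventory. The following Python module is an added example and is not part of InCenter or its CLI: it builds the inventory from the signature IDs, names and categories printed in the ips output on this page, implements the wildcard query as a match anywhere in the name or category (an assumption, since the page does not state which fields the query is applied to), and maps a category prefix to the recommended action.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Inventory constructed from the signatures printed in the ips -show and
# ips -list output on this page: (ID, Name, Category).
SIGNATURES: List[Tuple[int, str, str]] = [
    (20040717, "Auth.SambaWebAdminTool.Buffer.Overflow", "IDS_SMB_EXPLOIT"),
    (20057242, "Trojan.DDoS.OrbitDownloader", "IPS_MALWARE_COMMCONTROL"),
    (20057565, "Trojan.p3rlbot.irc.ddos", "IPS_MALWARE_COMMCONTROL"),
    (20057513, "Trojan.psPerlBot.CnC.DDoS", "IPS_MALWARE_COMMCONTROL"),
]


def query_to_regex(query: str) -> "re.Pattern[str]":
    """Translate the -query syntax: '*' is any run of characters, '?' is a
    single character, everything else is literal; matching ignores case.
    The pattern is unanchored, so a bare 'IDS' matches IDS_ANTIVIRUS_CLAMAV."""
    parts = []
    for ch in query:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def category_counts() -> Dict[str, int]:
    """Number of signatures per category (the no-query summary)."""
    return Counter(cat for _, _, cat in SIGNATURES)


def list_signatures(query: Optional[str] = None, num: Optional[int] = None):
    """Mirror of 'ips -list=signature [-query=<value>] [-num=<num>]'.
    With no query, return the per-category count summary instead of rows.
    With a query, return (rows shown, total matches) so the caller can
    print 'Showing <shown> out of <total>'."""
    if query is None:
        return category_counts()
    rx = query_to_regex(query)
    hits = [s for s in SIGNATURES if rx.search(s[1]) or rx.search(s[2])]
    shown = hits if num is None else hits[:num]
    return shown, len(hits)


def list_categories(query: Optional[str] = None, num: Optional[int] = None):
    """Mirror of 'ips -list=category [-query=<value>] [-num=<num>]'."""
    counts = category_counts()
    if query is None:
        return counts
    rx = query_to_regex(query)
    hits = sorted((c, n) for c, n in counts.items() if rx.search(c))
    shown = hits if num is None else hits[:num]
    return shown, len(hits)


def recommended_action(category: str) -> str:
    """IPS_ categories are high-confidence (Protect); IDS_ categories may
    produce false positives, so the page recommends Audit for them."""
    if category.startswith("IPS_"):
        return "Protect"
    if category.startswith("IDS_"):
        return "Audit"
    raise ValueError(f"unknown category prefix: {category}")


if __name__ == "__main__":
    rows, total = list_signatures("ddos", num=2)
    for sid, name, cat in rows:
        print(sid, name, cat, recommended_action(cat))
    print(f"Showing {len(rows)} out of {total}.")
```

The same regex translation serves -list=group queries such as my-node?/my-gr*, since group names are matched with the identical wildcard rules.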