Tip – Cisco Network Analysis and Intrusion Policies

Tip
Some Telnet servers may return a different failure message, such as Login Failed. To detect this string, a different Snort rule, 1:492, is available.

Depending on the rule action, interface mode, and inspection mode, the threat defense can handle a match on the same Snort rule differently, and the management center records the outcome as a different type of event. For example, if the interface mode is inline, the inspection mode is Prevention, and the rule action is set to block, the threat defense drops every matching packet. If instead the inspection mode is Detection, or the interface mode is inline tap or passive, the packet is not dropped and the management center shows a "would have dropped" event.
When a connection is blocked by an intrusion rule, the corresponding events appear on both the Connection Events page and the Intrusion Events page. On the Connection Events page, the Reason field of the connection event identifies that the block was caused by an intrusion rule. To view it, navigate to Analysis > Connections > Events (see Figure 15-33).

Figure 15-33 Connection Events for Traffic Matching an Intrusion Rule
To view only the intrusion events, navigate to Analysis > Intrusions > Events. Figure 15-34 illustrates the different types of intrusion events that the same Snort rule, 1:718, generates under different settings.

Figure 15-34 Snort Rule 1:718 Generating Intrusion Events in Different Settings
The management center lets you download the packet that triggered an intrusion event so that you can analyze it offline with third-party tools. Navigate to Analysis > Intrusions > Events, select the events whose packets you want, and click the Download Packets button (see Figure 15-34). The packets are saved in .pcap format, which most packet analyzers support. Figure 15-35 shows the packet data in the Wireshark packet analyzer. This packet was captured when an incorrect credential was entered while connecting to a Telnet server; Snort rule 1:718 matches the Login incorrect string in its payload.

Figure 15-35 Packet Analyzer Showing Detail Information About an Event and a Packet
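To see what offline analysis of such a download looks like, the following script replays the behaviour described above: it parses a pcap file with only the standard library, applies a model of rules 1:718 (Login incorrect) and 1:492 (Login Failed) to each TCP segment sent by a Telnet server, and reports the event type the management center would show for each combination of interface mode, inspection mode, and rule action. This is an added example, not code from the book or from Cisco, and it models only the content-string part of the two rules. The content strings, the case-insensitive matching, the function names, and the constructed capture (addresses in 192.0.2.0/24) are assumptions; the real rule text and the management center's internal logic are not reproduced here.

```python
"""Offline replay of the Telnet login-failure rules (added example, not the
Snort rule text or any Cisco code). Rule SIDs 1:718 and 1:492 come from the
text; content strings, packets and helper names are assumptions."""
import struct

# Model of the two rules: the failure banner a Telnet server sends back.
# Only the content string is modelled; real rules carry more options.
TELNET_RULES = {
    "1:718": b"Login incorrect",   # default Telnet failure string
    "1:492": b"Login Failed",      # alternative string some servers return
}
TELNET_PORT = 23
PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with the given payload (constructed test data, no checksums)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian classic pcap (link type 1 = Ethernet) wrapping the frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap):
    """Yield (sport, dport, payload) for every TCP segment in a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def match_rules(sport, payload):
    """SIDs whose content string appears in a segment sent by the Telnet server."""
    if sport != TELNET_PORT:           # both rules look only at server-to-client traffic
        return []
    return [sid for sid, needle in TELNET_RULES.items() if needle.lower() in payload.lower()]


def verdict(interface_mode, inspection_mode, rule_action):
    """Event type the management center records for the three settings discussed."""
    if interface_mode not in ("inline", "inline tap", "passive"):
        raise ValueError(interface_mode)
    if inspection_mode not in ("prevention", "detection"):
        raise ValueError(inspection_mode)
    if rule_action != "block":
        return "alert"                 # intrusion event only; packet is never dropped
    if interface_mode == "inline" and inspection_mode == "prevention":
        return "dropped"
    return "would have dropped"        # Detection mode, inline tap, or passive


def analyze(pcap, interface_mode, inspection_mode, rule_action):
    """(sid, verdict) for each rule hit found in the capture."""
    return [(sid, verdict(interface_mode, inspection_mode, rule_action))
            for sport, _dport, payload in tcp_payloads(pcap)
            for sid in match_rules(sport, payload)]


# Constructed capture: two failure banners from servers, plus one client segment
# that contains the same string and must not match (wrong direction).
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "192.0.2.20", 23, 51000, b"\r\nLogin incorrect\r\nlogin: "),
    build_frame("192.0.2.20", "192.0.2.10", 51000, 23, b"Login incorrect\r\n"),
    build_frame("192.0.2.11", "192.0.2.20", 23, 51001, b"\r\nLogin Failed\r\n"),
])

if __name__ == "__main__":
    for settings in (("inline", "prevention", "block"),
                     ("inline", "detection", "block"),
                     ("passive", "prevention", "block")):
        print(settings, analyze(SAMPLE_PCAP, *settings))
```

Point `tcp_payloads` at the bytes of a file downloaded from the Intrusion Events page and the same matching logic runs over the real packet; the direction check in `match_rules` is what keeps a client typing "Login incorrect" from triggering a false hit.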
The Intrusion Events dashboard is also a good place to view a summary of all intrusion activity on your threat defense. As Figure 15-36 shows, you can use the built-in widgets and add custom widgets to monitor the critical data points of your intrusion detection and prevention system.

Figure 15-36 Summary Dashboard Showing Intrusion Events
