IPS - Event Action Rules - ASA AIP-SSM

 

Event action rules on the ASA AIP-SSM have some limitations:

  • Connection blocks and network blocks are not supported.
  • The ASA supports only host blocks, which carry additional connection information.

The default event action rules instance is "rules0".

The event action processing component is responsible for the following functions:

  • Calculating the risk rating
  • Adding event action overrides
  • Filtering event actions
  • Executing the resulting event action
  • Summarizing and aggregating events
  • Maintaining a list of denied attackers

 

The actions fall into the following groups.

Alerts and log actions

  • produce-alert

Writes the event to the Event Store. Enabling a signature does not by itself produce an alert; produce-alert has to be selected as an action on the signature.

produce-alert is added implicitly, even if you did not select it, whenever one of the following actions is selected: produce-verbose-alert, request-snmp-trap, log-attacker-packets, log-victim-packets or log-pair-packets.

produce-alert is also added to the signature when global correlation has increased the risk rating of an event and has added either the deny-packet-inline or the deny-attacker-inline event action.


  • produce-verbose-alert
Includes an encoded dump of the offending packet in the alert.

  • log-attacker-packets
Starts IP logging on packets that contain the attacker address and sends an alert.

  • log-victim-packets
Starts IP logging on packets that contain the victim address and sends an alert.

  • log-pair-packets
Starts IP logging on packets that contain the attacker/victim address pair.

  • request-snmp-trap
Sends a request to the Notification Application component of the sensor to perform SNMP notification. You must have SNMP configured on the sensor to implement this action.

Deny actions

  • deny-packet-inline
Does not transmit this single packet.

The default override that adds deny-packet-inline for risk rating 90-100 is a protected entry: you cannot delete it, but you can disable it (override-item-status disabled).

 

  • deny-connection-inline
Does not transmit this packet or future packets on the same TCP flow.
 
  
  •  deny-attacker-victim-pair-inline

Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.

 
  •  deny-attacker-service-pair-inline

Does not transmit this packet and future packets on the attacker address victim port pair for a specified period of time.


  •  deny-attacker-inline

Terminates the current packet and future packets from this attacker address for a specified period of time.

 
  •  modify-packet-inline

Modifies packet data to remove ambiguity about what the end point might do with the packet. 

You cannot use modify-packet-inline as an action when adding event action filters or overrides.


The sensor keeps a table of denied attackers. To remove an attacker from the list you have to clear the entire list or wait for the timer (global-deny-timeout, 3600 seconds by default) to expire.

If the list is full (max-denied-attackers, 10000 by default) and a new entry cannot be added, the attacker is still denied.

 

Other actions

  • request-block-connection
Sends a request to ARC (the Attack Response Controller) to block this connection. You must have blocking devices configured to implement this action.

Connection blocks and network blocks are not supported on the ASA; the ASA supports only host blocks, which carry additional connection information.

  • request-block-host
Sends a request to ARC to block this attacker host. This is the only block type the ASA supports.

  • request-rate-limit
Sends a rate limit request to ARC to perform rate limiting. You must have rate limiting devices configured to implement this action.

  • reset-tcp-connection
Sends TCP resets to hijack and terminate the TCP flow. The reset-tcp-connection action only works on TCP signatures that analyze a single connection. It does not work for sweeps or floods.

 

With one-way-tcp-reset-status enabled (the default in the general settings below), the ASA AIP-SSM sends a TCP reset packet only to the victim, not to the attacker, under the following circumstances:

  • deny-packet-inline or deny-connection-inline is selected, and
  • the signature is TCP-based and reset-tcp-connection has NOT been selected.

In the case of the ASA IPS module, the TCP reset request is sent to the ASA, and the ASA then sends the TCP reset packets. The ASA sends TCP reset packets to both the attacker and the victim when reset-tcp-connection is selected. When deny-packet-inline or deny-connection-inline is selected, the ASA sends the TCP reset packet to either the attacker or the victim depending on the configuration of the signature: signatures configured to swap the attacker and victim when reporting the alert can cause the ASA to send the TCP reset packet to the attacker.

 

(figure ips-event-action-rules-1.PNG: the list of actions in the GUI)

 

CONFIGURATION

 

Below are the default settings of an event-action-rules instance (rules0):

(config-eve)# show settings
variables (min: 0, max: 256, current: 0)
-----------------------------------------------
-----------------------------------------------
overrides (min: 0, max: 15, current: 1)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline <defaulted>
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 90-100 <defaulted>
-----------------------------------------------
-----------------------------------------------
filters (ordered min: 0, max: 4096, current: 0 - 0 active, 0 inactive)
-----------------------------------------------
general
-----------------------------------------------
global-overrides-status: Enabled <defaulted>
global-filters-status: Enabled <defaulted>
global-summarization-status: Enabled <defaulted>
global-metaevent-status: Enabled <defaulted>
threat-rating-adjustment-status: Enabled <defaulted>
global-deny-timeout: 3600 <defaulted>
global-block-timeout: 30 <defaulted>
max-denied-attackers: 10000 <defaulted>
one-way-tcp-reset-status: Enabled <defaulted>
-----------------------------------------------
target-value (min: 0, max: 5, current: 0)
-----------------------------------------------
-----------------------------------------------
ipv6-target-value (min: 0, max: 5, current: 0)
-----------------------------------------------
-----------------------------------------------
os-identification
-----------------------------------------------
calc-arr-for-ip-range: 0.0.0.0-255.255.255.255 <defaulted>
configured-os-map (ordered min: 0, max: 50, current: 0 - 0 active, 0 inactive)
-----------------------------------------------
passive-traffic-analysis: Enabled <defaulted>
-----------------------------------------------
risk-categories
-----------------------------------------------
red-threat-threshold: 90 <defaulted>
yellow-threat-threshold: 70 <defaulted>
green-threat-threshold: 1 <defaulted>
risk-levels (ordered min: 0, max: 32, current: 3 - 3 active, 0 inactive)
-----------------------------------------------
ACTIVE list-contents
-----------------------------------------------
<protected entry>
NAME: _r1
-----------------------------------------------
risk-name: HIGHRISK <defaulted>
threshold: 90 <defaulted>
-----------------------------------------------
-----------------------------------------------
<protected entry>
NAME: _r2
-----------------------------------------------
risk-name: MEDIUMRISK <defaulted>
threshold: 70 <defaulted>
-----------------------------------------------
-----------------------------------------------
<protected entry>
NAME: _r3
-----------------------------------------------
risk-name: LOWRISK <defaulted>
threshold: 1 <defaulted>
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------

(config)# service event-action-rules danpol-rules

This creates a new instance named danpol-rules with the defaults shown above; you can also create one as a copy of an existing event-action-rules instance.

GENERAL

Below are the default general settings; they are fine, so we do not change them.

general
-----------------------------------------------
global-overrides-status: Enabled <defaulted>
global-filters-status: Enabled <defaulted>
global-summarization-status: Enabled <defaulted>
global-metaevent-status: Enabled <defaulted>
threat-rating-adjustment-status: Enabled <defaulted>
global-deny-timeout: 3600 <defaulted>
global-block-timeout: 30 <defaulted>
max-denied-attackers: 10000 <defaulted>
one-way-tcp-reset-status: Enabled <defaulted>
-----------------------------------------------

 

OVERRIDES

The default override (a protected entry):

overrides (min: 0, max: 15, current: 1)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline <defaulted>
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 90-100 <defaulted>
-----------------------------------------------

global-overrides-status: Enabled <defaulted>

Overrides are a convenient way to add an action globally, based on the Risk Rating (RR), instead of configuring each signature. The commands below add log-pair-packets to every event whose RR is 60-100:

(config-eve)# overrides log-pair-packets

(config-eve-ove)# override-item-status enabled

(config-eve-ove)# risk-rating-range 60-100

(config-eve-ove)# exit

(figure ips-event-action-rules-3.PNG)


FILTERS

Filters are great for removing an action for a group of addresses or even a single IP, e.g. remove the deny-packet-inline action for our monitoring/scanning station (149.121.230.101):

(config-eve)# filters insert Monitoring_station begin

(config-eve-fil)# actions-to-remove deny-packet-inline

(config-eve-fil)# attacker-address-range 149.121.230.101

(config-eve-fil)# user-comment Host responsible for scanning network

(config-eve-fil)# exit

We can add many filters and change their order. Filters are evaluated in that order, and each filter can be set either to stop processing the remaining filters when it matches (stop-on-match) or to let them run.

A filter can also carry a deny-attacker percentage that limits what share of the attacker's packets the deny-attacker actions actually drop (100 by default).


(figure ips-even-action-rules-4.png)
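To make the override-then-filter processing concrete, here is an added Python model of the pipeline described in the OVERRIDES and FILTERS sections (my own example, not Cisco code): overrides add their action to every event inside their risk-rating range, then filters run in order, remove their actions-to-remove when the event's attacker/victim addresses and risk rating match, and can stop further filter processing. It also applies the implicit produce-alert rule from the alerts section and resolves $NAME references against the variables table. The deny-packet-inline and log-pair-packets overrides, the PL_LAN variable and the Monitoring_station filter are the page's; the PL_LAN_no_reset and Strip_logging filters, the stop_on_match flag name and the sample events are assumptions for illustration, and the deny-attacker percentage is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ANY = "0.0.0.0-255.255.255.255"
# Selecting any of these implies produce-alert even when it was not selected itself.
ALERT_IMPLYING = frozenset({"produce-verbose-alert", "request-snmp-trap", "log-attacker-packets",
                            "log-victim-packets", "log-pair-packets"})

def parse_range(spec: str, variables: Optional[Dict[str, str]] = None) -> Tuple[int, int]:
    """Resolve '$NAME', 'a.b.c.d' or 'a.b.c.d-e.f.g.h' to an inclusive (lo, hi) int pair."""
    if spec.startswith("$"):
        if not variables or spec[1:] not in variables:
            raise KeyError(f"undefined event-action variable {spec}")
        spec = variables[spec[1:]]
    lo, _, hi = spec.partition("-")
    lo_i = int(ipaddress.IPv4Address(lo))
    hi_i = int(ipaddress.IPv4Address(hi)) if hi else lo_i
    if lo_i > hi_i:
        raise ValueError(f"inverted address range {spec}")
    return lo_i, hi_i

def in_range(addr: str, rng: Tuple[int, int]) -> bool:
    return rng[0] <= int(ipaddress.IPv4Address(addr)) <= rng[1]

@dataclass
class Override:                       # one "overrides <action>" entry
    action_to_add: str
    risk_rating_range: Tuple[int, int] = (90, 100)
    enabled: bool = True              # override-item-status

@dataclass
class Filter:                         # one "filters insert <name>" entry
    name: str
    actions_to_remove: FrozenSet[str]
    attacker_address_range: str = ANY
    victim_address_range: str = ANY
    risk_rating_range: Tuple[int, int] = (0, 100)
    stop_on_match: bool = False       # assumed name: stop processing the remaining filters
    enabled: bool = True

@dataclass
class Event:
    attacker: str
    victim: str
    risk_rating: int
    actions: FrozenSet[str]           # actions selected on the signature itself

def process_event(event: Event, overrides, filters, variables=None) -> FrozenSet[str]:
    """Final action set: signature actions, plus overrides, minus ordered filters."""
    actions = set(event.actions)
    for ov in overrides:              # 1. overrides add actions by risk-rating range
        lo, hi = ov.risk_rating_range
        if ov.enabled and lo <= event.risk_rating <= hi:
            actions.add(ov.action_to_add)
    for f in filters:                 # 2. filters remove actions, first to last
        lo, hi = f.risk_rating_range
        if not (f.enabled and lo <= event.risk_rating <= hi
                and in_range(event.attacker, parse_range(f.attacker_address_range, variables))
                and in_range(event.victim, parse_range(f.victim_address_range, variables))):
            continue
        actions -= f.actions_to_remove
        if f.stop_on_match:
            break
    if actions & ALERT_IMPLYING:      # 3. implicit produce-alert
        actions.add("produce-alert")
    return frozenset(actions)

# The page's configuration: default protected override, the log-pair-packets override,
# the PL_LAN variable and the Monitoring_station filter; the other two filters are hypothetical.
VARIABLES = {"PL_LAN": "192.168.100.0-192.168.200.255"}
OVERRIDES = [Override("deny-packet-inline", (90, 100)), Override("log-pair-packets", (60, 100))]
FILTERS = [
    Filter("Monitoring_station", frozenset({"deny-packet-inline"}),
           attacker_address_range="149.121.230.101"),
    Filter("PL_LAN_no_reset", frozenset({"reset-tcp-connection"}),
           attacker_address_range="$PL_LAN", stop_on_match=True),
    Filter("Strip_logging", frozenset({"log-pair-packets"})),   # catch-all, runs last
]

# Constructed sample events, all against the file server from the TVR example.
EVENTS = {
    "stranger": Event("203.0.113.7", "119.121.230.11", 95, frozenset({"produce-alert"})),
    "scanner": Event("149.121.230.101", "119.121.230.11", 95, frozenset({"produce-alert"})),
    "pl_host": Event("192.168.150.3", "119.121.230.11", 95,
                     frozenset({"produce-alert", "reset-tcp-connection"})),
    "pl_quiet": Event("192.168.150.3", "119.121.230.11", 65, frozenset()),
}

def run_all() -> Dict[str, FrozenSet[str]]:
    return {name: process_event(ev, OVERRIDES, FILTERS, VARIABLES) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, acts in run_all().items():
        print(f"{name:9s} -> {sorted(acts)}")
```

The scanner loses deny-packet-inline but keeps its alert, the Polish host is never reset and, because its filter stops processing, is also not touched by the catch-all, and the low-rated event from the Polish LAN ends up with produce-alert although nothing selected it, purely because the override added log-pair-packets.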

 

 

VARIABLES

Variables make the configuration more readable, e.g. a variable covering all Polish networks, which can then be referenced in filters instead of the raw address range:

(config-eve)# variables PL_LAN address 192.168.100.0-192.168.200.255

(figure ips-event-action-rules-5.PNG)

TVR (Target Value Rating)

TVR is one of the inputs to the Risk Rating. It lets the administrator define the importance of network resources, so that the same signature scores higher when it fires against a critical host.

You can define the following target values:

  • zerovalue
  • low
  • medium
  • high
  • mission-critical

(config-eve)# target-value mission-critical target-address 119.121.230.11

(config-eve)# target-value high target-address 149.121.230.10

(figure ips-event-action-rules-6.PNG)

RISK-CATEGORIES

The defaults are fine, so we do not change them:

(config-eve-ris)# show settings
risk-categories
-----------------------------------------------
red-threat-threshold: 90 <defaulted>
yellow-threat-threshold: 70 <defaulted>
green-threat-threshold: 1 <defaulted>
risk-levels (ordered min: 0, max: 32, current: 3 - 3 active, 0 inactive)
-----------------------------------------------
ACTIVE list-contents
-----------------------------------------------
<protected entry>
NAME: _r1
-----------------------------------------------
risk-name: HIGHRISK <defaulted>
threshold: 90 <defaulted>
-----------------------------------------------
-----------------------------------------------
<protected entry>
NAME: _r2
-----------------------------------------------
risk-name: MEDIUMRISK <defaulted>
threshold: 70 <defaulted>
-----------------------------------------------
-----------------------------------------------
<protected entry>
NAME: _r3
-----------------------------------------------
risk-name: LOWRISK <defaulted>
threshold: 1 <defaulted>
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------


OS IDENTIFICATION

(config-eve)# os-identification

Default os-identification
-----------------------------------------------
calc-arr-for-ip-range: 0.0.0.0-255.255.255.255 <defaulted>
configured-os-map (ordered min: 0, max: 50, current: 0 - 0 active, 0 inactive)
-----------------------------------------------
passive-traffic-analysis: Enabled <defaulted>
-----------------------------------------------

(config-eve-os)# configured-os-map insert FileServer begin

(config-eve-os-con)# os win-nt

(config-eve-os-con)# ip 119.121.230.11

(config-eve-os-con)# exit

(config-eve-os)# configured-os-map insert SMTP_Server after FileServer

(config-eve-os-con)# os linux

(config-eve-os-con)# ip 119.121.230.10

(config-eve-os-con)# exit

This assigns an OS to each IP: 119.121.230.11 is declared a Windows NT system and 119.121.230.10 a Linux system. These static entries take precedence over passively learned fingerprints and feed the attack relevance rating (ARR) part of the Risk Rating, so a Windows-only signature fired at the Linux host scores lower.

 

PASSIVE-TRAFFIC-ANALYSIS

The default (enabled) is fine; the sensor learns the operating systems of targets from the traffic it sees.

(figure ips-event-action-rules-7.PNG)

DENY LIST

The denied attackers list is built automatically by the sensor, but you can also add an unwanted host (or attacker/victim pair) on the fly from exec mode, e.g.:

# deny attacker ip-address 4.4.44.4 victim 1.2.3.4
Warning: Executing this command will add deny attacker address on all virtual sensors.
Continue? [yes]: yes
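As an added Python model (not Cisco's code) of the denied-attackers table described under the deny actions and fed by the command above: entries expire after global-deny-timeout, the table is capped at max-denied-attackers, an entry is either a bare attacker (deny-attacker-inline) or an attacker/victim pair (deny-attacker-victim-pair-inline or the manual deny attacker command), and the only ways out are timer expiry or clearing the whole list. The handling of a full table (the triggering packet is still dropped, the attacker just cannot be recorded) is my reading of the page's "the attacker is still denied"; the class and function names are mine.

```python
from typing import Dict, Optional, Tuple

Key = Tuple[str, Optional[str]]   # (attacker, victim); victim None = any victim


class DeniedAttackerTable:
    """The sensor's denied-attackers list with the two general-settings knobs that bound it."""

    def __init__(self, global_deny_timeout: int = 3600, max_denied_attackers: int = 10000) -> None:
        self.timeout = global_deny_timeout
        self.max_entries = max_denied_attackers
        self._entries: Dict[Key, float] = {}   # key -> time at which the entry expires

    def _expire(self, now: float) -> None:
        """Timer expiry is the only automatic removal; there is no per-entry delete."""
        for key in [k for k, exp in self._entries.items() if exp <= now]:
            del self._entries[key]

    def deny(self, attacker: str, victim: Optional[str], now: float) -> bool:
        """Add (or refresh) an entry. Returns False if the table is full and it could not be added."""
        self._expire(now)
        key = (attacker, victim)
        if key not in self._entries and len(self._entries) >= self.max_entries:
            return False
        self._entries[key] = now + self.timeout
        return True

    def is_denied(self, attacker: str, victim: str, now: float) -> bool:
        self._expire(now)
        return (attacker, None) in self._entries or (attacker, victim) in self._entries

    def clear(self) -> None:
        """The 'clear denied-attackers' path: the whole list goes, not a single host."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


def handle_packet(table: DeniedAttackerTable, attacker: str, victim: str, now: float,
                  triggers_deny_attacker: bool = False) -> str:
    """Inline verdict for one packet: 'drop' or 'forward'.
    Packets from a denied attacker (or denied pair) are dropped for the rest of the timeout.
    A packet that fires deny-attacker-inline is dropped and the attacker recorded; when the
    table is full the attacker cannot be recorded, but this packet is still dropped."""
    if table.is_denied(attacker, victim, now):
        return "drop"
    if triggers_deny_attacker:
        table.deny(attacker, None, now)   # False (table full) does not change the verdict
        return "drop"
    return "forward"


def manual_deny(table: DeniedAttackerTable, attacker: str, victim: Optional[str], now: float) -> bool:
    """What 'deny attacker ip-address <attacker> [victim <victim>]' does on each virtual sensor."""
    return table.deny(attacker, victim, now)


if __name__ == "__main__":
    t = DeniedAttackerTable(global_deny_timeout=3600, max_denied_attackers=10000)
    manual_deny(t, "4.4.44.4", "1.2.3.4", now=0)
    print(handle_packet(t, "4.4.44.4", "1.2.3.4", now=10))     # drop: denied pair
    print(handle_packet(t, "4.4.44.4", "5.6.7.8", now=10))     # forward: pair entry only
    print(handle_packet(t, "4.4.44.4", "1.2.3.4", now=3601))   # forward: timer expired
```

The pair entry added by the manual command only blocks 4.4.44.4 towards 1.2.3.4, whereas an entry created by deny-attacker-inline blocks the attacker towards every victim; both disappear only when global-deny-timeout runs out or the list is cleared.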

(figure ips-event-action-rules-2.PNG)

 ASSIGNING EVENT-ACTION-RULES TO VIRTUAL SENSOR

 

(config)# service analysis-engine

(config-ana)# virtual-sensor danpol

(config-ana-vir)# event-action-rules danpol-rules

(config-ana-vir)# exit

(config-ana)# exit
Apply Changes?[yes]: yes

  

  •  save configuration

# copy current-config backup-config

 dzbanek 2013-03-03
