<?xml version="1.0"?>
<Module projectID="1264" moduleID="1447">
	<ModuleName>mod4</ModuleName>
	<AU>C02_M04</AU>
	<Title>NIDS Rule Optimization</Title>
	<Subtitle>NIDS Rule Optimization</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../C02_M04/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map. Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit. Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause. Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaidscr4_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the NIDS Rule Optimization lesson. When you have completed this lesson, you will be able to identify the benefits and liabilities of NIDS rule modifiers and the purpose of tagging and logging. Finally, you will use this information to write a complex NIDS rule using tagging. There are five topics for this lesson. After completing the introduction, you will learn about NIDS rule performance. Then you will learn about correlating information with a NIDS rule and the importance of logging. Finally, you will write a NIDS custom rule. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description, Course: D O D Intrusion Detection System (I D S) Analysis, Part 3, Module 2: DoD Network Intrusion Detection System (NIDS) Custom Rules Module, Lesson 4: NIDS Rule Optimization, For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 12. Lesson title: NIDS Rule Optimization. Topic title: Introduction. Screen title: Objectives and Topics. Three learning objectives display in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled Rule Performance. The third topic is titled Correlating Information. The fourth topic is Logging, followed by the final topic Conclusion. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Overview of Rule Optimization</Title>
					<Subtitle/>
					<Filename>disaidscr4_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As CND-IS personnel, you want to gain the most benefit from your resources while protecting the data. Optimized custom rules will leverage the robust abilities of your NIDS to accurately detect intrusion and malicious events while maintaining overall network and appliance performance. NIDS rule optimization allows the most efficient use of resources to capture accurate information about network intrusions. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 12. Screen title: Overview of Rule Optimization. Image of person walking on tight rope with a long balancing stick displays. Image of a box labeled intrusion data is displayed on one end of the balancing stick. An image of a box labeled network performance is displayed on the other end of the balancing stick. Text displays NIDS rule optimization.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Rule Performance</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Importance of Rule Performance</Title>
					<Subtitle/>
					<Filename>disaidscr4_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When creating NIDS custom rules for your network, there are several key points to keep in mind. Write rules efficiently to balance system resources against data monitoring. As CND-IS personnel, you should understand what information you really need from the NIDS data and the ramifications your custom rules have on overall performance. Monitoring the context of alerts and messages from rules serves an important purpose: correlating data helps you gain insight into possible malicious events and data leaks. Efficient custom rules leverage the full power of the NIDS without creating unnecessary processing. The NIDS serves as a key component of a defense-in-depth strategy, so you want to provide the right level of monitoring. Too little monitoring allows malicious events to go undetected, while over-monitoring degrades NIDS performance. When custom rules are written too broadly, the NIDS analyzes needless data and operates at a higher workload. A NIDS fails more frequently under high load. When a NIDS is overburdened, network traffic goes unprocessed; the NIDS then misses true positives and may produce a spike of false negatives. Protect your network from instability: use custom rules wisely and write them efficiently. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 12. Topic title: Rule Performance. Screen title: Importance of Rule Performance. Displays reprised image of person on tight rope with balancing stick. Text displays, balance system resources with data security. On the network performance side of balancing stick, image of pencil breaking displays with text, know the ramifications of rule criteria. On the intrusion detection side of balancing stick, image of a filing cabinet with text; correlate findings to discover important information. Image of an overworked computer displays on network performance side, with text; write efficient rules to decrease load on NIDS. Image of a clock and calendar displays on intrusion detection side, with text; provide right amount of monitoring. The image of the overworked computer rocks side to side causing the balancing stick to become unbalanced. Text displays; NIDS fail more frequently under high load. Followed by bulleted text in support of audio stating; traffic goes unanalyzed, true positives missed, false negatives may spike. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Rule Optimizers</Title>
					<Subtitle/>
					<Filename>disaidscr4_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When creating custom NIDS rules, keep the ramifications of your rule in mind. For example, the &quot;any&quot; variable is a powerful option when writing custom NIDS rules and may be your best option for certain situations, such as malware C2 channels, which may occur on any port. However, you need to be aware of the implications of using the &quot;any&quot; variable: it is resource intensive. Using &quot;any&quot; creates a greater load on your NIDS because it forces the analysis of more data packets. When possible, designate specific ports for rules to reduce the load on the NIDS. Optimize custom rules by specifically identifying which addresses or sets of addresses and ports to analyze. For those instances that require scanning all IP addresses and ports, improve efficiency by limiting how much of the content is analyzed, using content modifiers such as offset, depth, distance, and within when creating custom rules. Remember that these content modifiers narrow the search area, potentially skipping large portions of packet data. This decreases the load on the NIDS and improves the accuracy of the rules. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 12. Screen title: Rule Optimizers. Reprised image of broken pencil with caution symbol displays. Text displays, variable: any. Bulleted text displays in support of audio: sometimes best option, such as malware C 2 channels. Next bulleted text displays; resource intensive, because it creates greater load on the NIDS, and causes NIDS to inspect more traffic. Bulleted text concludes with address and port specified to reduce workload. Image of a check mark displays representing efficiency. Text displays, content modifiers: offset-depth and distance-within. Bulleted text states: improve efficiency, narrow search area, decrease amount of data to analyze, decrease workload for NIDS, and improve accuracy.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Correlating Information</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Importance of Correlating Information</Title>
					<Subtitle/>
					<Filename>disaidscr4_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You have learned how to create NIDS custom rules to assist in monitoring your network. When a potential issue arises, you receive a NIDS alert. Alerts such as these are important, but they provide a limited view of the event or potential malicious activity. In reviewing each alert, you see the specific malicious packet that triggered the NIDS rule. What about subsequent data? How widespread is this potential event? Is malicious activity occurring on other ports or protocols? Using only NIDS alerts, you may miss the context of the activity. When you review the data prior to and after the trigger, you gain context for what is occurring. Your ability to understand the event and develop a solution relies on your ability to correlate the trigger within the context of other data. Otherwise, you may receive an alert but not have enough data to determine the cause or purpose, allowing a potential malicious event to go unresolved. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 12. Topic Title: Correlating Information. Screen title: Importance of Correlating Information. NIDS alert file image displays. Text displays; NIDS alerts, followed by bulleted text in support of audio: show a limited view of event, show specific malicious packets, and miss the context. Text displays; correlating information provides you the key to understanding the event.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Tag</Title>
					<Subtitle/>
					<Filename>disaidscr4_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To provide context for a triggered alert, you can use the rule option &quot;tag&quot;. When writing a NIDS custom rule, place &quot;tag&quot; after the content option and just prior to the rule identifiers. Tag can provide the insight you need to understand the event and develop a solution. When you use the rule option tag, it flags any traffic triggering the alert and logs subsequent data packets. You can use tag to log the rest of the session or to follow the traffic going to and coming from a specific host or client. This additional information assists in analyzing the threat and developing a solution. When using the rule option tag in your NIDS custom rule, follow the standard format: the keyword, a colon, then the modifiers for type, count, metric, and direction, separated by commas. Select each tag modifier to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Tag</Title>
							<Subtitle/>
							<Filename>disaidscr4_06_01</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The tag modifier type determines what is tagged when the rule triggers. There are two options: session and host. When you use session, the rule logs packets of the session that triggered the event; other modifiers may further refine what information you log. When you use host, the rule logs data packets from the specific host. The host type requires you to use the direction modifier, and you may use other modifiers to narrow the results to log as well. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>type</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 4. Popup title: Tag:type. Reprise tag option image with host highlighted displays. Image of two computers with data streaming between them displays. Text displays, type modifier: session defined as: log packets of session that triggered rule, and use additional modifiers to refine logging. Text displays, type modifier: host defined as logs packets from host that triggered rule, uses [direction], and use additional modifiers to refine logging.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Tag</Title>
							<Subtitle/>
							<Filename>disaidscr4_06_02</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The tag modifier count defines how long the logging should occur. The count modifier is a specific integer that is applied to the metric. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>count</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 4. Popup title: Tag:count. Reprise tag option image with 120 highlighted displays. Image of rotating integers displays. Text displays, count modifier: integer defined as: numeric value applied to the metric.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Tag</Title>
							<Subtitle/>
							<Filename>disaidscr4_06_03</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The tag modifier metric defines the unit used in conjunction with count for the amount of data to log. You have three options: seconds, packets, or bytes. When you use seconds, the rule logs data for the specified amount of time. The packets metric logs data for the specified number of packets. The bytes metric logs data for the specified number of bytes. The default tag_packet_limit of 256 packets causes the rule to cease logging when that limit is reached. For more information regarding configuration, please review the Snort User Manual. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>metric</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 4. Popup title: Tag:metric. Reprise tag option image with seconds highlighted displays. Image of an odometer displays. Text displays, metric modifier: seconds defined as log the host or session for a specified time. Text displays, metric modifier: packets defined as logs the host or session for a specified packet count. Text displays, metric modifier: bytes defined as logs the host or session for a specified number of bytes.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Tag</Title>
							<Subtitle/>
							<Filename>disaidscr4_06_04</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The tag modifier direction defines the directional flow of traffic to log. Direction is used only with the tag type modifier host. There are two values to use with direction. Source, written as &quot;src&quot;, tags packets containing the source IP of the packet that triggered the rule. Destination, written as &quot;dst&quot;, tags packets containing the destination IP of the packet that triggered the rule. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>direction</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 4. Popup title: Tag:direction. Reprise tag option image with s r c highlighted displays. Image of a computer with links coming to it. Text displays, used only with host type option. Text displays, direction modifier: s r c defined as tag packets containing source IP of packet triggering rule. Text displays, direction modifier: d s t defined as tag packet containing destination IP of packet triggering rule. </ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 12. Screen title: Tag. Reprised image of complete rule displays. Reprise of rule options image displays. Textbox labeled tag displays pointing to the tag option in the rule options image. Text displays; rule option: tag, followed by bulleted text: flags any traffic triggering an alert, logs subsequent packets, can log subsequent session or follow traffic sent to/from specific host, and captures additional information. Image of tag option is created by removing it from the rule option image, so the tag option image states: tag colon host comma one hundred twenty comma seconds comma s r c semicolon. Four textboxes pointing to the associated component of the rule option display: type, count, metric direction. Each textbox becomes a popup link, and text displays: select each tag modifier to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Example Rule Using Tag</Title>
					<Subtitle/>
					<Filename>disaidscr4_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In this example, the rule triggers an alert for any data packet to TCP port 80 containing the content &quot;BAD&quot;. The tag option is used with the session modifier, so any other packets in that TCP connection, up to 100, will also be logged. Now look at a different example. Here the same alert is triggered for any data packet to TCP port 80 containing the content &quot;BAD&quot;, and any other packets containing the source IP during the next 120 seconds will also be logged. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 12. Screen title: Example Rule Using Tag. This lesson is comprised of two examples, each with a modified rule. Example 1 rule image states: alert t c p any any directional indicator any 80 open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space content colon open quotation mark all upper case B A D close quotation mark semicolon space tag colon session comma one hundred comma packets semicolon space sid colon one million eleven semicolon space rev colon two semicolon close parentheses. Bulleted text displays: alert any traffic to T C P port eighty with content all upper case B A D, and any further packets in that T C P connection, up to 100 packets also logged. Example 2 rule image states: alert t c p any any directional indicator any 80 open parentheses m s g colon open quotation mark upper case B lower case a d space upper case T lower case r a f f i c close quotation mark semicolon space content colon open quotation mark all upper case B A D close quotation mark semicolon space tag colon host comma one hundred twenty comma seconds comma s r c semicolon space sid colon one million eleven semicolon space rev colon two semicolon close parentheses. Bulleted text displays alert any traffic to T C P port 80 with content “BAD”, and any packets from the host containing the Source I P during the next 120 seconds.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Logging</Title>
					<Subtitle/>
					<Filename>disaidscr4_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You should consider logging an important part of your NIDS operation. It allows the NIDS to record information related to the rule and the data triggering it. Logging helps to identify multiple types of events more accurately. Finally, logging provides additional data for analysts. Snort supports multiple logging formats, including text alert files, syslog, database, and tcpdump. This module focuses on text alerts. Snort can also create packet capture, or PCAP, files for any rule triggering an alert. A PCAP file can be viewed with any PCAP-enabled tool, such as Wireshark. When you create a rule using the tag option, it automatically creates a PCAP file. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 12. Screen title: Logging. Text displays; benefits of logging, followed by bulleted text: records related information, identifies multiple types of events, and provides additional data. Text displays; multiple formats, followed by bulleted text: text alert files, sys logs, database, t c p dump, and P CAP which you use with Wireshark and is the default format with tag. Images display on screen in support of audio of: text alert, sys log, database, t c p dump, and p cap file.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check 1</Title>
					<Subtitle/>
					<Filename>disaidscr4_09</Filename>
					<PageNbr>9</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>Which of the following are reasons to write efficient custom rules for your NIDS?</Txt>
							<Response valid="true">
								<Txt>NIDS fail more frequently under high traffic loads</Txt>
							</Response>
							<Response valid="true">
								<Txt>Balance system resources with data security</Txt>
							</Response>
							<Response valid="true">
								<Txt>Correlate data to discover important information</Txt>
							</Response>
							<Response>
								<Txt>Network performance is of no concern; just analyze everything</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Efficient NIDS custom rules provide the balance between effective analysis and network performance. </DfltCorrect>
								<DfltIncorrect>Incorrect. Efficient NIDS custom rules provide the balance between effective analysis and network performance.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">After you make your selection, select Done. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 12. Topic title: Knowledge Check. Screen title: Knowledge Check. This knowledge check consists of one question and four possible answers. Select all responses that apply, and select done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 2</Title>
					<Subtitle/>
					<Filename>disaidscr4_10</Filename>
					<PageNbr>10</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>300</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Defines the unit used to determine the amount of data to log; includes seconds, packets, and bytes.</Txt>
							<Response>
								<Txt>Type for Statement: Defines the unit used to determine the amount of data to log; includes seconds, packets, and bytes.</Txt>
							</Response>
							<Response>
								<Txt>Count for Statement: Defines the unit used to determine the amount of data to log; includes seconds, packets, and bytes.</Txt>
							</Response>
							<Response valid="true">
								<Txt>Metric for Statement: Defines the unit used to determine the amount of data to log; includes seconds, packets, and bytes.</Txt>
							</Response>
							<Response>
								<Txt>Direction for Statement: Defines the unit used to determine the amount of data to log; includes seconds, packets, and bytes.</Txt>
							</Response>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Metric defines the unit, used with count, for the amount of data to log.</DfltCorrect>
								<DfltIncorrect>Incorrect. Metric defines the unit, used with count, for the amount of data to log.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Determines how long the logging is to occur.</Txt>
							<Response>
								<Txt>Type for Statement: Determines how long the logging is to occur.</Txt>
							</Response>
							<Response valid="true">
								<Txt>Count for Statement: Determines how long the logging is to occur.</Txt>
							</Response>
							<Response>
								<Txt>Metric for Statement: Determines how long the logging is to occur.</Txt>
							</Response>
							<Response>
								<Txt>Direction for Statement: Determines how long the logging is to occur.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Count is the numeric value for how long the logging is to occur. </DfltCorrect>
								<DfltIncorrect>Incorrect. Count is the numeric value for how long the logging is to occur.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Defines what will be logged when the rule is triggered; includes session or host.</Txt>
							<Response valid="true">
								<Txt>Type for Statement: Defines what will be logged when the rule is triggered; includes session or host.</Txt>
							</Response>
							<Response>
								<Txt>Count for Statement: Defines what will be logged when the rule is triggered; includes session or host.</Txt>
							</Response>
							<Response>
								<Txt>Metric for Statement: Defines what will be logged when the rule is triggered; includes session or host.</Txt>
							</Response>
							<Response>
								<Txt>Direction for Statement: Defines what will be logged when the rule is triggered; includes session or host.</Txt>
							</Response>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Type defines what will be logged when the rule is triggered. </DfltCorrect>
								<DfltIncorrect>Incorrect. Type defines what will be logged when the rule is triggered.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Defines directional flow of traffic to log and can only be used with host type.</Txt>
							<Response>
								<Txt>Type for Statement: Defines directional flow of traffic to log and can only be used with host type.</Txt>
							</Response>
							<Response>
								<Txt>Count for Statement: Defines directional flow of traffic to log and can only be used with host type.</Txt>
							</Response>
							<Response>
								<Txt>Metric for Statement: Defines directional flow of traffic to log and can only be used with host type.</Txt>
							</Response>
							<Response valid="true">
								<Txt>Direction for Statement: Defines directional flow of traffic to log and can only be used with host type.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Direction defines the directional flow of the traffic to log, and is used only with the host type.</DfltCorrect>
								<DfltIncorrect>Incorrect. Direction defines the directional flow of the traffic to log, and is used only with the host type.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Select the correct match for each statement. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 12. Screen title: Knowledge Check. This knowledge check consists of four questions and four possible answers. Select the best response from the four columns from left to right: type, count, metric, and direction. Select done when complete. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 3</Title>
					<Subtitle/>
					<Filename>disaidscr4_11</Filename>
					<PageNbr>11</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>0</DfltQuestionWidth>
					<DfltFBWidth>0</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt></Txt>
							<Response valid="true">
								<Txt></Txt>
							</Response>
							<Response>
								<Txt></Txt>
							</Response>
							<Feedback>
								<DfltCorrect></DfltCorrect>
								<DfltIncorrect></DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Write a complex NIDS rule for the scenario. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
                <Sec508Data><ContentDescription frameNbr="1">Screen 11 of 12. Screen title: Knowledge Check. This is a free response knowledge check. Type the response in the answer field and select done when complete.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disaidscr3_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the NIDS Rule Optimization lesson. You should now be able to identify the benefits and liabilities of NIDS rule modifiers and identify the purpose of tagging and logging. Finally, you should be able to write a NIDS custom rule using tagging and logging. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 12. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
