- Signature Types
- Signature Triggers
- Signature Actions
- Summary
Signature Triggers
The heart of any IPS signature is the mechanism that causes it to trigger. These triggering mechanisms can be simple or complex, and every IPS incorporates signatures that use one or more of these basic triggering mechanisms to trigger signature actions. These triggering mechanisms can be applied to both atomic and stateful signatures. Current IPSs incorporate various triggering mechanisms when developing signatures, including the following:
- Pattern detection
- Anomaly-based detection
- Behavior-based detection
Table 2-1 shows the relationship between the various signature types and triggering mechanisms.
Table 2-1 Signature Type Versus Signature Trigger
Signature Trigger |
Signature Type |
|
|
Atomic Signature |
Stateful Signature |
Pattern detection |
No state required to examine pattern to determine if signature action should be applied |
Must maintain state or examine multiple items to determine if signature action should be applied |
Anomaly detection |
No state required to identify activity that deviates from normal profile |
State required to identify activity that deviates from normal profile |
Behavior detection |
No state required to identify undesirable behavior |
Previous activity (state) required to identify undesirable behavior |
The following sections explain the signature triggering mechanisms in detail. Table 2-2 and Table 2-3 provide example signatures that illustrate the various combinations of signature types and triggering mechanisms to help clarify how the different signature types and triggers combine to create useful signatures.
Table 2-2 Host-Based Signature Examples
Signature Trigger |
Signature Type |
|
|
Atomic Signature |
Stateful Signature |
Pattern detection |
Searching for the string confidential in a data file |
Searching for the string SELECT FROM in a URI |
Anomaly detection |
Detecting a function call that is not part of the normal profile |
Two function calls that are part of the normal profile, but have never been called within 1 second of each other |
Behavior detection |
Searching for any invocation of cmd.exe |
Searching for an e-mail application (program that has previously generated or received e-mail traffic) invoking command.com |
Table 2-3 Network-Based Signature Examples
Signature Trigger |
Signature Type |
|
|
Atomic Signature |
Stateful Signature |
Pattern detection |
Detecting for an Address Resolution Protocol (ARP) request that has a source Ethernet address of FF:FF:FF:FF:FF:FF |
Searching for the string confidential across multiple packets in a TCP session |
Anomaly detection |
Detecting traffic that is going to a destination port that is not in the normal profile |
Verifying protocol compliance for HTTP traffic |
Behavior detection |
Detecting abnormally large fragmented packets by examining only the last fragment |
Searching for RPC requests that do not initially utilize the PortMapper |
Each of these triggering mechanisms has its benefits and drawbacks. Using the correct triggering mechanism in the appropriate situation greatly improves its efficiency. IPS devices that support multiple triggering mechanisms can more adequately support efficient signatures for a wide variety of activities without significantly impacting the performance of the IPS device.
By understanding the mechanisms that a signature can use to identify an activity, you can more efficiently determine a product's true capabilities.
Pattern Detection
The simplest triggering mechanism is identifying a specific pattern. This pattern can represent a textual or binary string or it can be other patterns, such as a sequence of function calls. Besides simple string patterns, most systems provide enhanced pattern detection using the following mechanisms:
- Regular expression (regex) patterns
- Deobfuscation techniques
Specifying string patterns using regex provides the ability to efficiently search for textual patterns (using a single regular expression) while making it harder to bypass the pattern without detection.
grep [Aa][Tt][Tt][Aa][Cc][Kk] output.results