In each Cisco Intrusion Prevention System (IPS) signature specification, there are a number of fields immediately following the Signature Name that can be administratively defined. These are configured beneath the Sig Description subheading and include:
- Signature Name (if customized)
- Alert Notes
- User Comments
- Alert Traits
This post focuses on the last field. To understand the alert traits option, you should read the background behind the IPS alerting mechanism. The vendor-neutral Security Device Event Exchange (SDEE), drafted back in 2004, represented a collaboration of competing vendors including Cisco Systems, Fortinet, Symantec, and TripWire. Currently SDEE is implemented only on intrusion detection and IPS products, but it is both flexible and extensible, in part because its alert format is Extensible Markup Language (XML).
Acting on the extensibility of SDEE, Cisco devised a variant: Cisco Intrusion Detection Event Exchange (CIDEE). Besides expanding SDEE to include error, status, and shun (blocking) events, CIDEE extends alerts while providing a specific set of request parameters. Among these parameters is one titled, curiously enough, mustHaveAlarmTraits.
Now things get interesting.
If we leave this field set to its default value of zero, no alarm traits value is sent when an alert is triggered, as shown by the sample IPS Device Manager (IDM) monitored alert below:
By comparison, watch what happens when we enter a value of 2 in the alarm traits field. The alarmTraits=2 value is clearly shown:
To confirm what’s displayed here, an SSH CLI session was initiated and the show events alert command was executed. The alert traits value also appeared in the raw CLI output.
Now note the output of IPS Manager Express (IME) monitoring this same alarm, after expanding all details:
No alert traits at all! It appears that the Alert Traits feature is intended for customized user implementations only.
Since many Security Information and Event Management (SIEM) solutions on the market today (including the Cisco MARS appliance) allow for custom parsing of raw events, this field could be used in a variety of ways. Two that come to mind are as a criterion for queries on raw events and as an incident filtering or triggering mechanism.
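As an added illustration of the SIEM use just described (example code written for this post, not Cisco's, MARS's or any SIEM vendor's own code): it parses a constructed SDEE/CIDEE-style XML feed, reads the alarm traits value (defaulting to 0 when the element is absent, which is the zero-trait case shown earlier), and then uses that value both as a query criterion over raw events and as an incident-triggering rule. The element names, namespace URIs, event IDs, addresses and custom signature IDs are constructed for the example and are not taken from a Cisco schema; the bitmask matching option is a design choice for the example, not something the post describes.

```python
"""Parse SDEE/CIDEE-style IPS alerts and use alarmTraits as a query criterion.

Element layout and namespace URIs are constructed for this example; the parser
keys only on local element names so it does not depend on exact URIs.
"""
import xml.etree.ElementTree as ET

# Constructed sample feed: three alerts, two carrying an alarmTraits value.
SAMPLE_XML = """<sd:events xmlns:sd="urn:example:sdee" xmlns:cid="urn:example:cidee">
  <sd:evIdsAlert eventId="1000000000000000001" severity="medium" vendor="Cisco">
    <sd:signature description="Custom: suspicious DNS TXT query" id="60001" version="custom">
      <cid:subsigId>0</cid:subsigId>
    </sd:signature>
    <cid:alarmTraits>2</cid:alarmTraits>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">192.0.2.10</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">198.51.100.5</sd:addr></sd:target>
    </sd:participants>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1000000000000000002" severity="low" vendor="Cisco">
    <sd:signature description="Custom: ICMP sweep" id="60003" version="custom">
      <cid:subsigId>0</cid:subsigId>
    </sd:signature>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">192.0.2.20</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">198.51.100.5</sd:addr></sd:target>
    </sd:participants>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1000000000000000003" severity="high" vendor="Cisco">
    <sd:signature description="Custom: outbound to flagged netblock" id="60002" version="custom">
      <cid:subsigId>1</cid:subsigId>
    </sd:signature>
    <cid:alarmTraits>6</cid:alarmTraits>
    <sd:participants>
      <sd:attacker><sd:addr locality="IN">198.51.100.7</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="OUT">203.0.113.9</sd:addr></sd:target>
    </sd:participants>
  </sd:evIdsAlert>
</sd:events>
"""


def _local(tag):
    """Strip the namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _first_addr(node):
    """Return the text of the first <addr> element under node, if any."""
    for el in node.iter():
        if _local(el.tag) == "addr":
            return (el.text or "").strip()
    return None


def parse_alerts(xml_text):
    """Return one dict per evIdsAlert; a missing alarmTraits is the default 0."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.iter():
        if _local(ev.tag) != "evIdsAlert":
            continue
        rec = {"eventId": ev.get("eventId"), "severity": ev.get("severity"),
               "sigId": None, "sigName": None, "alarmTraits": 0,
               "attacker": None, "target": None}
        for child in ev.iter():
            name = _local(child.tag)
            if name == "signature":
                rec["sigId"] = child.get("id")
                rec["sigName"] = child.get("description")
            elif name == "alarmTraits":
                text = (child.text or "").strip()
                if text.isdigit():          # ignore malformed values, keep default 0
                    rec["alarmTraits"] = int(text)
            elif name == "attacker":
                rec["attacker"] = _first_addr(child)
            elif name == "target":
                rec["target"] = _first_addr(child)
        alerts.append(rec)
    return alerts


def query_by_trait(alerts, wanted, bitmask=False):
    """Query criterion: exact match on alarmTraits, or (bitmask=True) any shared
    bit, so 6 (0b110) matches 2 (0b010). Bitmask reading is an example design
    choice, not something the post states."""
    if bitmask:
        return [a for a in alerts if a["alarmTraits"] & wanted]
    return [a for a in alerts if a["alarmTraits"] == wanted]


def incident_trigger(alerts, trait, min_severity="medium"):
    """Incident rule: one ticket per alert carrying `trait` at or above
    min_severity (informational < low < medium < high)."""
    rank = {"informational": 0, "low": 1, "medium": 2, "high": 3}
    floor = rank[min_severity]
    return [{"eventId": a["eventId"], "sigId": a["sigId"], "reason": f"alarmTraits={trait}"}
            for a in query_by_trait(alerts, trait)
            if rank.get(a["severity"], 0) >= floor]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_XML)
    for a in parsed:
        print(a["eventId"], a["sigId"], a["alarmTraits"], a["attacker"], "->", a["target"])
    print("trait==2:", [a["eventId"] for a in query_by_trait(parsed, 2)])
    print("trait&2 :", [a["eventId"] for a in query_by_trait(parsed, 2, bitmask=True)])
    print("incidents:", incident_trigger(parsed, 2))
```

Because the parser falls back to 0 when the element is absent, signatures left at the default and signatures explicitly tagged 0 look the same to a query, which is exactly the behaviour the IDM screenshot for the zero case suggests; if that distinction matters in a SIEM rule, store the raw element as missing rather than coercing it.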