Chapter 5. Basic Cisco IPS Signature Configuration

This chapter covers the following subjects:

  • Configuring Cisco IPS Signatures

  • Signature Groups

  • Alarm Summary Modes

  • Basic Signature Configuration

The heart of the Cisco IPS is the signatures that the sensor uses to identify intrusive traffic on your network. Viewing signatures by using signature groups enables you to efficiently configure the numerous Cisco IPS signatures to match your unique network configuration.

Your Cisco IPS sensors check network traffic against signatures of known intrusive traffic. It is important to understand how to locate the signatures available as well as to determine which signatures are most important in your unique network environment. This chapter explains how you can use IPS Device Manager (IDM) to view the different signatures by signature group and to enable the numerous signatures that are available. Advanced signature configuration operations, such as signature tuning and creating custom signatures, will be covered in Chapter 7, "Advanced Signature Configuration."

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 5-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 5-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic

Questions Covering This Topic

Signature Groups

1, 2, 6

Alarm Summary Modes

3, 4, 5

Basic Signature Configuration

7, 8, 9, 10


The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


Which of the following is not a valid IDM signature group?

  1. Attack

  2. Operating System

  3. Service

  4. Signature Release

  5. Policy Violation


Which of the following is not a valid signature response option?

  1. Deny Victim Inline

  2. Deny Attacker Inline

  3. Produce Alert

  4. Request SNMP Trap

  5. Log Pair Packets


Which of the following is not a valid summary key?

  1. Attacker address

  2. Attacker address and victim port

  3. Victim address and attacker port

  4. Attacker and victim addresses

  5. Attacker and victim addresses and ports


Which of the following is not a valid alarm summary mode?

  1. Fire Once

  2. Summary

  3. Global Summary

  4. Fire All

  5. Fire Global


Which parameter determines when alarm summary mode takes effect?

  1. Global Summary Threshold

  2. Summary Threshold

  3. Choke Threshold

  4. Throttle Interval

  5. None of these


Which of the following is not a valid service signature group?

  1. DHCP

  2. General Service

  3. SOCKS

  4. ARP

  5. File Sharing


Which of the following is not a field on the Network Security Database (NSDB) signature information page for version 5.0?

  1. Description

  2. Benign Trigger(s)

  3. Recommended Signature Filter

  4. Related Threats

  5. Related Vulnerabilities


Which button activates a signature that has been disabled?

  1. Enable

  2. Activate

  3. Add

  4. No Disable

  5. None of these


Which button activates a signature that has been retired?

  1. Enable

  2. Activate

  3. Restore

  4. Add

  5. You cannot retire signatures


When you create a custom signature, which option starts with the settings for an existing signature?

  1. Add

  2. Duplicate

  3. Copy

  4. Clone

  5. Replicate

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

  • 8 or less overall score Read the entire chapter, including the "Foundation and Supplemental Topics," "Foundation Summary," and Q&A sections.

  • 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&Asection. Otherwise, move to the next chapter.

CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter © 2008-2017.
If you may any questions please contact us: