Chapter 5. Basic Cisco IPS Signature Configuration


This chapter covers the following subjects:

  • Configuring Cisco IPS Signatures

  • Signature Groups

  • Alarm Summary Modes

  • Basic Signature Configuration

The heart of the Cisco IPS is the signatures that the sensor uses to identify intrusive traffic on your network. Viewing signatures by using signature groups enables you to efficiently configure the numerous Cisco IPS signatures to match your unique network configuration.

Your Cisco IPS sensors check network traffic against signatures of known intrusive traffic. It is important to understand how to locate the signatures available as well as to determine which signatures are most important in your unique network environment. This chapter explains how you can use IPS Device Manager (IDM) to view the different signatures by signature group and to enable the numerous signatures that are available. Advanced signature configuration operations, such as signature tuning and creating custom signatures, will be covered in Chapter 7, "Advanced Signature Configuration."

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 5-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 5-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic

Questions Covering This Topic

Signature Groups

1, 2, 6

Alarm Summary Modes

3, 4, 5

Basic Signature Configuration

7, 8, 9, 10


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1.

Which of the following is not a valid IDM signature group?

  1. Attack

  2. Operating System

  3. Service

  4. Signature Release

  5. Policy Violation

2.

Which of the following is not a valid signature response option?

  1. Deny Victim Inline

  2. Deny Attacker Inline

  3. Produce Alert

  4. Request SNMP Trap

  5. Log Pair Packets

3.

Which of the following is not a valid summary key?

  1. Attacker address

  2. Attacker address and victim port

  3. Victim address and attacker port

  4. Attacker and victim addresses

  5. Attacker and victim addresses and ports

4.

Which of the following is not a valid alarm summary mode?

  1. Fire Once

  2. Summary

  3. Global Summary

  4. Fire All

  5. Fire Global

5.

Which parameter determines when alarm summary mode takes effect?

  1. Global Summary Threshold

  2. Summary Threshold

  3. Choke Threshold

  4. Throttle Interval

  5. None of these

6.

Which of the following is not a valid service signature group?

  1. DHCP

  2. General Service

  3. SOCKS

  4. ARP

  5. File Sharing

7.

Which of the following is not a field on the Network Security Database (NSDB) signature information page for version 5.0?

  1. Description

  2. Benign Trigger(s)

  3. Recommended Signature Filter

  4. Related Threats

  5. Related Vulnerabilities

8.

Which button activates a signature that has been disabled?

  1. Enable

  2. Activate

  3. Add

  4. No Disable

  5. None of these

9.

Which button activates a signature that has been retired?

  1. Enable

  2. Activate

  3. Restore

  4. Add

  5. You cannot retire signatures

10.

When you create a custom signature, which option starts with the settings for an existing signature?

  1. Add

  2. Duplicate

  3. Copy

  4. Clone

  5. Replicate

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

  • 8 or less overall score Read the entire chapter, including the "Foundation and Supplemental Topics," "Foundation Summary," and Q&A sections.

  • 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&Asection. Otherwise, move to the next chapter.



CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net