Chapter 7. Advanced Signature Configuration

This chapter covers the following subjects:

  • Advanced Signature Configuration

  • Meta-Event Generator

  • Understanding HTTP and FTP Application Policy Enforcement

  • Tuning an Existing Signature

  • Creating a Custom Signature

Many Cisco IPS deployments can take advantage of default signature configurations. Sometimes, however, you may need to create a custom signature or tune an existing signature to meet the needs your specific network environment. Cisco IPS provides the capability to tweak existing signatures and to easily create custom signatures based on the various Cisco IPS signature engines.

When default signature configurations do not match your requirements, you can either tune existing signatures to match your requirements or create your own custom signatures. Understanding the various signature fields is vital to your successful completion of either of these operations.

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 7-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 7-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic

Questions Covering This Topic

Advanced Signature Configuration Regular Expressions String Matching


Advanced Signature Configuration Signature Fields

1, 2

Meta-Event Generator

3, 7

Understanding HTTP and FTP Application Policy Enforcement

8, 10

Tuning an Existing Signature

4, 5

Creating a Custom Signature



The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


Which signature field indicates the likelihood that the signature will trigger on attack traffic?

  1. Alert Severity

  2. Signature Fidelity Rating

  3. Target Value Rating

  4. Event Action Override

  5. Alert Notes


Which of the following is not a valid value for the Event Count Key field?

  1. Attacker address

  1. Victim address

  2. Attacker and victim addresses

  3. Attacker address and port

  4. Attacker address and victim port


To create a signature that generates an alert based on multiple component signatures, which of the following signature engines should you use?


  2. Meta

  3. Normalizer

  4. Multi String

  5. Service General


Which of the following is considered tuning a signature?

  1. Enabling a signature

  2. Disabling a signature

  3. Changing the Alert Severity level

  4. Changing the signature's engine-specific parameters

  5. Assigning a new signature action


Which of the following is not considered tuning a signature?

  1. Changing the signature's engine-specific parameters

  2. Changing the signature's event counter parameters

  3. Assigning a new severity level

  4. Changing the signature's alert frequency parameters


What is the first step in creating a custom signature?

  1. Choose a signature engine.

  2. Define event counter parameters.

  3. Test signature effectiveness.

  4. Define alert frequency parameters.

  5. Define basic signature fields.


Which of the following is true about meta signatures?

  1. The meta signature can use only component signatures from the same signature engine.

  2. The order of the component signatures can be specified.

  3. The order of the component signatures cannot be specified.

  4. You can configure a reset interval for each component signature.


For which protocol is application policy enforcement supported in Cisco IPS version 5.0?

  1. SMTP

  2. NTP

  3. HTTP

  4. ARP

  5. IP


Which regex will match one or more As?

  1. [^A]*

  2. [A]+

  3. [A]?

  4. [A]*

  5. [^A]+


Which signature engine enables you to detect tunneling of non-HTTP traffic through port 80?

  1. Service HTTP

  2. Service FTP


  4. AIC FTP

  5. Service Generic

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

  • 8 or less overall score Read the entire chapter, including the "Foundation and Supplemental Topics," "Foundation Summary," and Q&A sections.

  • 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.

CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter © 2008-2017.
If you may any questions please contact us: