Foundation Summary


Tuning existing signatures and creating custom signatures is a powerful feature of Cisco IPS. Understanding this functionality enables you to fine-tune your Cisco IPS solution to provide the best protection for your network.

Each signature is composed of fields in the following categories:

  • Basic signature fields

  • Signature description fields

  • Engine-specific fields

  • Event counter fields

  • Alert frequency fields

  • Status fields

Each signature has the following four basic fields that identify the signature:

  • Signature ID

  • SubSignature ID

  • Alert Severity

  • Signature Fidelity Rating

The signature description fields are composed of the following five fields:

  • Signature Name

  • Alert Notes

  • User Comments

  • Alarm Traits

  • Release

By configuring the following event counter fields, you determine how many instances of the attack traffic are required to cause the signature to generate an alert:

  • Event Count

  • Event Count Key

  • Alert Interval

The possible values for the Event Count Key are as follows:

  • Attacker address

  • Attacker address and victim port

  • Attacker and victim addresses

  • Attacker and victim addresses and ports

  • Victim address

A powerful new functionality in Cisco IPS version 5.0 is the Meta-Event Generator (MEG). The MEG enables you to create compound signatures based on multiple individual signatures. When defining a meta signature, you need to define the following parameters:

  • Signatures that comprise the meta signature

  • Number of unique victims needed to trigger the meta signature

  • IP addresses or ports used to trigger the meta signature

  • Order in which signatures need to be detected (optional)

Cisco IPS version 5.0 enables you to conduct a more thorough analysis of HTTP and FTP by using application policy enforcement. The following signature engines provide the HTTP and FTP application policy enforcement functionality by providing deep-packet inspection for Layer 4 through Layer 7:

  • AIC FTP

  • AIC HTTP

Tuning signatures involves performing one or more of the following:

  • Changing the signature's engine parameters

  • Changing the signature's event counter parameters

  • Changing the signature's alert frequency parameters

The following tasks are usually not considered tuning a signature:

  • Enabling or disabling a signature

  • Assigning a severity level

  • Assigning a signature action

When creating custom signatures, you need to complete the following tasks:

  1. Choose a signature engine.

  2. Verify existing functionality.

  3. Define signature parameters.

  4. Test signature effectiveness.

When choosing which signature engine to use for a new signature, you need to consider several factors about the traffic being detected, such as the following:

  • Network protocol

  • Target address

  • Target port

  • Attack type

  • Inspection criteria



CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net