Tuning existing signatures and creating custom signatures are powerful features of Cisco IPS. Understanding this functionality enables you to fine-tune your Cisco IPS deployment to provide the best protection for your network. Each signature is composed of fields in the following categories:
Each signature has the following four basic fields that identify the signature:
The signature description fields are composed of the following five fields:
By configuring the following event counter fields, you determine how many instances of the attack traffic are required to cause the signature to generate an alert:
The possible values for the Event Count Key are as follows:
A powerful new functionality in Cisco IPS version 5.0 is the Meta-Event Generator (MEG). The MEG enables you to create compound signatures based on multiple individual signatures. When defining a meta signature, you need to define the following parameters:
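As an added worked example, not part of the original text, the following Python simulation models the event-counter semantics summarized above (event count, event count key, alert interval) and a Meta-Event Generator style compound signature that correlates component alerts under a meta key within a reset interval. The key names (Axxx, AxBx, Axxb, xxBx, AaBb) follow the Cisco IPS 5.x naming convention; the Packet fields, the signature IDs 1000/2000/3000, the sample traffic, and the reset-on-alert and interval handling are this example's own simplifications, not sensor code.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Key choices, named as in Cisco IPS 5.x: A = attacker address, a = attacker
# port, B = victim address, b = victim port, x = field ignored.  The mapping
# onto Packet attributes is this example's own (assumed, not sensor code).
KEY_FIELDS = {
    "Axxx": ("src",),
    "AxBx": ("src", "dst"),
    "Axxb": ("src", "dport"),
    "xxBx": ("dst",),
    "AaBb": ("src", "sport", "dst", "dport"),
}


@dataclass
class Packet:
    # Constructed packet that has already matched signature sig_id.
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    sig_id: int


@dataclass
class EventCounter:
    """Alert once event_count matches share one key within alert_interval
    seconds (0 = no time limit); that key's count resets after each alert."""
    sig_id: int
    event_count: int = 1
    event_count_key: str = "Axxx"
    alert_interval: float = 0
    _counts: dict = field(default_factory=dict)   # key -> (window start, n)

    def observe(self, pkt: Packet) -> bool:
        key = tuple(getattr(pkt, f) for f in KEY_FIELDS[self.event_count_key])
        start, n = self._counts.get(key, (pkt.ts, 0))
        if self.alert_interval and pkt.ts - start > self.alert_interval:
            start, n = pkt.ts, 0            # interval expired: count again
        n += 1
        if n >= self.event_count:
            self._counts.pop(key, None)     # fire and reset this key
            return True
        self._counts[key] = (start, n)
        return False


@dataclass
class MetaSignature:
    """MEG-style compound signature: fires when every component signature has
    alerted the required number of times under one meta key within
    meta_reset_interval seconds (simplified model)."""
    meta_id: int
    components: dict                        # component sig_id -> alerts needed
    meta_key: str = "AxBx"
    meta_reset_interval: float = 60
    _seen: dict = field(default_factory=dict)     # key -> (start, {sig: n})

    def observe(self, alert: Packet) -> bool:
        if alert.sig_id not in self.components:
            return False
        key = tuple(getattr(alert, f) for f in KEY_FIELDS[self.meta_key])
        start, seen = self._seen.get(key, (alert.ts, defaultdict(int)))
        if alert.ts - start > self.meta_reset_interval:
            start, seen = alert.ts, defaultdict(int)   # partial match expired
        seen[alert.sig_id] += 1
        if all(seen[s] >= n for s, n in self.components.items()):
            self._seen.pop(key, None)
            return True
        self._seen[key] = (start, seen)
        return False


def run_sensor(packets, counters, metas):
    """Return (kind, id, attacker, victim) for each component and meta alert."""
    by_sig = {c.sig_id: c for c in counters}
    alerts = []
    for pkt in packets:                     # assumed already in time order
        counter = by_sig.get(pkt.sig_id)
        if counter is None or not counter.observe(pkt):
            continue
        alerts.append(("sig", pkt.sig_id, pkt.src, pkt.dst))
        for meta in metas:                  # component alerts feed the MEG
            if meta.observe(pkt):
                alerts.append(("meta", meta.meta_id, pkt.src, pkt.dst))
    return alerts


# Constructed traffic: 10.0.0.5 trips sig 1000 three times in 3 s, then sig
# 2000; 10.0.0.9 trips sig 1000 twice, once more 44 s later, then sig 2000.
SAMPLE_PACKETS = [
    Packet(1, "10.0.0.5", 40000, "192.0.2.10", 80, 1000),
    Packet(2, "10.0.0.5", 40001, "192.0.2.10", 80, 1000),
    Packet(3, "10.0.0.5", 40002, "192.0.2.10", 80, 1000),
    Packet(4, "10.0.0.5", 40003, "192.0.2.10", 22, 2000),
    Packet(5, "10.0.0.9", 50000, "192.0.2.10", 80, 1000),
    Packet(6, "10.0.0.9", 50001, "192.0.2.10", 80, 1000),
    Packet(50, "10.0.0.9", 50002, "192.0.2.10", 80, 1000),
    Packet(100, "10.0.0.9", 50003, "192.0.2.10", 22, 2000),
]


def demo():
    counters = [EventCounter(1000, event_count=3, alert_interval=10),
                EventCounter(2000)]         # default: every match alerts
    metas = [MetaSignature(3000, components={1000: 1, 2000: 1})]
    return run_sensor(SAMPLE_PACKETS, counters, metas)
```

`demo()` returns four alerts: the sig 1000 component alert for 10.0.0.5 on its third match, the sig 2000 alert, the meta 3000 alert (both components seen under the same attacker/victim key within the reset interval), and finally a lone sig 2000 alert for 10.0.0.9. The second attacker never accumulates three sig 1000 matches inside the 10-second alert interval (the third match at t=50 restarts the count), so it produces no sig 1000 component alert and therefore no meta alert; this is the difference between tuning the event count and tuning the alert interval.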
Cisco IPS version 5.0 enables you to conduct a more thorough analysis of HTTP and FTP traffic by using application policy enforcement. The following signature engines provide the HTTP and FTP application policy enforcement functionality by performing deep-packet inspection from Layer 4 through Layer 7:
Tuning signatures involves performing one or more of the following:
The following tasks are usually not considered tuning a signature:
When creating custom signatures, you need to complete the following tasks:
When choosing which signature engine to use for a new signature, you need to consider several factors about the traffic being detected, such as the following: