Which two fields uniquely identify a signature?
Answer: Together, the Signature ID and SubSignature ID uniquely identify a signature.
What does the Signature Fidelity Rating indicate?
Answer: The Signature Fidelity Rating indicates the likelihood that a signature will detect actual attack traffic without the sensor having specific knowledge about the target system's operating system and applications.
What does the Alert Severity level indicate?
Answer: The Alert Severity level indicates the relative seriousness of the traffic that the signature is designed to detect.
What values can you assign to the Event Count Key field?
Answer: You can assign the following values to the Event Count Key field: attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address.
What does the Event Count Key specify?
Answer: The Event Count Key specifies which IP addresses and/or ports are used when determining unique instances of a signature's traffic.
What is the Meta Event Generator?
Answer: The Meta Event Generator enables you to create compound (meta) signatures based on multiple individual component signatures.
When configuring a signature with the Meta signature engine, which engine-specific parameters do you need to specify?
Answer: When defining a signature with the Meta signature engine, you need to define the signatures that comprise the meta signature, the number of unique victims needed to trigger the signature, the IP addresses or ports used to determine unique signature instances, and potentially whether the order of the component signatures is important.
Explain Application Policy Enforcement and identify which signature engines support this capability.
Answer: Application Policy Enforcement refers to the capability to provide deep-packet inspection for Layer 4 through Layer 7 for specific protocols, enabling a much more granular verification of your defined security policy. This functionality is provided by the AIC HTTP and AIC FTP signature engines.
What are some of the checks provided by the AIC HTTP signature engine?
Answer: The AIC HTTP signature engine provides functionality such as detection of covert tunneling through port 80, ensuring RFC compliance of HTTP methods, filtering traffic based on specified MIME types, and controlling permitted traffic based on user-defined policies.
Signature tuning involves changing which signature parameters?
Answer: Signature tuning involves changing the following signature parameters: engine-specific fields, event counter fields, and alert frequency fields.
Signature tuning does not usually involve changing which signature parameters?
Answer: Signature tuning does not usually involve enabling or disabling a signature, changing the alert severity, or assigning a signature action.
What are the four high-level steps involved in creating a custom signature?
Answer: When creating a custom signature, you need to perform the following tasks: choose a signature engine, verify existing functionality, define the signature parameters, and test the new signature's effectiveness.
What are the factors that you need to consider when choosing a signature engine for a new signature?
Answer: When choosing a signature engine for a new signature, you need to consider the following factors about the traffic being detected: network protocol, target address, target port, attack type, inspection criteria.
What is the difference between adding a new signature and creating a new signature by using the cloning functionality?
Answer: Using the cloning functionality enables you to initially populate a new signature with the values for an existing signature. This can save time when you are creating a new signature based on an existing signature.
What regex matches the following patterns: ABXDF, ABXXDF, and ABD?
Answer: A regex that detects ABXDF, ABXXDF, and ABD is AB[X]*D[F]*. The asterisk (*) allows the preceding character class to occur 0 or more times. Given the patterns specified, you could also have written [D]+ to allow one or more Ds, since it is not clear from the patterns whether more than one D is allowed.