Chapter 9. Cisco IDS Signatures, Alarms, and Signature Series

Terms you'll need to understand:

  • Signature engine parameters

  • Protected parameters

  • Required parameters

  • Master and local signature engine parameters

  • Built-in (default) signatures

  • Custom signatures

  • Signature engines

  • Regular expression (Regex) syntax

  • FlipAddr parameter

  • AlarmThrottle parameter

  • ThrottleInterval parameter

  • SummaryKey parameter

  • ChokeThreshold parameter

  • State machines

  • State machine transitions

Techniques and concepts you'll need to master:

  • Alarm severity levels

  • Alarm summarization with the AlarmThrottle parameter

  • Automatic alarm summarization with the ChokeThreshold parameter

  • Recognizing signature responses

  • Selecting a signature engine

Signatures form the core of the Cisco Secure Intrusion Detection System (IDS). This chapter describes how signatures are structured and the various ways that they are categorized. The chapter then discusses signature engines, which support multiple signatures in a specific category. This chapter describes signature engine characteristics and features (including alarm configuration) and the full range of Cisco Signature Engines and their key parameters. The chapter also discusses the severity and alarm levels associated with each signature. Finally, we list and describe the Cisco Secure IDS signature engine series.

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213