It should be apparent that the Cisco series of signature engines allows you to create a wide range of custom signatures. Use the following guidelines when determining which signature engine to use to create your custom signatures:
Network protocol: Determine the network protocol of the traffic to be examined. To create a signature that examines OSPF packets, for example, use the Atomic.L3.IP signature engine, which allows you to specify the IP protocol number.
Target address: Determine the target you are considering. For example, to detect an attack on a subnet, use the Flood.Net signature engine.
Target port: Choose the signature engine that examines the ports of interest.
Type of attack: Determine the anticipated nature of the attack. For DoS, you generally use the Flood signature engines, whereas the Sweep signature engines are designed for reconnaissance attacks.
Payload inspection: If the payload must be inspected for a string pattern, for example, use the String.TCP signature engine, which is designed to detect a string pattern within a TCP packet.
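The guidelines above turn on what each engine family actually examines. The following Python sketch is added here as an illustration; it is not code from the book or from Cisco. It models the four kinds of inspection the guidelines name over a constructed packet stream: a single-packet match on the IP protocol number (the Atomic.L3.IP case), a pattern search in a TCP payload (String.TCP), a packet-rate count across a whole subnet (Flood.Net), and a count of distinct ports one source touches on one host (the Sweep family). The record layout, thresholds, window sizes and alert names are simplifying assumptions chosen for the example, not Cisco's engine parameters.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OSPF, TCP, UDP = 89, 6, 17  # IP protocol numbers


@dataclass
class Packet:
    """Constructed per-packet summary: the fields a sensor would have decoded."""
    ts: float               # seconds since capture start
    src: str
    dst: str
    proto: int              # IP protocol number
    dport: Optional[int] = None
    payload: bytes = b""


def atomic_l3_ip(pkt: Packet, ip_proto: int) -> bool:
    """Atomic.L3.IP style: one packet matches on its IP protocol number alone."""
    return pkt.proto == ip_proto


def string_tcp(pkt: Packet, pattern: bytes) -> bool:
    """String.TCP style: a regular expression is searched in a TCP payload."""
    return pkt.proto == TCP and re.search(pattern, pkt.payload) is not None


class FloodNet:
    """Flood.Net style: fires when packets into a subnet exceed `rate` within
    a sliding window of `interval` seconds (threshold and window are assumed)."""

    def __init__(self, subnet: str, rate: int, interval: float = 1.0):
        self.subnet = ip_network(subnet)
        self.rate, self.interval = rate, interval
        self.window: list[float] = []  # timestamps of packets into the subnet

    def observe(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in self.subnet:
            return False
        self.window = [t for t in self.window if pkt.ts - t < self.interval]
        self.window.append(pkt.ts)
        return len(self.window) > self.rate


class SweepPort:
    """Sweep style (reconnaissance): fires once one source has touched more
    than `unique` distinct TCP ports on a single destination host."""

    def __init__(self, unique: int):
        self.unique = unique
        self.seen: dict[tuple[str, str], set[int]] = defaultdict(set)

    def observe(self, pkt: Packet) -> bool:
        if pkt.proto != TCP or pkt.dport is None:
            return False
        ports = self.seen[(pkt.src, pkt.dst)]
        ports.add(pkt.dport)
        return len(ports) > self.unique


def run_sensor(packets: list[Packet]) -> list[tuple[str, str]]:
    """Run one signature of each family over the stream; return (alert, address)."""
    flood = FloodNet("10.0.0.0/24", rate=10, interval=1.0)
    sweep = SweepPort(unique=3)
    alerts = []
    for p in packets:
        if atomic_l3_ip(p, OSPF):
            alerts.append(("OSPF packet", p.src))
        if string_tcp(p, rb"/etc/passwd"):
            alerts.append(("passwd string in TCP payload", p.src))
        if flood.observe(p):
            alerts.append(("flood into 10.0.0.0/24", p.dst))
        if sweep.observe(p):
            alerts.append(("TCP port sweep", p.src))
    return alerts


# Constructed traffic: one OSPF packet, one HTTP request carrying a suspicious
# string, a five-port probe from one host, and a 12-packet UDP burst at one target.
SAMPLE = (
    [Packet(0.00, "10.0.0.2", "10.0.0.1", OSPF)]
    + [Packet(0.10, "192.0.2.9", "10.0.0.5", TCP, 80, b"GET /../../etc/passwd HTTP/1.0")]
    + [Packet(0.20 + i * 0.01, "192.0.2.9", "10.0.0.7", TCP, 1000 + i) for i in range(5)]
    + [Packet(5.00 + i * 0.05, "198.51.100.3", "10.0.0.9", UDP, 53) for i in range(12)]
)

if __name__ == "__main__":
    for name, addr in run_sensor(SAMPLE):
        print(f"{name:32} {addr}")
```

Running the sketch on the constructed stream yields one OSPF alert, one payload-string alert, two sweep alerts (the fourth and fifth distinct ports) and two flood alerts (the eleventh and twelfth packets inside the window). The point of the model is the shape of each check: the atomic and string checks decide per packet, while the flood and sweep checks keep state across packets, which is why the guidelines steer DoS and reconnaissance detection to the Flood and Sweep families.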