Signature Engine Selection

[ LiB ]  

It should be apparent that the Cisco series of signature engines allows you to create a wide range of custom signatures. Use the following guidelines when determining which signature engine to use to create your custom signatures:

  • Network protocol Determine the network protocol of the traffic to be examined. To create a signature engine that examines OSPF packets, for example, use the Atomic.L3.IP signature engine, which allows you to specify a protocol number.

  • Target address Determine the target you are considering. For example, if you want to detect an attack on a subnet, use the Flood.Net signature engine.

  • Target port Choose the signature engine that examines the ports of interest.

  • Type of attack Determine the anticipated nature of the attack. For DoS, you generally use the Flood signature engines, whereas the Sweep signature engines are designed for reconnaissance attacks.

  • Payload inspection If you need the payload to be inspected for a string pattern, for example, consider using the String.TCP signature engine, which is designed to detect a string pattern within a TCP packet.

[ LiB ]  

CSIDS Exam Cram 2 (Exam 642-531)
CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213 © 2008-2017.
If you may any questions please contact us: