SIGNATURES

  1. IDS signature EventActions: a signature can take one or more of the following actions: TCP reset (Reset), IP log (Log), block host (ShunHost), block connection (ShunConnection), or ZERO (no additional action beyond the alarm).

  2. Pre-block ACL: ACL entries that the sensor places at the beginning of the new ACL, before any sensor blocking entries.

  3. Post-block ACL: ACL entries that the sensor places after the sensor blocking entries.

  4. Flood signature engine: used to detect attempts to cause a denial of service (DoS).

  5. Sweep signature engine: used to detect network reconnaissance traffic (host and port sweeps).

  6. Services signature engine: inspects at Layers 5, 6, and 7 and is operating-system independent.

  7. Trojan signature engine: cannot be used to create custom signatures.

  8. Protected parameters: cannot be changed for the default signatures. However, they can be changed for custom signatures.

  9. Required parameters: must be defined for all signatures, both default and custom.

  10. Master parameters: common to most signatures and exist in most signature engines.

  11. Local signature parameters: engine-specific.

  12. A regular expression that matches the text "Secret" or "secret" uses the syntax [Ss]ecret. Note that this character class covers only those two spellings; "SECRET" is not matched.

  13. The PortRange parameter with a value of ZERO means that all ports will be inspected.

  14. Signature engine Atomic.L3.IP inspects individual Layer 3 IP packets and can be used to detect attacks that make use of routing protocols such as Border Gateway Protocol (BGP) and Enhanced Interior Gateway Routing Protocol (EIGRP).

  15. Automatic IP logging captures entire IP packets into a log file. It is not enabled by default and must be configured.
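The following is an added worked example, not code from the book or from Cisco. It is a small Python stand-in for a STRING-style signature that ties together items 1, 12 and 13 above: the EventActions set, the [Ss]ecret character class, and a PortRange of ZERO meaning "inspect every port". The class name StringSignature, the Packet record, the sample traffic and the use of Python's re module are all assumptions made for illustration; Cisco's own regex dialect and engine internals are not reproduced.

```python
import re
from dataclasses import dataclass

# Event actions named on the cram sheet. ZERO means "alarm only": no reset,
# no log, no block. The other four may be combined on one signature.
RESET, LOG, SHUN_HOST, SHUN_CONNECTION, ZERO = (
    "Reset", "Log", "ShunHost", "ShunConnection", "ZERO")


@dataclass
class Packet:
    """Constructed sample packet holding only the fields the toy engine reads."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class StringSignature:
    """Hypothetical STRING-style signature (not Cisco's implementation):
    a regex over the TCP payload, a PortRange ("0" = all ports, otherwise
    "80" or "20-21") and a set of EventActions."""
    sig_id: int
    regex: str
    port_range: str = "0"
    event_actions: frozenset = frozenset({ZERO})

    def __post_init__(self):
        # Python's re is used only to show character-class semantics; the
        # bytes pattern is searched against the raw payload.
        self._pattern = re.compile(self.regex.encode())

    def port_in_range(self, port: int) -> bool:
        """PortRange ZERO ("0") inspects every port; "N" or "N-M" otherwise."""
        if self.port_range == "0":
            return True
        lo, sep, hi = self.port_range.partition("-")
        return int(lo) <= port <= int(hi if sep else lo)


def inspect(sig: StringSignature, pkt: Packet):
    """Return an event dict if the signature fires on the packet, else None."""
    if not sig.port_in_range(pkt.dport):
        return None
    m = sig._pattern.search(pkt.payload)
    if not m:
        return None
    actions = set(sig.event_actions)
    if actions - {ZERO}:
        actions.discard(ZERO)  # ZERO only has meaning when it stands alone
    return {"sig_id": sig.sig_id, "src": pkt.src, "dst": pkt.dst,
            "dport": pkt.dport, "match": m.group(0).decode(),
            "actions": sorted(actions)}


# Constructed sample traffic (not captured data): three spellings of the
# target string across web, alternate-web and FTP ports.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.20", 80, b"GET /secret.txt HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.1.20", 8080, b"GET /Secret/ HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.1.20", 80, b"GET /SECRET HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.1.21", 21, b"RETR secret\r\n"),
]


def run(sig: StringSignature, packets=SAMPLE):
    """Inspect each packet and return the list of events that fired."""
    return [ev for ev in (inspect(sig, p) for p in packets) if ev]


if __name__ == "__main__":
    # Same regex; PortRange 0 (all ports) versus PortRange 80 only.
    all_ports = StringSignature(20001, r"[Ss]ecret", "0",
                                frozenset({LOG, SHUN_CONNECTION}))
    web_only = StringSignature(20002, r"[Ss]ecret", "80")
    for ev in run(all_ports) + run(web_only):
        print(ev)
```

Running it shows the two points a practitioner should carry away: with PortRange 0 the "Secret" request on port 8080 and the FTP "secret" on port 21 both fire, while PortRange 80 sees only the first packet; and in both cases the "SECRET" request passes untouched, because [Ss]ecret is a two-spelling character class, not a case-insensitive match.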



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213
