7-40
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 7 Defining Signatures
Creating Custom Signatures
sensor(config-sig-ip)#
Step 5 Exit signature definition submode.
sensor(config-sig-ip)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 6 Press Enter to apply the changes or enter no to discard them.
Creating Custom Signatures
This section describes how to create custom signatures and contains the following topics:
• Sequence for Creating a Custom Signature, page 7-40
• Example String TCP Engine Signature, page 7-41
• Example Service HTTP Engine Signature, page 7-44
• Example Meta Engine Signature, page 7-46
• Example IPv6 Engine Signature, page 7-50
• Example String XL TCP Engine Match Offset Signature, page 7-52
• Example String XL TCP Engine Minimum Match Length Signature, page 7-55
Sequence for Creating a Custom Signature
Use the following sequence when you create a custom signature:
Step 1 Select a signature engine.
Step 2 Assign the signature identifiers:
  • Signature ID
  • SubSignature ID
  • Signature name
  • Alert notes (optional)
  • User comments (optional)
Step 3 Assign the engine-specific parameters. The parameters differ for each signature engine, although there is a group of master parameters that applies to each engine.
Step 4 Assign the alert response:
  • Signature fidelity rating
  • Severity of the alert
Step 5 Assign the alert behavior.
Step 6 Apply the changes.
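The sequence above as one sensor CLI command listing, with each group of commands marked by the step it carries out. This is an added example, not taken from the Cisco guide: the signature ID, name, port, regex string, and rating values are constructed, and the optional alert notes and user comments are left out. In the CLI the signature ID is entered first because it opens the submode in which the engine is then selected.

```text
! Added example with constructed values; not from the Cisco guide.
! Entered from privileged EXEC mode on the sensor.
configure terminal
service signature-definition sig0
! Step 2: signature ID 60000, subsignature ID 0, and the signature name
! (all constructed; custom signature IDs start at 60000).
signatures 60000 0
sig-description
sig-name Constructed-Example-Signature
exit
! Step 1 and Step 3: select the String TCP engine and set its
! engine-specific parameters (port and regex are constructed).
engine string-tcp
event-action produce-alert
direction to-service
service-ports 23
regex-string constructed-example-string
exit
! Step 4: alert response (severity and signature fidelity rating).
alert-severity medium
sig-fidelity-rating 75
! Step 5: alert behavior (fire an alert on every match, no summarization).
alert-frequency
summary-mode fire-all
summary-key Axxx
exit
exit
! Step 6: leave the signature and signature definition submodes, then
! press Enter at the "Apply Changes:?[yes]:" prompt to apply the changes.
exit
exit
```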