Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01

Chapter 8: Defining Signatures
This chapter describes how to define and create signatures. It contains the following sections:
Signature Definition Notes and Caveats, page 8-1
Understanding Policies, page 8-1
Working With Signature Definition Policies, page 8-2
Understanding Signatures, page 8-3
Configuring Signature Variables, page 8-4
Configuring Signatures, page 8-6
Creating Custom Signatures, page 8-40
Signature Definition Notes and Caveats
The following notes and caveats apply to defining signatures:

- You must preface signature variables with a dollar ($) sign to indicate that you are using a variable rather than a string.
- We recommend that you do NOT change the promiscuous delta setting for a signature.
- The parameters tcp-3-way-handshake-required and tcp-reassembly-mode only impact sensors inspecting traffic in promiscuous mode, not inline mode. To configure asymmetric options for sensors inspecting inline traffic, use the inline-TCP-evasion-protection-mode parameter.
- A custom signature can affect the performance of your sensor. Test the custom signature against a baseline sensor performance for your network to determine the overall impact of the signature.
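As an added illustration of the first caveat (an example written for this page, not a session reproduced from the guide): the CLI session below sets the WEBPORTS signature variable in the default sig0 policy and then references it from the service-ports parameter of a signature in the service-http engine. The signature number 60000 0, the exact port list and the prompt strings are assumed for illustration; the point is the leading $ on the reference.

```text
sensor# configure terminal
sensor(config)# service signature-definition sig0
! Define (or redefine) the variable; the port list here is a constructed example.
sensor(config-sig)# variables WEBPORTS
sensor(config-sig-var)# web-ports 80,3128,8000,8010,8080,8888,24326
sensor(config-sig-var)# exit
! Reference the variable from a signature. Signature ID 60000 0 is assumed.
sensor(config-sig)# signatures 60000 0
sensor(config-sig-sig)# engine service-http
! The $ marks WEBPORTS as a variable reference, not a literal port string.
sensor(config-sig-sig-ser)# service-ports $WEBPORTS
sensor(config-sig-sig-ser)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
```

Without the leading $, the CLI would treat WEBPORTS as a literal port-list string rather than as a reference to the variable, which is exactly the mistake the caveat warns about. Because every signature that references $WEBPORTS picks up a change to the variable, editing the variable is the one place to add a new web proxy port rather than touching each HTTP signature individually.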
Understanding Policies
You can create multiple security policies and apply them to individual virtual sensors. A security policy is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you can create new policies. The use of multiple security policies lets you create security policies based on different requirements and then apply these customized policies per VLAN or physical interface.