8-7
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Configuring Signatures
• vulnerable-os—Specifies the list of OS types that are vulnerable to this attack signature.
For More Information
• For the procedure for configuring alert frequency, see Configuring Alert Frequency, page 8-7.
• For more information about signature engines, see Appendix B, “Signature Engines.”
• For the procedure for assigning actions, see Assigning Actions to Signatures, page 8-15.
• For the procedure for configuring event counts, see Configuring the Event Counter, page 8-10.
• For the procedure for configuring the signature fidelity rating, see Configuring Signature Fidelity Rating, page 8-12.
• For the procedure for enabling and disabling signatures, see Configuring the Status of Signatures, page 8-13.
• For the procedure for configuring vulnerable OSes, see Configuring the Vulnerable OSes for a Signature, page 8-14.
Configuring Alert Frequency
Use the alert-frequency command in signature definition submode to configure the alert frequency for
a signature. The alert-frequency command specifies how often the sensor alerts you when this signature
is firing.
The following options apply:
• sig_id—Identifies the unique numerical value assigned to this signature. This value lets the sensor
identify a particular signature. The value is 1000 to 65000.
• subsig_id—Identifies the unique numerical value assigned to this subsignature. A subsignature ID
is used to identify a more granular version of a broad signature. The value is 0 to 255.
• summary-mode—Specifies the way you want the sensor to group the alerts:
– fire-all—Fires an alert on every event.
– fire-once—Fires an alert only once.
– global-summarize—Summarizes the alerts so that only one summary alert fires, regardless of how many attackers or victims are involved.
– summarize—Summarizes all the alerts, grouped by the summary-key.
• specify-summary-threshold {yes | no}—Enables summary threshold mode:
– summary-threshold—Specifies the minimum number of hits the sensor must receive before sending a summary alert for this signature. The value is 0 to 65535.
– summary-interval—Specifies the length, in seconds, of the interval that each summary alert covers. The value is 1 to 1000.
• summary-key—Specifies the storage type on which to summarize this signature. In the key names, an upper-case A or B means the attacker or victim address is part of the key, a lower-case a or b means the corresponding port is part of the key, and x means the field is ignored:
– Axxx—Attacker address.
– Axxb—Attacker address and victim port.
– AxBx—Attacker and victim addresses.
– AaBb—Attacker and victim addresses and ports.
– xxBx—Victim address.