Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Configuring Signatures
reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.
modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
event-action-settings—Enables the external-rate-limit-type:
  none—No rate limiting configured.
  percentage—Specifies the rate limit by traffic percentage (external-rate-limit-percentage).
Configuring Event Actions
To configure event actions and event action settings for a signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter signature definition mode.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)#
Step 3 Specify the signature you want to configure.
sensor(config-sig)# signatures 1200 0
Step 4 Specify the signature engine (for signature 1200 it is the Normalizer engine).
sensor(config-sig-sig)# engine normalizer
Step 5 Configure the event action.
sensor(config-sig-sig-nor)# event-action produce-alert|request-snmp-trap
Note: Each time you configure the event actions for a signature, you overwrite the previous configuration. For example, if you always want to produce an alert when the signature is fired, you must configure it along with the other event actions you want. Use the | symbol to add more than one event action, for example, produce-alert|deny-packet-inline|request-snmp-trap.
Step 6 Verify the settings.
sensor(config-sig-sig-nor)# show settings
normalizer
-----------------------------------------------
event-action: produce-alert|request-snmp-trap default: produce-alert|deny-packet-inline
Step 7 Specify the percentage for rate limiting.
sensor(config-sig-sig-nor)# event-action-settings
sensor(config-sig-sig-nor-eve)# external-rate-limit-type percentage
sensor(config-sig-sig-nor-eve-per)# external-rate-limit-percentage 50
Step 8 Verify the settings.
sensor(config-sig-sig-nor-eve-per)# show settings
percentage
-----------------------------------------------
external-rate-limit-percentage: 50 default: 100
-----------------------------------------------
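
An added example, not part of the Cisco guide: a Python check that parses saved `show settings` output in the layout shown in Steps 6 and 8 and reports default event actions that an override left out, which is the effect of the overwrite behavior described in the Note. The sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the "show settings" layout from Steps 6 and 8,
# with one line wrapped after "default:" as captured output can be.
SAMPLE = """\
normalizer
-----------------------------------------------
event-action: produce-alert|request-snmp-trap default:
produce-alert|deny-packet-inline
percentage
-----------------------------------------------
external-rate-limit-percentage: 50 default: 100
-----------------------------------------------
"""

# "<name>: <configured> default: <default>"; the default may be empty if wrapped.
SETTING = re.compile(r"^\s*([\w-]+):\s*(\S+)\s+default:\s*(\S*)\s*$")


def parse_settings(text):
    """Return {name: (configured, default)} from saved show-settings text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    settings, i = {}, 0
    while i < len(lines):
        m = SETTING.match(lines[i])
        if m:
            name, value, default = m.groups()
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # Wrapped line: take the default from the next line unless that
            # line is a separator or another setting.
            if not default and nxt and not nxt.startswith("-") and ":" not in nxt:
                default, i = nxt, i + 1
            settings[name] = (value, default)
        i += 1
    return settings


def audit(text):
    """List default event actions that the configured override left out."""
    settings = parse_settings(text)
    if "event-action" not in settings:
        return []
    configured, default = (set(v.split("|")) - {""} for v in settings["event-action"])
    findings = [f"dropped default action: {a}" for a in sorted(default - configured)]
    if "produce-alert" not in configured:
        findings.append("produce-alert not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, the check reports that the Step 5 override dropped deny-packet-inline from signature 1200's default actions.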