8-41
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
Sequence for Creating a Custom Signature
Use the following sequence when you create a custom signature:
Step 1 Select a signature engine.
Step 2 Assign the signature identifiers:
• Signature ID
• SubSignature ID
• Signature name
• Alert notes (optional)
• User comments (optional)
Step 3 Assign the engine-specific parameters. The parameters differ for each signature engine, although there
is a group of master parameters that applies to each engine.
Step 4 Assign the alert response:
• Signature fidelity rating
• Severity of the alert
Step 5 Assign the alert behavior.
Step 6 Apply the changes.
Example String TCP Engine Signature
The String engine is a generic pattern-matching inspection engine for the ICMP, TCP, and UDP
protocols. The String engine uses a regular expression engine that can combine multiple patterns into a
single pattern-matching table, allowing for a single search through the data. There are three String
engines: String ICMP, String TCP, and String UDP.
Caution A custom signature can affect the performance of your sensor. Test the custom signature against a
baseline sensor performance for your network to determine the overall impact of the signature.
Note This procedure also applies to String UDP and ICMP signatures.
The following options apply:
• default—Sets the value back to the system default setting.
• direction—Specifies the direction of the traffic:
– from-service—Traffic from the service port destined to the client port.
– to-service—Traffic from the client port destined to the service port.
• event-action—Specifies the action(s) to perform when the alert is triggered:
– deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the
attacker address for a specified period of time.