8-42
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
– deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker address/victim port pair for a specified period of time.
– deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future packets on the attacker/victim address pair for a specified period of time.
– deny-connection-inline (inline only)—Does not transmit this packet and future packets on the TCP flow.
– deny-packet-inline (inline only)—Does not transmit this packet.
– log-attacker-packets—Starts IP logging of packets containing the attacker address.
– log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.
– log-victim-packets—Starts IP logging of packets containing the victim address.
– produce-alert—Writes the event to the Event Store as an alert.
– produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending packet in the alert.
– request-block-connection—Sends a request to the ARC to block this connection.
– request-block-host—Sends a request to the ARC to block this attacker host.
– request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.
– request-snmp-trap—Sends a request to the Notification Application component of the sensor to perform SNMP notification.
– reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.
– modify-packet-inline—Modifies packet data to remove ambiguity about what the endpoint might do with the packet.
• no—Removes an entry or selection setting.
• regex-string—Specifies a regular expression to search for in a single TCP packet.
• service-ports—Specifies the ports or port ranges where the target service may reside. The valid range is 0 to 65535. It is a comma-separated list of integer ranges a-b[,c-d] within 0 to 65535. The second number in each range must be greater than or equal to the first number.
• specify-exact-match-offset {yes | no}—(Optional) Enables exact match offset:
– exact-match-offset—Specifies the exact stream offset the regular expression string must report for a match to be valid. The value is 0 to 65535.
• specify-min-match-length {yes | no}—(Optional) Enables minimum match length:
– min-match-length—Specifies the minimum number of bytes the regular expression string must match. The value is 0 to 65535.
• strip-telnet-options {true | false}—Strips the Telnet option characters from the data before the pattern is searched.
• swap-attacker-victim {true | false}—Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken. The default is false.
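The service-ports format and the exact-match-offset, min-match-length and strip-telnet-options parameters above, modelled in Python as an added example (not Cisco's code and not the sensor's actual regex engine): parse_service_ports validates the a-b[,c-d] form, strip_telnet_options drops RFC 854 IAC sequences, and signature_fires applies the regex under the two match constraints. It assumes the offset the engine "reports" is the byte offset at which a match ends; the sample streams are constructed.

```python
import re

PORT_MAX = 65535

def parse_service_ports(spec):
    """Parse a service-ports value such as "23,2000-2010" into (low, high) tuples.
    Each a-b must satisfy 0 <= a <= b <= 65535; a lone port p is treated as p-p."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)                       # int("") raises ValueError for empty elements
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= PORT_MAX:
            raise ValueError("bad service-ports element: %r" % part)
        ranges.append((lo, hi))
    return ranges

def strip_telnet_options(data):
    """Remove RFC 854 IAC (0xFF) command sequences from a byte stream, modelling
    strip-telnet-options so that negotiation bytes cannot break up a pattern."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):                        # dangling IAC at end of data
            break
        elif data[i + 1] == 0xFF:                       # IAC IAC escapes a literal 0xFF
            out.append(0xFF); i += 2
        elif data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):   # WILL/WONT/DO/DONT <option>
            i += 3
        elif data[i + 1] == 0xFA:                       # SB ... IAC SE subnegotiation
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                           # other two-byte commands (NOP, AYT, ...)
            i += 2
    return bytes(out)

def signature_fires(stream, regex, exact_match_offset=None, min_match_length=0,
                    strip_telnet=False):
    """Return True when regex-string matches the stream and every enabled constraint
    holds. Assumption: the reported offset is where the match ends."""
    if strip_telnet:
        stream = strip_telnet_options(stream)
    for m in re.finditer(regex, stream):
        if m.end() - m.start() < min_match_length:      # min-match-length check
            continue
        if exact_match_offset is not None and m.end() != exact_match_offset:
            continue                                    # exact-match-offset check
        return True
    return False
```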