Cisco Systems IPS 7.1 Home Security System User Manual


8-43
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
Creating a String TCP Engine Signature
To create a signature based on the String TCP engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify a signature ID and subsignature ID for the signature. Custom signatures are in the range of 60000
to 65000.
sensor(config-sig)# signatures 60025 0
Step 4 Enter signature description submode.
sensor(config-sig-sig)# sig-description
Step 5 Specify a name for the new signature. You can also specify additional comments about the signature using
the sig-comment command, or additional information about the signature using the sig-string-info
command.
sensor(config-sig-sig-sig)# sig-name This is my new name
Step 6 Exit signature description submode.
sensor(config-sig-sig-sig)# exit
Step 7 Specify the string TCP engine.
sensor(config-sig-sig)# engine string-tcp
Step 8 Specify the service ports.
sensor(config-sig-sig-str)# service-ports 23
Step 9 Specify the direction.
sensor(config-sig-sig-str)# direction to-service
Step 10 Specify the regex string to search for in the TCP packet. You can change the event actions if needed
according to your security policy using the event-action command. The default event action is
produce-alert.
sensor(config-sig-sig-str)# regex-string This-is-my-new-Sig-regex
Step 11 You can modify the following optional parameters for this custom String TCP signature:
specify-exact-match-offset
specify-min-match-length
strip-telnet-options
swap-attacker-victim
Step 12 Verify the settings.
sensor(config-sig-sig-str)# show settings
string-tcp
-----------------------------------------------
event-action: produce-alert <defaulted>
strip-telnet-options: false <defaulted>
specify-min-match-length
-----------------------------------------------
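To make the effect of the parameters set in Steps 8 through 11 concrete, the following Python model evaluates a String TCP signature against constructed TCP segments. It is an added illustration, not code from Cisco or from this guide: the Segment and StringTcpSignature classes, the evaluate function and the sample addresses and ports are assumptions, and Python's re module stands in for the sensor's own regex syntax, which is not identical. The model shows what service-ports and direction select (only traffic headed at port 23, in the to-service case), how strip-telnet-options removes IAC negotiation before the regex runs, how specify-min-match-length and specify-exact-match-offset further constrain a match, and what swap-attacker-victim does to the alert's attacker and victim addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Hypothetical TCP segment: only the fields a String TCP signature inspects.
@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

# Hypothetical model of the parameters configured in Steps 3 through 11.
@dataclass
class StringTcpSignature:
    sig_id: int
    subsig_id: int
    sig_name: str
    service_ports: Set[int]
    direction: str                      # "to-service" or "from-service"
    regex_string: str
    event_action: str = "produce-alert"  # the default shown by show settings
    strip_telnet_options: bool = False
    min_match_length: Optional[int] = None
    exact_match_offset: Optional[int] = None
    swap_attacker_victim: bool = False

    def __post_init__(self):
        if not 60000 <= self.sig_id <= 65000:
            raise ValueError("custom signature IDs must be in the range 60000-65000")
        if self.direction not in ("to-service", "from-service"):
            raise ValueError("direction must be to-service or from-service")
        # Python re approximates the sensor's regex engine (assumption).
        self._re = re.compile(self.regex_string.encode())

def strip_telnet_options(payload: bytes) -> bytes:
    """Drop telnet option negotiation so matching sees only the typed characters.
    IAC (0xFF) introduces a command; IAC IAC is a literal 0xFF; WILL/WONT/DO/DONT
    carry one option byte; subnegotiation runs from IAC SB to IAC SE."""
    IAC, SB, SE = 0xFF, 0xFA, 0xF0
    out = bytearray()
    i = 0
    while i < len(payload):
        if payload[i] != IAC:
            out.append(payload[i])
            i += 1
            continue
        if i + 1 >= len(payload):      # truncated IAC at end of segment
            break
        cmd = payload[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd == SB:
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        elif cmd in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3
        else:
            i += 2
    return bytes(out)

def evaluate(sig: StringTcpSignature, seg: Segment) -> Optional[dict]:
    """Return an alert dict if the segment fires the signature, otherwise None."""
    # direction + service-ports decide which segments are inspected at all.
    if sig.direction == "to-service":
        if seg.dst_port not in sig.service_ports:
            return None
        attacker, victim = seg.src_ip, seg.dst_ip
    else:
        if seg.src_port not in sig.service_ports:
            return None
        attacker, victim = seg.dst_ip, seg.src_ip
    if sig.swap_attacker_victim:
        attacker, victim = victim, attacker
    data = strip_telnet_options(seg.payload) if sig.strip_telnet_options else seg.payload
    for m in sig._re.finditer(data):
        if sig.exact_match_offset is not None and m.start() != sig.exact_match_offset:
            continue
        if sig.min_match_length is not None and (m.end() - m.start()) < sig.min_match_length:
            continue
        return {"sig": f"{sig.sig_id}:{sig.subsig_id}", "name": sig.sig_name,
                "action": sig.event_action, "attacker": attacker, "victim": victim,
                "matched": m.group(0).decode(errors="replace")}
    return None

# Constructed sample traffic (addresses and ports are made up for the example).
SIG = StringTcpSignature(60025, 0, "This is my new name", {23}, "to-service",
                         "This-is-my-new-Sig-regex", strip_telnet_options=True)
CLIENT_TO_TELNET = Segment("10.0.0.5", 41000, "10.0.0.9", 23,
                           b"\xff\xfd\x01This-is-my-new-Sig-regex\r\n")
CLIENT_TO_HTTP = Segment("10.0.0.5", 41001, "10.0.0.9", 80,
                         b"This-is-my-new-Sig-regex\r\n")
TELNET_REPLY = Segment("10.0.0.9", 23, "10.0.0.5", 41000,
                       b"This-is-my-new-Sig-regex\r\n")

if __name__ == "__main__":
    for seg in (CLIENT_TO_TELNET, CLIENT_TO_HTTP, TELNET_REPLY):
        print(seg.src_port, "->", seg.dst_port, evaluate(SIG, seg))
```

Running the block alerts only on the client-to-port-23 segment, even though all three carry the string: the HTTP segment fails the service-ports check and the server reply fails the to-service direction check. Setting strip_telnet_options=False on the same signature still matches here because the pattern is not anchored; with exact_match_offset=0 it would match only once the leading IAC DO negotiation has been stripped.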