Filter
Top Products
8-45
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
The following options apply:
• de-obfuscate {true | false}—Applies anti-evasive deobfuscation before searching.
• default—Sets the value back to the system default setting.
• event-action —Specifies the action(s) to perform when alert is triggered:
–
deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the
attacker address for a specified period of time.
–
deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future
packets on the attacker address victim port pair for a specified period of time.
–
deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future
packets on the attacker/victim address pair for a specified period of time.
–
deny-connection-inline (inline only)—Does not transmit this packet and future packets on the
TCP flow.
–
deny-packet-inline (inline only)—Does not transmit this packet.
–
log-attacker-packets—Starts IP logging of packets containing the attacker address.
–
log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.
–
log-victim-packets—Starts IP logging of packets containing the victim address.
–
produce-alert —Writes the event to the Event Store as an alert.
–
produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending
packet in the alert.
–
request-block-connection—Sends a request to the ARC to block this connection.
–
request-block-host—Sends a request to the ARC to block this attacker host.
–
request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.
–
request-snmp-trap—Sends a request to the Notification Application component of the sensor
to perform SNMP notification.
–
reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.
–
modify-packet-inline— Modifies packet data to remove ambiguity about what the end point
might do with the packet.
• max-field-sizes —Grouping for maximum field sizes:
–
specify-max-arg-field-length {yes | no}—Enables max-arg-field-length (optional).
–
specify-max-header-field-length {yes | no}—Enables max-header-field-length (optional).
–
specify-max-request-length {yes | no}—Enables max-request-length (optional).
–
specify-max-uri-field-length {yes | no}—Enables max-uri-field-length (optional).
• no—Removes an entry or selection setting.
• regex—Regular expression grouping:
–
specify-arg-name-regex—Enables arg-name-regex (optional).
–
specify-header-regex —Enables header-regex (optional).
–
specify-request-regex—Enables request-regex (optional).
–
specify-uri-regex—Enables uri-regex (optional).
• service-ports —A comma-separated list of ports or port ranges where the target service may reside.