Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
swap-attacker-victim {true | false}—Whether the source and destination addresses (and ports) are swapped in the alarm message. The default is false (no swapping).
Creating a Service HTTP Engine Signature
To create a custom signature based on the Service HTTP engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of 60000 to 65000.
sensor(config-sig)# signatures 63000 0
Step 4 Enter signature description mode.
sensor(config-sig-sig)# sig-description
Step 5 Specify a signature name.
sensor(config-sig-sig-sig)# sig-name myWebSig
Step 6 Specify the alert traits. The valid range is from 0 to 65535.
sensor(config-sig-sig-sig)# alert-traits 2
Step 7 Exit signature description submode.
sensor(config-sig-sig-sig)# exit
Step 8 Specify the alert frequency.
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode fire-all
sensor(config-sig-sig-ale-fir)# summary-key Axxx
sensor(config-sig-sig-ale-fir)# specify-summary-threshold yes
sensor(config-sig-sig-ale-fir-yes)# summary-threshold 200
Step 9 Exit alert frequency submode.
sensor(config-sig-sig-ale-fir-yes)# exit
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-sig-ale)# exit
Step 10 Configure the signature to apply anti-evasive deobfuscation before searching:
sensor(config-sig-sig)# engine service-http
sensor(config-sig-sig-ser)# de-obfuscate true
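
Why the de-obfuscate setting in Step 10 matters, as an added example that is not from the Cisco guide: a pattern search over raw request URIs misses encoded or path-padded variants that match once the URI is normalized first. The pattern, the normalization steps and the sample URIs are assumptions constructed for illustration; they do not describe the sensor's actual de-obfuscation algorithm.

```python
import re
from urllib.parse import unquote

# Hypothetical signature pattern, chosen only for this illustration.
URI_SIGNATURE = re.compile(r"/admin/config\.php", re.IGNORECASE)

# Constructed sample request URIs (not captured traffic).
SAMPLES = [
    "/admin/config.php",
    "/admin/%63onfig.php",
    "/admin/%2563onfig.php",
    "/admin/./x/../config.php",
    "/index.html",
]

def normalize_uri(uri, max_rounds=3):
    """Return the URI with its path percent-decoded and dot segments resolved."""
    path, sep, query = uri.partition("?")
    for _ in range(max_rounds):  # bounded, so nested encoding cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query

def signature_fires(uri, deobfuscate):
    """Search the raw URI, or the normalized one when deobfuscate is True."""
    target = normalize_uri(uri) if deobfuscate else uri
    return URI_SIGNATURE.search(target) is not None

def compare(samples):
    """Return (uri, raw_hit, deobfuscated_hit) for each sample."""
    return [(u, signature_fires(u, False), signature_fires(u, True)) for u in samples]

if __name__ == "__main__":
    for uri, raw, deob in compare(SAMPLES):
        print(f"{uri:28} raw={raw!s:5} deobfuscated={deob}")
```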