Filter
Top Products
8-48
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
–
is-not-component {true | false}—Specifies that the component is a NOT component.
• component-list-in-order {true | false}—Specifies whether to have the component list fire in order.
For example, if signature 1001 in the m2 component fires before signature 1000 in the m1
component, the Meta signature will not fire.
• all-components-required {true | false}—Specifies to use all components. This option works with
the all-not-components-required option, if you have NOT components configured as required, the
Meta signature will not fire.
• all-not-components-required {true | false}—Specifies to use all of the NOT components.
• swap-attacker-victim {true | false}—Swaps the attacker and victim addresses and ports (source
and destination) in the alert message and in any actions taken.
• meta-reset-interval—Specifies the time in seconds to reset the Meta signature. The valid range is
0 to 3600 seconds. The default is 60 seconds.
• meta-key—Specifies the storage type for the Meta signature:
–
AaBb—Attacker and victim addresses and ports.
–
AxBx—Attacker and victim addresses.
–
Axxx—Attacker address.
–
xxBx—Victim address.
• unique-victim-ports—Specifies the number of unique victims ports required per Meta signature.
The valid range is 1 to 256.
• event-action—Specifies the action(s) to perform when an alert is triggered:
–
deny-attacker-inline (inline only)—Does not transmit this packet and future packets from the
attacker address for a specified period of time.
–
deny-attacker-service-pair-inline (inline only)—Does not transmit this packet and future
packets on the attacker address victim port pair for a specified period of time.
–
deny-attacker-victim-pair-inline (inline only)—Does not transmit this packet and future
packets on the attacker/victim address pair for a specified period of time.
–
deny-connection-inline (inline only)—Does not transmit this packet and future packets on the
TCP flow.
–
deny-packet-inline (inline only)—Does not transmit this packet.
–
log-attacker-packets—Starts IP logging of packets containing the attacker address.
–
log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.
–
log-victim-packets—Starts IP logging of packets containing the victim address.
–
produce-alert —Writes the event to the Event Store as an alert.
–
produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending
packet in the alert.
–
request-block-connection—Sends a request to the ARC to block this connection.
–
request-block-host—Sends a request to the ARC to block this attacker host.
–
request-rate-limit—Sends a rate limit request to the ARC to perform rate limiting.
–
request-snmp-trap—Sends a request to the Notification Application component of the sensor
to perform SNMP notification.
–
reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.