Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
modify-packet-inline— Modifies packet data to remove ambiguity about what the end point might do with the packet.
Note: Signature 64000 subsignature 0 will fire when it sees the alerts from signature 1000 subsignature 0 and signature 1001 subsignature 0 on the same source address. The source address is selected because the meta key has the default value of Axxx. You can change this behavior by changing the meta key setting, for example to xxBx (destination address).
Creating a Meta Engine Signature
To create a signature based on the Meta engine, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of 60000 to 65000.
sensor(config-sig)# signatures 64000 0
Step 4 Specify the signature engine.
sensor(config-sig-sig)# engine meta
Step 5 Insert a signature (named m1) at the beginning of the list.
sensor(config-sig-sig-met)# component-list insert m1 begin
Step 6 Specify the signature ID of the signature on which to match this component.
sensor(config-sig-sig-met-com)# component-sig-id 1000
Step 7 Exit component list submode.
sensor(config-sig-sig-met-com)# exit
Step 8 Insert another signature (named m2) at the end of the list.
sensor(config-sig-sig-met)# component-list insert m2 end
Step 9 Specify the signature ID of the signature on which to match this component.
sensor(config-sig-sig-met-com)# component-sig-id 1001
Step 10 Configure the component list not to fire in order.
sensor(config-sig-sig-met-com)# component-list-in-order false
Step 11 Specify to use all components you have created.
sensor(config-sig-sig-met-com)# all-components-required true
Step 12 Specify not to use all of the NOT components.
sensor(config-sig-sig-met-com)# all-not-components-required false
Step 13 Verify the settings.
sensor(config-sig-sig-met-com)# exit
sensor-128(config-sig-sig-met)# show settings
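
The correlation that the note and the steps above describe can be modelled over a handful of alerts to see how the meta key and the ordering setting change the result. This is an added illustration, not code from the Cisco guide or the sensor software; the alert records, the function name `meta_fires` and the 60-second `window` are assumptions made for the example.

```python
# Added illustration: a toy model of Meta-engine correlation, not Cisco's code.
from collections import defaultdict

# Meta key values named in the note: Axxx = source address, xxBx = destination address.
KEY_FIELDS = {"Axxx": ("src",), "xxBx": ("dst",)}

# Constructed sample alerts from component signatures 1000 and 1001.
ALERTS = [
    {"t": 0,   "sig": 1001, "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"t": 5,   "sig": 1000, "src": "10.0.0.9", "dst": "192.0.2.10"},
    {"t": 12,  "sig": 1000, "src": "10.0.0.5", "dst": "192.0.2.20"},
    {"t": 200, "sig": 1001, "src": "10.0.0.9", "dst": "192.0.2.30"},
]


def meta_fires(alerts, components, meta_key="Axxx", in_order=False, window=60):
    """Return [(time, key)] for each point where the meta signature would fire.

    alerts     -- time-sorted dicts with t (seconds), sig, src, dst
    components -- component signature IDs, in component-list order
    window     -- assumed correlation window in seconds (not given on the page)
    """
    fields = KEY_FIELDS[meta_key]
    pending = defaultdict(dict)  # key -> {component sig: time first seen}
    fired = []
    for a in alerts:
        if a["sig"] not in components:
            continue
        key = tuple(a[f] for f in fields)
        state = pending[key]
        # Drop a partial match whose first component is older than the window.
        if state and a["t"] - min(state.values()) > window:
            state.clear()
        # With ordering enforced, only the next unseen component may advance.
        if in_order and a["sig"] != components[len(state)]:
            continue
        state.setdefault(a["sig"], a["t"])
        # all-components-required true: every component must be present.
        if len(state) == len(components):
            fired.append((a["t"], key))
            state.clear()
    return fired


if __name__ == "__main__":
    print("Axxx:", meta_fires(ALERTS, [1000, 1001]))
    print("xxBx:", meta_fires(ALERTS, [1000, 1001], meta_key="xxBx"))
    print("Axxx, in order:", meta_fires(ALERTS, [1000, 1001], in_order=True))
```

With the same four alerts, keying on the source address correlates the pair from 10.0.0.5, keying on the destination address correlates the pair sent to 192.0.2.10, and enforcing component order suppresses both because 1001 arrived before 1000.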