Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
Step 4 Enter signature description submode.
sensor(config-sig-sig)# sig-description
Step 5 Specify a name for the new signature. You can also specify additional comments about the signature
using the sig-comment command or additional information about the signature using the sig-string-info
command.
sensor(config-sig-sig-sig)# sig-name This is my new name
Step 6 Exit signature description submode.
sensor(config-sig-sig-sig)# exit
Step 7 Specify the String XL TCP engine.
sensor(config-sig-sig)# engine string-xl-tcp
Step 8 Specify the service ports.
sensor(config-sig-sig-str)# service-ports 80
Step 9 Specify the direction.
sensor(config-sig-sig-str)# direction to-service
Step 10 Change the event actions if needed according to your security policy by using the event-action
command. The default event action is produce-alert.
Step 11 Make sure raw regex is turned off:
sensor(config-sig-sig-str)# specify-raw-regex-string no
Note Raw Regex is regular expression syntax used for raw mode processing. It is expert mode only
and targeted for use by the Cisco IPS signature development team or only those who are under
supervision by the Cisco IPS signature development team. You can configure a String XL
signature in either regular Regex or raw Regex.
Step 12 Specify the regex string to search for in the TCP packet.
sensor(config-sig-sig-str-no)# regex-string tcpstring
Step 13 Exit raw regex mode to configure optional String XL TCP parameters.
sensor(config-sig-sig-str-no)# exit
sensor(config-sig-sig-str)#
Step 14 Specify an exact match offset for this signature.
sensor(config-sig-sig-str)# specify-exact-match-offset yes
sensor(config-sig-sig-str-yes)# exact-match-offset 20
Note If you have exact match offset set to yes, you cannot configure maximum or minimum match
offset. If you have exact match offset set to no, you can configure both maximum and minimum
match offset at the same time.
Step 15 Turn off exact match offset and specify a maximum match offset for this signature.
sensor(config-sig-sig-str-yes)# exit
sensor(config-sig-sig-str)# specify-exact-match-offset no
sensor(config-sig-sig-str-no)# specify-max-match-offset yes
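
The following Python check is an added example, not part of the Cisco guide: it reads a saved CLI transcript of the steps above and flags a missing setting, raw regex left on, or an exact match offset combined with a maximum or minimum match offset. The function names and the sample transcript are constructed for illustration, and keeping only the last value entered per command is an assumption that suits a single-signature transcript.

```python
import re

# Prompt line, e.g. "sensor(config-sig-sig-str)# service-ports 80"
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*(\S+)(?:\s+(.*\S))?\s*$")

def parse_settings(transcript):
    """Map each command to the last argument entered for it (assumption)."""
    settings = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)  # None for bare commands (exit)
    return settings

def lint_string_xl_tcp(transcript):
    """Return a list of findings for a String XL TCP signature transcript."""
    s, findings = parse_settings(transcript), []
    for required in ("sig-name", "engine", "service-ports", "direction", "regex-string"):
        if not s.get(required):
            findings.append(f"{required} not set")
    if s.get("specify-raw-regex-string") != "no":
        findings.append("raw regex not explicitly turned off")
    # Note after Step 14: exact match offset excludes max/min match offset.
    if s.get("specify-exact-match-offset") == "yes":
        for cmd in ("specify-max-match-offset", "specify-min-match-offset"):
            if s.get(cmd) == "yes":
                findings.append(f"{cmd} yes conflicts with exact match offset")
    return findings

# Constructed transcript that follows Steps 4 to 15 on this page.
GOOD = """\
sensor(config-sig-sig)# sig-description
sensor(config-sig-sig-sig)# sig-name This is my new name
sensor(config-sig-sig-sig)# exit
sensor(config-sig-sig)# engine string-xl-tcp
sensor(config-sig-sig-str)# service-ports 80
sensor(config-sig-sig-str)# direction to-service
sensor(config-sig-sig-str)# specify-raw-regex-string no
sensor(config-sig-sig-str-no)# regex-string tcpstring
sensor(config-sig-sig-str-no)# exit
sensor(config-sig-sig-str)# specify-exact-match-offset yes
sensor(config-sig-sig-str-yes)# exact-match-offset 20
sensor(config-sig-sig-str-yes)# exit
sensor(config-sig-sig-str)# specify-exact-match-offset no
sensor(config-sig-sig-str-no)# specify-max-match-offset yes
"""

if __name__ == "__main__":
    print(lint_string_xl_tcp(GOOD) or "no findings")
```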