Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Creating Custom Signatures
Creating a String XL TCP Engine Signature
The following example demonstrates how to create a custom String XL TCP signature that searches for
minimum match length with stingy, dot all, and UTF-8 turned on.
To create a custom signature based on the String XL TCP engine that searches for minimum match length
with stingy, dot all, and UTF-8 turned on, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify a signature ID and subsignature ID for the signature.
sensor(config-sig)# signatures 60004 0
Custom signatures are in the range of 60000 to 65000.
Step 4 Enter signature description submode.
sensor(config-sig-sig)# sig-description
Step 5 Specify a name for the new signature. You can also specify additional comments about the signature
using the sig-comment command or additional information about the signature using the sig-string-info
command.
sensor(config-sig-sig-sig)# sig-name This is my new name
Step 6 Exit signature description submode.
sensor(config-sig-sig-sig)# exit
Step 7 Specify the String XL TCP engine.
sensor(config-sig-sig)# engine string-xl-tcp
Step 8 Specify the service ports.
sensor(config-sig-sig-str)# service-ports 80
Step 9 Specify the direction.
sensor(config-sig-sig-str)# direction to-service
Step 10 Change the event actions if needed according to your security policy by using the event-action
command. The default event action is produce-alert.
Step 11 Make sure raw regex is turned off:
sensor(config-sig-sig-str)# specify-raw-regex-string no
Note: Raw Regex is regular expression syntax used for raw mode processing. It is expert mode only
and intended for use by the Cisco IPS signature development team or by those working under the
supervision of the Cisco IPS signature development team. You can configure a String XL
signature in either regular Regex or raw Regex.
Step 12 Specify the regex string to search for in the TCP packet with dot all turned on.
sensor(config-sig-sig-str-no)# regex-string ht+p[\r].
sensor(config-sig-sig-str-no)# dot-all true
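
The following is an added example, not part of the Cisco guide: an offline check of what the Step 12 regex matches with dot all off and on, useful for confirming a pattern before committing it to the sensor. It assumes dot-all behaves like the conventional regex flag (the dot also matches a newline) and uses Python's re module as an approximation of the sensor, not the String XL engine itself; the payloads and function names are constructed for illustration.

```python
import re

# Regex from Step 12 of the page, written as a bytes pattern.
# Assumption: Python's re only approximates the sensor's matching.
SIG_REGEX = rb"ht+p[\r]."


def first_match(payload: bytes, dot_all: bool):
    """Return (start, end) of the first match in payload, or None."""
    flags = re.DOTALL if dot_all else 0
    m = re.search(SIG_REGEX, payload, flags)
    return m.span() if m else None


def compare(payloads):
    """Map each payload to its (dot-all false, dot-all true) results."""
    return {p: (first_match(p, False), first_match(p, True)) for p in payloads}


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET / http\r\nHost: example.test\r\n",  # CR followed by LF
    b"xx htttp\rZ",                            # CR followed by an ordinary byte
    b"http://example.test/",                   # no CR after the 'p'
]

if __name__ == "__main__":
    for payload, (off, on) in compare(SAMPLES).items():
        print(f"{payload!r}: dot-all false -> {off}, dot-all true -> {on}")
```

Only the first payload changes between the two modes: the byte after the carriage return is a line feed, which the dot matches only when dot all is true.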