Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Master Engine
Promiscuous Delta
The promiscuous delta lowers the risk rating of certain alerts in promiscuous mode. Because the sensor
does not know the attributes of the target system and in promiscuous mode cannot deny packets, it is
useful to lower the prioritization of promiscuous alerts (based on the lower risk rating) so the
administrator can focus on investigating higher risk rating alerts. In inline mode, the sensor can deny the
offending packets so that they never reach the target host, so it does not matter if the target was
vulnerable. Because the attack was not allowed on the network, the IPS does not subtract from the risk
rating value. Signatures that are not service, OS, or application-specific have 0 for the promiscuous delta.
If the signature is specific to an OS, service, or application, it has a promiscuous delta of 5, 10, or 15
calculated from 5 points for each category.
Caution: We recommend that you do NOT change the promisc-delta setting for a signature.
Table B-1 Master Engine Parameters (continued)

Parameter: specify-alert-interval {yes | no}
Description: Enables the alert interval:
  alert-interval—Specifies the time in seconds before the event count is reset.
Value: 2 to 1000

Parameter: status
Description: Specifies whether the signature is enabled or disabled, active or retired.
Value: enabled | retired {yes | no}

Parameter: obsoletes
Description: Indicates that a newer signature has disabled an older signature.

Parameter: vulnerable-os-list
Description: When combined with passive OS fingerprinting, it allows the IPS to determine if it is likely a given attack is relevant to the target system.
Value:
  aix
  bsd
  general-os
  hp-ux
  ios
  irix
  linux
  mac-os
  netware
  other
  solaris
  unix
  windows
  windows-ut
  windows-nt-2k-xp

Parameter: mars-category {yes | no}
Description: Maps signatures to a MARS attack category. [1]

[1] This is a static information category that you can set in the configuration and view in the alerts. Refer to the MARS documentation for more information.