Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Meta Engine
All signature events are handed off to the Meta engine by the Signature Event Action Processor. The Signature Event Action Processor hands off the event after processing the minimum hits option. Summarization and event action are processed after the Meta engine has processed the component events.
Component Signatures and the Meta Engine
Component signatures are not independent signatures; they are pieces of a Meta signature. Their sig-type option is marked as component. Because these signatures are not independent, the risk rating when they trigger is automatically set to 0. The risk rating applies to the Meta signature rather than to the component signatures. This prevents the component signatures from causing packets to be denied by either event action overrides or global correlation; event action overrides and global correlation are applied against the Meta signature rather than the component signature.
Note Some component signatures in the Meta signatures are valuable as both independent signatures and component signatures. These signatures are not marked as sig-type component and instead have the sig-type set to either vulnerability, exploit, anomaly, or other. The risk rating for these signatures is calculated and is not set to 0.
Meta Signature Engine Enhancement
The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding payload from the victim. It is also used to inspect streams at different offsets. The Meta engine supports the AND and OR logical operators. ANDNOT capability has been added to the Meta engine. This clause is a negative clause used to complement the existing positive clause-based signatures. The previous signature format had the following form, where A, B, and C are Meta component signatures:
IF (A and B and C) then Alarm
Alternatively, IF (A or B or C) then Alarm is also supported.
The addition of the negative clause allows for the following logic:
IF (A and/or B) AND NOT (C and/or D) then Alarm
The (C and/or D) is the negative clause. It is satisfied if (C and D) [alternatively (C or D)] do not occur before the Meta Reset Interval time expires.
A component of the positive clause must occur before the negative clause(s) to establish the Meta tracking state. The Meta engine cannot track the lack of past behavior. The state of the negative clause is evaluated when the Meta Reset Interval time expires.
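The following is an added simulation of the ANDNOT evaluation rules described above; it is not Cisco's implementation and models only the clause logic in this section, using constructed component IDs (A, B, C) and event times. It shows that the negative clause is checked only when the Meta Reset Interval expires, and that a negative component seen before any positive component is not tracked.

```python
"""Simulation of a Meta signature with an ANDNOT (negative) clause.

Added example, not Cisco's code: it models only the clause evaluation
described in the guide, with constructed component IDs and event times.
"""
from dataclasses import dataclass


@dataclass
class MetaSig:
    positive: frozenset      # component signature IDs in the positive clause
    positive_is_and: bool    # True: all must fire (AND); False: any may (OR)
    negative: frozenset      # component IDs in the ANDNOT clause (may be empty)
    negative_is_and: bool    # True: (C and D); False: (C or D)
    reset_interval: float    # Meta Reset Interval, in seconds


def _clause_met(seen, comps, is_and):
    return comps <= seen if is_and else bool(seen & comps)


def evaluate_meta(sig, events, now):
    """events: (time, component_id) tuples; `now` is the time at which the
    evaluation stops. Returns the times at which the Meta alarm fires."""
    alarms, start, seen_pos, seen_neg = [], None, set(), set()

    def expire(at):
        # The negative clause is evaluated only when the reset interval ends.
        if _clause_met(seen_pos, sig.positive, sig.positive_is_and) and \
           not _clause_met(seen_neg, sig.negative, sig.negative_is_and):
            alarms.append(at)

    for t, comp in sorted(events):
        if start is not None and t - start >= sig.reset_interval:
            expire(start + sig.reset_interval)
            start, seen_pos, seen_neg = None, set(), set()
        if comp in sig.positive:
            if start is None:
                start = t  # first positive component establishes tracking state
            seen_pos.add(comp)
            if not sig.negative and _clause_met(seen_pos, sig.positive, sig.positive_is_and):
                alarms.append(t)  # no negative clause: alarm as soon as positive is met
                start, seen_pos = None, set()
        elif comp in sig.negative and start is not None:
            seen_neg.add(comp)  # negatives before tracking state cannot be tracked
    if start is not None and now - start >= sig.reset_interval:
        expire(start + sig.reset_interval)
    return alarms


# Constructed sample: IF (A and B) AND NOT (C) then Alarm, 10-second reset interval
AB_NOT_C = MetaSig(frozenset({"A", "B"}), True, frozenset({"C"}), False, 10.0)
```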