Chapter 7 Defining Signatures; About Signatures - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Defining Signatures
This chapter describes how to define and create signatures. It contains the following sections:

About Signatures, page 7-1
Signature Variables, page 7-2
Configuring Signatures, page 7-3
Creating Custom Signatures, page 7-29

About Signatures

Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a
signature-based technology can detect network intrusions. A signature is a set of rules that your sensor
uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use
signatures to detect known attacks and respond with actions that you define.
The sensor compares the list of signatures with network activity. When a match is found, the sensor takes
an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and
define new ones.
Signature-based intrusion detection can produce false positives because certain normal network activity
can be misinterpreted as malicious activity. For example, some network applications or operating
systems may send out numerous ICMP messages, which a signature-based detection system might
interpret as an attempt by an attacker to map out a network segment. You can minimize false positives
by tuning your signatures.
To configure a sensor to monitor network traffic for a particular signature, you must enable the signature.
By default, the most critical signatures are enabled when you install the signature update. When an attack
is detected that matches an enabled signature, the sensor generates an alert, which is stored in the
sensor's event store. The alerts, as well as other events, may be retrieved from the event store by
web-based clients. By default, the sensor logs all alerts of Informational severity or higher.
Some signatures have subsignatures, that is, the signature is divided into subcategories. When you
configure a subsignature, changes made to the parameters of one subsignature apply only to that
subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity, the severity
change applies only to subsignature 1 and not to subsignatures 2, 3, and 4 of signature 3050.
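The behaviour described in the paragraphs above (signatures matched against packets, alerts with actions, false positives reduced by tuning, the Informational-or-higher logging default, enabling, and per-subsignature severity) as an added toy example. This is constructed for this page and is not Cisco IPS code: signature 3050 keeps the page's numbering, but its match rules, the made-up signature 2100, the sweep threshold, the packet dictionaries and the severity names are all assumptions.

```python
# Added toy signature engine, constructed for this page; it is not Cisco IPS code.
# Signature IDs reuse the page's 3050 plus a made-up 2100, but every match rule,
# threshold and packet below is an assumption for illustration only.
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Ordering behind the event store's "Informational or higher" default filter.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Signature:
    sig_id: int
    subsig_id: int
    name: str
    match: Callable[[dict], bool]   # rule evaluated against one packet
    severity: str = "medium"
    enabled: bool = True
    retired: bool = False           # retired = removed from the sensing engine
    threshold: int = 1              # matches from one source before the alert fires (tuning knob)
    actions: tuple = ("produce-alert",)


@dataclass
class Alert:
    sig_id: int
    subsig_id: int
    severity: str
    src: str
    actions: tuple


class Sensor:
    def __init__(self, signatures, log_min_severity="informational"):
        self.signatures = signatures
        self.log_min = SEVERITY_RANK[log_min_severity]
        self.event_store = []              # alerts retrievable by clients
        self._hits = defaultdict(int)      # (sig, subsig, src) -> match count

    def inspect(self, packet):
        """Compare one packet against every active signature; return the alerts fired."""
        fired = []
        for sig in self.signatures:
            if sig.retired or not sig.enabled or not sig.match(packet):
                continue
            key = (sig.sig_id, sig.subsig_id, packet["src"])
            self._hits[key] += 1
            if self._hits[key] == sig.threshold:   # fire once per source at the threshold
                alert = Alert(sig.sig_id, sig.subsig_id, sig.severity, packet["src"], sig.actions)
                fired.append(alert)
                if SEVERITY_RANK[sig.severity] >= self.log_min:
                    self.event_store.append(alert)
        return fired

    def _find(self, sig_id, subsig_id):
        return next(s for s in self.signatures if (s.sig_id, s.subsig_id) == (sig_id, subsig_id))

    def set_subsig_severity(self, sig_id, subsig_id, severity):
        # Tuning one subsignature touches that subsignature only.
        self._find(sig_id, subsig_id).severity = severity

    def severity_of(self, sig_id, subsig_id):
        return self._find(sig_id, subsig_id).severity

    def set_enabled(self, sig_id, subsig_id, enabled):
        self._find(sig_id, subsig_id).enabled = enabled


def build_sensor(sweep_threshold=5, log_min_severity="informational"):
    """Hypothetical signature set: two 3050 subsignatures and two ICMP signatures."""
    tcp = lambda pat: (lambda p: p["proto"] == "tcp" and pat in p["payload"])
    echo_req = lambda p: p["proto"] == "icmp" and p["icmp_type"] == 8
    sigs = [
        Signature(3050, 1, "tcp pattern A (constructed)", tcp(b"PATTERN-A")),
        Signature(3050, 2, "tcp pattern B (constructed)", tcp(b"PATTERN-B")),
        Signature(2100, 0, "icmp echo request (constructed)", echo_req, severity="informational"),
        # Sweep heuristic: many echo requests from one source. A low threshold is the
        # false-positive case from the text (a monitoring host pinging its own segment).
        Signature(2100, 1, "icmp sweep (constructed)", echo_req, severity="low", threshold=sweep_threshold),
    ]
    return Sensor(sigs, log_min_severity)


# Constructed traffic: a monitoring host sends 20 echo requests, then one TCP
# packet carries the pattern that 3050/1 looks for.
PACKETS = [{"src": "10.0.0.5", "proto": "icmp", "icmp_type": 8, "payload": b""}] * 20 + [
    {"src": "10.0.0.9", "proto": "tcp", "icmp_type": None, "payload": b"GET /PATTERN-A"}
]


def run_packets(sensor, packets):
    """Feed packets through the sensor; return (sig_id, subsig_id) for each alert fired."""
    fired = []
    for pkt in packets:
        fired.extend(sensor.inspect(pkt))
    return [(a.sig_id, a.subsig_id) for a in fired]


if __name__ == "__main__":
    s = build_sensor()
    print("default threshold:", run_packets(s, PACKETS), "stored:", len(s.event_store))
    t = build_sensor(sweep_threshold=50)
    print("tuned threshold:  ", run_packets(t, PACKETS), "stored:", len(t.event_store))
```

With the default sweep threshold the monitoring host's pings fire the sweep signature (a false positive); raising the threshold in `build_sensor` makes the same traffic pass, while the 3050/1 match still alerts. Raising `log_min_severity` to `low` keeps the Informational echo-request alert out of the event store, and changing the severity of 3050/1 leaves 3050/2 untouched, as the paragraph on subsignatures states.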
IPS 5.0 contains over 1000 built-in default signatures. You cannot rename or delete signatures from the
list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can
later activate retired signatures; however, this process requires the sensing engines to rebuild their
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Chapter 7, page 7-1 (document 78-16527-01)