Chapter 7
Defining Signatures
Step 7
Exit signature description submode:
sensor(config-sig-sig-sig)# exit
Step 8
Assign the alert frequency:
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode fire-all
sensor(config-sig-sig-ale-fir)# summary-key Axxx
sensor(config-sig-sig-ale-fir)# specify-summary-threshold yes
sensor(config-sig-sig-ale-fir-yes)# summary-threshold 200
Step 9
Exit alert frequency submode:
sensor(config-sig-sig-ale-fir-yes)# exit
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-sig-ale)# exit
Step 10
Configure the service HTTP parameters:
sensor(config-sig-sig)# engine service-http
sensor(config-sig-sig-ser)# regex
sensor(config-sig-sig-ser-reg)# specify-uri-regex yes
sensor(config-sig-sig-ser-reg-yes)# uri-regex [Mm][Yy][Ff][Oo][Oo]
Step 11
Exit regex submode:
sensor(config-sig-sig-ser-reg-yes)# exit
sensor(config-sig-sig-ser-reg)# exit
Step 12
Configure the service ports using the signature variable WEBPORTS:
sensor(config-sig-sig-ser)# service-ports $WEBPORTS
Step 13
Exit signature definition submode:
sensor(config-sig-sig-ser)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 14
Press Enter to apply the changes or type no to discard them.

Example MEG Signature
The following example demonstrates how to create a MEG signature based on the META engine.
Note
The META engine is different from other engines in that it takes alerts as input where most engines take packets as input.
The following options apply to the META signature engine:
• component-list—List of META components.
– edit—Edits an existing entry in the list.
– insert name1—Inserts a new entry into the list.
– move—Moves an entry in the list.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01)
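
The following Python sketch is an added example, not part of the Cisco guide. It relates to the custom Service HTTP signature built in Steps 8 through 12: it checks sample URIs against the uri-regex from Step 10 and models, in simplified form, how summary-key Axxx (attacker address) and summary-threshold 200 from Step 8 divide hits into individual and summarized alerts. The function names, the sample traffic, the single summary interval, and the rule that hits beyond the threshold are summarized are assumptions of this example, not sensor behavior documented on this page.

```python
import re
from collections import Counter

# uri-regex from Step 10; the character classes make it case-insensitive.
URI_REGEX = re.compile(r"[Mm][Yy][Ff][Oo][Oo]")
SUMMARY_THRESHOLD = 200  # summary-threshold from Step 8


def uri_matches(uri):
    """Return True if the pattern occurs anywhere in the URI."""
    return URI_REGEX.search(uri) is not None


def model_alerts(events, threshold=SUMMARY_THRESHOLD):
    """Simplified model of summary-mode fire-all keyed on attacker address.

    events: (attacker_ip, uri) pairs, all assumed to fall in one summary interval.
    Returns {attacker_ip: (individual_alerts, summarized_hits)}.
    Assumption: the first `threshold` hits per attacker fire individual
    alerts; further hits in the interval are folded into a summary alert.
    """
    hits = Counter(ip for ip, uri in events if uri_matches(uri))
    return {ip: (min(n, threshold), max(n - threshold, 0))
            for ip, n in hits.items()}


# Constructed sample traffic (addresses and URIs are made up for the example).
SAMPLE_EVENTS = (
    [("10.0.0.5", "/cgi-bin/MyFoo.cgi")] * 250    # noisy source, over threshold
    + [("10.0.0.9", "/app/MYFOO?id=1")] * 3       # few hits, under threshold
    + [("10.0.0.9", "/index.html")] * 40          # no match, never alerts
    + [("10.0.0.7", "/my/foo")] * 5               # pattern split by '/', no match
)

if __name__ == "__main__":
    for ip, (single, summarized) in sorted(model_alerts(SAMPLE_EVENTS).items()):
        print(f"{ip}: {single} individual alerts, {summarized} hits summarized")
```

Running the pattern over representative URIs from your own web logs before applying the signature shows how often it would fire and whether the threshold of 200 suits that volume.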