Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 152
Creating Custom Signatures
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, page 7-34

Keywords for positioning an entry in the component list:
  begin—Places the entry at the beginning of the active list.
  end—Places the entry at the end of the active list.
  inactive—Places the entry into the inactive list.
  before—Places the entry before the specified entry.
  after—Places the entry after the specified entry.

component-count—Number of times the component must fire before it is satisfied.
component-sig-id—Signature ID of the signature to match this component on.
component-subsig-id—Subsignature ID of the signature to match this component on.
component-list-in-order [true | false]—Whether the components must fire in the order in which they appear in the component list.
event-action—Action(s) to perform when the alert is triggered:
  produce-alert—Writes an evIdsAlert to the Event Store.
  produce-verbose-alert—Includes an encoded dump (possibly truncated) of the offending packet in the evIdsAlert.
  deny-attacker-inline—(Inline mode only) Does not transmit this packet or future packets from the attacker address for a specified period of time.
  deny-connection-inline—(Inline mode only) Does not transmit this packet or future packets on the TCP flow.
  deny-packet-inline—(Inline mode only) Does not transmit this packet.
  log-attacker-packets—Starts IP logging of packets containing the attacker address.
  log-pair-packets—Starts IP logging of packets containing the attacker-victim address pair.
  log-victim-packets—Starts IP logging of packets containing the victim address.
  request-block-connection—Requests Network Access Controller to block this connection.
  request-block-host—Requests Network Access Controller to block this attacker host.
  request-snmp-trap—Sends a request to NotificationApp to perform the SNMP action.
  reset-tcp-connection—Sends TCP resets to hijack and terminate the TCP flow.
meta-key—Storage type for the META signature, that is, which fields of the component alerts are used to correlate them (A = attacker address, a = attacker port, B = victim address, b = victim port, x = field ignored):
  AaBb—Attacker and victim addresses and ports.
  AxBx—Attacker and victim addresses.
  Axxx—Attacker address.
  xxBx—Victim address.
meta-reset-interval—Time in seconds to reset the META signature. The valid range is 0 to 3600 seconds. The default is 60 seconds.

Note  Signature 64000 subsignature 0 will fire when it sees the alerts from signature 2000 subsignature 0 and signature 3000 subsignature 0 on the same source address. The source address selection is a result of the meta-key default value of Axxx. You can change this behavior by changing the meta-key setting, for example to xxBx (destination address).
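As an added illustration of how meta-key, component-count, component-list-in-order and meta-reset-interval interact, the following Python model correlates component alerts the way the Note describes. It is example code written for this page, not the sensor's META engine or any Cisco code. The alert records, addresses and timings are constructed sample data, and two behaviors the page does not spell out are assumptions: a partial match expires reset-interval seconds after its first counted component alert, and with in-order set, a component alert that arrives before the earlier components are satisfied is ignored rather than counted.

```python
"""Toy model of META-signature correlation (added example, not Cisco's code).

Component alerts are bucketed by the fields the meta-key selects; the META
signature fires when every component has fired component-count times for the
same bucket within meta-reset-interval seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Alert:
    """One alert from a component signature (constructed sample data)."""
    sig_id: int
    subsig_id: int
    attacker_addr: str   # "A" in the meta-key
    attacker_port: int   # "a"
    victim_addr: str     # "B"
    victim_port: int     # "b"
    time: float          # seconds


@dataclass(frozen=True)
class Component:
    sig_id: int          # component-sig-id
    subsig_id: int = 0   # component-subsig-id
    count: int = 1       # component-count


# meta-key value -> alert fields that form the correlation key ("x" = ignored)
META_KEY_FIELDS = {
    "AaBb": ("attacker_addr", "attacker_port", "victim_addr", "victim_port"),
    "AxBx": ("attacker_addr", "victim_addr"),
    "Axxx": ("attacker_addr",),
    "xxBx": ("victim_addr",),
}


class MetaSignature:
    def __init__(self, sig_id: int, components: Sequence[Component],
                 meta_key: str = "Axxx", in_order: bool = False,
                 reset_interval: int = 60) -> None:
        if meta_key not in META_KEY_FIELDS:
            raise ValueError(f"unknown meta-key {meta_key!r}")
        if not 0 <= reset_interval <= 3600:
            raise ValueError("meta-reset-interval must be 0..3600 seconds")
        self.sig_id = sig_id
        self.components = list(components)
        self.meta_key = meta_key
        self.in_order = in_order            # component-list-in-order
        self.reset_interval = reset_interval
        # correlation key -> (time of first counted hit, hits per component)
        self._state: Dict[tuple, Tuple[float, List[int]]] = {}

    def _component_index(self, alert: Alert) -> Optional[int]:
        for i, c in enumerate(self.components):
            if (c.sig_id, c.subsig_id) == (alert.sig_id, alert.subsig_id):
                return i
        return None

    def feed(self, alert: Alert) -> Optional[tuple]:
        """Feed one alert; return the correlation key if the META signature fires."""
        idx = self._component_index(alert)
        if idx is None:
            return None                      # not one of our components
        key = tuple(getattr(alert, f) for f in META_KEY_FIELDS[self.meta_key])
        entry = self._state.get(key)
        # Assumption: a partial match expires reset_interval seconds after its first hit.
        if entry is not None and alert.time - entry[0] > self.reset_interval:
            del self._state[key]
            entry = None
        hits = entry[1] if entry is not None else [0] * len(self.components)
        # Assumption for in-order: a hit counts only once all earlier components are satisfied.
        if self.in_order and any(hits[j] < self.components[j].count for j in range(idx)):
            return None
        if entry is None:
            self._state[key] = (alert.time, hits)
        hits[idx] += 1
        if all(h >= c.count for h, c in zip(hits, self.components)):
            del self._state[key]             # fire once, then start a fresh match
            return key
        return None


def fired_on(alerts: Sequence[Alert], meta_key: str = "Axxx", in_order: bool = False,
             reset_interval: int = 60,
             components: Sequence[Component] = (Component(2000), Component(3000))) -> List[int]:
    """Indexes of the alerts on which the page's signature 64000 fires."""
    meta = MetaSignature(64000, components, meta_key, in_order, reset_interval)
    return [i for i, a in enumerate(alerts) if meta.feed(a) is not None]


# Constructed sample: one attacker hitting two victims, then the first victim again.
SAMPLE = [
    Alert(2000, 0, "10.1.1.5", 40000, "192.0.2.10", 80, 0.0),
    Alert(3000, 0, "10.1.1.5", 40001, "192.0.2.20", 443, 5.0),
    Alert(3000, 0, "10.1.1.5", 40002, "192.0.2.10", 80, 7.0),
]

if __name__ == "__main__":
    print("Axxx fires on alert", fired_on(SAMPLE, "Axxx"))   # [1]: same attacker address
    print("xxBx fires on alert", fired_on(SAMPLE, "xxBx"))   # [2]: same victim address
```

With the default Axxx the second alert completes the match because both components came from 10.1.1.5; with xxBx the match is keyed on the victim, so the 3000 alert against 192.0.2.20 starts a separate bucket and the signature does not fire until the third alert hits 192.0.2.10 again. AaBb never fires on this sample because the attacker ports differ, which is the practical reason to pick the narrowest key that still matches the attack pattern you are describing.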
Chapter 7 Defining Signatures, 78-16527-01