Basic Settings Tab
To configure the options on the Settings sub-tab page:
1. In the Enable group, select:
   - Signature in Library to enable the signature you are configuring once configuration is complete.
   - Follow on Signature to create a follow-on signature. Follow-on signatures are only evaluated when dynamic packets have been collected as a result of a match by another signature or policy. (See the Dynamic Collection option below.)
   - Extended to enable the extended signature language options on the Extended tab page. Select this option only if you are creating an extended signature.
   Note: If you want to change an existing basic signature with a basic pattern (configured on the Basic Patterns sub-tab) to an extended signature, you must first remove the basic pattern(s), then create the extended pattern(s).
2. Enter the name of the signature in the Signature Name field. If you are editing an existing signature, this field is greyed out. Signature names should not exceed 63 characters in length.
   A signature name can contain any combination of characters, excluding spaces. All signature names must have at least two fields, with the first two fields separated by a colon (:). The first field indicates the highest-layer protocol affected by the exploit/vulnerability. The second field indicates the specific application that is affected. All following fields are separated by a dash (-). Often, a third field is added as a one-word description of the event taking place, and in cases of overlap with existing signatures, a fourth field is added indicating the component of the application that is vulnerable or the difference from other exploits.
   For example, a suitable name for a signature for a PHP email application called "phpemail" that allows the contents of an arbitrary file on the server to be revealed could be either:
   WEB:PHPEMAIL-DISCLOSURE or SMTP:PHPEMAIL-DISCLOSE-WEB
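The naming rules above (no spaces, at most 63 characters, a colon between the protocol and application fields, dashes between any further fields) are easy to get wrong when many analysts author signatures. The following Python checker is an added example and is not part of the manual or the product; it parses a name into its fields and reports which rule a bad name breaks. The "exactly one colon" test is this example's own reading of "the first two fields separated by a colon", not a rule stated on the page.

```python
"""Validate and parse IDS signature names of the form PROTOCOL:APPLICATION[-FIELD...]."""
import re

MAX_NAME_LEN = 63  # from the manual: names should not exceed 63 characters


def parse_signature_name(name):
    """Return (protocol, application, extra_fields) or raise ValueError.

    Rules mirrored from the page: no spaces, at most 63 characters, first two
    fields separated by ':', remaining fields separated by '-'.
    Assumption of this example: exactly one ':' and no empty fields.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("signature name must be a non-empty string")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"name exceeds {MAX_NAME_LEN} characters")
    if re.search(r"\s", name):
        raise ValueError("spaces are not allowed in signature names")
    if name.count(":") != 1:
        raise ValueError("expected exactly one colon between protocol and application")
    protocol, rest = name.split(":")
    fields = rest.split("-")
    application, extra = fields[0], fields[1:]
    if not protocol or not application or any(f == "" for f in extra):
        raise ValueError("empty field in signature name")
    return protocol, application, extra


def validate_signature_name(name):
    """Non-raising wrapper: returns (True, '') or (False, reason)."""
    try:
        parse_signature_name(name)
        return True, ""
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names, including the two from the manual.
    for candidate in ("WEB:PHPEMAIL-DISCLOSURE", "SMTP:PHPEMAIL-DISCLOSE-WEB",
                      "WEB PHPEMAIL", "WEBPHPEMAIL", "WEB:PHPEMAIL-"):
        print(candidate, validate_signature_name(candidate))
```

The parser returns the fields separately so a review script can also check, for instance, that the protocol field is one the sensor library already uses.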
3. If required, select the operating system from the Signature OS pull-down menu. This field is blank by default. Choices are:
   - UNIX
   - Solaris
   - Windows
   - Novell
   - Embedded
   - Any
4. If desired, enter a Dynamic Collection value to specify how many packets of the conversation the sensor should collect after the signature is matched. A conversation is defined by source and destination IP address and source and destination ports.
   For example, for a Telnet login failure, the signature could instruct the Virtual Sensor to capture the next 50 packets between the Telnet server and the IP address that had the login failure. This allows a greater level of analysis to be applied to a security event.
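To make the interaction between Dynamic Collection (step 4) and the Follow on Signature option (step 1) concrete, here is a small Python model of the behaviour the page describes. It is an added illustration, not the product's engine: a base signature that matches a Telnet login failure starts collecting the next N packets of that conversation (N is set to 3 here instead of the 50 in the manual's example so the sample stream stays short), and a follow-on signature is evaluated only against the collected packets. The packet stream, the signature names and the direction-independent conversation key are all constructed for this example.

```python
"""Model of dynamic collection and follow-on signature evaluation (added example)."""
from collections import namedtuple

# Constructed packet record; a conversation is identified by src/dst IP and ports.
Packet = namedtuple("Packet", "src sport dst dport payload")


def conversation_key(pkt):
    """Direction-independent conversation identity (assumption of this example:
    both directions of the same address/port 4-tuple form one conversation)."""
    return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])


class Signature:
    def __init__(self, name, matcher, dynamic_collection=0, follow_on=False):
        self.name = name
        # Base signatures: matcher(packet) -> bool.
        # Follow-on signatures: matcher(list_of_collected_packets) -> bool.
        self.matcher = matcher
        self.dynamic_collection = dynamic_collection
        self.follow_on = follow_on


def run_sensor(packets, signatures):
    """Evaluate base signatures per packet. When one with a Dynamic Collection
    value matches, capture that many subsequent packets of the same conversation
    and evaluate follow-on signatures only against that captured set.
    Returns a list of (signature_name, index_of_triggering_packet)."""
    base = [s for s in signatures if not s.follow_on]
    follow_ons = [s for s in signatures if s.follow_on]
    alerts = []
    active = {}  # conversation key -> {"remaining", "collected", "trigger"}
    for idx, pkt in enumerate(packets):
        key = conversation_key(pkt)
        coll = active.get(key)
        if coll is not None:
            coll["collected"].append(pkt)
            coll["remaining"] -= 1
            if coll["remaining"] == 0:
                # Collection complete: follow-ons see only the collected packets.
                for fo in follow_ons:
                    if fo.matcher(coll["collected"]):
                        alerts.append((fo.name, coll["trigger"]))
                del active[key]
        for sig in base:
            if sig.matcher(pkt):
                alerts.append((sig.name, idx))
                if sig.dynamic_collection > 0 and key not in active:
                    active[key] = {"remaining": sig.dynamic_collection,
                                   "collected": [], "trigger": idx}
    return alerts


# Constructed signatures (names follow the manual's PROTOCOL:APPLICATION-... convention).
SIGNATURES = [
    Signature("TELNET:LOGIN-FAILURE",
              lambda p: p.sport == 23 and b"Login incorrect" in p.payload,
              dynamic_collection=3),
    Signature("TELNET:LOGIN-REPEATED-FAILURE",
              lambda pkts: any(b"Login incorrect" in p.payload for p in pkts),
              follow_on=True),
]

# Constructed sample stream: one Telnet conversation plus an unrelated HTTP packet.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40001, "10.0.0.9", 23, b"alice\r\n"),
    Packet("10.0.0.9", 23, "10.0.0.5", 40001, b"Login incorrect\r\n"),   # trigger
    Packet("10.0.0.5", 40001, "10.0.0.9", 23, b"alice\r\n"),             # collected 1
    Packet("10.0.0.9", 23, "10.0.0.5", 40001, b"Login incorrect\r\n"),   # collected 2
    Packet("10.0.0.5", 40001, "10.0.0.9", 23, b"alice\r\n"),             # collected 3
    Packet("10.0.0.7", 50000, "10.0.0.8", 80, b"GET / HTTP/1.0\r\n"),    # not in conversation
]


def demo():
    return run_sensor(SAMPLE_PACKETS, SIGNATURES)


if __name__ == "__main__":
    for name, trigger in demo():
        print(f"{name} (triggered by packet {trigger})")
```

Note that the follow-on signature never fires on its own: with no preceding match and collection there is no captured packet set for it to examine, which is exactly why the manual ties Follow on Signature to Dynamic Collection.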
Creating Network Sensor Policies and Signatures 3-15
Creating Custom Signatures