09-10-2010 03:24 PM - edited 03-10-2019 05:07 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on Intrusion Prevention System with Scott Fringer. Scott Fringer is a Technical Assistance Center engineer on the intrusion detection system team in Research Triangle Park, North Carolina. His team supports Cisco's various intrusion detection/prevention sensors, the Cisco IOS IPS feature set, Cisco Security MARS, Cisco Security Manager, Cisco Security Agent, and the Cisco Anomaly Detector/Guard products. Fringer has represented the Technical Assistance Center at previous Networkers conferences and currently holds CCSP certification.
Remember to use the rating system to let Scott know if you have received an adequate response.
Scott might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 24, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
09-21-2010 11:28 AM
Hi Scott,
I am new to IPS and I want to write some custom signatures. I was looking for a beginner (easy to understand) document which can tell more about the signature engine and regex. Is there any reading material or documentation that you can point me to so that I can understand the signature engine and write custom signatures? Any suggestion would be helpful.
Thanks
09-21-2010 11:40 AM
The best place to start with understanding custom signature development for Cisco's IPS platform is to understand the system's architecture. There is a good overview available at this link:
The next piece to understand is the functionality that the various available signature engines provide. This is outlined at this link:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html
With the underlying technology in place, you can start with custom signature creation as discussed at this link:
(Or for the IDM GUI):
As for references on regular expressions, there are a multitude of resources available on the Internet. There is a brief overview within the IPS user guide at this link:
Scott
09-22-2010 02:21 AM
Hi Scott,
Thanks a lot for your help. I had another question: in the Service HTTP engine, if I specify "uri regex" and "header regex", will the signature trigger only when it matches both the URI and header regex, or will it trigger if either one of them matches?
09-22-2010 04:32 AM
Within a signature, all enabled and defined regex values must match for the signature to match and in turn take action. So, if you want a signature to fire when either the header regex or the URL regex matches, you would want to create two separate signatures, one for each specific match.
Scott
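The matching rule Scott describes above (every defined regex field in one signature is ANDed; an OR requires two signatures) is easy to get wrong when tuning. The following is an added illustration written for this page, not Cisco's engine code and not part of the original thread: it is a small Python model of a Service HTTP style signature with optional uri and header regex fields, run against four constructed HTTP requests. The signature IDs (60001 to 60003), the regex patterns and the sample requests are all assumptions chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample HTTP requests (not captured traffic, not from the thread).
REQUESTS: Dict[str, str] = {
    "both": (
        "GET /cgi-bin/admin.cgi?cmd=ls HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: EvilScanner/1.0\r\n"
        "\r\n"
    ),
    "uri_only": (
        "GET /cgi-bin/admin.cgi?cmd=ls HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "\r\n"
    ),
    "header_only": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: EvilScanner/1.0\r\n"
        "\r\n"
    ),
    "neither": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "\r\n"
    ),
}


def split_request(raw: str) -> Tuple[str, str]:
    """Return (request URI, raw header block) from an HTTP request string."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = "\r\n".join(lines[1:])
    return uri, headers


class HttpSignature:
    """Model of a signature with optional uri-regex and header-regex fields.

    Semantics modelled here: every field that is *defined* must match
    (logical AND). Fields left as None are simply not evaluated.
    """

    def __init__(self, sig_id: int,
                 uri_regex: Optional[str] = None,
                 header_regex: Optional[str] = None) -> None:
        self.sig_id = sig_id
        self.uri_re = re.compile(uri_regex) if uri_regex else None
        self.header_re = re.compile(header_regex) if header_regex else None

    def matches(self, raw: str) -> bool:
        uri, headers = split_request(raw)
        checks: List[bool] = []
        if self.uri_re is not None:
            checks.append(self.uri_re.search(uri) is not None)
        if self.header_re is not None:
            checks.append(self.header_re.search(headers) is not None)
        # A signature with no regex defined has nothing to match on.
        return bool(checks) and all(checks)


def fired(signatures: List[HttpSignature], raw: str) -> List[int]:
    """IDs of the signatures that fire on one request, in definition order."""
    return [s.sig_id for s in signatures if s.matches(raw)]


def evaluate(signatures: List[HttpSignature]) -> Dict[str, List[int]]:
    """Run a signature set against every sample request."""
    return {name: fired(signatures, raw) for name, raw in REQUESTS.items()}


URI_RE = r"/cgi-bin/admin\.cgi\?cmd="       # assumed pattern for the example
HDR_RE = r"User-Agent: EvilScanner"          # assumed pattern for the example

# One signature carrying both regexes: fires only when BOTH match.
COMBINED = [HttpSignature(60001, uri_regex=URI_RE, header_regex=HDR_RE)]

# Two signatures, one per field: together they fire when EITHER matches.
SPLIT = [
    HttpSignature(60002, uri_regex=URI_RE),
    HttpSignature(60003, header_regex=HDR_RE),
]

if __name__ == "__main__":
    for label, sigs in (("combined", COMBINED), ("split", SPLIT)):
        for name, ids in evaluate(sigs).items():
            print(f"{label:8s} {name:12s} -> {ids}")
```

Running it shows the combined signature firing only on the "both" request, while the split pair fires 60002 on the URI-only request, 60003 on the header-only request and both IDs when both fields match. The same reasoning applies to any other regex fields a signature defines: adding a field narrows the match, it never widens it.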
09-22-2010 11:23 AM
Hi Scott,
We have around 15 Cisco IPS devices running IPS 7.0(4)E4. Sometimes the analysis engine of some of the sensors stops running (i.e. "analysis engine NOT running"). What is the cause of this, and what are the steps or solution to solve this problem so that the analysis engine starts running normally?
Thanks
09-22-2010 11:29 AM
Unfortunately there is not a single cause or corrective action for times when the analysis engine stops running. When this occurs, the best thing you can do is gather a 'show tech' from the affected sensor and open a service request with TAC. It will take specific investigation on a case-by-case basis.
Scott