In Cisco IPS Signatures 101 (Sept ’12 Chalk Talk) signature properties, engines, alerts, and actions were covered from a high level. The purpose of this document is to help a network or security professional understand how to configure Cisco Signatures to include the properties, engines, alerts, and actions. The content is relevant for the Cisco CCNP Security IPS Certification Exam (642-627) and should be useful for anyone studying for the CCIE Security Certification written and practical exam (Lab).
Configuring Basic Signature Properties
To configure signatures it is HIGHLY recommended to do so via the Cisco IDM (IPS Device Manager) by clicking on Configuration > Policies > Signature Definitions > sig0, then clicking All Signatures to access the Signature Configuration panel. The All Signatures entry is visible only when sig0 is expanded. By default, the Signature Configuration panel lists signatures by signature ID number. The All Signatures database view displays every signature available in the sensor signature set; when an individual signature set is clicked, the view pane lists the signatures grouped under it. The following are the available signature sets –
Figure 1: Example of an actual Signature Configuration View
As seen below in Figure 2, there is a Filter drop-down list in the configuration view pane that can be used to display signatures in different ways, such as by the type of attack they detect or the service being inspected. The Selection Criteria menu changes to correspond to the Filter drop-down selection. For example, if you choose Severity in the Filter drop-down, the criteria field provides a drop-down with the High, Medium, Low and Informational options. Once a Filter option is selected, the configuration view pane refreshes to show only those signatures that match the selected criteria. The Filter drop-down list offers a limited set of options: Sig ID, Sig Name, Enabled, Severity, Fidelity Rating, Action, Type (Tuned … ), and Engine.
Figure 2: Example snapshot of the Filter drop-down list
Enabling & Disabling Signatures
Enabling a signature makes the sensor inspect traffic against it; when a signature is disabled, it does not inspect traffic. The following steps walk you through enabling a signature.
Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.
Step 2: Locate the signature that you want to enable. A signature that is already enabled has a check-mark in the check-box. If the signature is disabled, the check-box is empty.
Step 3: If the signature is currently disabled, put a check in the box next to the signature by clicking on it.
Step 4: Click Apply to apply your changes and save the updated configuration. To disable a signature that is currently enabled, uncheck the check box in the Enabled column and click Apply.
Note: To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable, then right click on one of the selected signatures and click Enable.
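The same enable/disable change can be made from the sensor CLI, which is useful in the CCIE lab where IDM may not be available. The session below is an added example and not part of the original article; the hostname `sensor`, the prompt strings, and the choice of signature 2004/0 (the built-in ICMP Echo Request signature, Informational severity) are illustrative assumptions. The `status` submode holds the `enabled` and `retired` flags that the IDM Enabled check box writes; a retired signature is not loaded into the engine even if it is enabled.

```text
sensor# configure terminal
sensor(config)# service signature-definition sig0
! Select signature ID 2004, subsignature 0 (assumed example: ICMP Echo Request)
sensor(config-sig)# signatures 2004 0
! The status submode carries the Enabled flag that the IDM check box toggles
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
! Make sure the signature is not retired, or it will never be compiled into the engine
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
! Leaving service mode prompts for the same Apply step as IDM
sensor(config-sig)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! Verify the change was written to the running signature definition
sensor# show configuration | include 2004
```

To disable the signature again, enter the same submode and set `enabled false`, then apply the change; to verify what is actually inspecting traffic, compare the output of `show configuration` against the Enabled column in IDM.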
Dave Burns joined Cisco in July 2008, as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently a Systems Engineering Manager working with US Service Providers on various architectures that include IP NGN, Data Center, Cloud, Security, Mobility, and Transport. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave is also currently working on his Masters in Business Administration in his ‘free’ time. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.