In Cisco IPS Signatures 101 (Sept ’12 Chalk Talk) signature properties, engines, alerts, and actions were covered from a high level. The purpose of this document is to help a network or security professional understand how to configure Cisco Signatures to include the properties, engines, alerts, and actions. The content is relevant for the Cisco CCNP Security IPS Certification Exam (642-627) and should be useful for anyone studying for the CCIE Security Certification written and practical exam (Lab).
Configuring Basic Signature Properties
To configure signatures it is HIGHLY recommended to do so via the Cisco IDM (IPS Device Manager): click Configuration > Policies > Signature Definitions > sig0, then click All Signatures to open the Signature Configuration panel. The All Signatures entry is visible only when sig0 is expanded. By default, the Signature Configuration panel lists signatures by signature ID number. The All Signatures database view shows every signature available in the sensor signature set, and clicking on an individual signature set displays the signatures grouped under it in the view pane. The following signature sets are available:
Figure 1: Example of an actual Signature Configuration View
As seen below in Figure 2, there is a Filter drop-down list in the configuration view pane that can be used to display signatures in different ways, such as by the type of attack they detect or the service being inspected. The Selection Criteria menu changes to correspond to the Filter drop-down selection. For example, if you choose Severity in the Filter drop-down, the criteria field provides a drop-down with the options High, Medium, Low and Informational. Once a Filter option is selected, the configuration view pane refreshes to show only those signatures that match the selected criteria. The Filter drop-down list offers a limited set of options: Sig ID, Sig Name, Enabled, Severity, Fidelity Rating, Action, Type (Tuned … ), and Engine.
Figure 2: Example snapshot of the Filter drop-down list
Enabling & Disabling Signatures
Enabling a signature makes the sensor inspect traffic against it; when a signature is disabled, it does not inspect traffic. The following steps walk you through enabling a signature.
Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.
Step 2: Locate the signature that you want to enable. A signature that is already enabled has a check-mark in the check-box. If the signature is disabled, the check-box is empty.
Step 3: If the signature is currently disabled, put a check in the box next to signature by clicking on it.
Step 4: Click Apply to apply your changes and save the updated configuration. To disable a signature that is currently enabled, uncheck the check box in the Enabled column.
Note: To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable, then right click on one of the selected signatures and click Enable.
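The same enable/disable operation can be performed from the sensor CLI, which is useful when you need to script or audit signature state on several sensors. The session below is an added example and is not part of the original article; it assumes a sensor named "sensor" and uses signature 2004 subsignature 0 purely as an example ID (substitute the signature you actually want to change). The `Apply Changes?` prompt appears when you leave the service configuration mode, so nothing takes effect until you answer yes; the IDM Apply button serves the same purpose.

```text
sensor# configure terminal
sensor(config)# service signature-definition sig0
! select the signature by ID and subsignature ID (example values)
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# status
! enabled true activates inspection; enabled false disables it
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
! confirm the saved state before relying on the sensor to alert
sensor# show configuration
```

Reviewing `show configuration` after the change is the CLI counterpart of the check-mark in the Enabled column: a signature that is still disabled (or retired) generates no alerts no matter how its actions are tuned, so verifying the status block is the first thing to check when an expected alert never fires.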
Dave Burns joined Cisco in July 2008, as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently a Systems Engineering Manager working with US Service Providers on various architectures that include IP NGN, Data Center, Cloud, Security, Mobility, and Transport. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave is also currently working on his Masters in Business Administration in his ‘free’ time. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.