In Cisco IPS Signatures 101 (Sept ’12 Chalk Talk), signature properties, engines, alerts, and actions were covered at a high level. The purpose of this document is to help a network or security professional understand how to configure Cisco IPS signatures, including their properties, engines, alerts, and actions. The content is relevant for the Cisco CCNP Security IPS Certification Exam (642-627) and should be useful for anyone studying for the CCIE Security Certification written and practical (Lab) exams.
Configuring Basic Signature Properties
To configure signatures, it is HIGHLY recommended to use the Cisco IDM (IPS Device Manager): click Configuration > Policies > Signature Definitions > sig0, then click All Signatures to access the Signature Configuration panel. The All Signatures entry is visible only when sig0 is expanded. By default, the Signature Configuration panel lists signatures by signature ID number. The All Signatures database view displays every signature available in the sensor's signature set; clicking an individual signature set displays the signatures grouped under it in the view pane. The following signature sets are available –
Figure 1: Example of an actual Signature Configuration View
As seen below in Figure 2, the Filter drop-down list in the configuration view pane can be used to display signatures in different ways, such as by the type of attack they detect or the service being inspected. The Selection Criteria field changes to correspond to the Filter selection. For example, if you choose Severity in the Filter drop-down, the criteria field offers High, Medium, Low, and Informational. Once a filter is selected, the configuration view pane refreshes to show only the signatures that match the chosen criteria. The Filter drop-down offers a limited set of options: Sig ID, Sig Name, Enabled, Severity, Fidelity Rating, Action, Type (Tuned …), and Engine.
Figure 2: Example snapshot of the Filter drop-down list
Enabling & Disabling Signatures
Enabling a signature makes the sensor inspect traffic against it; when a signature is disabled, it does not inspect traffic. The following steps walk you through enabling a signature.
Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.
Step 2: Locate the signature that you want to enable. A signature that is already enabled has a check-mark in the check-box. If the signature is disabled, the check-box is empty.
Step 3: If the signature is currently disabled, put a check in the box next to signature by clicking on it.
Step 4: Click Apply to apply your changes and save the updated configuration. To disable a signature that is currently enabled, uncheck the check box in the Enabled column and click Apply.
Note: To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable, then right click on one of the selected signatures and click Enable.
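For the CCIE lab, where the IDM may not be available, the same enable/disable change can be made from the sensor CLI. The following session is an added example and is not part of the original post; it assumes a sensor with the hostname sensor and uses signature 2004 subsignature 0 (ICMP Echo Request) as the signature being enabled.

```text
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?:[yes]: yes
sensor(config)# exit
```

To disable the signature instead, use enabled false at the same prompt. Note the retired false line: a signature that is retired is not loaded into the inspection engine and will not inspect traffic even when it is enabled, so when a signature you enabled still produces no alerts, check its retired status as well as its Enabled check box. The Apply Changes? prompt appears when you leave service signature-definition mode; answering yes commits the change, which is the CLI equivalent of clicking Apply in the IDM.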
Dave Burns joined Cisco in July 2008, as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently a Systems Engineering Manager working with US Service Providers on various architectures that include IP NGN, Data Center, Cloud, Security, Mobility, and Transport. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave is also currently working on his Masters in Business Administration in his ‘free’ time. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.