In Cisco IPS Signatures 101 (Sept ’12 Chalk Talk) signature properties, engines, alerts, and actions were covered from a high level. The purpose of this document is to help a network or security professional understand how to configure Cisco Signatures to include the properties, engines, alerts, and actions. The content is relevant for the Cisco CCNP Security IPS Certification Exam (642-627) and should be useful for anyone studying for the CCIE Security Certification written and practical exam (Lab).
Configuring Basic Signature Properties
To configure signatures it is HIGHLY recommended to use the Cisco IDM (IPS Device Manager): click Configuration > Policies > Signature Definitions > sig0, then click All Signatures to open the Signature Configuration panel. The All Signatures entry is visible only when sig0 is expanded. By default, the Signature Configuration panel lists signatures by signature ID number. The All Signatures database view lists every signature in the sensor signature set; clicking a signature set displays the signatures grouped under it in the view pane. The following signature sets are available:
Figure 1: Example of an actual Signature Configuration View
As shown in Figure 2, the Filter drop-down list in the configuration view pane displays signatures in different groupings, for example by the type of attack they detect or the service being inspected. The Selection Criteria menu changes to match the Filter selection; for example, choosing Severity in the Filter drop-down turns the criteria field into a drop-down with High, Medium, Low, and Informational options. The configuration view pane then shows only the signatures that match the selected criteria, and only while a Filter option is selected. The Filter drop-down offers a limited set of options: Sig ID, Sig Name, Enabled, Severity, Fidelity Rating, Action, Type (Tuned …), and Engine.
Figure 2: Example snapshot of the Filter drop-down list
Enabling & Disabling Signatures
Enabling a signature makes the sensor inspect traffic against it; a disabled signature does not inspect traffic. The following steps walk you through enabling a signature.
Step 1: Click Configuration and choose Policies > Signature Definitions > Sig0 > Active Signatures. The Signature Configuration panel is displayed.
Step 2: Locate the signature that you want to enable. A signature that is already enabled has a check-mark in the check-box. If the signature is disabled, the check-box is empty.
Step 3: If the signature is currently disabled, put a check in the box next to signature by clicking on it.
Step 4: Click Apply to apply your changes and save the updated configuration. To disable a signature that is currently enabled, uncheck the check box in the Enabled column.
Note: To enable multiple signatures at the same time, hold down the Ctrl or Shift key and click the signatures that you would like to enable, then right-click one of the selected signatures and click Enable.
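For readers preparing for the CCIE Security lab, the same enable/disable operation is available from the sensor CLI. The session below is an added example written for this article; it is not taken from the original post or from Cisco documentation. It assumes a sensor hostname of `sensor`, uses signature 2004 subsignature 0 purely as a placeholder signature ID, and reflects the `service signature-definition` command tree of the IPS 7.x CLI as the editor recalls it, so verify the prompts and keywords against your sensor's software version before relying on them. Lines beginning with `!` are annotations, not commands.

```text
! Enter global configuration mode and the sig0 signature definition policy
sensor# configure terminal
sensor(config)# service signature-definition sig0
! Select the signature by ID and subsignature ID (placeholder values)
sensor(config-sig)# signatures 2004 0
! The status submode holds the enabled and retired flags
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
! Optional check: confirm the enabled and retired state before leaving
sensor(config-sig-sig-sta)# show settings
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
! Leaving the service prompts you to apply; answering yes is the CLI
! equivalent of clicking Apply in IDM
sensor(config-sig)# exit
Apply Changes?[yes]: yes
```

To disable the same signature, repeat the session with `enabled false`. When checking the result with `show settings`, look at the retired flag as well as the enabled flag: a signature that is retired is not loaded into the inspection engine even when it is marked enabled, so enabling alone does not guarantee that traffic is being inspected.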
Dave Burns joined Cisco in July 2008, as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently a Systems Engineering Manager working with US Service Providers on various architectures that include IP NGN, Data Center, Cloud, Security, Mobility, and Transport. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave is also currently working on his Masters in Business Administration in his ‘free’ time. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.