User Guide for Cisco Security Manager 4.4, OL-28826-01

Chapter 38: Defining IPS Signatures
You can use Security Manager to configure IPS signatures for dedicated IPS appliances and service
modules or Cisco IOS IPS devices. When configuring signatures for Cisco IOS IPS, keep in mind that
the router cannot use as many signatures as a dedicated appliance or service module.
This chapter contains the following topics:
Understanding Signatures, page 38-1
Configuring Signatures, page 38-4
Configuring Signature Settings, page 38-27
Understanding Signatures
Network intrusions are attacks on, or other misuses of, network resources. Cisco IPS sensors and Cisco
IOS IPS devices use a signature-based technology to detect network intrusions. A signature specifies the
types of network intrusions that you want the sensor to detect and report. As sensors scan network
packets, they use signatures to detect known types of attacks, such as denial of service (DoS) attacks,
and respond with actions that you define.
On a basic level, signature-based intrusion detection technology can be compared to virus-checking
programs. Cisco IPS contains a set of signatures that the sensor compares with network activity. When
a match is found, the sensor takes some action, such as logging the event or sending an alarm to the
Security Manager Event Viewer.
Signatures can produce false positives, because certain normal network activity can be construed as
malicious. For example, some network applications or operating systems may send out numerous ICMP
messages, which a signature-based detection system might interpret as an attempt by an attacker to map
out a network segment. You can minimize false positives by editing your signature parameters (tuning
your signatures).
To configure a sensor to monitor network traffic for a particular signature, you must enable the signature.
By default, the most critical signatures are enabled when you install the signature update. When an attack
is detected that matches an enabled signature, the sensor generates an alert, which is stored in the event
store of the sensor. The alerts, as well as other events, may be retrieved from the event store by
web-based clients such as Event Viewer. By default, the sensor logs all alerts of severity Informational or higher.
Some signatures have subsignatures, that is, the signature is divided into subcategories. When you
configure a subsignature, changes made to the parameters of one subsignature apply only to that
subsignature. For example, if you edit signature 3050 subsignature 1 and change the severity, the severity
change applies only to subsignature 1 and not to subsignatures 2, 3, and 4 of signature 3050.
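The following is an added illustration, not code from this guide or from Cisco. It models the three behaviours described above in a small Python sensor: only enabled signatures are compared against traffic, alerts below the logging threshold never reach the event store, and tuning a subsignature (here the severity of 3050/1) leaves its siblings 3050/2 through 3050/4 unchanged. The packet record format, the match predicates, the port-per-subsignature mapping for 3050 and the signature number 60000 for the ICMP sweep are all constructed for the example.

```python
"""Toy model of signature-based intrusion detection as the chapter describes it.
Constructed example, not Cisco code: the signature table, match predicates,
packet records and alert format are all assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Callable

# Alert severities, lowest to highest. The event store keeps Informational and higher by default.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Signature:
    sig_id: int
    subsig_id: int
    description: str
    severity: str
    enabled: bool
    # Predicate over one packet record; also receives the tunable params and a per-signature state dict.
    match: Callable[[dict, dict, dict], bool]
    params: dict = field(default_factory=dict)
    state: dict = field(default_factory=dict)
    action: str = "produce-alert"


@dataclass
class Sensor:
    signatures: dict = field(default_factory=dict)   # keyed by (sig_id, subsig_id)
    min_log_severity: str = "informational"           # default logging threshold from the chapter
    event_store: list = field(default_factory=list)

    def add(self, sig: Signature) -> None:
        self.signatures[(sig.sig_id, sig.subsig_id)] = sig

    def tune(self, sig_id: int, subsig_id: int, severity=None, enabled=None, **params) -> None:
        """Edit exactly one subsignature; siblings under the same sig_id are not touched."""
        sig = self.signatures[(sig_id, subsig_id)]
        if severity is not None:
            sig.severity = severity
        if enabled is not None:
            sig.enabled = enabled
        sig.params.update(params)

    def scan(self, packets: list) -> list:
        """Run every enabled signature over each packet; keep alerts at or above the log threshold."""
        kept = []
        for pkt in packets:
            for sig in self.signatures.values():
                if sig.enabled and sig.match(pkt, sig.params, sig.state):
                    alert = {"sig": f"{sig.sig_id}/{sig.subsig_id}", "severity": sig.severity,
                             "src": pkt["src"], "action": sig.action}
                    if SEVERITY_RANK[sig.severity] >= SEVERITY_RANK[self.min_log_severity]:
                        self.event_store.append(alert)
                        kept.append(alert)
        return kept


def syn_to_port(port: int) -> Callable:
    """Constructed stand-in for the 3050 subsignatures: a bare TCP SYN to one port."""
    return lambda pkt, params, state: (pkt["proto"] == "tcp" and pkt["flags"] == "S"
                                       and pkt["dport"] == port)


def icmp_echo_sweep(pkt: dict, params: dict, state: dict) -> bool:
    """Fires once when a source reaches params["threshold"] ICMP echo requests (the tunable knob)."""
    if pkt["proto"] != "icmp" or pkt["type"] != "echo-request":
        return False
    state[pkt["src"]] = state.get(pkt["src"], 0) + 1
    return state[pkt["src"]] == params["threshold"]


def build_sensor(min_log_severity: str = "informational") -> Sensor:
    s = Sensor(min_log_severity=min_log_severity)
    # Subsignatures 1-4 of 3050, each watching a different port (constructed mapping, not Cisco's).
    for sub, port in enumerate((21, 23, 25, 80), start=1):
        s.add(Signature(3050, sub, f"SYN to port {port}", "medium", True, syn_to_port(port)))
    # 60000 is a constructed signature number; threshold=1 alerts on the very first echo request.
    s.add(Signature(60000, 0, "ICMP echo sweep", "low", True, icmp_echo_sweep, params={"threshold": 1}))
    return s


def demo() -> dict:
    # Constructed traffic: two SYNs from one host and three echo requests from another (normal pings).
    packets = [{"src": "10.0.0.5", "proto": "tcp", "flags": "S", "dport": 23},
               {"src": "10.0.0.5", "proto": "tcp", "flags": "S", "dport": 80}]
    packets += [{"src": "10.0.0.9", "proto": "icmp", "type": "echo-request", "dst": f"10.0.0.{i}"}
                for i in (1, 2, 3)]
    untuned = build_sensor()
    before = [a["sig"] for a in untuned.scan(packets)]

    tuned = build_sensor()
    tuned.tune(3050, 1, severity="high")     # only subsignature 1 changes severity
    tuned.tune(60000, 0, threshold=5)        # three ordinary pings no longer look like a sweep
    after = [a["sig"] for a in tuned.scan(packets)]

    strict = build_sensor(min_log_severity="medium")   # low-severity alerts are dropped from the store
    logged = [a["sig"] for a in strict.scan(packets)]
    return {"before": before, "after_tuning": after, "logged_at_medium": logged,
            "severity_3050": {sub: tuned.signatures[(3050, sub)].severity for sub in (1, 2, 3, 4)}}


if __name__ == "__main__":
    print(demo())
```

The untuned sensor raises the sweep alert on the first echo request from 10.0.0.9, which is the kind of false positive the text warns about; raising the threshold on that one signature removes it without affecting the SYN alerts, and the severity change to 3050/1 is visible only on that subsignature.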