Cisco Systems CL-28826-01 Security Camera User Manual


38-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Understanding Signatures
Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures from
the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You
can later activate retired signatures; however, this process requires the sensing engines to rebuild their
configuration, which takes time and could delay the processing of traffic. You can tune built-in
signatures by adjusting several signature parameters. Built-in signatures that have been modified are
called tuned signatures.
Note: We recommend that you retire any signatures that you are not using. This improves sensor performance.
You can create signatures, which are called custom signatures. Custom signature IDs begin at 60000.
You can configure them for several things, such as matching of strings on UDP connections, tracking of
network floods, and scans. Each signature is created using a signature engine specifically designed for
the type of traffic being monitored.
For more about signatures, see:
Obtaining Detailed Information About a Signature, page 38-2
Understanding Signature Inheritance, page 38-3
Related Topics
Configuring Signatures, page 38-4
Chapter 41, “Configuring Global Correlation”
Obtaining Detailed Information About a Signature
You can find detailed information about each signature from the Cisco Security Intelligence Operations
web site. The web site includes a wealth of information and best practice recommendations for network
security, and you can set up IntelliShield alerts. There is education on advanced security topics to help
you protect your network, prioritize remediation, and structure your systems to reduce organizational
risk.
When you edit the Signatures policy in Security Manager (see Signatures Page, page 38-4), the signature
ID is linked directly into the Cisco Security Intelligence Operations database of IPS signatures. Clicking
a signature ID opens a page containing information about the signature, including a description, the
vulnerabilities on which the signature is based, when the signature was created, and so forth. You can
search this database yourself at http://tools.cisco.com/security/center/search.x?search=Signature. (The
database was formerly called the Cisco Network Security Database or NSDB.)
If you do not have access to Cisco.com, then the signature ID is linked to a local copy of the signature
database information. Security Manager detects whether you have access to Cisco.com and makes the
appropriate link for you without your having to set a preference.
The database includes information only for built-in, default signatures. You cannot find information
about custom (user-defined) signatures.
Beginning with Security Manager 4.4, the Signatures Page (IPS > Signatures > Signatures) contains an
Explanation tab and a Related Threats tab for each signature. These tabs display detailed information in
a separate window on the Signatures page. For example, the Explanation tab displays Description,
Signature ID, and so forth; the Related Threats tab displays vulnerabilities for other software that you
may be using, and so forth.