Filter
Top Products
38-17
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
Note Beginning with Security Manager 4.4, you can specify a signature ID and a subsignature ID
while adding a custom signature. If you specify a signatureID/subsignature ID combination that
already exists, you will receive an error message.
Engine Options
The following list identifies the options you can specifying in the Engine field of the Edit Signature
Parameters dialog box. For detailed information about each engine, and the parameters available, see the
“Signature Engines” section in the Installing and Using Cisco Intrusion Prevention System Device
Manager document for the IPS Software release you are using.
• AIC FTP—Inspects FTP traffic and lets you control the commands being issued.
• AIC HTTP—Provides granular control over HTTP sessions to prevent abuse of the HTTP protocol.
• Atomic ARP—Inspects Layer-2 ARP protocol. The Atomic ARP engine is different because most
engines are based on Layer-3-IP.
• atomic-ip—Inspects IP protocol packets and associated Layer-4 transport protocols.
• Atomic IPv6—Detects IOS vulnerabilities that are stimulated by malformed IPv6 traffic.
• Flood Host—Detects ICMP and UDP floods directed at hosts.
• Flood Net—Detects ICMP and UDP floods directed at networks.
• Meta—Defines events that occur in a related manner within a sliding time interval. This engine
processes events rather than packets.
• multi-string—Defines signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP)
payloads using multiple string matches for one signature. You can specify a series of regular
expression patterns that must be matched to fire the signature.
• normalizer—Configures how the IP and TCP normalizer functions and provides configuration for
signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance.
• service-dns—Inspects DNS (TCP and UDP) traffic.
• service-ftp—Inspects FTP traffic.
• Service Generic—Decodes custom service and payload.
The Service Generic engine allows programmatic signatures to be issued in a config-file-only
signature update. It has a simple machine and assembly language that is defined in the configuration
file. It runs the machine code (distilled from the assembly language) through its virtual machine,
which processes the instructions and pulls the important pieces of information out of the packet and
runs them through the comparisons and operations specified in the machine code. It is intended as
a rapid signature response engine to supplement the String and State engines.
You cannot use the Service Generic engine to create custom signatures.
Note Due to the proprietary nature of this complex language, we do not recommend that you edit
the Service Generic engine signature parameters. Change only the severity and event action
for these signatures.
• Service Generic Advanced—Generically analyzes network protocols.