Cisco Systems CL-28826-01 Security Camera User Manual


38-24
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
Table 38-5 Edit Signature Parameters Dialog Box (Continued)

Element: Event Counter
Description: How the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set. Configure the following values:
• Event Count—The number of times an event must occur before an alert is generated. The value is 1 to 65535. The default is 1.
• Event Count Key—The storage type used to count events for this signature. Choose attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address. The default is attacker address.
• Specify Alert Interval—Whether you want to specify the time between alerts for resetting the event count, Yes or No. If you select Yes, enter the time in seconds from 2 to 1000.

Element: Alert Frequency
Description: How often the sensor alerts you when this signature is firing. Specify the following parameters for this signature. These parameters are explained below.
• Summary Mode
• Summary Interval
• Summary Key
• Specify Global Summary Threshold

Element: Summary Mode (Alert Frequency group)
Description: The mode of alert summarization. There are four modes: Fire All, Fire Once, Summarize, and Global Summarize. The summary mode is changed dynamically to adapt to the current alert volume. For example, you can configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing. Your selection of summary mode controls which other parameters are available in the Summary Mode group.
• Fire All—Fires an alert on all events.
• Fire Once—Fires an alert only once.
• Summarize—Summarizes alerts.
• Global Summarize—Summarizes an alert so that it only fires once regardless of how many attackers or victims.
Note: When multiple contexts from an ASA device are contained in one virtual sensor, the summary alerts contain the context name of the last context that was summarized. Thus, the summary is the result of all alerts of this type from all contexts that are being summarized.

Element: Specify Summary Threshold (Summary Mode group)
Description: When you select Fire All, you can select whether you want to configure the summary threshold settings that will be used if the device dynamically changes to summary mode. If you select Yes, you can configure the summary interval, key, or global summary thresholds.

Element: Summary Interval (Summary Mode group)
Description: The time in seconds used in each summary alert. The value is 1 to 65535. The default is 15.
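
A simplified model of the Event Counter parameters described above, added here as an example and not Cisco's implementation: it shows how the choice of Event Count Key decides whether the same traffic ever reaches the Event Count. The event field names, the `alerts` function, the sample events and the exact reset rule for the alert interval are assumptions.

```python
# Event Count Key choices from the table, mapped to the (assumed) event fields they group on.
KEYS = {
    "attacker address": ("src",),
    "attacker address and victim port": ("src", "dport"),
    "attacker and victim addresses": ("src", "dst"),
    "attacker and victim addresses and ports": ("src", "sport", "dst", "dport"),
    "victim address": ("dst",),
}

def alerts(events, event_count=1, count_key="attacker address", alert_interval=None):
    """Return (time, key) for every alert this simplified counter would raise."""
    if not 1 <= event_count <= 65535:
        raise ValueError("Event Count must be 1 to 65535")
    if alert_interval is not None and not 2 <= alert_interval <= 1000:
        raise ValueError("Alert Interval must be 2 to 1000 seconds")
    fields = KEYS[count_key]
    state = {}   # key -> (time of first counted event, count so far)
    fired = []
    for ev in sorted(events, key=lambda e: e["t"]):
        key = tuple(ev[f] for f in fields)
        start, count = state.get(key, (ev["t"], 0))
        # Assumption: the count starts over once the interval has
        # elapsed since the first event counted for this key.
        if alert_interval is not None and ev["t"] - start >= alert_interval:
            start, count = ev["t"], 0
        count += 1
        if count >= event_count:
            fired.append((ev["t"], key))
            state.pop(key, None)          # counting restarts after an alert
        else:
            state[key] = (start, count)
    return fired

# Constructed sample: one source touches five different hosts, one hit per second.
SWEEP = [{"t": i, "src": "192.0.2.10", "sport": 40000 + i,
          "dst": f"198.51.100.{i + 1}", "dport": 445} for i in range(5)]
# Constructed sample: five hits on a single host, 30 seconds apart.
SLOW = [{"t": 30 * i, "src": "192.0.2.10", "sport": 40000,
         "dst": "198.51.100.1", "dport": 445} for i in range(5)]

if __name__ == "__main__":
    for name in KEYS:
        print(f"{name:42} sweep alerts: {len(alerts(SWEEP, 5, name))}")
    print("slow, no interval :", alerts(SLOW, 5))
    print("slow, 60 s interval:", alerts(SLOW, 5, alert_interval=60))
```

With an Event Count of 5, the sweep raises an alert only under keys that ignore the victim address, and the slow series never alerts once a 60-second interval is set in this model.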