Cisco Systems CL-28826-01 Security Camera User Manual

User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
Editing the Component List for Meta Engine Signatures
Use the Edit Signature Parameter—Component List dialog box to edit the component list for a Meta engine signature.

The Meta engine defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets. As signature events are generated, the Meta engine inspects them to determine whether they match one or more Meta definitions. The Meta engine generates a signature event after all requirements for the event are met.

All signature events are handed off to the Meta engine by the Signature Event Action Processor. The Signature Event Action Processor hands off the event after processing the minimum hits option. Summarization and event action are processed after the Meta engine has processed the component events.

The Meta engine differs from other engines in that it takes alerts as input, where most engines take packets as input. Thus, in a Meta engine signature, you must identify the signatures that the Meta signature should look for. This list of signatures is contained in the Component list.

The Component list is part of the signature parameters. To edit the parameters, follow the procedure described in Editing Signature Parameters (Tuning Signatures), page 38-19. When you open the Edit Signature Parameters dialog box for a signature that uses the Meta engine, look for the Engine > Component List parameter. The parameter value contains a pencil icon and the word List. Click List to open the Edit Signature Parameter—Component List dialog box.

The dialog box is divided into two lists, an Inactive list (on the left) and an Active list (on the right). The Active list defines the signatures that the Meta engine signature is looking for.
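
The following Python model is an added illustration of the behavior described above (alerts as input, a component list, a sliding time interval); it is not taken from the Cisco guide and is not Cisco's implementation. The class and function names, the signature IDs, the 60-second interval and the grouping by attacker address are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SigEvent:
    ts: float       # event time in seconds
    sig_id: int     # ID of the component signature that fired
    attacker: str
    victim: str


class MetaSignature:
    """Model of a meta signature: fires once every signature in the component
    list has been seen for the same key inside the sliding interval."""

    def __init__(self, meta_id, components, interval, key=lambda e: e.attacker):
        self.meta_id = meta_id
        self.components = frozenset(components)  # the active component list
        self.interval = interval                 # sliding window, seconds (assumed)
        self.key = key                           # event grouping (assumed)
        self.seen = defaultdict(deque)           # key -> deque of (ts, sig_id)

    def feed(self, ev):
        if ev.sig_id not in self.components:
            return None                          # not a component: ignored
        window = self.seen[self.key(ev)]
        window.append((ev.ts, ev.sig_id))
        while ev.ts - window[0][0] > self.interval:
            window.popleft()                     # slide: drop expired events
        if {sid for _, sid in window} == self.components:
            window.clear()                       # one match, one meta event
            return (self.meta_id, self.key(ev), ev.ts)
        return None


def correlate(meta, events):
    """Feed events in time order; return the meta events generated."""
    ordered = sorted(events, key=lambda e: e.ts)
    return [hit for ev in ordered if (hit := meta.feed(ev))]


# Constructed sample events; signature IDs and addresses are made up.
SAMPLE = [
    SigEvent(0.0, 60001, "10.0.0.5", "192.0.2.10"),
    SigEvent(5.0, 60002, "10.0.0.5", "192.0.2.10"),
    SigEvent(6.0, 60001, "10.0.0.9", "192.0.2.10"),
    SigEvent(30.0, 60003, "10.0.0.5", "192.0.2.10"),  # completes the set
    SigEvent(40.0, 60002, "10.0.0.9", "192.0.2.10"),
    SigEvent(90.0, 60003, "10.0.0.9", "192.0.2.10"),  # 60001 has expired
    SigEvent(95.0, 61234, "10.0.0.5", "192.0.2.10"),  # not in component list
]
```

Only the first attacker produces a meta event: the second attacker's three component events span more than the interval, so the earliest one has left the window before the last arrives.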
Table 38-5 Edit Signature Parameters Dialog Box (Continued)

Element: Summary Key (Summary Mode group.)
Description: The storage type used to summarize alerts. Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address.

Element: Specify Global Summary Threshold (Summary Mode group.)
Description: Whether to specify the threshold number of events to take the alert into global summary, Yes or No. If you select Yes, enter the threshold number of events, from 1 to 65535. The default is 240.

Element: Status
Description: The status of the signature. The Obsoletes list shows the signatures that are obsoleted by this signature; click the pencil icon to open the list. In many cases, this information is read-only. If you can modify the list, click Set in the parameter field to open the list, where you can add the obsoleted signature IDs.

Element: Vulnerable OS List
Description: The list of operating systems that this attack targets.

Element: MARS Category
Description: The category in Cisco Security MARS to which this signature belongs. This metadata is used to color the events generated in such a way as to provide MARS with the data that it needs to process this signature relative to the event categories that it studies.

Element: Expand All button
Description: Expands all categories and subcategories.

Element: Collapse All button
Description: Collapses all fields to the category.