Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 7 Defining Signatures
Creating Custom Signatures
modify-packet-inline—Modifies packet data to remove ambiguity about what the end point might do with the packet.
max-field-sizes—Grouping for maximum field sizes:
  specify-max-arg-field-length {yes | no}—Enables max-arg-field-length (optional).
  specify-max-header-field-length {yes | no}—Enables max-header-field-length (optional).
  specify-max-request-length {yes | no}—Enables max-request-length (optional).
  specify-max-uri-field-length {yes | no}—Enables max-uri-field-length (optional).
no—Removes an entry or selection setting.
regex—Regular expression grouping:
  specify-arg-name-regex—Enables arg-name-regex (optional).
  specify-header-regex—Enables header-regex (optional).
  specify-request-regex—Enables request-regex (optional).
  specify-uri-regex—Enables uri-regex (optional).
service-ports—A comma-separated list of ports or port ranges where the target service may reside.
swap-attacker-victim {true | false}—Whether the source and destination addresses (and ports) are swapped in the alarm message. The default is false for no swapping.
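An added example, not from the Cisco guide: a simplified Python model of how the max-field-sizes and regex criteria listed above can be tried against sample requests before a custom signature is configured. The field boundaries (URI before the `?`, arguments after it, "request" as the whole request target), the `SIG` values and the sample requests are assumptions of this sketch, and Python `re` stands in for the sensor's own regex syntax.

```python
import re

# Constructed settings: keys mirror the parameters above; None = specify-* set to no.
SIG = {
    "max-uri-field-length": 40,
    "max-arg-field-length": 16,
    "max-header-field-length": 64,
    "max-request-length": None,
    "uri-regex": rb"\.\./",
    "arg-name-regex": rb"^(cmd|exec)$",
    "header-regex": None,
    "request-regex": None,
}

def split_request(raw):
    """Split a raw HTTP request into the fields the criteria apply to (assumed)."""
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    target = parts[1] if len(parts) > 1 else b""      # URI plus arguments
    uri, _, query = target.partition(b"?")
    args = [a.partition(b"=")[::2] for a in query.split(b"&") if a]
    return {
        "uri": [uri],
        "arg": [value for _, value in args],
        "arg-name": [name for name, _ in args],
        "header": lines[1:],
        "request": [target],
    }

def matched_criteria(raw, sig=SIG):
    """Return the sorted names of the enabled criteria that the request trips."""
    fields = split_request(raw)
    hits = []
    for key, value in sig.items():
        if value is None:
            continue
        if key.startswith("max-"):                    # length limit on a field
            tripped = any(len(x) > value for x in fields[key[4:].split("-")[0]])
        else:                                         # "<field>-regex" pattern
            tripped = any(re.search(value, x) for x in fields[key[:-6]])
        if tripped:
            hits.append(key)
    return sorted(hits)

# Constructed sample requests.
HOST = b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN = b"GET /index.html?page=2" + HOST
TRAVERSAL = b"GET /static/../../conf/app.ini" + HOST
LONG_ARG = b"GET /search?q=" + b"A" * 200 + b"&cmd=id" + HOST
```

Calling `matched_criteria()` on each sample shows which limits and patterns would fire, which helps in choosing thresholds that do not trip on benign traffic.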
Creating a Service HTTP Engine Signature
To create a custom signature based on the Service HTTP engine, follow these steps:
Step 1
Log in to the CLI using an account with administrator or operator privileges.
Step 2
Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3
Specify a signature ID and a subsignature ID for the signature. Custom signatures are in the range of
60000 to 65000.
sensor(config-sig)# signatures 63000 0
Step 4
Enter signature description mode.
sensor(config-sig-sig)# sig-description
Step 5
Specify a signature name.
sensor(config-sig-sig-sig)# sig-name myWebSig
Step 6
Specify the alert traits. The valid range is from 0 to 65535.
sensor(config-sig-sig-sig)# alert-traits 2
Step 7
Exit signature description submode.
sensor(config-sig-sig-sig)# exit
Step 8
Specify the alert frequency.
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode fire-all
sensor(config-sig-sig-ale-fir)# summary-key Axxx
sensor(config-sig-sig-ale-fir)# specify-summary-threshold yes