7-47
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 7 Defining Signatures
Creating Custom Signatures
Meta Signature Engine Enhancement
The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding
payload from the victim. It is also used to inspect streams at different offsets. The Meta engine supports
the AND and OR logical operators. ANDNOT capability has been added to the Meta engine. This clause
is a negative clause used to complement the existing positive clause-based signatures. The previous
signature format had the following form:
IF (A and B and C) then Alarm; alternatively, IF (A or B or C) then Alarm is also
supported; where A, B, and C are meta component signatures.
The addition of the negative clause allows for the following logic:
IF (A and/or B) AND NOT (C and/or D) then Alarm.
The (C and/or D) is the negative clause and is satisfied if (C and D) [alternatively (C or D)] do not occur
before the Meta Reset Interval time expires.
A component of the positive clause must occur before the negative clause(s) to establish the Meta
tracking state. The Meta engine cannot track the lack of past behavior. The state of the negative clause
is evaluated when the Meta Reset Interval time expires.
Caution
A custom signature can affect the performance of your sensor. Test the custom signature against a
baseline sensor performance for your network to determine the overall impact of the signature.
The Meta engine is different from other engines in that it takes alerts as input where most engines take
packets as input.
The following options apply:
- component-list name1—Specifies the list of Meta components:
  - edit—Edits an existing entry in the list.
  - insert—Inserts a new entry into the list.
  - move—Moves an entry in the list.
  - begin—Places the entry at the beginning of the active list.
  - end—Places the entry at the end of the active list.
  - inactive—Places the entry into the inactive list.
  - before—Places the entry before the specified entry.
  - after—Places the entry after the specified entry.
  - component-count—Specifies the number of times the component must fire before this component is satisfied.
  - component-sig-id—Specifies the signature ID of the signature to match this component on.
  - component-subsig-id—Specifies the subsignature ID of the signature to match this component on.
  - is-not-component {true | false}—Specifies that the component is a NOT component.
- component-list-in-order {true | false}—Specifies whether the component list must fire in order. For example, if signature 1001 in the m2 component fires before signature 1000 in the m1 component, the Meta signature will not fire.
- all-components-required {true | false}—Specifies that all components must be used. This option works with the all-not-components-required option: if you have NOT components configured as required, the Meta signature will not fire.
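The clause logic described above (positive clause, ANDNOT clause evaluated at Meta Reset Interval expiry, tracking state that cannot see past behaviour) and the component-count, component-list-in-order and all-components-required options can be modelled as a small evaluator. The following Python is an added illustration, not Cisco code and not the sensor's actual implementation; the `all_not_required` semantics (AND over the NOT components when true, OR when false) is an assumption, as are the constructed signature IDs and timestamps.

```python
from dataclasses import dataclass

@dataclass
class Component:
    sig_id: int            # component-sig-id
    count: int = 1         # component-count: fires needed to satisfy this component
    is_not: bool = False   # is-not-component

@dataclass
class MetaSig:
    components: list
    reset_interval: float          # Meta Reset Interval, in seconds
    in_order: bool = False         # component-list-in-order
    all_required: bool = True      # all-components-required (AND); False means OR
    all_not_required: bool = True  # all-not-components-required (assumed: AND over NOT components)

def evaluate_meta(sig, alerts):
    """Decide, when the Meta Reset Interval expires, whether the Meta signature fires.
    alerts: time-sorted (timestamp, sig_id) pairs emitted by component signatures."""
    positive = [c for c in sig.components if not c.is_not]
    negative = [c for c in sig.components if c.is_not]
    pos_ids = {c.sig_id for c in positive}
    hits = {c.sig_id: 0 for c in sig.components}
    start, next_pos = None, 0
    for ts, sid in alerts:
        if start is None:
            # Tracking state opens only on a positive component; the engine cannot
            # track the lack of past behaviour, so earlier NOT-component alerts are ignored.
            if sid not in pos_ids:
                continue
            start = ts
        if ts - start >= sig.reset_interval:
            break  # interval expired: evaluate on what was seen inside the window
        if sid not in hits:
            continue
        hits[sid] += 1
        if sig.in_order and next_pos < len(positive) and sid in pos_ids:
            if sid != positive[next_pos].sig_id:
                return False  # a later component fired before the expected one
            if hits[sid] >= positive[next_pos].count:
                next_pos += 1
    if start is None:
        return False
    pos_ok = [hits[c.sig_id] >= c.count for c in positive]
    neg_hit = [hits[c.sig_id] >= c.count for c in negative]
    positive_satisfied = all(pos_ok) if sig.all_required else any(pos_ok)
    negative_occurred = bool(negative) and (all(neg_hit) if sig.all_not_required else any(neg_hit))
    return positive_satisfied and not negative_occurred

# Constructed example: IF (1000 AND 1001) AND NOT (1002), with a 10-second reset interval.
ANDNOT_SIG = MetaSig([Component(1000), Component(1001), Component(1002, is_not=True)], 10)
```

A NOT-component alert that arrives before any positive component, or after the interval has expired, does not suppress the alarm, which is exactly the "cannot track the lack of past behavior" caveat above.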