38-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
• Service H225—Inspects VoIP traffic.
• service-http—Inspects HTTP traffic. The WEBPORTS variable defines the inspection ports for HTTP traffic.
• Service IDENT—Inspects IDENT (client and server) traffic.
• Service MSRPC—Inspects MSRPC traffic.
• Service MSSQL—Inspects Microsoft SQL traffic.
• Service NTP—Inspects NTP traffic.
• service-rpc—Inspects RPC traffic.
• Service SMB—Inspects SMB traffic.
• Service SMB Advanced—Processes Microsoft SMB and Microsoft RPC over SMB packets.
• Service SNMP—Inspects SNMP traffic.
• Service SSH—Inspects SSH traffic.
• Service TNS—Inspects TNS traffic.
• state—Performs stateful searches for strings in protocols such as SMTP.
• string-icmp—Searches for regular-expression (Regex) strings in ICMP traffic.
• string-tcp—Searches for regular-expression (Regex) strings in TCP traffic.
• string-udp—Searches for regular-expression (Regex) strings in UDP traffic.
• Sweep—Analyzes sweeps of ports, hosts, and services from a single host (ICMP and TCP), sweeps of destination ports (TCP and UDP), and sweeps of multiple ports with RPC requests between two nodes.
• Sweep Other TCP—Analyzes TCP flag combinations from reconnaissance scans that are trying to get information about a single host. The signatures look for flag combinations A, B, and C. When all three are seen, an alert is fired.
• Traffic ICMP—Analyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. Only two signatures in this engine have configurable parameters.
• Traffic Anomaly—Analyzes TCP, UDP, and other traffic for worm-infested hosts.
• Trojan Bo2k—Analyzes traffic from the nonstandard protocol BO2K. There are no user-configurable parameters in this engine.
• Trojan Tfn2k—Analyzes traffic from the nonstandard protocol TFN2K. There are no user-configurable parameters in this engine.
• Trojan UDP—Analyzes traffic from the UDP protocol. There are no user-configurable parameters in this engine.
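The Sweep Other TCP engine described above is stateful: it remembers, per source and destination host, which of its configured flag combinations it has already seen, and raises one alert when the full set has been observed. The following Python model is an added illustration of that detection logic, not Cisco code and not the engine's real implementation; the signature number, the three flag combinations chosen for A, B, and C, and the sample segments are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# TCP flag bits as they appear in the TCP header flags byte.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_names(flags: int) -> FrozenSet[str]:
    """Translate a raw TCP flags byte into the set of flag names that are set."""
    return frozenset(name for name, bit in FLAG_BITS.items() if flags & bit)


@dataclass
class SweepOtherTcp:
    """Toy 'Sweep Other TCP' engine (hypothetical model, not the Cisco engine).

    Tracks, per (source, destination) pair, which configured flag combinations
    have been observed, and fires exactly once when all of them have been seen.
    """
    sig_id: int
    combos: Tuple[FrozenSet[str], ...]  # the configured combinations A, B, C
    seen: Dict[Tuple[str, str], Set[FrozenSet[str]]] = field(default_factory=dict)
    fired: Set[Tuple[str, str]] = field(default_factory=set)

    def observe(self, src: str, dst: str, flags: int) -> bool:
        """Feed one TCP segment; return True if this segment completes the sweep."""
        key = (src, dst)
        if key in self.fired:
            return False  # alert already raised for this pair; stay quiet
        names = flag_names(flags)
        if names in self.combos:  # exact match against one configured combination
            self.seen.setdefault(key, set()).add(names)
        if len(self.seen.get(key, ())) == len(self.combos):
            self.fired.add(key)
            return True
        return False


# Constructed sample segments: (source, destination, raw flags byte).
# 10.0.0.7 performs a normal SYN/ACK exchange; 10.0.0.5 sends all three
# configured combinations to 10.0.0.9, then repeats one of them.
SAMPLE_SEGMENTS = [
    ("10.0.0.7", "10.0.0.9", FLAG_BITS["SYN"]),
    ("10.0.0.7", "10.0.0.9", FLAG_BITS["ACK"]),
    ("10.0.0.5", "10.0.0.9", FLAG_BITS["FIN"]),                                        # combination A
    ("10.0.0.5", "10.0.0.9", 0),                                                        # combination B (no flags)
    ("10.0.0.5", "10.0.0.9", FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"]),  # combination C
    ("10.0.0.5", "10.0.0.9", FLAG_BITS["FIN"]),                                        # repeat: no second alert
]


def run_sample(segments=SAMPLE_SEGMENTS) -> List[Tuple[int, str, str]]:
    """Run the sample segments through the engine; return (sig_id, src, dst) alerts."""
    sig = SweepOtherTcp(
        sig_id=99001,  # constructed signature number, not a Cisco-defined signature
        combos=(frozenset({"FIN"}), frozenset(), frozenset({"FIN", "PSH", "URG"})),
    )
    alerts = []
    for src, dst, flags in segments:
        if sig.observe(src, dst, flags):
            alerts.append((sig.sig_id, src, dst))
    return alerts


if __name__ == "__main__":
    for sig_id, src, dst in run_sample():
        print(f"sig {sig_id}: all configured flag combinations seen from {src} to {dst}")
```

The point of keeping state per (source, destination) pair rather than globally is that a host that only ever completes normal handshakes (10.0.0.7 above) never contributes to another host's tally, and the `fired` set keeps a noisy source from producing a stream of duplicate alerts for the same target.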
Cloning Signatures
If you want to create a custom signature that is similar to an existing signature, you can create a clone,
or copy, of the signature. You can then edit the parameters to make the clone perform according to your
requirements.
For example, you might want to create a clone of a Cisco-defined signature to customize it to your needs.
You might find this preferable to converting the Cisco signature to a Local or shared policy signature and
directly editing its parameters.
To clone a signature, follow these steps: