User's guide
Chapter 19 Intrusion Prevention System
Import Signatures
Cisco Router and Security Device Manager Version 2.2 User’s Guide
OL-4015-08
Add, Edit, or Clone Signature
This window contains fields and values described in the Field Definitions section.
The fields vary depending on the signature. Therefore, this is not an exhaustive
list of all the fields you might see.
Field Definitions
The following fields are found on the Add, Edit and Clone Signature screens.
• SIGID—Identifies the unique numerical value assigned to this signature.
This value allows IPS to identify a particular signature.
• SigName—Identifies the name assigned to the signature.
• SubSig—Identifies the unique numerical value assigned to this
sub-signature. A subSig ID is used to identify a more granular version of a
broad signature.
• AlarmInterval—Special handling for timed events. Use AlarmInterval Y
with MinHits X for X alarms in a Y-second interval.
• AlarmSeverity—Severity reported in the alarm for this signature.
• AlarmThrottle—Technique used for alarm firings.
• AlarmTraits—User-defined traits further describing this signature.
• ChokeThreshold—Threshold value of alarms-per-interval to auto-switch
AlarmThrottle modes. If ChokeThreshold is defined, IPS will automatically
switch AlarmThrottle modes when a large volume of alarms is seen in the
ThrottleInterval.
• Enabled—Identifies whether or not the signature is enabled. A signature
must be enabled in order for IPS to protect against the traffic specified by the
signature.
• EventAction—Identifies the actions IPS will take when this signature fires.
• FlipAddr—True if the source and destination addresses (and ports) are
swapped in the alarm message. False for no swap (normal).
• MinHits—Minimum number of signature hits before the alarm message is
sent. This is a limiter that fires the alarm only after the signature has been
seen X times on the address key.
• SigComment—The comment of the signature.
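
The interaction of MinHits and AlarmInterval described above can be modeled as a per-address-key counter over a time window. The following Python sketch is an added example, not code from the guide or from Cisco. It assumes a sliding window and a count that restarts after each alarm, and the function name, key format, and sample hits are constructed for illustration.

```python
from collections import defaultdict, deque


def alarms(hits, min_hits, alarm_interval):
    """Return (time, address_key) for each alarm a MinHits/AlarmInterval limiter sends.

    hits: iterable of (timestamp_seconds, address_key), sorted by time.
    Assumptions (not from the guide): the interval is a sliding window that
    ends at the current hit, and the per-key count restarts after an alarm.
    """
    recent = defaultdict(deque)  # address key -> hit timestamps still in window
    fired = []
    for ts, key in hits:
        window = recent[key]
        window.append(ts)
        # Drop hits that are AlarmInterval seconds old or older.
        while ts - window[0] >= alarm_interval:
            window.popleft()
        if len(window) >= min_hits:
            fired.append((ts, key))
            window.clear()  # assumed: counting restarts after the alarm
    return fired


# Constructed sample: signature hits as (seconds, "source->destination" key).
KEY_A = "10.0.0.5->192.0.2.10"
KEY_B = "10.0.0.9->192.0.2.10"
SAMPLE_HITS = [
    (0, KEY_A),
    (2, KEY_A),
    (3, KEY_B),   # different address key, counted separately
    (4, KEY_A),   # third hit on KEY_A inside 10 s: alarm
    (20, KEY_B),
    (40, KEY_B),  # KEY_B hits are too far apart to reach MinHits 3
    (41, KEY_A),
    (55, KEY_A),
]

if __name__ == "__main__":
    # MinHits X = 3, AlarmInterval Y = 10 seconds.
    for ts, key in alarms(SAMPLE_HITS, min_hits=3, alarm_interval=10):
        print(f"t={ts}s alarm for {key}")
```

With MinHits 3 and AlarmInterval 10, the eight sample hits produce a single alarm, which shows how these two fields reduce alarm volume and why hits spread across different address keys or longer intervals stay silent.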