User guide
Chapter 9: Configuring Other Intrusion Prevention Settings
108
Configuring OpenSignature

Introduction

OpenSignature (formerly Trons) uses a flexible rules language that lets you write customized, pattern-matching IDS signatures to detect specific threats that are not already covered preemptively in IPS products. This feature is integrated into the ISS Protocol Analysis Module (PAM) as a rule interpreter.
Risks associated with OpenSignature

The capabilities of custom signature development are very broad. With this flexibility comes added risk. Poorly written rules or signatures could impact sensor performance or have other consequences. Risks of using your own custom signatures include but are not limited to the following:

● unacceptable appliance performance
● throwing PAM into an infinite loop
● blocking all network traffic to a specific segment (inline mode with or without bypass)
Caution:
ISS does not guarantee appliance performance if you choose to use OpenSignature.
Enable this functionality at your own risk. ISS Customer Support is not available to help you
write or troubleshoot custom rules for your environment. If you require assistance to create
custom signatures, please contact ISS Professional Services.
OpenSignature syntax

The syntax options for each custom rule are as follows:

<action>: alert
<protocol>: tcp, udp, icmp, ip
<IP and netmask>: single IP address (a.b.c.d), range of IP addresses (a.b.c.d-w.x.y.z), network address using CIDR notation (a.b.c.0/24)
The negation operator is indicated with an '!':

alert tcp !192.168.1.0/24

This means an alert is raised when anything other than the address indicated with the '!' is seen.
Important: If you have improperly formatted an OpenSignature rule, you may receive a
PAM configuration error response.
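Because a malformed rule is only reported as a PAM configuration error once it is loaded, it helps to validate the rule header before deploying it. The following is an added example, not part of this guide or of PAM; it checks the three header fields described above (action, protocol, IP address as a single host, a dash range, or a CIDR network, optionally negated with '!'). The strictness of the checks, such as rejecting a CIDR with host bits set, is an assumption, not PAM's documented grammar.

```python
import ipaddress

# Constructed validator for the OpenSignature rule header on this page:
# <action> <protocol> <IP and netmask>. Field set and strictness are assumptions.
ACTIONS = {"alert"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def parse_address(token):
    """Return (negated, kind, value) for one address token, or raise ValueError."""
    negated = token.startswith("!")
    if negated:
        token = token[1:]
    if not token:
        raise ValueError("empty address after '!'")
    if "-" in token:
        # Range form a.b.c.d-w.x.y.z: both ends must parse and be ordered.
        lo, hi = token.split("-", 1)
        lo_ip, hi_ip = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if lo_ip > hi_ip:
            raise ValueError(f"range start {lo} is above range end {hi}")
        return negated, "range", (str(lo_ip), str(hi_ip))
    if "/" in token:
        # CIDR form a.b.c.0/24; strict=True rejects host bits set (assumed policy).
        return negated, "cidr", str(ipaddress.IPv4Network(token, strict=True))
    return negated, "single", str(ipaddress.IPv4Address(token))


def parse_rule(rule):
    """Parse 'action protocol address'; raise ValueError on any malformed field."""
    fields = rule.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {rule!r}")
    action, proto, addr = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto.lower() not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    negated, kind, value = parse_address(addr)
    return {"action": action, "protocol": proto.lower(),
            "negated": negated, "kind": kind, "address": value}


def check_rules(rules):
    """Validate a list of rules; return (parsed, errors) so bad rules are caught first."""
    parsed, errors = [], []
    for line in rules:
        try:
            parsed.append(parse_rule(line))
        except ValueError as exc:  # ipaddress errors are ValueError subclasses
            errors.append((line, str(exc)))
    return parsed, errors
```

Run `check_rules` over a rule file before loading it; any entry in the returned error list would otherwise surface only as a PAM configuration error.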