Chapter 27 Cisco IOS IPS
Edit IPS
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
SigName—Name assigned to the signature.
SubSig—Unique numerical value assigned to this subsignature. A subsig ID
is used to identify a more granular version of a broad signature.
AlarmInterval—Special handling for timed events. Use AlarmInterval Y
with MinHits X for X alarms in a Y-second interval.
AlarmSeverity—Severity of the alarm for this signature.
AlarmThrottle—Technique used for triggering alarms.
AlarmTraits—User-defined traits further describing this signature.
ChokeThreshold—Threshold value of alarms-per-interval that triggers
autoswitch AlarmThrottle modes. If ChokeThreshold is defined, Cisco IOS
IPS automatically switches AlarmThrottle modes if a large volume of alarms
is seen in the ThrottleInterval.
Enabled—Identifies whether or not the signature is enabled. A signature
must be enabled in order for Cisco IOS IPS to protect against the traffic
specified by the signature.
EventAction—Actions Cisco IOS IPS will take if this signature is triggered.
FlipAddr—True if the source and destination addresses, and their associated
ports, are swapped in the alarm message. False if no swap occurs (default).
MinHits—Specifies the minimum number of signature hits that must occur
before the alarm message is sent. A hit is the appearance of the signature on
the address key.
SigComment—Comment or description text for the signature.
SigVersion—Signature version.
ThrottleInterval—Number of seconds defining an Alarm Throttle interval.
This is used with the AlarmThrottle parameter to tune special alarm limiters.
WantFrag—True enables inspection of fragmented packets only. False
enables inspection of non-fragmented packets only. Choose “undefined” to
allow for inspection of both fragmented and non-fragmented packets.
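
The interaction of MinHits, AlarmInterval, ThrottleInterval and ChokeThreshold described above can be previewed offline before tuning a signature. The following is an added example, not code from the guide or from Cisco IOS IPS: a simplified model that replays constructed signature hits, where the function name, the string address keys, the restart of counting after each alarm, and the fixed alignment of ThrottleInterval windows are all assumptions.

```python
from collections import defaultdict, deque

def simulate(hits, min_hits, alarm_interval, throttle_interval, choke_threshold):
    """Replay (timestamp_seconds, address_key) signature hits.

    Returns (alarms, choke_windows):
      alarms        -- (timestamp, address_key) for each alarm raised
      choke_windows -- start times of ThrottleInterval windows in which the
                       alarm count exceeded ChokeThreshold
    """
    recent = defaultdict(deque)    # address key -> hit times inside AlarmInterval
    per_window = defaultdict(int)  # ThrottleInterval window start -> alarm count
    alarms = []
    for ts, key in sorted(hits):
        window = recent[key]
        window.append(ts)
        # Drop hits on this address key that have aged out of the AlarmInterval.
        while window and ts - window[0] >= alarm_interval:
            window.popleft()
        # MinHits X within AlarmInterval Y: alarm only once X hits accumulate.
        if len(window) >= min_hits:
            alarms.append((ts, key))
            window.clear()         # assumption: counting restarts after an alarm
            per_window[ts - ts % throttle_interval] += 1
    # Windows where the alarm volume would cross ChokeThreshold, the point at
    # which the guide says the AlarmThrottle mode is switched automatically.
    choke_windows = sorted(w for w, n in per_window.items() if n > choke_threshold)
    return alarms, choke_windows

# Constructed sample: A sends a short burst, B sends sparse hits, A bursts again.
A, B = "10.0.0.5", "10.0.0.9"
SAMPLE_HITS = ([(t, A) for t in (0, 1, 2)]
               + [(t, B) for t in (0, 10, 20)]
               + [(t, A) for t in range(30, 39)])

if __name__ == "__main__":
    alarms, choke = simulate(SAMPLE_HITS, min_hits=3, alarm_interval=5,
                             throttle_interval=30, choke_threshold=2)
    print("alarms:", alarms)
    print("ThrottleInterval windows over ChokeThreshold:", choke)
```

With MinHits 3 and AlarmInterval 5, the sparse hits from the second address key never raise an alarm, while the sustained burst from the first key pushes one ThrottleInterval window over the ChokeThreshold.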