User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Understanding Signatures
Tip: If this window is not visible to you, expand it with the up arrow button in the bottom-left corner of the
Signatures page. To hide this window, collapse it with the corresponding down arrow, also in the
bottom-left corner of the Signatures page. You can resize this window with standard controls.
Understanding Signature Inheritance
Signature inheritance for IPS devices is different from that of any other Security Manager rules-based policy.
Inheritance refers to the capability of Security Manager to enforce hierarchical lists of first-match,
rule-based policies such as access rules. Signature inheritance is different because for IPS devices,
Security Manager allows inheritance on a per-signature basis.
This example shows what is meant by inheritance on a per-signature basis:
Step 1 In Policy View, select IPS > Signatures > Signatures.
Step 2 Create a policy named test1.
Step 3 Create a second policy, named test2.
Step 4 Right-click test2 and select Inherit Signatures. The Inherit Rules—test2 dialog box appears.
Step 5 Select test1 and click the OK button.
Step 6 Select test1 and edit a signature. Note the edit that you made and save your change.
Step 7 Select test2 and select the signature that you just edited. Observe that test2 inherited the edit that you
made to test1.
IPS Signature Purge
Beginning with Security Manager 4.1, old signature versions (defined as being older than the lowest
signature level deployed) are purged during a periodic purge operation, the purpose of which is to
optimize the database.
Note: As a result of the purge operation, you may notice the deletion of some of your unused tuning contexts.
Some of the purged signatures may be restored during your next download of IPS signature packages
from Cisco.com.
IPS signature purge is disabled by default. To enable IPS signature purge:
Step 1 Stop the Cisco Security Manager Daemon Manager: At the command prompt, enter net stop crmdmgtd.
Step 2 Navigate to the NMSROOT\MDC\ips\etc\sensorupdate.properties file, where NMSROOT is the path to the
Security Manager installation directory. The default is C:\Program Files\CSCOpx.
Step 3 In sensorupdate.properties, change purgeUnusedSignautesEntriesinDB:false to
purgeUnusedSignautesEntriesinDB:true.
Step 4 Restart the Cisco Security Manager Daemon Manager: At the command prompt, enter net start crmdmgtd.
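The four steps above can be run as one PowerShell script from an elevated prompt on the Security Manager server. This is an added example, not part of the Cisco guide. It assumes the default NMSROOT and that the file uses the ISO-8859-1 encoding conventional for Java properties files; the .bak backup name is also an assumption.

```powershell
$ErrorActionPreference = 'Stop'

# Assumption: default installation path from the guide; change if NMSROOT differs.
$NmsRoot   = 'C:\Program Files\CSCOpx'
$PropsFile = Join-Path $NmsRoot 'MDC\ips\etc\sensorupdate.properties'
$Key       = 'purgeUnusedSignautesEntriesinDB'   # spelled exactly as in the file
$Latin1    = [System.Text.Encoding]::GetEncoding(28591)   # ISO-8859-1 (assumed)

if (-not (Test-Path -LiteralPath $PropsFile)) {
    throw "Not found: $PropsFile (check NMSROOT)"
}

# Confirm the key is present and currently false before touching the service.
$text    = [System.IO.File]::ReadAllText($PropsFile, $Latin1)
$pattern = '(?m)^([ \t]*' + [regex]::Escape($Key) + '[ \t]*:[ \t]*)false([ \t]*\r?)$'
if ($text -notmatch $pattern) {
    throw "No '${Key}:false' line in $PropsFile; nothing was changed."
}

# Step 1: stop the Daemon Manager.
net stop crmdmgtd
if ($LASTEXITCODE -ne 0) { throw "net stop crmdmgtd failed (exit $LASTEXITCODE)" }

try {
    # Steps 2-3: keep a backup, then flip false to true on that one line only.
    Copy-Item -LiteralPath $PropsFile -Destination "$PropsFile.bak" -Force
    $updated = [regex]::Replace($text, $pattern, '${1}true${2}')
    [System.IO.File]::WriteAllText($PropsFile, $updated, $Latin1)
}
finally {
    # Step 4: restart the Daemon Manager even if the edit failed.
    net start crmdmgtd
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "net start crmdmgtd failed (exit $LASTEXITCODE); start it manually."
    }
}

# Show the resulting setting for the change record.
Select-String -LiteralPath $PropsFile -SimpleMatch $Key
```

If the edit fails, the service is still restarted and the .bak copy holds the original file.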