38-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
Adding Custom Signatures
If you want to look for traffic patterns that are not identified by the built-in signatures, you can create
your own custom signatures to define the traffic patterns.
Even if a built-in signature covers the traffic pattern, you might want to create a custom signature to edit
the detailed signature parameters without altering the default signature. If you are creating a custom
signature that is similar to an existing signature, the easiest way to do it is to clone the signature as
described in Cloning Signatures, page 38-18.
Note The AIP-SSC-5 does not support custom signatures.
Step 1 Do one of the following:
(Device view) Select IPS > Signatures > Signatures from the Policy selector.
(Policy view, IPS appliances and service modules) Select IPS > Signatures > Signatures, then
select an existing policy or create a new one.
(Policy view, Cisco IOS IPS devices) Select IPS (Router) > Signatures, then select an existing
policy or create a new one.
The Signature page appears; see Signatures Page, page 38-4.
Step 2 Click the Add Row (+) button beneath the signature table to open the Add Custom Signature dialog box.
Step 3 Configure the desired settings. For specific details about each option, see Edit Signature or Add Custom
Signature Dialog Boxes, page 38-12.
When creating signatures, keep the following in mind:
You cannot change the signature name after you define the signature. If you later want to change the
name, you must clone the signature and change it while creating the clone.
Select the appropriate signature engine for the signature. For a description of the signature engines,
see Engine Options, page 38-17. You cannot change the engine after you create the signature; if you
select the wrong engine and click OK to save the signature, you must start over and create an entirely
new signature.
The default is to create an enabled signature, but you can deselect the Enabled check box to initially
create a disabled signature. You might want to disable the signature if you have not finished editing
its parameters.
Follow the procedure described in Editing Signature Parameters (Tuning Signatures), page 38-19 to
define the detailed signature parameters. You must select the desired engine before you edit the
parameters, because many of the parameters are determined by the signature engine.
Whether you can save the signature before configuring parameters differs based on the engine that
you select. At minimum, you must click Edit Parameters to open the Edit Signature Parameters
dialog box, and then click OK in the Edit Signature Parameters dialog box, before you can save the
signature definition. However, to create a meaningful signature, you will need to configure the
parameters to identify the desired traffic pattern.
Step 4 Click OK to save your changes.
The custom signature is added to the end of the table and given the next available signature ID starting
at 60000.