38-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
Service H225—Inspects VoIP traffic.
service-http—Inspects HTTP traffic. The WEBPORTS variable defines the ports on which HTTP traffic
is inspected.
Service IDENT—Inspects IDENT (client and server) traffic.
Service MSRPC—Inspects MSRPC traffic.
Service MSSQL—Inspects Microsoft SQL traffic.
Service NTP—Inspects NTP traffic.
service-rpc—Inspects RPC traffic.
Service SMB—Inspects SMB traffic.
Service SMB Advanced—Processes Microsoft SMB and Microsoft RPC over SMB packets.
Service SNMP—Inspects SNMP traffic.
Service SSH—Inspects SSH traffic.
Service TNS—Inspects TNS traffic.
state—Stateful searches of strings in protocols such as SMTP.
string-icmp—Searches ICMP traffic for matches against regular-expression (regex) strings.
string-tcp—Searches TCP traffic for matches against regular-expression (regex) strings.
string-udp—Searches UDP traffic for matches against regular-expression (regex) strings.
Sweep—Analyzes sweeps of ports, hosts, and services, from a single host (ICMP and TCP), from
destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes.
Sweep Other TCP—Analyzes TCP flag combinations from reconnaissance scans that are trying to
get information about a single host. The signatures look for three configured flag combinations,
referred to as A, B, and C. When all three have been seen, an alert is fired.
Traffic ICMP—Analyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. There are only
two signatures with configurable parameters.
Traffic Anomaly—Analyzes TCP, UDP, and other traffic for worm-infested hosts.
Trojan Bo2k—Analyzes traffic from the nonstandard protocol BO2K. There are no
user-configurable parameters in this engine.
Trojan Tfn2k—Analyzes traffic from the nonstandard protocol TFN2K. There are no
user-configurable parameters in this engine.
Trojan UDP—Analyzes UDP traffic for trojan activity. There are no user-configurable parameters
in this engine.
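The following is an added illustration, not code from Cisco Security Manager or the IPS sensor, of how two of the engine behaviors listed above work in principle: a string-tcp style signature that applies a regex to TCP payloads only on a configured port set (modeled on the WEBPORTS variable), and a Sweep style signature that fires once when a single host touches more than a threshold of distinct destination ports within a time window. The packet records, port values, regex, signature IDs, and threshold values are all constructed for this example and are assumptions, not Cisco defaults.

```python
"""Toy model of a string-tcp engine and a TCP port-sweep engine.
Added illustration only; not Cisco's implementation. All packets,
ports, signature IDs and thresholds below are constructed values."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    flags: str = ""    # TCP flags as letters, e.g. "S", "SA", "PA"


# Constructed analogue of the WEBPORTS variable (assumed values).
WEBPORTS = {80, 8080}


class StringTcpSignature:
    """Fires when a regex matches a TCP payload sent to a configured port."""

    def __init__(self, sig_id, regex, ports):
        self.sig_id = sig_id
        self.regex = re.compile(regex)   # bytes pattern, matched on raw payload
        self.ports = ports

    def inspect(self, pkt):
        if pkt.proto != "tcp" or pkt.dport not in self.ports:
            return None
        if self.regex.search(pkt.payload):
            return (self.sig_id, pkt.src, pkt.dst)
        return None


class TcpPortSweepSignature:
    """Fires once per (src, dst) pair when one source probes more than
    `threshold` distinct destination ports on one host within `window` seconds."""

    def __init__(self, sig_id, threshold, window):
        self.sig_id = sig_id
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
        self.fired = set()

    def inspect(self, pkt):
        # Only count connection attempts: SYN without ACK.
        if pkt.proto != "tcp" or "S" not in pkt.flags or "A" in pkt.flags:
            return None
        key = (pkt.src, pkt.dst)
        cutoff = pkt.ts - self.window
        # Keep only probes inside the sliding window, then add this one.
        hist = [h for h in self.seen[key] if h[0] >= cutoff]
        hist.append((pkt.ts, pkt.dport))
        self.seen[key] = hist
        unique_ports = {p for _, p in hist}
        if len(unique_ports) > self.threshold and key not in self.fired:
            self.fired.add(key)
            return (self.sig_id, pkt.src, pkt.dst)
        return None


def run_engines(packets, signatures):
    """Pass every packet through every signature and collect alerts in order."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            alert = sig.inspect(pkt)
            if alert:
                alerts.append(alert)
    return alerts


def sample_packets():
    # Constructed traffic: a traversal string in an HTTP request on port 80,
    # the same string on port 22 (not a WEBPORT, so ignored), and a SYN sweep
    # of 20 ports from 10.0.0.5 against 10.0.0.9 within two seconds.
    pkts = [
        Packet(0.0, "tcp", "10.0.0.4", "10.0.0.9", 80,
               b"GET /../../etc/passwd HTTP/1.1\r\n", "PA"),
        Packet(0.1, "tcp", "10.0.0.4", "10.0.0.9", 22,
               b"../../etc/passwd", "PA"),
    ]
    pkts += [Packet(1.0 + i * 0.1, "tcp", "10.0.0.5", "10.0.0.9", 1000 + i, b"", "S")
             for i in range(20)]
    return pkts


def demo():
    sigs = [
        StringTcpSignature(60001, rb"\.\./\.\./etc/passwd", WEBPORTS),
        TcpPortSweepSignature(60002, threshold=15, window=5.0),
    ]
    return run_engines(sample_packets(), sigs)


if __name__ == "__main__":
    for alert in demo():
        print(alert)   # (sig_id, src, dst)
```

Note the two design points the engine list implies: the string-tcp signature never looks at port 22 because inspection is scoped by the port variable, so a WEBPORTS value that omits a non-standard HTTP port silently blinds the signature; and the sweep signature counts unique destination ports on connection attempts only, so it does not fire on a client legitimately reusing a single service port many times.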
Cloning Signatures
If you want to create a custom signature that is similar to an existing signature, you can create a clone,
or copy, of the signature. You can then edit the parameters to make the clone perform according to your
requirements.
For example, you might want to create a clone of a Cisco-defined signature to customize it to your needs.
You might find this preferable to converting the Cisco signature to a Local or shared policy signature and
directly editing its parameters.
To clone a signature, follow these steps: