Cisco Systems CL-28826-01 Cloning Signatures

38-18

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 38 Defining IPS Signatures

Configuring Signatures

•Service H225—Inspects VoIP traffic.

•service-http—Inspects HTTP traffic. The WEBPORTS variable defines inspection port for HTTP

traffic.

•Service IDENT—Inspects IDENT (client and server) traffic.

•Service MSRPC—Inspects MSRPC traffic.

•Service MSSQL—Inspects Microsoft SQL traffic.

•Service NTP—Inspects NTP traffic.

•service-rpc—Inspects RPC traffic.

•Service SMB—Inspects SMB traffic.

•Service SMB Advanced—Processes Microsoft SMB and Microsoft RPC over SMB packets.

•Service SNMP—Inspects SNMP traffic.

•Service SSH—Inspects SSH traffic.

•Service TNS—Inspects TNS traffic.

•state—Stateful searches of strings in protocols such as SMTP.

•string-icmp—Searches on Regex strings based on ICMP protocol.

•string-tcp—Searches on Regex strings based on TCP protocol.

•string-udp—Searches on Regex strings based on UDP protocol.

•Sweep—Analyzes sweeps of ports, hosts, and services, from a single host (ICMP and TCP), from

destination ports (TCP and UDP), and multiple ports with RPC requests between two nodes.

•Sweep Other TCP—Analyzes TCP flag combinations from reconnaissance scans that are trying to

get information about a single host. The signatures look for flags A, B, and C. When all three are

seen, an alert is fired.

•Traffic ICMP—Analyzes nonstandard protocols, such as TFN2K, LOKI, and DDOS. There are only

two signatures with configurable parameters.

•Traffic Anomaly—Analyzes TCP, UDP, and other traffic for worm-infested hosts.

•Trojan Bo2k—Analyzes traffic from the nonstandard protocol BO2K. There are no

user-configurable parameters in this engine.

•Trojan Tfn2k—Analyzes traffic from the nonstandard protocol TFN2K. There are no

user-configurable parameters in this engine.

•Trojan UDP—Analyzes traffic from the UDP protocol. There are no user-configurable parameters

in this engine.

Cloning Signatures

If you want to create a custom signature that is similar to an existing signature, you can create a clone,

or copy, of the signature. You can then edit the parameters to make the clone perform according to your

requirements.

For example, you might want to create a clone of a Cisco-defined signature to customize it to your needs.

You might find this preferable to converting the Cisco signature to a Local or shared policy signature and

directly editing its parameters.

To clone a signature, follow these steps: