38-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
Step 1 Do one of the following:
• (Device view) Select IPS > Signatures > Signatures from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Signatures > Signatures, then select an existing policy or create a new one.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Signatures, then select an existing policy or create a new one.
The Signatures page appears; see Signatures Page, page 38-4.
Step 2 Right-click the signature that you want to clone and select Clone.
Security Manager takes some time to make the copy, and might warn you that some attributes are
read-only and cannot be copied. If you receive a warning, click OK. The Add Custom Signature dialog
box then appears.
Step 3 Edit the properties of the cloned signature, as described in Adding Custom Signatures, page 38-16.
Step 4 Click OK. The clone appears in the summary table on the Signatures page as the last signature.
Cloned signatures are enabled and active by default.
Editing Signature Parameters (Tuning Signatures)
If you cannot alter the behavior of a signature to fit your needs using the Event Action Filters and
Overrides policies, or by changing the actions associated with a signature, you might need to fine-tune
the signature parameters. You should consider editing parameters to be your last option, however,
because these parameters can be complex and frequently require that you have a deep understanding of
packet characteristics.
The reason to edit parameters is to reduce false positives and false negatives:
• A false positive occurs when legitimate network activity, such as virus scanning, is interpreted and reported as an attack. This happens when network activity meets criteria that were specified to identify an attack before the attack occurred. You can decrease the number of false positives by tuning your sensor configurations.
• A false negative occurs when an attack is not detected. Tuning your sensor configurations will help you decrease the number of false negatives.
Tip: You cannot edit the parameters of a default signature. Before editing the parameters of a default
signature, you must convert the signature to a local- or shared-policy signature. In some cases, such as
regular expression editing, you must clone the signature and convert it to a custom signature.
This procedure describes how to edit signature parameters to tune a signature.
Related Topics
Editing Signatures, page 38-11
Understanding Signatures, page 38-1
Configuring Event Action Filters, page 39-4
Configuring Event Action Overrides, page 39-13