38-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 38 Defining IPS Signatures
Configuring Signatures
To modify the components list:
• Add new components—Click the Add Entry (+) button to the left of the inactive list. The Add
  Signature Parameter—List Entry dialog box opens. Configure the following values:
  - Entry Key—A name for the component.
  - Component Sig ID—The signature ID of the signature you are looking for.
  - Component SubSig ID—The subsignature ID; enter 0 if there are no subsignatures.
  - Component Count—The number of times this signature must fire before the Meta signature is
    triggered.
  - Is a Not Component—This field lets you create negative entries; thus, you can identify a list
    where some signatures must fire, and some signatures must not fire. Select No for signatures
    that must fire, and Yes for signatures that must not fire.
  When you click OK in the Add Signature Parameter—List Entry dialog box, the new component is
  added to the inactive list. Select it and click the >> button to move it to the active list. Then, use the
  Up and Down arrow buttons to position the component in the active component list; a third button
  is available to reset the order to the previously saved order.
• Edit an existing component—Select the component (in either list) and click the Edit Entry
  (pencil) button that is between the lists. The Edit Signature Parameter—List Entry dialog box opens.
  The parameters are the same as for adding a new entry, except that you cannot change the component
  name.
• Delete a component—Select the component in the inactive list and click the Delete Entry (trash
  can) button that is to the left of the inactive list. If you want to delete an active component, you must
  first select it in the active list and click the << button to move it to the inactive list.
• Restore defaults—If you want to restore the default values of a component, select it and click
  Restore.
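How the component fields above combine, shown as an added Python model that is not part of the Cisco guide and is not the sensor's engine code. It assumes that component order is ignored, that all events fall in one evaluation window, and that a Not component blocks the Meta signature once it has fired Component Count times; the signature IDs and the names `Component` and `evaluate_meta` are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    entry_key: str        # Entry Key: name of the component
    sig_id: int           # Component Sig ID
    subsig_id: int = 0    # Component SubSig ID (0 = no subsignatures)
    count: int = 1        # Component Count
    is_not: bool = False  # Is a Not Component (Yes = must not fire)


def evaluate_meta(active, fired):
    """Return (triggered, reasons) for the active component list.

    fired: iterable of (sig_id, subsig_id) tuples seen in one window.
    Assumed model: order ignored; a Not component blocks at `count` hits.
    """
    if not active:
        return False, ["active component list is empty"]
    seen = Counter(fired)
    reasons = []
    for c in active:
        n = seen[(c.sig_id, c.subsig_id)]
        if c.is_not and n >= c.count:
            reasons.append(f"{c.entry_key}: fired {n}x but must not fire")
        elif not c.is_not and n < c.count:
            reasons.append(f"{c.entry_key}: fired {n}x, needs {c.count}")
    return not reasons, reasons


# Constructed sample data: placeholder IDs, not real signature IDs.
ACTIVE = [
    Component("login-fail", 60001, 0, count=3),
    Component("scan", 60002, 1),
    Component("maintenance", 60003, 0, is_not=True),
]
EVENTS_HIT = [(60001, 0)] * 3 + [(60002, 1)]
EVENTS_SUPPRESSED = EVENTS_HIT + [(60003, 0)]     # Not component fired
EVENTS_SHORT = [(60001, 0)] * 2 + [(60002, 1)]    # count not reached

if __name__ == "__main__":
    for name, events in [("hit", EVENTS_HIT),
                         ("suppressed", EVENTS_SUPPRESSED),
                         ("short", EVENTS_SHORT)]:
        print(name, evaluate_meta(ACTIVE, events))
```

Running a planned component list through a model like this before saving it helps catch a Not entry or a count that would keep the Meta signature from ever firing.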
Obsoletes Dialog Box
Use the Obsoletes dialog box to identify obsolete signatures associated with a particular signature. In
many cases, this information is read-only. In some cases, it is read-write; for example, you can edit the
list for IOS IPS signature policies for Local or shared-policy-specific signatures.
If you can edit the list:
• Click the Add Entry (+) button to add the signature and subsignature ID of a signature that is made
  obsolete by the signature you are editing.
• Select an entry and click the Delete Entry (trash can) button to remove it from the list of obsoleted
  signatures.
Navigation Path
The Obsoletes list is part of the signature parameters. To edit the parameters, follow the procedure
described in Editing Signature Parameters (Tuning Signatures), page 38-19. When you open the Edit
Signature Parameters dialog box, look for the Status > Obsoletes parameter. The parameter value
contains a pencil icon and the word Set (when the parameter is not read-only). Click the pencil or word
to open the Obsoletes dialog box.