Cisco Systems IPS4510K9 manual Meta Signature Engine Enhancement

Chapter 7 Defining Signatures

Creating Custom Signatures

Meta Signature Engine Enhancement

The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding payload from the victim. It is also used to inspect streams at different offsets. The Meta engine supports the AND and OR logical operators. ANDNOT capability has been added to the Meta engine. This clause is a negative clause used to complement the existing positive clause-based signatures. The previous signature format had the following form:

IF (A and B and C) then Alarm; alternatively, IF (A or B or C) then Alarm is also supported; where A, B, and C are meta component signatures.

The addition of the negative clause allows for the following logic:

IF (A and/or B) AND NOT (C and/or D) then Alarm.

The (C and/or D) is the negative clause and is satisfied if (C and D) [alternatively (C or D)] do not occur before the Meta Reset Interval time expires.

A component of the positive clause must occur before the negative clause(s) to establish the Meta tracking state. The Meta engine cannot track the lack of past behavior. The state of the negative clause is evaluated when the Meta Reset Interval time expires.

Caution A custom signature can affect the performance of your sensor. Test the custom signature against a baseline sensor performance for your network to determine the overall impact of the signature.

The Meta engine is different from other engines in that it takes alerts as input where most engines take packets as input.

The following options apply:

•component-listname1—Specifies the list of Meta components:

–edit—Edits an existing entry in the list.

–insert —Inserts a new entry into the list.

–move—Moves an entry in the list.

–begin—Places the entry at the beginning of the active list.

–end—Places the entry at the end of the active list.

–inactive—Places the entry into the inactive list.

–before—Places the entry before the specified entry.

–after—Places the entry after the specified entry.

–component-count—Specifies the number of times component must fire before this component is satisfied.

–component-sig-id—Specifies the signature ID of the signature to match this component on.

–component-subsig-id—Specifies the subsignature ID of the signature to match this component on.

–is-not-component {true false}—Specifies that the component is a NOT component.

•component-list-in-order {true false}—Specifies whether to have the component list fire in order. For example, if signature 1001 in the m2 component fires before signature 1000 in the m1 component, the Meta signature will not fire.

•all-components-required {true false}—Specifies to use all components. This option works with the all-not-components-requiredoption, if you have NOT components configured as required, the Meta signature will not fire.