Appendix B Signature Engines

Master Engine

Obsoletes

The Cisco signature team uses the obsoletes field to indicate obsoleted, older signatures that have been replaced by newer, better signatures, and to indicate disabled signatures in an engine when a better instance of that engine is available. For example, some String XL hardware-accelerated signatures now replace equivalent signatures that were defined in the String engine.

Vulnerable OS List

When you combine the vulnerable OS setting of a signature with passive OS fingerprinting, the IPS can estimate whether a given attack is relevant to the target system and adjust the risk rating of the resulting alert accordingly. If the fingerprinted OS of the target matches the vulnerable OS list of the signature, the attack is relevant and the risk rating is increased. If the relevancy is unknown, usually because there is no entry for the target in the passive OS fingerprinting list, the risk rating is unchanged. If there is a passive OS fingerprinting entry and it does not match the vulnerable OS setting of the signature, the risk rating is decreased. By default the risk rating is raised or lowered by 10 points.

For More Information

For more information about promiscuous mode, see Understanding Promiscuous Mode, page 4-14.

For more information about passive OS fingerprinting, see Configuring OS Identifications, page 8-26.

Alert Frequency

The purpose of the alert frequency parameters is to reduce the volume of alerts written to the Event Store, which also blunts IDS DoS tools such as stick that try to flood the sensor with alerts. There are four summary modes: fire-all, fire-once, summarize, and global-summarize. The summary mode can also change dynamically to adapt to the current alert volume. For example, you can configure a signature to fire-all, but once a configured threshold of alerts is reached within the summary interval, it starts summarizing.

Table B-2 lists the alert frequency parameters.

Table B-2 Master Engine Alert Frequency Parameters

Parameter: summary-mode
Description: Specifies the mode used for summarization:
    fire-all—Fires an alert on all events.
    fire-once—Fires an alert only once.
    global-summarize—Summarizes an alert so that it only fires once regardless of how many attackers or victims.
    summarize—Summarizes alerts.
Value: fire-all | fire-once | global-summarize | summarize

Parameter: specify-summary-threshold
Description: Enables summary threshold mode:
    summary-threshold—Specifies the threshold number of alerts to send a signature into summary mode.
    summary-interval—Specifies the time in seconds used in each summary alert.
Value: {yes | no}
    summary-threshold: 0 to 65535
    summary-interval: 1 to 1000
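The following simulation shows how the four summary modes and the dynamic threshold escalation described above change what reaches the Event Store for the same stream of events. It is an added example written for this page, not code from the Cisco IPS sensor, and the page does not describe the sensor's internal summary keys or alert payloads, so two things are assumptions: summarize counts per (attacker, victim) pair while global-summarize keeps one count for the whole signature, and a summary alert is only emitted when more than one event was rolled up in an interval. The event stream is constructed.

```python
"""Simulation of the Master Engine alert-frequency modes from Table B-2.

Added example; not Cisco sensor code. Summary keys and summary payloads are
assumptions (see the lead-in); the parameter ranges are the ones in Table B-2.
"""
from collections import Counter

MODES = ("fire-all", "fire-once", "summarize", "global-summarize")


class AlertFrequency:
    """Alert-frequency state for one signature."""

    def __init__(self, summary_mode, specify_summary_threshold=False,
                 summary_threshold=0, summary_interval=30):
        if summary_mode not in MODES:
            raise ValueError(f"unknown summary-mode {summary_mode!r}")
        if not 0 <= summary_threshold <= 65535:
            raise ValueError("summary-threshold must be 0 to 65535")
        if not 1 <= summary_interval <= 1000:
            raise ValueError("summary-interval must be 1 to 1000 seconds")
        self.configured_mode = summary_mode
        self.mode = summary_mode              # may escalate to summarize dynamically
        self.threshold_enabled = specify_summary_threshold
        self.threshold = summary_threshold
        self.interval = summary_interval
        self.window_start = None
        self.alerts_this_window = 0           # individual alerts fired in this interval
        self.counts = Counter()               # summary key -> events rolled up
        self.alerted = set()                  # keys that already fired in this interval
        self.seen_once = set()                # keys that ever fired (fire-once)

    def _key(self, attacker, victim):
        # Assumption: global-summarize uses one key for the whole signature.
        return None if self.mode == "global-summarize" else (attacker, victim)

    def event(self, t, attacker, victim):
        """Feed one matching event; return the alerts to write to the Event Store."""
        out = []
        if self.window_start is None:
            self.window_start = t
        elif t - self.window_start >= self.interval:
            out.extend(self.close_window(t))
        key = self._key(attacker, victim)

        if self.mode == "fire-all":
            out.append(("alert", t, attacker, victim))
            self.alerted.add(key)
            self.alerts_this_window += 1
            # Dynamic mode change: too many alerts in one interval -> summarize.
            if self.threshold_enabled and self.alerts_this_window >= self.threshold:
                self.mode = "summarize"
        elif self.mode == "fire-once":
            if key not in self.seen_once:
                self.seen_once.add(key)
                out.append(("alert", t, attacker, victim))
        else:  # summarize / global-summarize
            self.counts[key] += 1
            if key not in self.alerted:       # first event for a key still alerts
                self.alerted.add(key)
                out.append(("alert", t, attacker, victim))
        return out

    def close_window(self, t):
        """End the summary interval: emit summary alerts and reset window state."""
        out = [("summary", t, key, n) for key, n in self.counts.items() if n > 1]
        self.counts.clear()
        self.alerted.clear()
        self.alerts_this_window = 0
        self.window_start = t
        self.mode = self.configured_mode      # escalation lasts one interval
        return out


def simulate(policy, events):
    """Run a stream of (t, attacker, victim) events and return every emitted alert."""
    out = []
    for t, attacker, victim in events:
        out.extend(policy.event(t, attacker, victim))
    if events:
        out.extend(policy.close_window(events[-1][0]))
    return out


# Constructed sample: a stick-style flood of one signature from 10.0.0.5,
# one event from a second attacker, and a straggler after the interval expires.
A, B, V = "10.0.0.5", "10.0.0.6", "10.0.0.10"
EVENTS = [(0, A, V), (1, A, V), (2, A, V), (2, B, V), (3, A, V),
          (4, A, V), (5, A, V), (40, A, V)]


def tally(policy, events=EVENTS):
    """Return (number of individual alerts, list of summary alerts) for one policy."""
    emitted = simulate(policy, events)
    alerts = sum(1 for e in emitted if e[0] == "alert")
    summaries = [e for e in emitted if e[0] == "summary"]
    return alerts, summaries


if __name__ == "__main__":
    for mode in MODES:
        print(mode, tally(AlertFrequency(mode)))
    escalating = AlertFrequency("fire-all", specify_summary_threshold=True,
                                summary_threshold=3, summary_interval=30)
    print("fire-all + summary-threshold 3", tally(escalating))
```

Running it on the eight constructed events shows the trade-off: fire-all writes eight alerts, fire-once two, summarize three plus one summary carrying the six rolled-up events, and fire-all with summary-threshold 3 writes the first three alerts individually before switching to one summary for the rest of the interval, then returns to fire-all when the next interval starts.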

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

 

OL-29168-01

B-7

 


IPS4510K9 specifications

IPS4510K9 and IPS4520K9 are the orderable part numbers for the Cisco IPS 4510 and IPS 4520 appliances, the sensors that run the IPS 7.x software documented in this guide. Both are dedicated intrusion prevention appliances for enterprise and data-center networks; Cisco rates the IPS 4510 at 3 Gbps and the IPS 4520 at 5 Gbps of inspection throughput. The 4500 series includes a hardware regular-expression accelerator, which is what the String XL engines use and why the Obsoletes field described above points from String signatures to their String XL replacements.

Both models can be deployed inline, where traffic passes through the sensor and matching packets can be dropped, or in promiscuous mode, where the sensor inspects a copy of the traffic out of band and can only alert or send resets. They are managed through the sensor CLI, IDM/IME, or Cisco Security Manager, and receive signature updates from Cisco. The engine parameters described in this appendix, including the alert frequency settings above, apply identically to both appliances.