Chapter19 Intrusion Prevention System
Import Signatures
19-48
Cisco Router and Security Device Manager Version 2.2 Users Guide
OL-4015-08
Add, Edit, or Clone Signature
This window contains fields and values described in the Field Definitions section.
The fields vary depending on the signature. Therefore, this is not an exhaustive
list of all the fields you might see.

Field Definitions

The following fields are found on the Add, Edit and Clone Signat ure screens.
SIGIDIdentifies the unique numerical value assigned to this signature.
This value allows IPS to identify a particular signature.
SigNameIdentifies the name assigned to the signature.
SubSigIdentifies the unique numerical value assigned to this
sub-signature. A subSig ID is used to identify a more granular version of a
broad signature.
AlarmIntervalSpecial Handling for timed events. Use AlarmInterval Y
with MinHits X for X alarms in Y second interval.
AlarmSeverity Severity reported in alarm for this signature.
AlarmThrottle Technique used for alarm firings.
AlarmTraitsUser-defined traits further describing this signature.
ChokeThresholdThreshold value of alarms-per-interval to auto-switch
AlarmThrottle modes. If ChokeThreshold is defined IPS will automatica lly
switch AlarmThrottle modes when a large volume of alarms is seen in the
ThrottleInterval.
EnabledIdentifies whether or not the signature is enabled. A signature
must be enabled in order for IPS to protect against the traffic specified by the
signature.
EventActionIdentifies the actions IPS will take when this signature fires.
FlipAddrTrue if address (and ports) Source and Destination are swapped
in the alarm message. False for no swap (normal).
MinHitsMinimum number of signature hits before the alarm message is
sent. This a limiter for firing the alarm only after X times of seeing the
signature on the address key.
SigCommentThe comment of the signature.