Configuring Signatures and Alarms
Network intrusions are scans of, attacks on, or misuses of network
resources. To detect network intrusion, the Cisco IDS sensors use a
signature-based technology. Every network attack has an order or a pattern to
the bytes in the traffic stream between the attacking system and the target.
These bytes represent a "fingerprint" or "signature" of the attack. By comparing
the pattern of bytes in a given traffic stream between two hosts against a
database containing various known signatures for network attacks, the IDS is
able to determine when an attack has occurred. Each signature specifies the type
of attack the sensor detects and reports. As a sensor scans the network packets,
the rules allow it to detect patterns that match a known attack.
The IDS MC allows the operator to specify which signatures should
be enabled. The response action the IDS sensor takes when a signature fires,
whether simply raising an alarm on the Security Monitor console or also sending a
TCP RST, is likewise determined by the signature's configuration. Tuning
IDS signatures is one of the more important features of the IDS MC. Improperly
tuned IDS sensors account for the great majority of false positive alarms
(alarms raised by the IDS in response to benign network traffic) and result in
potential mistrust of the IDS system by security personnel.
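The signature-matching and tuning ideas in the two paragraphs above, as an added Python illustration (this is not IDS MC code and not a real Cisco signature set): the signature numbers 90001 and 90002, the "SCANNER-X/1.0" banner, the hosts, ports and packet payloads are all constructed for this example. An untuned signature fires on a benign forum post that merely mentions the pattern (a false positive), while the tuned version restricts the signature to the port the probe actually targets, escalates its action to a TCP reset, and disables a second signature that would alarm on ordinary SMTP traffic.

```python
"""Toy signature engine showing how byte-pattern matching and tuning interact.

Added illustration, not Cisco IDS MC code: signature numbers, names, patterns
and packet contents are all constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Signature:
    sig_id: int                   # constructed ID, not a real Cisco signature number
    name: str
    pattern: bytes                # the byte "fingerprint" searched for in the stream
    action: str = "alarm"         # response: "alarm" or "alarm+tcp_reset"
    enabled: bool = True
    dst_ports: Optional[FrozenSet[int]] = None  # tuning knob: only fire on these ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    name: str
    src: str
    dst: str
    action: str


def scan(packets: Iterable[Packet], signatures: Iterable[Signature]) -> List[Alarm]:
    """Compare every packet payload against each enabled signature.

    A signature fires when its byte pattern occurs in the payload and, if the
    signature has been tuned with a port restriction, the destination port is
    in the allowed set. Disabled signatures are skipped entirely.
    """
    alarms: List[Alarm] = []
    active = [s for s in signatures if s.enabled]
    for pkt in packets:
        for sig in active:
            if sig.dst_ports is not None and pkt.dst_port not in sig.dst_ports:
                continue
            if sig.pattern in pkt.payload:
                alarms.append(Alarm(sig.sig_id, sig.name, pkt.src, pkt.dst, sig.action))
    return alarms


# Constructed traffic. "SCANNER-X/1.0" stands in for the banner a hypothetical
# scanning tool writes into its probes; it is not a real tool string.
TRAFFIC = [
    # Benign: a user's forum post that merely mentions the string.
    Packet("10.0.0.5", "10.0.0.80", 80,
           b"POST /forum HTTP/1.0\r\n\r\nbody=Has anyone seen SCANNER-X/1.0 in logs?"),
    # Benign: an unrelated SMTP message.
    Packet("10.0.0.6", "10.0.0.25", 25, b"MAIL FROM:<alice@example.test>\r\n"),
    # Suspicious: the probe itself, sent to the telnet port of a server.
    Packet("192.0.2.10", "10.0.0.80", 23, b"SCANNER-X/1.0 probe\x00"),
]

# Untuned: fires on the pattern anywhere, so the forum post is a false positive.
UNTUNED = [Signature(90001, "Scanner-X probe", b"SCANNER-X/1.0")]

# Tuned: restricted to the port the probe actually targets and escalated to a
# TCP reset; a noisy second signature has been disabled outright.
TUNED = [
    Signature(90001, "Scanner-X probe", b"SCANNER-X/1.0",
              action="alarm+tcp_reset", dst_ports=frozenset({23})),
    Signature(90002, "Any SMTP traffic", b"MAIL FROM:", enabled=False),
]

# Constructed ground truth: the hosts we know to be benign in this traffic.
BENIGN_HOSTS = frozenset({"10.0.0.5", "10.0.0.6"})


def false_positives(alarms: Iterable[Alarm], benign_srcs: FrozenSet[str]) -> int:
    """Count alarms raised against traffic from hosts known to be benign."""
    return sum(1 for a in alarms if a.src in benign_srcs)


if __name__ == "__main__":
    for label, sigs in (("untuned", UNTUNED), ("tuned", TUNED)):
        hits = scan(TRAFFIC, sigs)
        print(f"{label}: {len(hits)} alarm(s), "
              f"{false_positives(hits, BENIGN_HOSTS)} false positive(s)")
        for a in hits:
            print(f"  sig {a.sig_id} {a.name}: {a.src} -> {a.dst} [{a.action}]")
```

Running the block prints two alarms for the untuned set (one of them the forum post) and a single TCP-reset alarm for the tuned set. The port restriction and the enable flag are the two tuning knobs the text describes; real IDS MC signature tuning exposes more parameters, but the effect on the false-positive count is the same in kind.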