Configuring Signatures

Nov 26,2008 by admin

Signatures are divided into six groups:

  1. General (embedded)

  2. TCP connection

  3. UDP connection

  4. String-Matching

  5. Access Control List (ACL)

  6. Custom

To show how signatures are configured and tuned, the rest of this section walks through a general signature as a configuration and tuning exercise.

Configuring General Signatures

General signatures are signatures embedded in the sensor software itself. End users cannot add or delete general signatures, but they can enable or disable them and configure the response to attacks that match them. The following steps can be used to configure a general signature:

  1. From the Management Center for IDS Sensors page, select Configuration | Settings.

  2. A Table of Contents page appears. Select the Object Selector handle.

  3. In the Object Selector, select the sensor containing the general signature to configure. The Object Selector will close and redisplay the Table of Contents.

  4. In the Table of Contents, select Signatures | General. The general Signatures page will appear, as shown in Figure 10.23.

    Figure 10.23: The General Signatures Page

  5. Click the link for the signature group to be modified. This results in the display of the Signature(s) in Group page listing all of the signatures within the selected group, as shown in Figure 10.24.

    Figure 10.24: The Signature(s) in Group Page

  6. Select the signature to configure by checking the corresponding box and clicking Edit.

  7. The Edit Signature(s) window appears (as shown in Figure 10.25) and shows the name of the signature to configure. To enable or disable the signature, check or uncheck the Enable box.

    Figure 10.25: The Edit Signature(s) Page

Configuring Alarms

The severity of an alarm, as well as the actions to be taken when an event matches a signature, can be specified by editing the signature.

  1. To change the severity of an attack that matches this signature, select a Severity from the pull-down menu:

    • Info: Indicates an event that results from normal activity.

    • Low: Indicates an attack that is mild in severity. The Security Monitor Event Viewer will display this type of attack with a green icon.

    • Medium: Indicates an attack that is moderately severe. The Security Monitor Event Viewer will display this type of attack with a yellow icon.

    • High: Indicates an attack that is highly severe. The Security Monitor Event Viewer will display this type of attack with a red icon.

  2. Note the options to the right of the Actions label. Depending on the signature, you may specify one or more of the following actions to be taken when a signature matches an event:

    • Log: Stands for IP Log, and generates an IP session log with information about the attack.

    • Reset: Stands for TCP Reset, and resets the TCP session in which the attack signature was detected.

    • Block: Causes the sensor to issue a command to a PIX firewall or Cisco router. That firewall or router will block packets from the attacking host or network and keep them from entering the protected network.

Tuning General Signatures

Signatures are tuned to minimize false alarms, or "false positives." A false positive is an alarm that indicates an attack when the activity observed is actually benign or normal. One common source is ordinary network activity in which a network management station polls or scans network devices to ascertain their status; this polling looks very much like the scanning an attacker performs against a targeted network. Another is an attacker attempting an exploit against a host whose software is not vulnerable to it (for example, using a Microsoft IIS exploit against an Apache Web server): the signature matches, but the target is not at risk.

To tune a signature, return to the general Signature(s) page shown in Figure 10.23. For the signature to be tuned, select the signature link in the Engine column of the table. This brings up the Tune Signature page, as shown in Figure 10.26.

Figure 10.26: The Tune Signature Page

There are three columns in the Tune Signature Parameters table: Parameter Name, Value, and Default. Each parameter can be changed from its default to an appropriate value. Use the following procedure to tune a given parameter:

  1. Select the radio button for the parameter to be tuned in the Parameter Name column, then select Edit, as shown in Figure 10.27.

    Figure 10.27: The Tune Signature Parameters Page

  2. Enter a value for the parameter in the Value field, as shown in Figure 10.28.

    Figure 10.28: The Signature Parameter Page

  3. Enter an optional description for the signature parameter in the Description field.

  4. To accept the changes, click the OK button. The Tune Signature page will redisplay.

  5. On the Tune Signature page, click OK to accept the changes. The general Signature(s) page will reappear.
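To make the alarm settings and the tuning idea concrete, here is an added example in Python. It is not part of the original article and not Cisco IDS code: it is a toy model of a general signature with the severity levels and actions named above, tunable parameters that fall back to their defaults (the Value and Default columns), and a set of constructed flow records in which a network management station's polling looks like a port sweep. The signature name, the parameter names (unique_ports, window_seconds, exclude_sources), the detection rule and all addresses are assumptions made for the illustration.

```python
"""Toy model of IDS signature configuration and tuning (added illustration,
not Cisco IDS code). Signature name, parameter names and sample traffic are
all constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SEVERITIES = ("Info", "Low", "Medium", "High")  # choices on the Edit Signature page
ACTIONS = ("Log", "Reset", "Block")             # Log = IP log, Reset = TCP reset


@dataclass
class Signature:
    name: str
    enabled: bool = True
    severity: str = "Medium"
    actions: set = field(default_factory=set)
    defaults: dict = field(default_factory=dict)  # "Default" column
    values: dict = field(default_factory=dict)    # operator overrides, "Value" column

    def param(self, name):
        """Tuned value if set, otherwise the built-in default."""
        return self.values.get(name, self.defaults[name])

    def set_severity(self, severity):
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        self.severity = severity

    def set_actions(self, *acts):
        bad = set(acts) - set(ACTIONS)
        if bad:
            raise ValueError(f"unknown action(s) {sorted(bad)}")
        self.actions = set(acts)

    def tune(self, name, value):
        """Tune one parameter; only parameters the signature defines are allowed."""
        if name not in self.defaults:
            raise KeyError(f"signature has no parameter {name!r}")
        self.values[name] = value


@dataclass
class Flow:
    ts: int      # seconds
    src: str
    dst: str
    dport: int


# Constructed sample traffic: NMS polling, a normal client, and an external probe.
SAMPLE_FLOWS = (
    [Flow(100 + i, "10.0.0.5", "10.0.1.10", p) for i, p in enumerate(range(20, 40))]
    + [Flow(200, "10.0.2.9", "10.0.1.10", 80),
       Flow(201, "10.0.2.9", "10.0.1.10", 443),
       Flow(202, "10.0.2.9", "10.0.1.10", 22)]
    + [Flow(300 + i // 5, "203.0.113.7", "10.0.1.20", p) for i, p in enumerate(range(1, 26))]
)


def port_sweep_signature():
    """Hypothetical general signature: one source touches many ports on one host."""
    return Signature(
        name="Hypothetical TCP port sweep",
        severity="Medium",
        actions={"Log"},
        defaults={"unique_ports": 15, "window_seconds": 60, "exclude_sources": ""},
    )


def evaluate(sig, flows):
    """Return one alarm per (src, dst) pair that exceeds the tuned thresholds."""
    if not sig.enabled:
        return []
    excluded = [ip_network(n.strip()) for n in sig.param("exclude_sources").split(",") if n.strip()]
    threshold, window = sig.param("unique_ports"), sig.param("window_seconds")
    by_pair = defaultdict(list)
    for f in flows:
        if any(ip_address(f.src) in net for net in excluded):
            continue                      # tuned-out source, e.g. the management network
        by_pair[(f.src, f.dst)].append(f)
    alarms = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):        # sliding time window over the pair's flows
            while fl[end].ts - fl[start].ts > window:
                start += 1
            if len({f.dport for f in fl[start:end + 1]}) >= threshold:
                alarms.append({"signature": sig.name, "src": src, "dst": dst,
                               "severity": sig.severity, "actions": sorted(sig.actions)})
                break
    return alarms


def demo():
    """Alarms before and after tuning out the management station's polling."""
    sig = port_sweep_signature()
    before = evaluate(sig, SAMPLE_FLOWS)          # NMS polling and the probe both alarm
    sig.tune("exclude_sources", "10.0.0.0/24")   # exclude the management network
    sig.set_severity("High")
    sig.set_actions("Log", "Block")
    after = evaluate(sig, SAMPLE_FLOWS)           # only the external probe remains
    return before, after


if __name__ == "__main__":
    for label, alarms in zip(("before tuning", "after tuning"), demo()):
        print(label, alarms)
```

Run it and the untuned signature raises two alarms, one of them for the management station; after tuning, only the external probe alarms, now at High severity with Log and Block actions. The exclusion and threshold parameters here stand in for whatever parameters a real signature engine exposes; the point is that tuning leaves the signature enabled while removing the known-benign source of matches.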
