CSIDS Exam Cram 2 (Exam 642-531)
It should be apparent that the Cisco series of signature engines allows you to create a wide range of custom signatures. Use the following guidelines when determining which signature engine to use to create your custom signatures:
- Network protocol: Determine the network protocol of the traffic to be examined. To create a signature that examines OSPF packets, for example, use the Atomic.L3.IP signature engine, which allows you to specify a protocol number.
- Target address: Determine the target you are considering. For example, if you want to detect an attack on a subnet, use the Flood.Net signature engine.
- Target port: Choose the signature engine that examines the ports of interest.
- Type of attack: Determine the anticipated nature of the attack. For DoS, you generally use the Flood signature engines, whereas the Sweep signature engines are designed for reconnaissance attacks.
- Payload inspection: If the payload needs to be inspected for a string pattern, for example, consider using the String.TCP signature engine, which is designed to detect a string pattern within a TCP packet.