Home > Articles > Cisco

  • Print
  • + Share This
This chapter is from the book

Signatures and Signature Engines

A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks. You can easily install signatures using IDS and IPS management software such as Cisco IDM. Sensors enable you to modify existing signatures and define new ones.

As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions. A malicious packet flow has a specific type of activity and signature, and an IDS or IPS sensor examines the data flow using many different signatures. When an IDS or IPS sensor matches a signature with a data flow, the sensor takes action, such as logging the event or sending an alarm to IDS or IPS management software, such as the Cisco SDM.

Signature-based intrusion detection can produce false positives because certain normal network activity can be misinterpreted as malicious activity. For example, some network applications or operating systems may send out numerous Internet Control Message Protocol (ICMP) messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by tuning your sensors. You can tune built-in signatures (tuned signatures) by adjusting the many signature parameters.

Examining Signature Micro-Engines

A signature micro-engine is a component of an IDS and IPS sensor that supports a group of signatures that are in a common category. Each engine is customized for the protocol and fields that it is designed to inspect and defines a set of legal parameters that have allowable ranges or sets of values. The signature micro-engines look for malicious activity in a specific protocol. Signatures can be defined for any of the supported signature micro-engines using the parameters offered by the supporting micro-engine. Packets are scanned by the micro-engines that understand the protocols contained in the packet.

Cisco signature micro-engines implement parallel scanning. All the signatures in a given signature micro-engine are scanned in parallel fashion, rather than serially. Each signature micro-engine extracts values from the packet and passes portions of the packet to the regular expression engine. The regular expression engine can search for multiple patterns at the same time (in parallel). Parallel scanning increases efficiency and results in higher throughput.

When IDS (promiscuous mode) or IPS (inline mode) is enabled, a signature micro-engine is loaded (or built) on to the router. When a signature micro-engine is built, the router may need to compile the regular expression found in a signature. Compiling a regular expression requires more memory than the final storage of the regular expression. Be sure to determine the final memory requirements of the finished signature before loading and merging signatures.

Table 6-6 summarizes the types of signature engines available in Cisco IOS Release 12.4(6)T. Table 6-7 provides more details on signature engines.

Table 6-6. Summary of Supported Signature Engines

Signature Engine



Signatures that examine simple packets, such as ICMP and UDP


Signatures that examine the many services that are attacked


Signatures that use regular expression-based patterns to detect intrusions


Supports flexible pattern matching and supports Trend Labs signatures


Internal engine to handle miscellaneous signatures

Table 6-7. Details on Signature Micro-Engines

Signature Micro-Engine



Provides simple Layer 3 IP alarms


Provides simple ICMP alarms based on these parameters: type, code, sequence, and ID


Provides simple alarms based on the decoding of Layer 3 options


Provides simple UDP packet alarms based on these parameters: port, direction, and data length


Provides simple TCP packet alarms based on these parameters: port, destination, and flags


Analyzes the Domain Name System (DNS) service


Analyzes the remote procedure call (RPC) service


Inspects Simple Mail Transfer Protocol (SMTP)


Provides HTTP protocol decode-based string engine; includes anti-evasive URL de-obfuscation


Provides FTP service special decode alarms


Offers TCP regular expression-based pattern inspection engine services


Offers UDP regular expression-based pattern inspection engine services


Provides ICMP regular expression-based pattern inspection engine services


Supports flexible pattern matching and supports Trend Labs signatures


Provides internal engine to handle miscellaneous signatures

Signature Alarms

The capability of IDS and IPS sensors to accurately detect an attack or a policy violation and generate an alarm is critical to the functionality of the sensors. Attacks can generate the following types of alarms:

  • False positive: A false positive is an alarm triggered by normal traffic or a benign action. Consider this scenario: A signature exists that generates alarms if the enable password of any network devices is entered incorrectly. A network administrator attempts to log in to a Cisco router but enters the wrong password. The IDS cannot distinguish between a rogue user and the network administrator, and it generates an alarm.
  • False negative: A false negative occurs when a signature is not fired when offending traffic is detected. Offending traffic ranges from someone sending confidential documents outside of the corporate network to attacks against corporate web servers. False negatives are bugs in the IDS and IPS software and should be reported. A false negative should be considered a software bug only if the IDS and IPS have a signature that has been designed to detect the offending traffic.
  • True positive: A true positive occurs when an IDS and IPS signature is correctly fired, and an alarm is generated, when offending traffic is detected. For example, consider a Unicode attack. Cisco IPS sensors have signatures that detect Unicode attacks against Microsoft Internet Information Services (IIS) web servers. If a Unicode attack is launched against Microsoft IIS web servers, the sensors detect the attack and generate an alarm.
  • True negative: A true negative occurs when a signature is not fired when nonoffending traffic is captured and analyzed. In other words, the sensor does not fire an alarm when it captures and analyzes “normal” network traffic.

Table 6-8 provides a summary of the alarm types. To understand the terminology, think in terms of “Was the alarm triggered?” A positive means that the alarm was triggered and a negative means that the alarm was not triggered. Thus the expression false alarm, which is the same as false positive (positive because the alarm was triggered, but false because the intrusion did not happen or the intrusion was not detected by the sensor).

Table 6-8. Alarm Types

Intrusion Occurred/Detected

Intrusion Did Not Occur / Not Detected

Alarm was triggered

True positive

False positive

Alarm was not triggered

False negative

True negative

Alarms fire when specific parameters are met. You must balance the number of incorrect alarms that you can tolerate with the capability of the signature to detect actual intrusions. If you have too few alarms, you might be letting in more suspect packets, but network traffic will flow more quickly. If IPS systems use untuned signatures, they will produce many false positive alarms. You should consider the following factors when implementing alarms that a signature uses:

  • The level assigned to the signature determines the alarm severity level.
  • A Cisco IPS signature is assigned one of four severity levels:

    • Informational: Activity that triggers the signature is not considered an immediate threat, but the information provided is useful information.
    • Low: Abnormal network activity is detected that could be perceived as malicious, but an immediate threat is not likely.
    • Medium: Abnormal network activity is detected that could be perceived as malicious, and an immediate threat is likely.
    • High: Attacks used to gain access or cause a DoS attack are detected, and an immediate threat is extremely likely.
  • You can manually adjust the severity level that an alarm produces.
  • To minimize false positives, study your existing network traffic patterns and then tune your signatures to recognize intrusion patterns that are atypical (out of character) for your network traffic patterns. Do not base your signature tuning on traffic patterns that are based only on industry examples. Use an industry example as a starting point, determine what your own network traffic patterns are, and use them in your signature alarm tuning efforts.
  • + Share This
  • 🔖 Save To Your Account