Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 7 Defining Signatures
Configuring Signatures
Configuring Alert Frequency
Use the alert-frequency command in the signature definition submode to configure the alert frequency for a signature.
The following options apply:
• sig-id—Identifies the unique numerical value assigned to this signature. This value lets the sensor identify a particular signature. The value is 1000 to 65000.
• subsig-id—Identifies the unique numerical value assigned to this subsignature. A subsignature ID is used to identify a more granular version of a broad signature. The value is 0 to 255.
• alert-frequency—How often the sensor alerts you when this signature is firing. Specify the following parameters for this signature:
  – summary-mode—The way you want the sensor to group the alerts:
      fire-all—Fires an alert on all events.
      fire-once—Fires an alert only once.
      global-summarize—Summarizes an alert so that it only fires once regardless of how many attackers or victims there are.
      summarize—Summarizes all the alerts.
  – summary-interval—Time in seconds used in each summary alert. The value is 1 to 65535.
  – summary-key—Storage type on which to summarize this signature.
      Axxx—Attacker address.
      Axxb—Attacker address and victim port.
      AxBx—Attacker and victim addresses.
      AaBb—Attacker and victim addresses and ports.
      xxBx—Victim address.
  – specify-global-summary-threshold [yes | no]—Specifies whether you want to configure a global summary threshold (optional).
  – global-summary-threshold—Threshold number of events to take alert into global summary.
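The summary-key and summary-interval options together determine how many summary alerts a burst of events produces. The following added example (not part of the Cisco guide) models that grouping in Python over constructed events; the function names, the event field names, and the fixed time windows starting at 0 are assumptions made for illustration, not sensor behavior documented here.

```python
from collections import Counter

# Letter positions as read from the five summary-key values listed above:
# A = attacker address, a = attacker port, B = victim address, b = victim port,
# x = field not used for grouping.
FIELDS = ("attacker_addr", "attacker_port", "victim_addr", "victim_port")
VALID_KEYS = ("Axxx", "Axxb", "AxBx", "AaBb", "xxBx")


def key_fields(summary_key):
    """Return the event fields that a summary-key value groups on."""
    if summary_key not in VALID_KEYS:
        raise ValueError(f"unknown summary-key: {summary_key!r}")
    return tuple(f for f, c in zip(FIELDS, summary_key) if c != "x")


def summarize(events, summary_key, summary_interval):
    """Count events per (window, key) bucket; each bucket is one summary alert.

    Assumption: windows are fixed and start at time 0. This is a simplified
    model for estimating alert volume, not the sensor's implementation.
    """
    if not 1 <= summary_interval <= 65535:
        raise ValueError("summary-interval must be 1 to 65535 seconds")
    fields = key_fields(summary_key)
    buckets = Counter()
    for ev in events:
        window = ev["time"] // summary_interval
        buckets[(window, tuple(ev[f] for f in fields))] += 1
    return buckets


# Constructed sample events: (time in seconds, attacker addr, attacker port,
# victim addr, victim port). Addresses are documentation ranges.
RAW = [
    (1, "192.0.2.10", 40001, "198.51.100.5", 80),
    (5, "192.0.2.10", 40002, "198.51.100.5", 80),
    (9, "192.0.2.10", 40003, "198.51.100.6", 80),
    (12, "192.0.2.20", 40001, "198.51.100.5", 443),
    (40, "192.0.2.10", 40004, "198.51.100.5", 80),
]
EVENTS = [dict(zip(("time",) + FIELDS, row)) for row in RAW]

if __name__ == "__main__":
    for key in VALID_KEYS:
        buckets = summarize(EVENTS, key, summary_interval=30)
        print(f"{key}: {len(buckets)} summary alerts for {len(EVENTS)} events")
```

A narrower key such as AaBb keeps per-connection detail but produces the most alerts, while Axxx or xxBx collapses the same traffic into fewer records per interval.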
To configure the alert frequency parameters of a signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode:
    sensor# configure terminal
    sensor(config)# service signature-definition sig0
Step 3 Specify the signature you want to configure:
    sensor(config-sig)# signatures 9000 0
Step 4 Enter alert frequency submode:
    sensor(config-sig-sig)# alert-frequency