Cisco Support Community
Community Member

detail sigs info

Is there more detailed info than the NSDB pages on what exactly each signature is looking for?

Cisco Employee

Re: detail sigs info

If you want to know exactly what the signature is looking for, then the best information is in the signature definition itself.

In version 3.x the signature definition was hidden from the user (several signature parameters were intentionally hidden and would not appear when the signature was edited by the user), but in version 4.x it was decided to not hide the parameters.

NOTE1: There are still 2 or 3 sigs that we have to hide the parameters for because of agreements with partner companies. There are very few of these and typically the regular expression field will either not be present or show as encrypted data.

NOTE2: There are still a few signatures, especially with protocols like SMB, where we are still having to create compiled code to analyze the packets for the signature. For these signatures you will see little information in either the NSDB or signature definition and you would need to contact the TAC to ask what is specifically being looked for.

Go through IDM and follow the steps to tune the signature; following these steps will take you to the screen where all the parameters have been defined for that signature.

Once you've seen the signature parameters then the next question is: What do these parameters mean?

That information can be read from the "Working with Signature Engines" section of the User's Guide:
