Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IDS 3.0: custom signatures and Unix director

Just made a custom signature on IDS Sensor 3.0 using new menu interface.

Few question about it:

- Is anyway to automate this process? I have few active sensors and manual way using menu is not the best for me.

- I can't see any changes in director after I made a customer signature on a sensor 3.0. Is it normal?

- After update to 3.0 I started to have alerts about sigs below 1000 (994, 995, etc) and alerts with dest. and sources addresses Is it normal and how can I fix it?

Cisco Employee

Re: IDS 3.0: custom signatures and Unix director

Glad to see that you are using this feature already.

There is currently no automated way to use this feature, but the Unix director will be released shortly with a GUI based version of the Signature Wizard. I do not know the specifics as to the timing of their release.

The 2.2.2a director will not display any custom signatures that you add as it does not know how to view or interpret them. Once again the timing of this release is not known to me.

Signature 994 and 995 were added to alert the users to whether or not the sensor is currently seeing traffic. 994 fires when the sensor is either initally started and begins to receive traffic or after a long period of not having seen traffic and the traffic restarts. 995 is the mirror image of this and alarms after a user tunable time threshold of not having any traffic on the NIC. The default is 90 seconds of no traffic. This value can be Modified in the SiWizMenu program under the Other 3.X tokens selection.

I need more information to answer the src address question as this is expected behavior for some signatures and not for others. Which signatures do you have reporting this way?

New Member

Re: IDS 3.0: custom signatures and Unix director

Thank you for your answers,

The example of event with src below:


Cisco Employee

Re: IDS 3.0: custom signatures and Unix director

That would appear to be a bug. I'll file a DDTs and we will look into it.

Cisco Employee

Re: IDS 3.0: custom signatures and Unix director

After reviewing this a little closer there is a legitimate way for this situation to occur. The 3.0 sensors have built-in to them the ability to rate limit alarms. The method that they follow is complicated, but if the alarm rate for a particular signature type is high enough the sensor will set that alarm type into "Global Summary Mode". In this mode you will no longer get IP addresses as this is an aggregation alarm, however, there should be a message to the effect that this is a summary alarm and how many events it has aggregated in this message. The info field in the alarm message is used for this summary info. You did not include this field in your previous posting so I can not tell for sure whether or not this is a summary message. Could you please include an entire log entry from one of the alarms in question?

CreatePlease login to create content