Cisco Support Community
Community Member

IDS Signatures

I would like to know if there is a specific programming language the IDS signatures are written in and if I can learn the programming language. I am a Security Analyst that likes to understand the working of what I am supporting. I will soon be taking a 6-day course on Intrusion Detection to understand and learn to detect intrusion data packets. It would be very helpful to understand how Cisco IDS detects and analyzes data packets.

2 REPLIES
Cisco Employee

Re: IDS Signatures

The majority of the Cisco IDS signatures are written using what we call Signature Engines.

(There are still a few that are hardcoded into the compiled packetd executable, but most have been written using the Engines.)

The Signature Engines are major pieces of code inside of the Packetd executable which are designed to analyze a particular type of traffic.

For example, we have signature engines for analyzing sweeps, floods, HTTP traffic, ICMP traffic, etc.

When Packetd first starts up it reads an encrypted configuration file.

That configuration file contains one line for each subsignature of each signature.

The configuration line designates which Engine the signature should be a part of, and what Engine parameters are used to create that signature.

Packetd then configures each of its Engines based on these configurations.

So in other words, these configuration lines are what create the signatures.

Users can then override these initial configurations by changing the parameters of a given signature.

The majority of the parameters in the encrypted signature file are viewable through the various sensor interfaces.

Some parameters are Protected so the user can not change them.

Others are Hidden so the user can not see them (they contain Cisco proprietary information).

The changes a user makes are saved in a separate file so that the encrypted signature file can be replaced each time a signature update occurs without losing any changes the user may have made previously.

Also using the same configuration method, the user can now create their own custom signatures.

To learn more about these Signature Engines and the parameters available per Engine you should read:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13869_01.htm

This document describes what you would call our "programming language" for signatures.
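To make the layering described in the reply concrete, here is an added example (not Cisco's code, and not Cisco's real file format): a base file with one line per subsignature naming its engine and parameters, some marked Protected or Hidden, plus a separate user-override file whose changes are re-applied after a base update. The line syntax, signature IDs, engine names and parameter names are all constructed for illustration.

```python
# Added example, not Cisco's code or file format: it models the layered signature
# configuration described above (base file with one line per subsignature naming an
# engine and its parameters, some Protected or Hidden; separate user-override file).
from dataclasses import dataclass, field

# Constructed sample data: signature IDs, engine names and parameters are illustrative.
BASE_FILE = "9001.0 ICMP icmp_type=8 !min_len=0 #seq_check=1\n9002.1 SWEEP unique=15 period=60"
USER_FILE = "9001.0 icmp_type=0\n9001.0 min_len=64\n9002.1 unique=30"

@dataclass
class Signature:
    sig_id: str                                   # "<sig>.<subsig>"
    engine: str                                   # engine that builds this signature
    params: dict = field(default_factory=dict)
    protected: set = field(default_factory=set)   # visible, but user cannot change
    hidden: set = field(default_factory=set)      # user can neither see nor change

def parse_base(text):
    """Base line: 'SIG ENGINE key=val ...'; a '!' key prefix marks Protected, '#' marks Hidden."""
    sigs = {}
    for line in text.strip().splitlines():
        sig_id, engine, *fields = line.split()
        sig = Signature(sig_id, engine)
        for item in fields:
            key, _, value = item.partition("=")
            if key.startswith("!"):               # Protected: shown but locked
                sig.protected.add(key := key[1:])
            elif key.startswith("#"):             # Hidden: never shown to the user
                sig.hidden.add(key := key[1:])
            sig.params[key] = value
        sigs[sig_id] = sig
    return sigs

def apply_overrides(sigs, override_text):
    """Apply user lines 'SIG key=val'; Protected and Hidden keys are refused, not silently applied."""
    rejected = []
    for line in override_text.strip().splitlines():
        sig_id, item = line.split()
        key, _, value = item.partition("=")
        sig = sigs[sig_id]
        if key in sig.protected or key in sig.hidden:
            rejected.append((sig_id, key))
        else:
            sig.params[key] = value
    return rejected

def visible_params(sig):
    """What a sensor interface would show: every parameter except the Hidden ones."""
    return {k: v for k, v in sig.params.items() if k not in sig.hidden}
```

Because the user's changes live only in the override file, a signature update is simulated by parsing a new base file and calling apply_overrides again; the override to a Protected key is reported as rejected rather than applied.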

Community Member

Re: IDS Signatures

Thanks. This does help me understand how things work.

275 Views · 10 Helpful · 2 Replies