Hi,

You can go into the signature engine and modify the signature parameters or add new string signature.

sj_4250_40# conf t

sj_4250_40(config)# service virtual-sensor-configuration virtualSensor

sj_4250_40(config-vsc)# tune-micro-engines

sj_4250_40(config-vsc-virtualSensor)#

ATOMIC.ARP Layer 2 ARP signatures.

ATOMIC.ICMP Simple ICMP alarms based on Type, Code, Seq, Id

, etc.

ATOMIC.IPOPTIONS Simple L3 Alarms based on Ip Options

ATOMIC.L3.IP Simple L3 IP Alarms.

ATOMIC.TCP Simple TCP packet alarms based on TCP Flags, po

rts (both sides), and single packet regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey of xxxx.

Select the engine you want to modify and signature in it and change the settings.

sj_4250_40(config-vsc-virtualSensor)# atomic.tcp

sj_4250_40(config-vsc-virtualSensor-ATO)# signatures SIGID 9023

sj_4250_40(config-vsc-virtualSensor-ATO-sig)# show settings

SIGID: 9023

SubSig: 0

AlarmDelayTimer:

AlarmInterval:

AlarmSeverity: medium

AlarmThrottle: FireOnce

AlarmTraits:

ChokeThreshold: 100

DstPort: 36794

Enabled: True default: False

EventAction: ZERO

FlipAddr:

Mask: FIN|SYN|RST|PSH|ACK|URG

MaxInspectLength:

MaxTTL:

MinHits:

PortRange:

PortRangeSource:

Protocol: TCP

ResetAfterIdle: 15

SigComment:

SigName: Back Door Probe (TCP 36794)

SigStringInfo: SYN to TCP 36794

SigVersion: S40

SinglePacketRegex:

SrcPort:

StorageKey: xxxx

SummaryKey: AxBx

TcpFlags: SYN

ThrottleInterval: 30

WantFrag:

Thanks

Sujit