Cisco Support Community

Cisco Employee

Request for user input on Signature Wizard

We are in the planning and early development phases for the 5.0 version of IDM and would like to get some feedback from the customers to help us with the development of an improved Signature Builder Wizard.

In order for this wizard to be most useful for the users we need to understand what parts of signature development users have the most trouble with and how you use this feature.

If you wish to participate in this survey please answer the following questions:

(You may select more than one answer on multiple choice questions)

1. When I have tried to develop a signature in the past I have had the most difficulty in

a. determining which engine is appropriate

b. filling in the signature parameter fields

c. never attempted (It's just too difficult)

(Please explain what it is that is too difficult)

d. Other (please explain)

2. Please describe the kind(s) of things that you would most often like to write signatures to detect. Be as specific as possible. (Example: I would like to be able to write a signature that detected a host that is repeatedly trying to connect to a particular host on my network in a very short time.)

3. Would you use a wizard that guided you through the signature building process with a series of questions if it ended with a restricted set of well-defined fill-in-the-blanks to finish the signature? (Note: This will make the wizard very specific in nature and limit the types of signatures that may be written; however, it would simplify your development significantly.)

4. Alternatively, would you use a wizard that guided you to which engine was appropriate for your signature and then limited your parameter scope to only the most relevant fields for signatures of this type, with an advanced guide for the more esoteric fields?

5. Please explain why you chose either the method described in question 3 or 4.

Thank you for participating.

1 REPLY
New Member

Re: Request for user input on Signature Wizard

1. a and b

2. New exploits (0 day Exploits). Since Snort has many sigs already circulating it would be nice to have a Snort sig converter.

3. Yes

4. both options would be nice.

5. I think #3 would be the best approach assuming that both techniques couldn't be incorporated into an interface to which you could choose which approach would best suit your needs.
