Friday, March 28, 2008

Custom IPS Signature Events

In Part 3 of the Cisco IPS Custom Signatures article, after a discussion with someone I can't remember, I made the following statement:

"An important note to remember is that once you define a Custom IPS sig, this cannot be deleted, but can be overwritten."

Now this is not strictly true, as I have found whilst doing some custom parser work. When defining event parsers I noticed that an event was in the list (Confidential File.....), from a Cisco IPS custom signature I imported a while back...

Now events here can be deleted, so I thought I'd try it...


Sure enough, the Custom IPS Signature Event was listed, with the Cisco IPS Custom Sig ID of 60000/0, and the Groups and Inspection Rules it belongs to. So I went ahead and deleted it.

Now I did a quick check on the Custom IPS Signature upload page, to see if anything untoward had happened here...


I also checked whether or not the Event had actually gone. A quick search of Events for device Cisco IPS 6.x showed it had indeed been deleted.

Great stuff. So, to be sure, I uploaded a second custom parser event...

And sure enough, the event appeared under the Custom Parser Event Types, and thus can be slightly edited like any custom parser event (the description is edited below).
And these changes do stick, as a quick event query for Cisco IPS 6.x events shows.


NB: These are my own findings and, to my knowledge, not in the MARS User Guide. So before you go deleting events as above, I'd check with TAC that you are not going to explode your MARS box or anything :-)
