The Cisco IPS network-based intrusion prevention system (NIPS) uses signatures to detect network-based attacks. Signatures can be created in a variety of engines based on the type of network traffic being inspected. Cisco signatures have very flexible configurations. In this blog post, I will discuss the trade-offs between two basic approaches for signature configuration: anomaly detection and vulnerability detection.

With Cisco IPS, anomaly detection is a broad approach to detecting malicious network activity. Signatures written to detect broad categories of anomalous activity will catch many different attack vectors, but at a cost. The parameters of a signature designed to detect an anomaly will often put a strain on the system running Cisco IPS in the form of memory or CPU usage, limiting the number of signatures that may be enabled. They also carry a high false-positive risk due to their broad approach.

Vulnerability-based signatures are targeted and require less overhead. These signatures normally target one or more attack vectors associated with a specific CVE. Their engine parameters typically use less memory and have less impact on CPU performance on the IPS device, permitting more signatures to be active. They also allow the user to finely tune the configuration based on the types of vulnerable systems in a user’s network. False-positive risk is low if the active signature set is tuned for a user’s network environment.

Given the size of the signature set and the limited resources on our legacy devices, Cisco IPS signature developers will focus on the vulnerability-based approach to signature development going forward. This will allow customers to deploy an efficient and safe signature configuration that detects the maximum number of common attack vectors for recent threats.

Customers seeking protection beyond the vulnerability-based approach will benefit from deploying other network security measures that are more effective at identifying and blocking less well-defined attacks.

  • Anti-virus products are effective for detecting malware that is active on the network.
  • Port access is filtered very efficiently by traditional firewall products.
  • Application firewalls control access to applications by filtering input, output and system service calls locally and over the network.
  • Cisco ASA with FirePOWER Services brings distinctive, threat-focused, security services that provide comprehensive protection from known and advanced threats, including protection against targeted and persistent malware attacks.

These devices narrow down the potential attack vectors, and in concert with our legacy, signature-based IPS devices, provide highly effective network security. While the Cisco IPS signature development team will be releasing fewer anomaly signatures in the future, we are available to create a limited number of custom detections for customers upon request. Custom signature requests may be sent to ids-signature-team@cisco.com. Whether it is to detect an anomaly or for a threat not currently covered by the default signature set, a custom signature can fill a gap in an individual customer’s security profile. Custom signatures allow Cisco IPS to deliver targeted detection of threats of concern to some customers while leaving the default signature set more lightweight for most customers. Customers may also create their own custom signatures by utilizing the following guide: http://cs.co/9005BJPpv.


Nick Smith

Team Lead

Security Research and Operations