Manual Chapter : Create protocol inspection items

Applies To:

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Create protocol inspection items

Add inspection items to create new inspections based on Snort signatures. You write signatures in Snort format. For information on writing Snort rules, see
  1. On the Main tab, click Protocol Security > Inspection List.
    The Inspection List screen opens.
  2. Click New Signature.
  3. In the field, type a name for the signature.
  4. In the field, type a description.
  5. In the Signature Definition field, type the signature in valid Snort syntax.
    All remaining fields are optional. However, the default settings accept the signature, and may not be configured correctly for your inspection. Configure settings that are appropriate to your security stance and the detection you want to accomplish.
  6. Specify an action for the signature.
  7. Select whether to log the signature.
  8. Specify the accuracy for the signature.
  9. Specify the direction on which the signature is detected.
  10. Specify the performance impact for the signature.
  11. Specify the protocol on which the signature acts.
  12. Specify the risk level for the attack.
  13. In the field, type any documentation for the signature.
  14. In the Attack Type field, specify the attack type.
  15. In the field, type any references for the signature.
  16. In the Reference Links field, type any reference links.
  17. In the field, type the revision number.
  18. In the field, type the systems affected by the signature.
  19. Specify the service to which the signature applies.
  20. Click to create the inspection item.
The signature is created and appears in the inspection list.
Assign the inspection item to an inspection profile to enable detection and the action associated with the inspection item.
To view user defined inspection items, you can select from the User Defined list on the Inspection Profile or Inspection List screens.
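
A structural pre-check for the text typed into the Signature Definition field in step 5, as an added example (not F5 code, and not the validation BIG-IP itself performs). It checks generic Snort rule shape only; the sample rules are constructed, and the `required` option list is an assumed local policy.

```python
import re

# Generic Snort rule shape: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$',
    re.DOTALL)

def split_options(body):
    """Split the option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ';' and not in_quote and not escaped:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == '\\' and not escaped)
        cur.append(ch)
    return opts, ''.join(cur).strip(), in_quote

def check_rule(rule, required=('sid',)):  # 'required' is an assumed local policy
    """Return a list of structural problems; an empty list means none found."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["not in 'action proto src sport dir dst dport (options)' form"]
    opts, tail, open_quote = split_options(m.group('opts'))
    problems = []
    if open_quote:
        problems.append("unterminated double quote in options")
    elif tail:
        problems.append("last option is not terminated with ';': " + tail)
    names = [o.split(':', 1)[0].strip() for o in opts if o]
    for name in required:
        if name not in names:
            problems.append("missing option: " + name)
    return problems

# Constructed sample rules for illustration; they detect nothing real.
SAMPLES = {
    "ok": r'alert tcp any any -> any 80 (msg:"constructed sample"; content:"k\;v"; sid:1000001; rev:1;)',
    "no_semicolon": 'alert tcp any any -> any 80 (content:"x"; sid:1000002)',
    "open_quote": 'alert tcp any any -> any 80 (content:"x; sid:1000003;)',
    "no_direction": 'alert tcp any any any 80 (sid:1000004;)',
}

if __name__ == "__main__":
    for label, rule in SAMPLES.items():
        print(label, check_rule(rule) or "no structural problems")
```

A rule that passes here can still be rejected by the Inspection List screen, so treat the result as an early filter for typos rather than as acceptance.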