OpenSignature tuning parameters

Use these tuning parameters for enabling the OpenSignature parser, for configuring OpenSignature responses, and for enabling and configuring OpenSignature throttling.

Navigating in IPS Local Management Interface: Secure Protection Settings > Advanced IPS > Tuning Parameters

Navigating in SiteProtector™ Management: select the Tuning Parameters policy

OpenSignature parser

Enable the OpenSignature parser to integrate the parser into PAM. When you enable the parser, the appliance processes your OpenSignature rules from the OpenSignatures page.

Table 1. Tuning parameters for the OpenSignature parser
Parameter: engine.opensignature.enabled
Type: Boolean
Default value: True
Description: Enables the OpenSignature parser.

OpenSignature responses

When the appliance detects an OpenSignature event that matches the rules you have specified, it uses the default response DISPLAY:WithoutRaw. When an event occurs, this response logs a summary event to the monitoring console. To change the default responses for OpenSignatures, use the parameters in this topic.
Note: The appliance does not support configuring different responses for each OpenSignature event.

Table 2. Tuning parameters for OpenSignature responses

Parameter: np.opensignature.user.response
Type: String
Default value: DISPLAY:WithoutRaw
Description: Defines the notification responses for OpenSignature rules.

Valid notification responses are:
  • DISPLAY
  • SNMP
  • EMAIL
  • LOGEVIDENCE
  • User specified
Example: np.opensignature.user.response=DISPLAY:WithoutRaw,EMAIL:<myEmail>

Parameter: np.opensignature.response
Type: String
Default value: None
Description: Defines the protection responses for OpenSignature rules.

Valid protection responses are:
  • block
  • quarantine-traffic
Example: np.opensignature.response=block

Parameter: np.opensignature.quarantine.rule
Type: String
Default value: None
Description: Defines the quarantine parameters for the quarantine response. This parameter is only valid if the quarantine-traffic response is defined as part of the np.opensignature.response parameter.

Valid quarantine rule parameters are:
  • quarantine-victim-address
  • quarantine-victim-port
  • quarantine-intruder-address
  • quarantine-intruder-port
  • quarantine-icmp-code
  • quarantine-icmp-type
Example:
  • np.opensignature.response=quarantine-traffic
  • np.opensignature.quarantine.rule=quarantine-victim-address,quarantine-victim-port

OpenSignature throttling

Enable throttling for OpenSignatures to control how the appliance reports duplicate OpenSignature events to IPS Local Management Interface and to SiteProtector.

Table 3. Tuning parameter for OpenSignature throttling
Parameter: np.opensignature.throttle.time
Type: Number
Default value: 0
Description: Enables throttling for OpenSignature rules and specifies the number of seconds to suppress the reporting of duplicate OpenSignatures.
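
The following is an added example, not vendor code: a pre-change check that lints a set of OpenSignature tuning parameters against the types, valid values, and the quarantine dependency described in Tables 1 to 3. It assumes the settings are available as name=value lines (the form used in the examples above), that multiple values are comma-separated, and that the throttle time is a whole number; the function names and the sample input are constructed for illustration.

```python
# Added example, not vendor code: lint OpenSignature tuning parameters.
# Assumed: name=value lines, comma-separated lists, case-insensitive Booleans.
PROTECTION = {"block", "quarantine-traffic"}
QUARANTINE = {"quarantine-victim-address", "quarantine-victim-port",
              "quarantine-intruder-address", "quarantine-intruder-port",
              "quarantine-icmp-code", "quarantine-icmp-type"}
BUILTIN_NOTIFY = {"DISPLAY", "SNMP", "EMAIL", "LOGEVIDENCE"}
DEFAULTS = {"engine.opensignature.enabled": "True",
            "np.opensignature.user.response": "DISPLAY:WithoutRaw",
            "np.opensignature.response": "None",
            "np.opensignature.quarantine.rule": "None",
            "np.opensignature.throttle.time": "0"}

def items(value):
    """Split a comma-separated value; the default 'None' means nothing is set."""
    return [] if value in ("", "None") else [v.strip() for v in value.split(",")]

def lint(text):
    cfg, findings = dict(DEFAULTS), []
    for line in filter(None, map(str.strip, text.splitlines())):
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or name not in DEFAULTS:
            findings.append(f"unknown or malformed setting: {line}")
        else:
            cfg[name] = value
    enabled = cfg["engine.opensignature.enabled"].lower()
    if enabled not in ("true", "false"):
        findings.append("engine.opensignature.enabled must be a Boolean")
    elif enabled == "false":
        findings.append("parser disabled: OpenSignature rules are not processed")
    for resp in items(cfg["np.opensignature.user.response"]):
        if resp.split(":", 1)[0] not in BUILTIN_NOTIFY:
            findings.append(f"confirm user-specified response exists: {resp}")
    protection = items(cfg["np.opensignature.response"])
    findings += [f"invalid protection response: {p}" for p in protection if p not in PROTECTION]
    rules = items(cfg["np.opensignature.quarantine.rule"])
    findings += [f"invalid quarantine rule parameter: {r}" for r in rules if r not in QUARANTINE]
    if rules and "quarantine-traffic" not in protection:
        findings.append("quarantine rule set without the quarantine-traffic response")
    throttle = cfg["np.opensignature.throttle.time"]
    if not (throttle.isascii() and throttle.isdigit()):
        findings.append("np.opensignature.throttle.time must be a whole number of seconds")
    return findings

SAMPLE = """np.opensignature.response=block
np.opensignature.quarantine.rule=quarantine-victim-address,quarantine-intruder-adress
np.opensignature.throttle.time=-5"""  # constructed input with three mistakes
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

An empty result means the settings are consistent with the tables; names that are not built-in notification responses are reported for manual confirmation rather than rejected, because user-specified responses are valid.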