OpenSignature tuning parameters

For Network IPS appliances, use these tuning parameters to enable the OpenSignature parser, to configure OpenSignature responses, and to enable and configure OpenSignature throttling.

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Advanced IPS > Tuning Parameters

Navigating in the SiteProtector™ system: select the Tuning Parameters policy

OpenSignature parser

Enable the OpenSignature parser to integrate the parser into PAM. When you enable the parser, the appliance processes your OpenSignature rules from the OpenSignatures page.

Table 1. Tuning parameters for the OpenSignature parser
Parameter Type Default Value Description
engine.opensignature.enabled Boolean True Enables the OpenSignature parser.

OpenSignature responses

When the appliance detects an OpenSignature event that matches the rules that you specify, it uses the default response DISPLAY:WithoutRaw. When an event occurs, this response logs a summary event to the monitoring console. To change the default responses for OpenSignatures, use the parameters that are explained in this topic.
Note: The appliance does not support configuring different responses for each OpenSignature event.
Table 2. Tuning parameters for OpenSignature responses
Parameter Type Default Value Description
np.opensignature.user.response String DISPLAY:WithoutRaw Defines the notification responses for OpenSignature rules.
Valid notification responses are as follows:
  • DISPLAY
  • SNMP
  • EMAIL
  • LOGEVIDENCE
  • User specified
Example: np.opensignature.user.response=DISPLAY:WithouRaw,EMAIL:<myEmail>
np.opensignature.response String None Defines the protection responses for OpenSignature rules.
Valid protection responses are as follows:
  • block
  • quarantine-traffic
Example: np.opensignature.response=block
np.opensignature.quarantine.rule String None Defines the quarantine parameters for the quarantine response. This parameter is only valid if the quarantine-traffic response is defined as part of the np.opensignature.response parameter.
Valid quarantine rule parameters are as follows:
  • quarantine-victim-address
  • quarantine-victim-port
  • quarantine-intruder-address
  • quarantine-intruder-port
  • quarantine-icmp-code
  • quarantine-icmp-type
Example:
  • np.opensignature.response=quarantine-traffic
  • np.opensignature.quarantine.rule=quarantine-victim-address,quarantine-victim-port

OpenSignature throttling

Enable throttling for OpenSignatures to control how the appliance reports duplicate OpenSignature events to the Network IPS Local Management Interface and to the SiteProtector system.

Table 3. Tuning parameter for OpenSignature throttling
Parameter Type Default Value Description
np.opensignature.throttle.time Number 0 Enables throttling for OpenSignature rules and specifies the number of seconds to suppress the reporting of duplicate OpenSignatures.