A "signatures" file is commonly used in intrusion detection
systems to list the network patterns that indicate an attack.
The file sigs.ini is located in the directory where
the product is installed. You can edit this file using
any standard text editor, such as Notepad. The file
is in standard .ini file format. However, there are no
"sections" within this file, so the location where you place things
does not matter.
From time to time, you might want to edit this file in order to
tweak how the system detects intrusions.
What is a signature?
A signature is a pattern that the system scans for. An "anti-virus"
program scans your hard-drive looking for patterns that indicate
a virus has infected your machine. Network ICE scans network traffic
in order to find patterns that indicate intrusions.
However, Network ICE's technology is primarily "protocol decode"
based rather than "pattern based". Protocols are fairly loose
standards, and you can often achieve the same effect even
when the exact pattern changes.
For example, the following two URLs go to the same web-page, even though
they are technically different. They mean the same thing
even though they have a different pattern.
http://www.networkice.com/
http://www.networkice.com/%2E/
Network ICE's unique technology discovers the meaning behind the patterns
when it looks for signs of intrusions. This makes the product much
harder to evade than any other intrusion detection system on
the market.
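The difference between matching a pattern and decoding the protocol, as an added example (not Network ICE's code or anything from sigs.ini): a raw substring check is compared with a check on the decoded URL path. It goes slightly beyond the %2E case in the text by also handling other percent-encoded characters and ".." segments. The watched path, the example.com URLs and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Hypothetical path a signature watches for (an assumption, not from sigs.ini).
WATCHED_PATH = "/admin/config"


def raw_match(url):
    """Pattern-based check: literal substring search on the undecoded URL."""
    return WATCHED_PATH in url


def canonical_path(url):
    """Protocol-decode step: reduce the URL path to the form a server acts on."""
    path = urlsplit(url).path or "/"
    path = unquote(path)             # "%2E" -> ".", "%63" -> "c"
    path = "/" + path.lstrip("/")    # collapse repeated leading slashes
    return posixpath.normpath(path)  # drop "." and resolve ".." segments


def decoded_match(url):
    """Compare the decoded meaning of the path, not its spelling."""
    return canonical_path(url) == WATCHED_PATH


# Constructed sample URLs; the first two are the pair quoted in the text.
SAMPLES = [
    "http://www.networkice.com/",
    "http://www.networkice.com/%2E/",
    "http://www.example.com/admin/config",
    "http://www.example.com/admin/%2E/config",
    "http://www.example.com/admin/%63onfig",
    "http://www.example.com/index.html?ref=/admin/config",
]


def report():
    """Return (url, raw result, decoded result) for every sample."""
    return [(u, raw_match(u), decoded_match(u)) for u in SAMPLES]


if __name__ == "__main__":
    for url, raw, decoded in report():
        print(f"raw={raw!s:5} decoded={decoded!s:5} {url}")
```

The raw check misses the two re-spelled requests and fires on the query string of the last one, while the decoded check gets all six right.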