Managing Signatures

The most effective way to identify malicious traffic in the Cisco IPS/IDS systems is through the use of signature-based matching. This section covers how signatures are manipulated and managed to meet a specific network requirement.

Dealing with signatures is one of the tasks that you will perform as you tune, implement, maintain, and monitor a sensor appliance (or an IOS router running IPS in software). Cisco organizes its signatures into groups that share similar characteristics. Each group is governed by a signature micro-engine. When a packet comes through the sensor, all the signatures in a specific group or micro-engine are compared against the packet simultaneously, looking for matches. If you modify a signature, the micro-engine responsible for that signature updates and implements the change behind the scenes. There are several signature micro-engines, and even inside a micro-engine there are further subdivisions for organizing the signatures. Fortunately, as administrators, we do not have to worry too much about the specific micro-engines, but for certification you definitely want to be aware that they exist. Table 17-7 describes a few of the micro-engines.

Table 17-7 Micro-Engines (Groupings of Signatures) [the table is rendered as an image in the original and its contents are not reproduced here]

Note that this is only a subset of the micro-engines and is presented here to introduce the concept.
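To make the architecture described above concrete, here is an added illustrative model (not Cisco code, and not the real micro-engine implementation) in which each micro-engine owns a group of signatures, a packet is handed only to the engine whose group matches it, every enabled signature in that group is checked, and operator tuning (enable/disable/retire) is applied through the owning engine. Engine names, signature IDs and patterns are constructed samples.

```python
import re
from dataclasses import dataclass

@dataclass
class Signature:
    sig_id: int
    engine: str            # micro-engine that owns this signature
    pattern: str           # regex the engine looks for in the payload
    enabled: bool = True
    retired: bool = False  # retired signatures are not loaded into the engine at all

class MicroEngine:
    def __init__(self, name, proto, ports):
        self.name, self.proto, self.ports = name, proto, set(ports)
        self._loaded = {}  # sig_id -> (Signature, compiled regex)
    def handles(self, packet):
        return packet["proto"] == self.proto and packet["dport"] in self.ports
    def load(self, sig):
        # The engine owns the compiled form; reloading it is the "behind the scenes" update.
        if sig.retired:
            self._loaded.pop(sig.sig_id, None)
        else:
            self._loaded[sig.sig_id] = (sig, re.compile(sig.pattern, re.I))
    def inspect(self, packet):
        # Every loaded, enabled signature in the group is compared against the packet.
        return sorted(sid for sid, (sig, rx) in self._loaded.items()
                      if sig.enabled and rx.search(packet["payload"]))

class Sensor:
    def __init__(self, engines, signatures):
        self.engines = {e.name: e for e in engines}
        self.signatures = {s.sig_id: s for s in signatures}
        for s in signatures:
            self.engines[s.engine].load(s)
    def tune(self, sig_id, **changes):
        # The operator edits the signature; its owning micro-engine applies the change.
        sig = self.signatures[sig_id]
        for key, value in changes.items():
            setattr(sig, key, value)
        self.engines[sig.engine].load(sig)
    def inspect(self, packet):
        # Only engines whose traffic group matches this packet are consulted.
        return [h for e in self.engines.values() if e.handles(packet) for h in e.inspect(packet)]

def build_sensor():
    # Constructed sample engines and signatures; IDs and patterns are not real Cisco ones.
    engines = [MicroEngine("web", "tcp", [80, 443]), MicroEngine("dns", "udp", [53])]
    sigs = [Signature(90001, "web", r"\.\./\.\./"),       # directory traversal in a URL
            Signature(90002, "web", r"<script"),           # script tag in a request
            Signature(90003, "dns", r"[a-z0-9]{40,}\.")]   # unusually long DNS label
    return Sensor(engines, sigs)
```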
