The IPS Rules policy can contain three type of signatures:
Host signatures
Host-based intrusion prevention signatures (HIPS) detect and prevent system operations activity attacks, and includes File, Registry, Service, and HTTP type rules. They are developed by the Host Intrusion Prevention security experts and are delivered with the product.
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature or disable a signature for agent groups.
When triggered, host-based signatures generate an IPS event that appears in the IPS Events tab.
Custom host signatures
Custom signatures are host-based signatures that you can create for additional protection to suit your needs. For example, when you create a new directory with important files, you can create a custom signature to protect it.
Network signatures
Network-based intrusion prevention signatures (NIPS) detect and prevent known network-based attacks that arrive on the host system.
Network-based signatures appear in the console in the same list of signatures as the host-based signatures. They have their own icon in the Type column and are designated as Network IPS in the Signature Properties General dialog box.
Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature or disable a signature.
Every network-based signature has an option to turn logging off, even if the signature is associated with a log or prevent reaction due to the effective policy. However, in case of a prevent reaction, the operation is prevented, even if no event is logged.
You can create exceptions for network-based signatures; however, you cannot specify any additional parameter attributes such as operating system user and process name. Advanced details contains network specific parameters, for example IP addresses, which you can specify.
Events generated by network-based signatures are displayed along with the host-based events in the IPS Events tab and exhibit the same behavior as host-based events.