B-70
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Appendix B Signature Engines
Sweep Engines
Table B-37 Sweep Engine Parameters (continued)

| Parameter | Description | Value |
| --- | --- | --- |
| storage-key | Specifies the type of address key used to store persistent data: attacker address; attacker and victim addresses; attacker address and victim port | Axxx; AxBx; Axxb |
| suppress-reverse | Does not fire when a sweep has fired in the reverse direction on this address set. | true \| false |
| swap-attacker-victim | Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken. | true \| false (default) |
| tcp-flags | Specifies the TCP flags to match when masked by mask: URG bit; ACK bit; PSH bit; RST bit; SYN bit; FIN bit | urg; ack; psh; rst; syn; fin |
| unique | Specifies the threshold number of unique port connections between the two hosts. | 0 to 65535 |

For More Information

For more information on the parameters common to all signature engines, see Master Engine, page B-4.

Sweep Other TCP Engine

The Sweep Other TCP engine analyzes traffic between two hosts, looking for abnormal packets typically used to fingerprint a victim. You can tune the existing signatures or create custom signatures.

TCP sweeps must have a TCP flag and mask specified. You can specify multiple entries in the set of TCP flags, and you can specify an optional port range to filter out certain packets.
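
The following is an added example, not Cisco code and not the sensor's implementation: a simplified Python model of how the tcp-flags, mask, storage-key, and unique parameters combine to flag a sweep. The function names, packet layout, and sample traffic are constructed; it assumes the signature fires once the unique-port count reaches the unique value, and it models only the Axxx and AxBx storage keys.

```python
from collections import defaultdict

# TCP header flag bit values.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}

def to_bits(names):
    """Turn flag names such as ["syn", "ack"] into a bit field."""
    bits = 0
    for name in names:
        bits |= FLAG_BITS[name]
    return bits

def storage_key(key_type, pkt):
    """Derive the key under which per-sweep state is stored."""
    if key_type == "Axxx":   # attacker address only
        return (pkt["src"],)
    if key_type == "AxBx":   # attacker and victim addresses
        return (pkt["src"], pkt["dst"])
    raise ValueError(f"storage-key {key_type!r} is not modelled here")

def detect_sweeps(packets, tcp_flags, mask, unique, key_type="AxBx"):
    """Return keys whose count of unique destination ports reaches `unique`.

    Assumption: the signature fires at count >= unique.
    """
    want, care = to_bits(tcp_flags), to_bits(mask)
    ports, fired = defaultdict(set), []
    for pkt in packets:
        # Only the bits selected by the mask are compared with tcp-flags.
        if (to_bits(pkt["flags"]) & care) != want:
            continue
        key = storage_key(key_type, pkt)
        ports[key].add(pkt["dport"])
        if len(ports[key]) >= unique and key not in fired:
            fired.append(key)
    return fired

def sample_packets():
    """Constructed traffic using documentation address ranges."""
    def mk(src, dst, dports, flags):
        return [{"src": src, "dst": dst, "dport": p, "flags": flags}
                for p in dports]
    scan = mk("192.0.2.10", "198.51.100.5", (21, 22, 23, 25, 80), ["syn"])
    replies = mk("192.0.2.30", "198.51.100.9", range(1000, 1005),
                 ["syn", "ack"])
    spread = (mk("192.0.2.40", "198.51.100.5", (1, 2, 3), ["syn"])
              + mk("192.0.2.40", "198.51.100.6", (4, 5), ["syn"]))
    return scan + replies + spread
```

With tcp-flags `syn` and mask `syn, ack`, SYN+ACK replies are excluded; narrowing the mask to `syn` alone makes them count toward the threshold. Switching the key from AxBx to Axxx also catches a source that spreads its ports across several victims.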