Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 6 Configuring Virtual Sensors
The following inline TCP session tracking modes apply:
• Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
• VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair), regardless of the interface, belong to the same session. Packets with the same key but on different VLANs are tracked separately.
• Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best option to choose.
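The three modes differ only in how the session key is scoped. The following Python model, added here as an illustration and not part of the Cisco guide or the IPS software, treats the session key (AaBb) as the TCP 4-tuple, normalised so that both directions of a connection share one key, and then scopes it per mode. The interface names, VLAN IDs, and addresses in the sample packets are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# The three modes named in the guide. The "session key (AaBb)" is read
# here as the TCP 4-tuple: address A, port a, address B, port b.
MODES = ("interface-and-vlan", "vlan-only", "virtual-sensor")


def session_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple:
    """Order the two endpoints so both directions of one connection share a key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def tracking_key(pkt: dict, mode: str) -> Tuple:
    """Scope the session key the way each tracking mode does."""
    key = session_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if mode == "interface-and-vlan":
        return (pkt["iface"], pkt["vlan"], key)
    if mode == "vlan-only":
        return (pkt["vlan"], key)
    if mode == "virtual-sensor":
        return (key,)
    raise ValueError(f"unknown tracking mode: {mode}")


def group_sessions(packets: List[dict], mode: str) -> Dict[Tuple, List[int]]:
    """Map each scoped key to the indexes of the packets tracked under it."""
    sessions: Dict[Tuple, List[int]] = defaultdict(list)
    for i, pkt in enumerate(packets):
        sessions[tracking_key(pkt, mode)].append(i)
    return dict(sessions)


# Constructed sample: the same client/server 4-tuple seen in four places.
# Interface names ("pair0", "pair1") and VLAN IDs are illustrative only.
PACKETS = [
    dict(iface="pair0", vlan=10, src="10.1.1.5", sport=40001, dst="192.0.2.10", dport=80),
    dict(iface="pair0", vlan=10, src="192.0.2.10", sport=80, dst="10.1.1.5", dport=40001),  # reply direction
    dict(iface="pair1", vlan=10, src="10.1.1.5", sport=40001, dst="192.0.2.10", dport=80),  # other interface
    dict(iface="pair0", vlan=20, src="10.1.1.5", sport=40001, dst="192.0.2.10", dport=80),  # other VLAN
]


def session_counts() -> Dict[str, int]:
    """Number of distinct sessions the sample is split into under each mode."""
    return {mode: len(group_sessions(PACKETS, mode)) for mode in MODES}


if __name__ == "__main__":
    for mode in MODES:
        print(mode, group_sessions(PACKETS, mode))
```

Running the sample shows why the guide prefers the Virtual Sensor mode: it folds all four packets into one session, VLAN Only splits off the VLAN 20 packet, and Interface and VLAN additionally separates the packet seen on the other interface, so a stream whose packets cross more than one interface or VLAN is inspected as several partial sessions.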
Normalization and Inline TCP Evasion Protection Mode
Note For the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP),
normalization is performed by the adaptive security appliance and not the IPS.
Normalization applies only when the sensor is operating in inline mode. The default is strict evasion protection, which is full enforcement of TCP state and sequence tracking. The Normalizer checks for duplicate packets, modified packets, out-of-order packets, and similar anomalies, which helps prevent attackers from evading the IPS.
Asymmetric mode disables most of the Normalizer checks. Use asymmetric mode only when the sensor cannot inspect the entire stream (asymmetric traffic, where only one direction of a flow passes through the sensor), because with the checks disabled, attackers can evade the IPS.
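The evasion that strict mode closes off is a mismatch between what the sensor inspects and what the end host reconstructs. The following Python model, added here as an illustration and not the Cisco Normalizer's code, forwards a constructed set of segments (one out of order, one exact duplicate, one retransmitted with different content) under a strict mode that enforces sequence consistency and an asymmetric mode that passes everything, then shows what a first-wins and a last-wins host would each reconstruct. The verdict names and the sequence numbers are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # absolute TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments: List[Segment], isn: int, overlap: str = "first") -> bytes:
    """Model of a receiving host: place segments into a buffer, letting either the
    first or the last copy win where segments overlap; return the gap-free prefix."""
    buf: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            off = seg.seq - isn + i
            if overlap == "last" or off not in buf:
                buf[off] = byte
    out = bytearray()
    while len(out) in buf:
        out.append(buf[len(out)])
    return bytes(out)


def normalize(segments: List[Segment], isn: int, mode: str = "strict") -> Tuple[List[Segment], List[str]]:
    """Return (segments forwarded toward the host, one verdict per input segment)."""
    if mode == "asymmetric":            # checks disabled: everything is forwarded as seen
        return list(segments), ["pass"] * len(segments)
    if mode != "strict":
        raise ValueError(f"unknown evasion protection mode: {mode}")

    forwarded: List[Segment] = []
    verdicts: List[str] = []
    accepted: Dict[int, int] = {}       # absolute seq -> byte already forwarded
    pending: Dict[int, Segment] = {}    # out-of-order segments held until they fit
    next_seq = isn

    def admit(seg: Segment) -> None:
        """Forward a segment that starts at next_seq, then release any held segments that now fit."""
        nonlocal next_seq
        while True:
            for i, byte in enumerate(seg.payload):
                accepted[seg.seq + i] = byte
            next_seq = seg.seq + len(seg.payload)
            forwarded.append(seg)
            if next_seq not in pending:
                break
            seg = pending.pop(next_seq)

    for seg in segments:
        if seg.seq == next_seq:
            admit(seg)
            verdicts.append("accept")
        elif seg.seq > next_seq:
            pending[seg.seq] = seg
            verdicts.append("out-of-order")
        else:
            # Retransmission: bytes that overlap already-forwarded data must be identical,
            # otherwise the host and the sensor could disagree about the stream content.
            overlap_ok = all(accepted.get(seg.seq + i) == byte
                             for i, byte in enumerate(seg.payload) if seg.seq + i < next_seq)
            if not overlap_ok:
                verdicts.append("modified-retransmit")      # dropped
            elif seg.seq + len(seg.payload) <= next_seq:
                verdicts.append("duplicate")                # dropped, nothing new in it
            else:
                admit(seg)                                  # consistent overlap plus new tail
                verdicts.append("accept")
    return forwarded, verdicts


ISN = 1000
# Constructed sample: a request whose middle segment is retransmitted with different
# content, delivered with one segment out of order and one exact duplicate.
SEGMENTS = [
    Segment(1000, b"GET "),
    Segment(1015, b" HTTP/1.0\r\n"),     # arrives before the bytes that precede it
    Segment(1004, b"/index.html"),
    Segment(1004, b"/etc/passwd"),       # same sequence number, different payload
    Segment(1000, b"GET "),              # exact duplicate
]


def host_views(mode: str) -> Dict[str, bytes]:
    """What a first-wins and a last-wins host reconstruct from what the sensor forwards."""
    forwarded, _ = normalize(SEGMENTS, ISN, mode)
    return {policy: reassemble(forwarded, ISN, policy) for policy in ("first", "last")}


def ambiguous(mode: str) -> bool:
    """True when hosts with different overlap policies would receive different data."""
    views = host_views(mode)
    return views["first"] != views["last"]


if __name__ == "__main__":
    for mode in ("strict", "asymmetric"):
        print(mode, normalize(SEGMENTS, ISN, mode)[1], host_views(mode))
```

In strict mode the modified retransmission and the duplicate are dropped, the out-of-order segment is released once the gap is filled, and every host reconstructs the same request. In asymmetric mode all five segments reach the host, and a host that prefers the later copy of overlapping data ends up with a request the sensor has no consistent view of, which is the evasion the guide warns about.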
HTTP Advanced Decoding
Note HTTP advanced decoding is supported in IPS 7.1(5)E4 and later.
HTTP advanced decoding facilitates analysis of encoded HTTP return web traffic by decoding it on the fly. Changes to HTTP advanced decoding take effect immediately and affect only new traffic flows.
The following restrictions apply when you enable HTTP advanced decoding:
• HTTP advanced decoding does not fire any new signatures, drop packets, or modify traffic; it allows existing signatures to match on content that was previously not detectable because of encodings.
• HTTP advanced decoding acts only on return web response traffic.
Caution Enabling HTTP advanced decoding severely impacts system performance.
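The restriction worth understanding is that the feature changes nothing about what fires; it only changes the bytes a signature is run over. The following Python example, added here as an illustration and not part of the Cisco guide or the IPS signature engine, builds a constructed HTTP response whose body is gzip-compressed and then chunked, and runs a hypothetical content signature over it with and without on-the-fly decoding. Which encodings the IPS feature actually decodes is not stated on this page; gzip and chunked transfer encoding are this example's assumption, and the signature pattern is invented for the demonstration.

```python
import gzip
import re

# Hypothetical content signature: the kind of pattern an existing signature
# would look for in a web response body.
SIGNATURE = re.compile(rb"<script>document\.location=")


def encode_chunked(body: bytes, chunk_size: int = 7) -> bytes:
    """Wrap a body in HTTP/1.1 chunked transfer encoding."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        chunk = body[i:i + chunk_size]
        out += f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_chunked(data: bytes) -> bytes:
    """Undo chunked transfer encoding (chunk extensions and trailers are ignored)."""
    body, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(body)
        body += data[pos:pos + size]
        pos += size + 2


def split_message(raw: bytes):
    """Separate an HTTP message into a lower-cased header dict and its raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers: dict, body: bytes) -> bytes:
    """On-the-fly decoding of the two encodings this example models."""
    if headers.get(b"transfer-encoding") == b"chunked":
        body = decode_chunked(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def signature_matches(raw: bytes, direction: str, advanced_decoding: bool) -> bool:
    """Run the signature over the body. Decoding is applied only to response
    traffic, and only when advanced decoding is enabled; the signature itself
    is unchanged either way."""
    headers, body = split_message(raw)
    if advanced_decoding and direction == "response":
        body = decode_body(headers, body)
    return SIGNATURE.search(body) is not None


# Constructed sample response: the page is gzip-compressed, then chunked.
PAGE = (b"<html><body><script>document.location='http://example.invalid/'"
        b"</script></body></html>")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
            + encode_chunked(gzip.compress(PAGE)))


if __name__ == "__main__":
    print("match on encoded body:", signature_matches(RESPONSE, "response", False))
    print("match after decoding: ", signature_matches(RESPONSE, "response", True))
```

The same signature misses on the encoded bytes and matches once the body is decoded, and the request direction is never decoded, mirroring the restriction that the feature acts only on return web response traffic. The decompression step is also where the performance cost noted in the Caution comes from: every response body has to be inflated before inspection.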