Cisco Systems IPS 7.1 Home Security System User Manual


  Open as PDF
of 1042
 
8-29
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Configuring Signatures
For More Information
For more information about the Normalizer engine, see Normalizer Engine, page B-37.
Table 8-5 IP Fragment Reassembly Signatures (continued)

| Signature ID and Name | Description | Parameter With Default Value and Range | Default Action |
|---|---|---|---|
| 1204 IP Fragment Missing Initial Fragment (note 6) | Fires when the datagram is incomplete and missing the initial fragment. | None | Deny Packet Inline, Produce Alert |
| 1205 IP Fragment Too Many Datagrams (note 7) | Fires when the total number of partial datagrams in the system exceeds the threshold set by Max Partial Datagrams. | Specify Max Partial Datagrams 1000 (0-10000) | Deny Packet Inline, Produce Alert |
| 1206 IP Fragment Too Small (note 9) | Fires when there are more than Max Small Frags of a size less than Min Fragment Size in one datagram. (note 8) | Specify Max Small Frags 2 (1-8); Specify Min Fragment Size 400 bytes (8-1500) | Deny Packet Inline, Produce Alert |
| 1207 IP Fragment Too Many Fragments in a Datagram (note 6) | Fires when there are more than Max Fragments per Datagram in one datagram. | Specify Max Fragments per Datagram 170 (0-8192) | Deny Packet Inline, Produce Alert |
| 1208 IP Fragment Incomplete Datagram (note 6) | Fires when all of the fragments for a datagram have not arrived during the Fragment Reassembly Timeout. (note 10) | Specify Fragment Reassembly Timeout 60 seconds (0-360) | Deny Packet Inline, Produce Alert |
| 1225 Fragment Flags Invalid (note 11) | Fires when a bad combination of fragment flags is detected. | None | |

Notes to Table 8-5:

1. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packets and all associated fragments for this datagram. If you disable this signature, the default values are still used and packets are dropped (inline mode) or not analyzed (promiscuous mode), and no alert is sent.
2. This signature does not fire when the datagram is an exact duplicate. Exact duplicates are dropped in inline mode regardless of the settings. Modify Packet Inline removes the overlapped data from all but one fragment so there is no ambiguity about how the endpoint treats the datagram. Deny Connection Inline has no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.
3. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram. Regardless of the actions set, the datagram is not processed by the IPS if the datagram is larger than the Max Datagram size.
4. This is a very unusual event.
5. Modify Packet Inline removes the overlapped data from all but one fragment so there is no ambiguity about how the endpoint treats the datagram. Deny Connection Inline has no effect on this signature. Deny Packet Inline drops the packets and all associated fragments for this datagram.
6. IPS does not inspect a datagram missing the first fragments regardless of the settings. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.
7. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.
8. IPS does not inspect the datagram if this signature is on and the number of small fragments is exceeded.
9. Modify Packet Inline and Deny Connection Inline have no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.
10. The timer starts when the first packet for the datagram arrives.
11. Modify Packet Inline modifies the flags to a valid combination. Deny Connection Inline has no effect on this signature. Deny Packet Inline drops the packet and all associated fragments for this datagram.
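The six checks in Table 8-5, modelled as an added Python example. This is not Cisco's Normalizer engine code and is not taken from this guide; it is a small reassembly tracker that applies the table's thresholds (its defaults are the table's defaults) to a constructed fragment stream and reports which signature would fire for which datagram. Two definitions the table leaves open are assumptions made here: a "bad combination of fragment flags" (1225) is taken to be DF set on a packet that is itself a fragment, and the final (MF=0) fragment is not counted as a small fragment for 1206. The packets in `demo()` are constructed, not captured, and `demo()` lowers Max Partial Datagrams from 1000 to 5 so that 1205 can be reached with a handful of packets.

```python
from collections import namedtuple

# One IP fragment: offset in bytes (header field * 8), mf/df are the More
# Fragments and Don't Fragment flags, length is payload bytes, ts is seconds.
Fragment = namedtuple("Fragment", "src dst ip_id proto offset mf df length ts")


class Partial:
    """Reassembly state for one datagram; note 10: timer starts on first packet."""
    def __init__(self, ts):
        self.first_seen, self.frags, self.fired = ts, [], set()


class FragmentTracker:
    """Applies the Table 8-5 checks; alerts are (signature_id, datagram_key).
    Defaults are the table's defaults. Added illustration, not Cisco's code."""

    def __init__(self, max_partial=1000,   # 1205  Max Partial Datagrams (0-10000)
                 max_small=2,              # 1206  Max Small Frags (1-8)
                 min_size=400,             # 1206  Min Fragment Size, bytes (8-1500)
                 max_frags=170,            # 1207  Max Fragments per Datagram (0-8192)
                 timeout=60):              # 1208  Fragment Reassembly Timeout, s (0-360)
        self.max_partial, self.max_small, self.min_size = max_partial, max_small, min_size
        self.max_frags, self.timeout = max_frags, timeout
        self.table = {}    # (src, dst, ip_id, proto) -> Partial
        self.alerts = []

    def fire(self, sig, key, part=None):
        if part is not None:             # one alert per signature per datagram
            if sig in part.fired:
                return
            part.fired.add(sig)
        self.alerts.append((sig, key))

    def observe(self, f):
        key = (f.src, f.dst, f.ip_id, f.proto)
        # 1225: DF on a packet that is itself a fragment is taken as a bad flag
        # combination (assumed definition; the guide does not enumerate them).
        if f.df and (f.mf or f.offset > 0):
            self.fire(1225, key)
        if not f.mf and f.offset == 0:
            return                       # unfragmented, nothing to reassemble
        self.expire(f.ts)
        part = self.table.get(key)
        if part is None:
            part = self.table[key] = Partial(f.ts)
            if len(self.table) > self.max_partial:
                self.fire(1205, key, part)
        if any((g.offset, g.length) == (f.offset, f.length) for g in part.frags):
            return                       # exact duplicate: dropped silently (note 2)
        part.frags.append(f)
        if len(part.frags) > self.max_frags:
            self.fire(1207, key, part)
        # 1206: the final (MF=0) fragment is legitimately short, so only
        # non-final fragments count as small (assumption).
        if sum(1 for g in part.frags if g.mf and g.length < self.min_size) > self.max_small:
            self.fire(1206, key, part)
        if self.is_complete(part.frags):
            del self.table[key]          # reassembled, hand off for inspection

    @staticmethod
    def is_complete(frags):
        """True when an offset-0 fragment, a last (MF=0) fragment and no holes exist."""
        ordered = sorted(frags, key=lambda g: g.offset)
        if ordered[0].offset != 0 or ordered[-1].mf:
            return False
        end = 0
        for g in ordered:
            if g.offset > end:
                return False             # hole between fragments
            end = max(end, g.offset + g.length)
        return True

    def expire(self, now):
        """Sweep datagrams older than the timeout: 1204 if the initial fragment
        never arrived, otherwise 1208."""
        for key, part in list(self.table.items()):
            if now - part.first_seen >= self.timeout:
                missing_first = not any(g.offset == 0 for g in part.frags)
                self.fire(1204 if missing_first else 1208, key, part)
                del self.table[key]


def demo():
    """Constructed fragment stream (not captured traffic); Max Partial Datagrams
    is lowered to 5 so the 1205 case is reachable in a few packets."""
    t = FragmentTracker(max_partial=5)

    def frag(ip_id, off, ln, mf, ts, df=False):
        return Fragment("10.0.0.1", "10.0.0.2", ip_id, 17, off, mf, df, ln, ts)

    for f in (frag(1, 0, 1480, True, 1), frag(1, 1480, 1480, True, 2),
              frag(1, 2960, 100, False, 3)):
        t.observe(f)                     # id 1: ordinary datagram, no alert
    for i, mf in enumerate((True, True, True, False)):
        t.observe(frag(2, i * 8, 8, mf, 10))   # id 2: 8-byte fragments -> 1206
    t.observe(frag(3, 1480, 1480, True, 20))  # id 3: no initial fragment -> 1204
    t.observe(frag(3, 2960, 100, False, 20))  #       once the timeout has passed
    t.observe(frag(4, 0, 1480, True, 30, df=True))  # id 4: DF on a fragment -> 1225
    t.observe(frag(4, 1480, 100, False, 30))
    for i in range(171):                      # id 5: 171 fragments -> 1207
        t.observe(frag(5, i * 1000, 1000, True, 100))  # (t=100 also expires id 3)
    for ip_id in range(100, 105):             # ids 100-104: table flood -> 1205
        t.observe(frag(ip_id, 0, 1480, True, 101))
    return t.alerts
```

Running `demo()` yields one alert per case in arrival order: 1206 for id 2, 1225 for id 4, 1204 for id 3 (raised at the first packet after its 60-second timeout, because the tracker can only tell "initial fragment missing" from "still in flight" once the reassembly timer expires), 1207 for id 5, and 1205 for id 104. Because Deny Packet Inline on these signatures drops every fragment of the datagram (notes 6, 7, 9 and 11), a tracker like this would key its drop decision on the same `(src, dst, ip_id, proto)` tuple used here, not on the single offending packet.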