8-32
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Configuring Signatures
sensor from creating alerts where a valid TCP session has not been established. There are known attacks
against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The
TCP session reassembly feature helps to mitigate these types of attacks against the sensor.
You configure TCP stream reassembly parameters per signature. You can configure the mode for TCP
stream reassembly.
TCP Stream Reassembly Signatures and Configurable Parameters
Table 8-6 lists TCP stream reassembly signatures with the parameters that you can configure for TCP
stream reassembly. TCP stream reassembly signatures are part of the Normalizer engine.
Table 8-6 TCP Stream Reassembly Signatures

Bracketed numbers are the table's footnote markers.

Signature ID and Name | Description | Parameter With Default Value and Range | Default Actions

1301 TCP Session Inactivity Timeout [1] | Fires when a TCP session has been idle for TCP Idle Timeout seconds. | TCP Idle Timeout 3600 (15-3600) | [2]

1302 TCP Session Embryonic Timeout [3] | Fires when a TCP session has not completed the three-way handshake in TCP Embryonic Timeout seconds. | TCP Embryonic Timeout 15 (3-300) | [4]

1303 TCP Session Closing Timeout [5] | Fires when a TCP session has not closed completely in TCP Closed Timeout seconds after the first FIN. | TCP Closed Timeout 5 (1-60) | [6]

1304 TCP Session Packet Queue Overflow | This signature sets the internal TCP Max Queue size value for the Normalizer engine. As a result, it does not function in promiscuous mode. By default this signature does not fire an alert; if a custom alert event is associated with this signature and the queue size is exceeded, an alert fires. Note: The IPS signature team discourages modifying this value. | TCP Max Queue 32 (0-128); TCP Idle Timeout 3600 | [7]

1305 TCP Urg Flag Set [8] | Fires when the TCP urgent flag is seen. | TCP Idle Timeout 3600 | Modify Packet Inline [9]
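The following is an added illustration, not Cisco's code and not the sensor's implementation: a small Python model of a TCP stream tracker that applies the four Table 8-6 parameters (defaults and ranges copied from the table) to a constructed packet trace and reports which signature each timer would fire. It also shows the anti-replay point made above: data packets that never completed a handshake create no session state and produce no alert. The addresses, the trace, the shortened idle and queue values, and the treatment of Modify Packet Inline as clearing the URG flag are all assumptions made for the demo.

```python
"""Toy model of TCP stream reassembly timers (signatures 1301-1305).
Added illustration, not Cisco's code: replays a constructed packet trace
and records which Table 8-6 signature each timer would fire."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults and ranges copied from Table 8-6 (seconds, except max_queue).
DEFAULTS = {"idle": 3600, "embryonic": 15, "closed": 5, "max_queue": 32}
RANGES = {"idle": (15, 3600), "embryonic": (3, 300), "closed": (1, 60),
          "max_queue": (0, 128)}


def in_range(name: str, value: int) -> bool:
    lo, hi = RANGES[name]
    return lo <= value <= hi


@dataclass
class Packet:
    ts: float           # arrival time, seconds
    src: str            # "ip:port"
    dst: str
    flags: str          # subset of "SAFRU"
    seq: int = 0
    length: int = 0     # payload bytes


@dataclass
class Session:
    state: str          # "syn" -> "synack" -> "established" -> "closing"
    start: float
    last: float
    first_fin: Optional[float] = None
    next_seq: Dict[str, int] = field(default_factory=dict)               # per sender
    ooo: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)  # out-of-order queue


class StreamTracker:
    def __init__(self, inline: bool = True, **params: int):
        self.p = dict(DEFAULTS)
        for name, value in params.items():
            if not in_range(name, value):
                raise ValueError(f"{name}={value} outside {RANGES[name]}")
            self.p[name] = value
        self.inline = inline
        self.sessions: Dict[Tuple[str, str], Session] = {}
        self.alerts: List[Tuple[int, Tuple[str, str]]] = []   # (signature id, flow)

    @staticmethod
    def key(pkt: Packet) -> Tuple[str, str]:
        return tuple(sorted((pkt.src, pkt.dst)))

    def expire(self, now: float) -> None:
        """Apply the three timers to every tracked flow as the clock advances."""
        for k, s in list(self.sessions.items()):
            if s.state in ("syn", "synack") and now - s.start > self.p["embryonic"]:
                sig = 1302                       # handshake never completed
            elif s.state == "closing" and now - s.first_fin > self.p["closed"]:
                sig = 1303                       # no complete close after first FIN
            elif s.state == "established" and now - s.last > self.p["idle"]:
                sig = 1301                       # established flow went quiet
            else:
                continue
            self.alerts.append((sig, k))
            del self.sessions[k]

    def process(self, pkt: Packet) -> Packet:
        """Track one packet and return what an inline sensor would forward."""
        self.expire(pkt.ts)
        k = self.key(pkt)
        s = self.sessions.get(k)
        if s is None:
            # Only a bare SYN creates state: replayed pieces of an attack with no
            # handshake are ignored, so they cannot be used to provoke alerts.
            if pkt.flags == "S":
                self.sessions[k] = Session("syn", pkt.ts, pkt.ts,
                                           next_seq={pkt.src: pkt.seq + 1})
            return pkt
        s.last = pkt.ts
        if s.state == "syn" and pkt.flags == "SA":
            s.state, s.next_seq[pkt.src] = "synack", pkt.seq + 1
        elif s.state == "synack" and "A" in pkt.flags and "S" not in pkt.flags:
            s.state = "established"
        if s.state not in ("established", "closing"):
            return pkt
        if "U" in pkt.flags:
            self.alerts.append((1305, k))
            if self.inline:   # Modify Packet Inline, modelled as clearing URG (assumption)
                pkt = Packet(pkt.ts, pkt.src, pkt.dst, pkt.flags.replace("U", ""),
                             pkt.seq, pkt.length)
        if "F" in pkt.flags and s.first_fin is None:
            s.state, s.first_fin = "closing", pkt.ts
        self._reassemble(k, s, pkt)
        return pkt

    def _reassemble(self, k: Tuple[str, str], s: Session, pkt: Packet) -> None:
        # Queue overflow (1304) exists only inline; the table notes it is silent
        # by default unless a custom alert is attached to the signature.
        if not self.inline or pkt.length == 0:
            return
        expected = s.next_seq.get(pkt.src, pkt.seq)
        queue = s.ooo.setdefault(pkt.src, [])
        if pkt.seq == expected:
            expected += pkt.length
            for seg in sorted(queue):            # drain segments that became contiguous
                if seg[0] == expected:
                    queue.remove(seg)
                    expected += seg[1]
        elif pkt.seq > expected:
            queue.append((pkt.seq, pkt.length))
            if len(queue) > self.p["max_queue"]:
                self.alerts.append((1304, k))
                queue.clear()
        s.next_seq[pkt.src] = expected


def demo() -> Tuple[List[Tuple[int, Tuple[str, str]]], str]:
    """Constructed trace; idle and max_queue are shrunk so the run stays short
    (the signature team discourages changing max_queue on a real sensor)."""
    t = StreamTracker(idle=60, max_queue=2)
    srv = "10.0.0.9:80"
    a, b, c, d = ("10.0.0.%d:%d" % (5 + i, 40000 + i) for i in range(4))
    trace = [
        Packet(0.0, a, srv, "S", 100), Packet(0.1, srv, a, "SA", 500),
        Packet(0.2, a, srv, "A", 101),            # flow a: complete handshake
        Packet(1.0, b, srv, "S", 1),              # flow b: SYN only -> 1302
        Packet(2.0, c, srv, "A", 9999, 100),      # flow c: data, no handshake -> ignored
        Packet(3.0, a, srv, "AU", 101, 10),       # URG on established flow -> 1305
        Packet(4.0, a, srv, "A", 500, 10), Packet(4.0, a, srv, "A", 600, 10),
        Packet(4.0, a, srv, "A", 700, 10),        # three out-of-order segments -> 1304
        Packet(10.0, d, srv, "S", 100), Packet(10.1, srv, d, "SA", 500),
        Packet(10.2, d, srv, "A", 101),           # flow d: complete handshake
        Packet(11.0, d, srv, "FA", 101),          # first FIN, then silence -> 1303
    ]
    forwarded = [t.process(p) for p in trace]
    t.expire(100.0)                               # clock runs past every timer: a -> 1301
    return t.alerts, forwarded[5].flags


if __name__ == "__main__":
    for sig, flow in demo()[0]:
        print(sig, flow)
```

Running `demo()` yields 1305 and 1304 on flow a while the trace is replayed, then, when the clock passes every timer, 1301 for the idle flow a, 1302 for the half-open flow b, and 1303 for flow d, which sent a FIN and never finished closing; flow c never appears because it had no handshake. The forwarded copy of the URG packet has the flag cleared, standing in for the Modify Packet Inline action.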