8-37
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 8 Defining Signatures
Configuring Signatures
For More Information
For more information about the Normalizer engine, see Normalizer Engine, page B-37.
Configuring TCP Stream Reassembly Signatures
To configure TCP stream reassembly for a specific signature, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode.
sensor# configure terminal
sensor(config)# service signature-definition sig1
Step 3 Specify the TCP stream reassembly signature ID and subsignature ID.
sensor(config-sig)# signatures 1313 0
Step 4 Specify the engine.
sensor(config-sig-sig)# engine normalizer
Step 5 Enter edit default signatures submode.
sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only
Step 6 Enable and change the default setting (if desired) of the maximum MSS parameter for signature 1313.
sensor(config-sig-sig-nor-def)# specify-tcp-max-mss yes
sensor(config-sig-sig-nor-def-yes)# tcp-max-mss 1380
Note Changing this parameter from the default of 1460 to 1380 helps prevent fragmentation of traffic going through a VPN tunnel.
Step 7 Verify the settings.
sensor(config-sig-sig-nor-def-yes)# show settings
yes
-----------------------------------------------
tcp-max-mss: 1380 default: 1460
-----------------------------------------------
sensor(config-sig-sig-nor-def-yes)#
Step 8 Exit signature definition submode.
sensor(config-sig-sig-nor-def-yes)# exit
sensor(config-sig-sig-nor-def)# exit
20. Modify Packet Inline raises the MSS value to TCP Min MSS. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the packet.
21. Modify Packet Inline lowers the MSS value to TCP Max MSS. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the packet.
22. Modify Packet Inline has no effect on this signature. Deny Connection Inline drops the current packet and the TCP session. Deny Packet Inline drops the packet.
23. Modify Packet Inline, Deny Connection Inline, and Deny Packet Inline have no effect on this signature. By default, the 1330 signatures drop packets for which this signature sends alerts.
24. These subsignatures represent the reasons why the Normalizer might drop a TCP packet. By default these subsignatures drop packets. These subsignatures let you permit packets that fail the checks in the Normalizer through the IPS. The drop reasons have an entry in the TCP statistics. By default these subsignatures do not produce an alert.
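The following is an added illustration, not code from the Cisco guide or from the sensor itself. It shows what the tcp-max-mss setting configured in Step 6 and the inline actions described in notes 20 and 21 do at the packet level: parse the options of a TCP SYN, find the advertised MSS, and apply Modify Packet Inline (clamp the value to the configured bound), Deny Packet Inline (drop the packet) or Deny Connection Inline (drop the packet and the session). The sample SYN header, the port numbers, the 536 lower bound used in the demo and the function names are constructed assumptions for this example; the 1460 default and the 1380 VPN value come from the procedure above. The TCP checksum is deliberately not recomputed here, because the sensor handles that internally.

```python
import struct

# Values from the guide: the sensor default and the value set in Step 6.
TCP_MAX_MSS_DEFAULT = 1460
TCP_MAX_MSS_VPN = 1380

MSS_KIND = 2  # TCP option kind for Maximum Segment Size


def build_syn(mss, sport=40000, dport=80):
    """Constructed sample: a 28-byte TCP SYN header carrying an MSS option,
    two NOPs and SACK-permitted. Checksum is left at zero (sample only)."""
    data_offset_words = 7  # 20-byte base header + 8 bytes of options
    base = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       data_offset_words << 4, 0x02, 65535, 0, 0)
    opts = struct.pack("!BBH", MSS_KIND, 4, mss) + bytes([1, 1, 4, 2])
    return base + opts


def tcp_options(tcp_header):
    """Yield (kind, offset_of_value, value_bytes) for each TCP option.
    Raises ValueError on a truncated or malformed option list, which is
    exactly the kind of thing the Normalizer engine exists to catch."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:  # End of option list
            return
        if kind == 1:  # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option kind %d without length byte" % kind)
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        yield kind, i + 2, tcp_header[i + 2:i + length]
        i += length


def get_mss(tcp_header):
    """Return the MSS advertised in the header, or None if there is no MSS option."""
    for kind, _, value in tcp_options(tcp_header):
        if kind == MSS_KIND and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def normalize_mss(tcp_header, max_mss, action, min_mss=None):
    """Emulate the three inline event actions from notes 20 and 21.
    Returns (verdict, header). 'modify-packet-inline' rewrites the MSS
    option to the violated bound; the deny actions drop the packet or the
    whole session. The TCP checksum is not recomputed (assumption: the
    sensor does that itself)."""
    if action not in ("modify-packet-inline", "deny-packet-inline",
                      "deny-connection-inline"):
        raise ValueError("unknown action %r" % action)
    mss = get_mss(tcp_header)
    if mss is None:
        return "pass", tcp_header
    target = None
    if mss > max_mss:
        target = max_mss            # note 21: lower to TCP Max MSS
    elif min_mss is not None and mss < min_mss:
        target = min_mss            # note 20: raise to TCP Min MSS
    if target is None:
        return "pass", tcp_header
    if action == "deny-packet-inline":
        return "drop-packet", None
    if action == "deny-connection-inline":
        return "drop-connection", None
    fixed = bytearray(tcp_header)
    for kind, off, value in tcp_options(tcp_header):
        if kind == MSS_KIND and len(value) == 2:
            fixed[off:off + 2] = struct.pack("!H", target)
            break
    return "modified", bytes(fixed)


if __name__ == "__main__":
    syn = build_syn(TCP_MAX_MSS_DEFAULT)
    for act in ("modify-packet-inline", "deny-packet-inline", "deny-connection-inline"):
        verdict, out = normalize_mss(syn, TCP_MAX_MSS_VPN, act)
        print(act, "->", verdict, "mss now", get_mss(out) if out else "-")
```

Running the block shows the SYN advertising 1460 being rewritten to 1380 under Modify Packet Inline, while the two deny actions return a drop verdict and no packet; a SYN already at or below 1380 passes untouched, and a malformed option list raises an error rather than being silently forwarded.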