A-23
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
Web Server
The web server provides SDEE support, which enables the sensor to report security events, receive
IDIOM transactions, and serve IP logs. The web server supports HTTP 1.0 and 1.1. Communications
with the web server often include sensitive information, such as passwords, that would severely
compromise the security of the system if an attacker were able to eavesdrop. For this reason, sensors ship
with TLS enabled. The TLS protocol is an encryption protocol that is compatible with SSL.
Note: We deprecated the RDEP event server service in IPS 6.1 and deleted it from the IPS 7.0(1) system
architecture. The web server now uses the SDEE event server.
SensorApp
This section describes the SensorApp, and contains the following topics:
Understanding the SensorApp, page A-23
Inline, Normalization, and Event Risk Rating Features, page A-24
SensorApp New Features, page A-25
Packet Flow, page A-26
Signature Event Action Processor, page A-26
Understanding the SensorApp
The SensorApp performs packet capture and analysis. Policy violations are detected through signatures
in the SensorApp and the information about the violations is forwarded to the Event Store in the form of
an alert. Packets flow through a pipeline of processors fed by a producer designed to collect packets from
the network interfaces on the sensor. Event actions can be associated with an event risk rating threshold
that must be surpassed for the actions to take place. Some of the processors call inspectors to perform
signature analysis. All inspectors can call the alarm channel to produce alerts as needed.
The SensorApp supports the following processors:
Time Processor—This processor processes events stored in a time-slice calendar. Its primary task is
to make stale database entries expire and to calculate time-dependent statistics.
Deny Filters Processor—This processor handles the deny attacker functions. It maintains a list of
denied source IP addresses. Each entry in the list expires based on the global deny timer, which you
can configure in the virtual sensor configuration.
Signature Event Action Processor—This processor processes event actions. Event actions can be
associated with an event risk rating threshold that must be surpassed for the actions to take place. It
supports the following event actions:
Reset TCP flow
IP log
Deny packets
Deny flow
Deny attacker
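The Deny Filters Processor and the Signature Event Action Processor described above are easiest to understand as two small pieces of state machinery: a deny list whose entries expire on one global timer, and an action dispatcher that fires an event's actions only once the event risk rating surpasses the configured threshold. The following Python model is an added illustration written for this page; it is not Cisco code and does not reflect the sensor's real implementation. The timer value, the per-action thresholds (treated as inclusive), the action names and the sample events are constructed assumptions.

```python
"""Toy model of the Deny Filters Processor and Signature Event Action
Processor from Appendix A. Added illustration, not Cisco code; every
number and event below is a constructed assumption."""
from dataclasses import dataclass, field


@dataclass
class DenyFilters:
    """Denied source addresses; each entry expires on one global deny timer."""
    deny_timer: int                                   # seconds (assumed value)
    entries: dict = field(default_factory=dict)       # src ip -> expiry time

    def deny_attacker(self, ip: str, now: int) -> None:
        # A repeat hit from the same address re-arms its expiry.
        self.entries[ip] = now + self.deny_timer

    def expire(self, now: int) -> list:
        """The Time Processor's job in the text: drop stale entries."""
        stale = [ip for ip, until in self.entries.items() if until <= now]
        for ip in stale:
            del self.entries[ip]
        return stale

    def is_denied(self, ip: str, now: int) -> bool:
        until = self.entries.get(ip)
        return until is not None and now < until


@dataclass
class EventActionProcessor:
    """Runs a signature's actions only when the risk rating meets the threshold."""
    deny_filters: DenyFilters
    thresholds: dict     # action name -> minimum risk rating (assumed, inclusive)

    def process(self, event: dict, now: int) -> list:
        fired = []
        for action in event["actions"]:
            threshold = self.thresholds.get(action)
            if threshold is None or event["risk_rating"] < threshold:
                continue          # threshold not surpassed: action suppressed
            if action == "deny-attacker":
                self.deny_filters.deny_attacker(event["src"], now)
            fired.append(action)
        return fired


# Constructed per-action thresholds; a low-rated event may still be logged
# while the more disruptive deny actions need a high risk rating.
THRESHOLDS = {"deny-attacker": 90, "deny-flow": 75, "deny-packets": 75,
              "reset-tcp": 50, "ip-log": 0}

# Constructed sample alerts as the alarm channel might hand them over.
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "risk_rating": 95,
     "actions": ["deny-attacker", "reset-tcp", "ip-log"]},
    {"src": "192.0.2.20", "risk_rating": 60,
     "actions": ["deny-attacker", "ip-log"]},
]


def run_sample() -> dict:
    """Drive both processors over the sample events with a 3600 s deny timer."""
    deny = DenyFilters(deny_timer=3600)
    seap = EventActionProcessor(deny, THRESHOLDS)
    fired = [seap.process(SAMPLE_EVENTS[0], now=0),
             seap.process(SAMPLE_EVENTS[1], now=10)]
    denied_before = [deny.is_denied(e["src"], now=100) for e in SAMPLE_EVENTS]
    expired = deny.expire(now=3600)
    denied_after = deny.is_denied(SAMPLE_EVENTS[0]["src"], now=3600)
    return {"fired": fired, "denied_before": denied_before,
            "expired": expired, "denied_after": denied_after}


if __name__ == "__main__":
    print(run_sample())
```

The point the model makes is the one the appendix states: the deny list is keyed on source address and its entries are time-limited by a single global timer, so a denied attacker is released automatically rather than by an operator, and the same signature can carry several actions of which only those whose threshold the risk rating surpasses actually run.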