Support User Manuals

Cisco Systems IPS 7.1 Home Security System User Manual

Open as PDF

of 1042

A-26

Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1

OL-19892-01

Appendix A System Architecture

SensorApp

• Clear Flow state—Lets you clear the database, which causes the sensor to start fresh just as in a

restart.

• Restart status—Reports periodically the current start and restart stages of the sensor.

Packet Flow

Packets are received by the NIC and placed in the kernel user-mapped memory space by the IPS-shared

driver. The packet is prepended by the IPS header. Each packet also has a field that indicates whether to

pass or deny the packet when it reaches Signature Event Action Processor.

The producer pulls packets from the shared-kernel user-mapped packet buffer and calls the process

function that implements the processor appropriate to the sensor model. The following orders occur:

• Single processor execution

Time Processor --> Layer 2 Processor --> Deny Filters Processor --> Fragment Reassembly

Processor --> Statistics Processor --> Database Processor --> Signature Analysis Processor -->

Stream Reassembly Processor --> Signature Event Action Processor

• Dual processor execution

Execution Thread 1 Time Processor --> Layer 2 Processor --> Deny Filters Processor --> Fragment

Reassembly Processor --> Statistics Processor --> Database Processor --> Signature Analysis

Processor --> Slave Dispatch Processor --> | Execution Thread 2 Database Processor --> Stream

Reassembly Processor --> Signature Event Action Processor

Signature Event Action Processor

The Signature Event Action Processor coordinates the data flow from the signature event in the Alarm

Channel to processing through the Signature Event Action Override, the Signature Event Action Filter,

and the Signature Event Action Handler. It consists of the following components:

• Alarm Channel—The unit that represents the area to communicate signature events from the

SensorApp inspection path to signature event handling.

• Signature Event Action Override—Adds actions based on the risk rating value. Signature Event

Action Override applies to all signatures that fall in the range of the configured risk rating threshold.

Each Signature Event Action Override is independent and has a separate configuration value for

each action type.

• Signature Event Action Filter—Subtracts actions based on the signature ID, addresses, and risk

rating of the signature event. The input to the Signature Event Action Filter is the signature event

with actions possibly added by the Signature Event Action Override.

Note The Signature Event Action Filter can only subtract actions, it cannot add new actions.

The following parameters apply to the Signature Event Action Filter:

–

Signature ID

–

Subsignature ID

–

Attacker address

–

Attacker port

–

Victim address

previous next