B-2
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Understanding Signature Engines
Cisco IPS contains the following signature engines:
AIC—Provides thorough analysis of web traffic. The AIC engine provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. You can also use AIC to inspect FTP traffic and control the commands being issued. There are two AIC engines: AIC FTP and AIC HTTP.

Atomic—The Atomic engines are combined into four engines with multi-level selections. You can combine Layer 3 and Layer 4 attributes within one signature, for example IP + TCP. The Atomic engine uses the standardized Regex support. The Atomic engines consist of the following types:
    Atomic ARP—Inspects the Layer 2 ARP protocol. The Atomic ARP engine is different because most engines are based on the Layer 3 IP protocol.
    Atomic IP Advanced—Inspects IPv6 Layer 3 and ICMPv6 Layer 4 traffic.
    Atomic IP—Inspects IP protocol packets and associated Layer 4 transport protocols. This engine lets you specify values to match for fields in the IP and Layer 4 headers, and lets you use Regex to inspect Layer 4 payloads.
    Note: All IP packets are inspected by the Atomic IP engine. This engine replaces the 4.x Atomic ICMP, Atomic IP Options, Atomic L3 IP, Atomic TCP, and Atomic UDP engines.
    Atomic IPv6—Detects two IOS vulnerabilities that are stimulated by malformed IPv6 traffic.

Fixed—Performs parallel regular expression matches up to a fixed depth, then stops inspection, using a single regular expression table. There are three Fixed engines: ICMP, TCP, and UDP.

Flood—Detects ICMP and UDP floods directed at hosts and networks. There are two Flood engines: Flood Host and Flood Net.

Meta—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.
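The following is an added illustration of the sliding-window idea behind a Meta-style engine; it is not Cisco's implementation or configuration syntax. The component signature IDs, the 60-second window, and the field names are assumptions chosen for the example, and the input is a constructed stream of alert events rather than packets.

```python
from collections import defaultdict, deque

# Assumed component-signature set: the meta event fires only when all three
# component events are seen from the same source inside the sliding window.
COMPONENTS = {1001, 1002, 1003}   # constructed IDs, not Cisco signature numbers
WINDOW_SECONDS = 60               # assumed sliding interval


class MetaCorrelator:
    """Correlate component alert events into one meta event per source."""

    def __init__(self, components, window):
        self.components = frozenset(components)
        self.window = window
        # per-source deque of (timestamp, sig_id), oldest first
        self.history = defaultdict(deque)

    def _expire(self, src, now):
        # drop events that have slid out of the window for this source
        q = self.history[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def feed(self, ts, sig_id, src):
        """Return a meta-event dict if sig_id completes the set, else None."""
        if sig_id not in self.components:
            return None          # unrelated alerts never enter the window
        q = self.history[src]
        q.append((ts, sig_id))
        self._expire(src, ts)
        if {s for _, s in q} == self.components:
            q.clear()            # reset so the meta event does not refire
            return {"meta": "components-correlated", "src": src, "at": ts}
        return None


def run_sample():
    """Constructed stream: host .5 completes the set within 60 s; host .9's
    first event has aged out of the window before its set is complete."""
    events = [
        (0, 1001, "10.0.0.5"),
        (10, 1002, "10.0.0.5"),
        (0, 1001, "10.0.0.9"),
        (30, 1003, "10.0.0.5"),   # completes the set for .5 -> meta event
        (50, 1002, "10.0.0.9"),
        (70, 1003, "10.0.0.9"),   # 1001 at t=0 expired (70 > 60): no event
    ]
    c = MetaCorrelator(COMPONENTS, WINDOW_SECONDS)
    return [m for m in (c.feed(*e) for e in events) if m]
```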
Multi String—Inspects Layer 4 transport protocols and payloads by matching several strings for one signature. This engine inspects stream-based TCP and single UDP and ICMP packets.

Normalizer—Configures how the IP and TCP Normalizer functions and provides configuration for signature events related to the IP and TCP Normalizer. It allows you to enforce RFC compliance.

Service—Deals with specific protocols. The Service engines are divided into the following protocol types:
    DNS—Inspects DNS (TCP and UDP) traffic.
    FTP—Inspects FTP traffic.
    FTP V2—Supports IOS IPS. This signature engine provides a protocol decode engine tuned for IOS IPS. If you try to use this engine, you receive an error message.
    Generic—Decodes custom service and payload, and generically analyzes network protocols.
    H225—Inspects VoIP traffic. Helps the network administrator make sure the SETUP message coming in to the VoIP network is valid and within the bounds that the policies describe. It also helps make sure the addresses and Q.931 string fields such as url-ids, email-ids, and display information adhere to specific lengths and do not contain possible attack patterns.
    HTTP—Inspects HTTP traffic. The WEBPORTS variable defines the inspection ports for HTTP traffic.