Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Atomic Engine
For More Information
For the procedures for configuring AIC engine signatures, see Configuring AIC Signatures, page 8-17.
For an example of a custom AIC signature, see Creating an AIC Signature, page 8-26.
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Atomic Engine
The Atomic engine contains signatures for simple, single-packet conditions that cause alerts to be fired.
This section describes the Atomic engine and contains the following topics:
Atomic ARP Engine, page B-14
Atomic IP Advanced Engine, page B-15
Atomic IP Engine, page B-25
Atomic IPv6 Engine, page B-29
Atomic ARP Engine
The Atomic ARP engine defines basic Layer 2 ARP signatures and provides more advanced detection
of the ARP spoof tools dsniff and ettercap. Table B-7 lists the parameters that are specific to the Atomic
ARP engine.
Table B-7 Atomic ARP Engine Parameters
| Parameter | Description | Value |
|---|---|---|
| specify-arp-operation {yes \| no} | (Optional) Enables ARP operation: arp-operation—Specifies the type of ARP operation to inspect. | 0 to 65535 |
| specify-mac-flip {yes \| no} | (Optional) Enables MAC address flip times: mac-flip—Specifies how many times to flip the MAC address in the alert. | 0 to 65535 |
| specify-request-inbalance {yes \| no} | (Optional) Enables request inbalance: request-inbalance—Specifies the value for firing an alert when there are this many more requests than replies on the IP address. | 0 to 65535 |
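
The three Table B-7 thresholds can be modeled as per-IP counters over observed ARP packets. The following Python sketch is an added example, not Cisco's sensor code: the class name, the counting rules (a flip is a change of the MAC announced for an IP; imbalance is requests targeting an IP minus replies sent from it) and the sample packets are assumptions made for illustration.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes (RFC 826)

class AtomicArpSketch:
    """Hypothetical model of the Table B-7 thresholds; None means disabled."""
    def __init__(self, arp_operation=None, mac_flip=None, request_inbalance=None):
        self.arp_operation = arp_operation
        self.mac_flip = mac_flip
        self.request_inbalance = request_inbalance
        self.last_mac = {}               # IP -> last MAC announced for it
        self.flips = defaultdict(int)    # IP -> MAC changes seen so far
        self.pending = defaultdict(int)  # IP -> requests minus replies

    def observe(self, op, sender_ip, sender_mac, target_ip):
        """Process one ARP packet; return the alerts it triggers."""
        alerts = []
        if self.arp_operation is not None and op == self.arp_operation:
            alerts.append(("arp-operation", sender_ip))
        if self.mac_flip is not None:  # same IP announced with a new MAC
            previous = self.last_mac.get(sender_ip)
            if previous is not None and previous != sender_mac:
                self.flips[sender_ip] += 1
                if self.flips[sender_ip] >= self.mac_flip:
                    alerts.append(("mac-flip", sender_ip))
                    self.flips[sender_ip] = 0  # re-arm after alerting
            self.last_mac[sender_ip] = sender_mac
        if self.request_inbalance is not None:  # unanswered requests per IP
            if op == ARP_REQUEST:
                self.pending[target_ip] += 1
                if self.pending[target_ip] >= self.request_inbalance:
                    alerts.append(("request-inbalance", target_ip))
                    self.pending[target_ip] = 0  # re-arm after alerting
            elif op == ARP_REPLY:
                self.pending[sender_ip] -= 1
        return alerts

# Constructed sample traffic: (opcode, sender IP, sender MAC, target IP)
SAMPLE = [
    (ARP_REQUEST, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    (ARP_REPLY,   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    (ARP_REPLY,   "10.0.0.1", "bb:bb:bb:bb:bb:66", "10.0.0.5"),  # MAC changes
    (ARP_REPLY,   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),  # changes back
    (ARP_REQUEST, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.9"),
    (ARP_REQUEST, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.9"),  # no reply
]

def run_sample(**params):
    monitor = AtomicArpSketch(**params)
    return [alert for pkt in SAMPLE for alert in monitor.observe(*pkt)]
```

Calling `run_sample(mac_flip=2, request_inbalance=2)` shows how lowering either value makes the corresponding alert fire earlier on the same traffic.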