Filter
Top Products
B-15
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Atomic Engine
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Atomic IP Advanced Engine
The Atomic IP Advanced engine parses and interprets the IPv6 header and its extensions, the
IPv4 header and its options, ICMP, ICMPv6, TCP, and UDP, and seeks out anomalies that indicate
unusual activity.
Atomic IP Advanced engine signatures do the following:
• Inspect for anomalies in IP addresses, for example, spoofed addresses.
• Inspect for bad information in the length fields of the packet.
• Fire informational alerts about the packet.
• Fire higher severity alerts for the limited set of known vulnerabilities.
• Duplicate any IPv6-specific signatures in Engine Atomic IP that can also apply to IPv6.
• Provide default signatures for identifying tunneled traffic based on IP address, port, protocol, and
limited information from the packet data.
specify-type-of-arp-sig {yes
| no}
(Optional) Enables the ARP signature type:
• type-of-arp-sig—Specifies the type of ARP
signatures you want to fire on:
–
Destination Broadcast—Fires an alert
for this signature when it sees an ARP
destination address of 255.255.255.255.
–
Same Source and Destination—Fires an
alert for this signature when it sees an
ARP destination address with the same
source and destination MAC address
–
Source Broadcast (default)—Fires an
alert for this signature when it sees an
ARP source address of 255.255.255.255.
–
Source Multicast—Fires an alert for this
signature when it sees an ARP source
MAC address of 01:00:5e:(00-7f).
dst-broadcast
same-src-dst
src-broadcast
src-multicast
storage-key Specifies the type of address key used to store
persistent data:
• Attacker address
• Attacker and victim addresses
• Victim address
• Global
Axxx
AxBx
xxBx
xxxx
Table B-7 Atomic ARP Engine Parameters (continued)
Parameter Description Value