Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Atomic Engine
For More Information
For an example custom IPv6 signature, see Example IPv6 Engine Signature, page 8-51.
For a list of the signature regular expression syntax, see Regular Expression Syntax, page B-9.
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Atomic IP Engine
The Atomic IP engine defines signatures that inspect IP protocol headers and associated Layer 4
transport protocols (TCP, UDP, and ICMP) and payloads. The Atomic engines do not store persistent
data across packets. Instead, they can fire an alert from the analysis of a single packet.
Table B-9 lists the parameters that are specific to the Atomic IP engine.
Table B-8 Atomic IP Advanced Engine Parameters (continued)

Parameter: specify-udp-valid-length {yes | no}
Description: (Optional) Enables inspection of the Layer 4 UDP valid length:
  udp-valid-length—Specifies the UDP packet lengths that are considered valid and should not be inspected.
Value: 0 to 65535

Parameter: specify-udp-length-mismatch {yes | no}
Description: (Optional) Enables inspection of the Layer 4 UDP length mismatch:
  udp-length-mismatch—Fires an alert when IP Data length is less than the UDP Header length.
Value: 0 to 65535

Footnotes to Table B-8:
1. When a packet is GRE, IPIP, IPv4inIPv6, or MPLS the sensor skips the Layer 3 encapsulation header and the encapsulation
header, and all inspection is done starting from the second Layer 3. The encapsulation enumerator allows the engine to look
backward to see if there is an encapsulation header before the Layer 3 in question.
2. Use the following syntax: x.x.x.x-z.z.z.z, for example, 10.10.10.1-10.10.10.254.
Table B-9 Atomic IP Engine Parameters

Parameter: specify-ip-addr-options {yes | no}
Description: (Optional) Enables IP address options:
  ip-addr-options—Specifies the IP address options.
Value: address-with-localhost, ip-addr¹, rfc-1918-address, src-ip-eq-dst-ip

Parameter: specify-ip-header-length {yes | no}
Description: (Optional) Enables inspection of the IP header length:
  ip-header-length—Specifies the length of the IP header to inspect.
Value: 0 to 16
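
The stateless, single-packet checks named in Tables B-8 and B-9, as an added Python example (not Cisco's code and not sensor configuration). The function names, the sample packets, the reading of address-with-localhost as 127.0.0.0/8, and the reading of udp-length-mismatch as "IP data length smaller than the UDP Length field" are assumptions made for illustration.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # assumed meaning of "localhost"

def atomic_ip_checks(packet: bytes) -> set:
    """Evaluate one IPv4 packet in isolation; no state is kept between calls."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl_bytes = (packet[0] & 0x0F) * 4            # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    hits = set()
    if src == dst:
        hits.add("src-ip-eq-dst-ip")
    if any(addr in net for addr in (src, dst) for net in RFC1918):
        hits.add("rfc-1918-address")
    if src in LOOPBACK or dst in LOOPBACK:
        hits.add("address-with-localhost")
    # Assumed reading of udp-length-mismatch: the IP data length (total length
    # minus IP header) is smaller than the Length field in the UDP header.
    if proto == 17 and len(packet) >= ihl_bytes + 8:
        udp_len = struct.unpack("!H", packet[ihl_bytes + 4:ihl_bytes + 6])[0]
        if total_len - ihl_bytes < udp_len:
            hits.add("udp-length-mismatch")
    return hits

def build_udp_packet(src, dst, payload, udp_len=None):
    """Constructed sample input: minimal IPv4/UDP packet, checksums left at 0."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp

if __name__ == "__main__":
    # Well-formed packet between documentation addresses: nothing fires.
    print(atomic_ip_checks(build_udp_packet("203.0.113.5", "198.51.100.7", b"abcd")))
    # Same private source and destination, UDP Length field overstated.
    print(atomic_ip_checks(build_udp_packet("10.1.1.1", "10.1.1.1", b"abcd", udp_len=512)))
```

Each call looks at one packet only, which mirrors the engine description above: no data is carried from one packet to the next.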