Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
For More Information
For more information on the parameters common to all signature engines, see Master Engine,
page B-4.
For a list of the signature regular expression syntax, see Regular Expression Syntax, page B-9.
Normalizer Engine
Note: You cannot add custom signatures to the Normalizer engine. You can tune the existing ones.
The Normalizer engine deals with IP fragment reassembly and TCP stream reassembly. With the
Normalizer engine you can set limits on system resource usage, for example, the maximum number of
fragments the sensor tries to track at the same time. Sensors in promiscuous mode report alerts on
violations. Sensors in inline mode perform the action specified in the event action parameter, such as
produce-alert, deny-packet-inline, and modify-packet-inline.
Table B-16 Multi String Engine Parameters (continued)

Parameter: port-selection
Description: Specifies the type of TCP or UDP port to inspect:
  both-ports—Specifies both source and destination port.
  dest-ports—Specifies a range of destination ports.
  source-ports—Specifies a range of source ports. (footnote 1)
Value: 0 to 65535 (footnote 2)

Parameter: exact-spacing
Description: Specifies the exact number of bytes that must be between this Regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list.
Value: 0 to 4294967296

Parameter: min-spacing
Description: Specifies the minimum number of bytes that must be between this Regex string and the one before, or from the beginning of the stream/packet if it is the first entry in the list.
Value: 0 to 4294967296

Parameter: swap-attacker-victim
Description: Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
Value: true | false (default)

1. Port matching is performed bidirectionally for both the client-to-server and server-to-client traffic flow directions. For example, if the source-ports value is 80, in a client-to-server traffic flow direction, inspection occurs if the client port is 80. In a server-to-client traffic flow direction, inspection occurs if the server port is port 80.
2. A valid value is a comma-separated list of integer ranges a-b[,c-d] within 0 to 65535. The second number in the range must be greater than or equal to the first number.
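The port rules in footnotes 1 and 2 of Table B-16, worked through as an added Python example for checking a port list offline before tuning a signature. This is not Cisco code: the function names and the flow tuples are hypothetical. The sketch accepts only the a-b form written in footnote 2 (so a single port is given as 80-80), and the dest-ports and both-ports behaviour is an assumption extrapolated from the source-ports case that footnote 1 describes.

```python
import re

_RANGE = re.compile(r"([0-9]+)-([0-9]+)")  # one a-b item from footnote 2

def parse_port_ranges(spec):
    """Parse 'a-b[,c-d]' into [(a, b), ...], enforcing the footnote 2 rules."""
    ranges = []
    for item in spec.split(","):
        m = _RANGE.fullmatch(item.strip())
        if m is None:
            raise ValueError(f"not an integer range a-b: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > 65535 or hi > 65535:
            raise ValueError(f"outside 0 to 65535: {item!r}")
        if hi < lo:
            raise ValueError(f"second number is less than the first: {item!r}")
        ranges.append((lo, hi))
    return ranges

def _in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def is_inspected(selection, ranges, client_port, server_port, direction):
    """Footnote 1: the selected port is taken from the packet being examined,
    so 'source' is the client port going c2s and the server port going s2c."""
    if direction not in ("c2s", "s2c"):
        raise ValueError(f"unknown direction: {direction!r}")
    src, dst = ((client_port, server_port) if direction == "c2s"
                else (server_port, client_port))
    if selection == "source-ports":
        return _in_ranges(src, ranges)
    if selection == "dest-ports":      # assumption: mirror of source-ports
        return _in_ranges(dst, ranges)
    if selection == "both-ports":      # assumption: either port may match
        return _in_ranges(src, ranges) or _in_ranges(dst, ranges)
    raise ValueError(f"unknown port-selection: {selection!r}")

if __name__ == "__main__":
    ranges = parse_port_ranges("80-80,8000-8080")
    # Constructed flows: (client_port, server_port, direction)
    for flow in [(80, 51000, "c2s"), (51000, 80, "c2s"), (51000, 80, "s2c")]:
        print(flow, is_inspected("source-ports", ranges, *flow))
```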