Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Service Engines
For More Information
For more information on the parameters common to all signature engines, see Master Engine,
page B-4.
For a list of the signature regular expression syntax, see Regular Expression Syntax, page B-9.
Service HTTP Engine
The Service HTTP engine is a service-specific, string-based pattern-matching inspection engine.
HTTP is one of the most commonly used protocols in today's networks. It also requires the most
preprocessing time and has the largest number of signatures requiring inspection, which makes it
critical to the overall performance of the system.
The Service HTTP engine uses a Regex library that can combine multiple patterns into a single
pattern-matching table allowing a single search through the data. This engine searches traffic directed
only to web services, or HTTP requests. You cannot inspect return traffic with this engine. You can
specify separate web ports of interest in each signature in this engine.
HTTP deobfuscation is the process of decoding an HTTP message by normalizing encoded characters
to ASCII equivalent characters. It is also known as ASCII normalization.
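The following Python sketch is an added example, not Cisco code and not how the sensor is implemented. It illustrates the two ideas above: several patterns compiled into one matcher that is run once over the request URI, and normalization of percent-encoded characters before matching. The signature names, patterns, sample URIs, and the bounded repeat-decode are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical signatures: names and patterns are constructed for this example.
SIGNATURES = {
    "sig_dir_traversal": rb"\.\./",
    "sig_passwd_access": rb"/etc/passwd",
    "sig_cmd_exe": rb"cmd\.exe",
}

# One compiled matcher for all signatures. The lookahead makes every offset a
# candidate start, so overlapping patterns ("../" then "/etc/passwd") all fire.
COMBINED = re.compile(
    b"(?=" + b"|".join(b"(?P<%s>%s)" % (n.encode(), p) for n, p in SIGNATURES.items()) + b")",
    re.IGNORECASE,
)


def normalize(uri: bytes, max_rounds: int = 3) -> bytes:
    """Decode %XX escapes to raw bytes. Repeating the decode (bounded) to undo
    nested encoding is an assumption of this example, not documented behaviour."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan(uri: bytes) -> set:
    """Return the names of all signatures that match anywhere in uri."""
    hits = set()
    for m in COMBINED.finditer(uri):
        hits.update(name for name, val in m.groupdict().items() if val is not None)
    return hits


# Constructed sample request URIs.
SAMPLES = [
    b"/index.html",
    b"/scripts/..%2f..%2fetc%2fpasswd",
    b"/a/%252e%252e%252fCMD.EXE",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, sorted(scan(raw)), sorted(scan(normalize(raw))))
```

Scanning the raw URI misses or under-reports the encoded samples, while scanning the normalized URI reports every signature, which is why normalization has to happen before pattern matching.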
Table B-21 Service H.225 Engine Parameters (continued)

Parameter: specify-regex-string {yes | no}
Description: Specifies the regular expression to look for when the policy type is Regex:
  regex-string—Specifies a regular expression to search for in a single TCP packet.
  (Optional) specify-min-match-length—Enables minimum match length for use:
    min-match-length—Specifies the minimum length of the Regex match required to constitute a match.
  Note: This is never set for TPKT signatures.
Value: string; 0 to 65535

Parameter: specify-value-range {yes | no}
Description: Enables value range for use:
  value-range—Specifies the range of values.
  Note: Valid for the length or value policy types (0x00 to 6535). Not valid for other policy types.
Value: 0 to 65535 a-b (see footnote 1)

Parameter: swap-attacker-victim
Description: Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
Value: true | false (default)

1. The second number in the range must be greater than or equal to the first number.