Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Service Engines
Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same
representation that the target system sees when it processes the data. It is ideal to have a customized
decoding technique for each host target type, which involves knowing what operating system and web
server version is running on the target. The Service HTTP engine has default deobfuscation behavior for
the Microsoft IIS web server.
Table B-22 lists the parameters specific to the Service HTTP engine.
Table B-22 Service HTTP Engine Parameters

Parameter                                     Description                                           Value
--------------------------------------------  ----------------------------------------------------  ------------
de-obfuscate                                  Applies anti-evasive deobfuscation before searching.  true | false
max-field-sizes                               Enables maximum field sizes grouping.
specify-max-arg-field-length {yes | no}       (Optional) Enables maximum argument field length:
                                              max-arg-field-length—Specifies the maximum length     0 to 65535
                                              of the arguments field.
specify-max-header-field-length {yes | no}    (Optional) Enables maximum header field length:
                                              max-header-field-length—Specifies the maximum         0 to 65535
                                              length of the header field.
specify-max-request-length {yes | no}         (Optional) Enables maximum request field length:
                                              max-request-length—Specifies the maximum length       0 to 65535
                                              of the request field.
specify-max-uri-field-length {yes | no}       (Optional) Enables the maximum URI field length:
                                              max-uri-field-length—Specifies the maximum length     0 to 65535
                                              of the URI field.
regex                                         Enables regular expression grouping.
specify-arg-name-regex {yes | no}             (Optional) Enables searching the Arguments field
                                              for a specific regular expression:
                                              arg-name-regex—Specifies the regular expression
                                              to search for in the HTTP Arguments field (after
                                              the ? and in the Entity body as defined by
                                              Content-Length).
specify-header-regex {yes | no}               (Optional) Enables searching the Header field for
                                              a specific regular expression:
                                              header-regex—Specifies the regular expression to
                                              search in the HTTP Header field.
                                              Note: The Header is defined after the first CRLF
                                              and continues until CRLFCRLF.
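
The following Python sketch is an added example, not Cisco code and not part of the original guide. It splits a request into the URI, Arguments and Header fields as Table B-22 defines them, normalizes each field, and then applies length limits and regexes. Assumptions: all function names and the sample requests are hypothetical, de-obfuscate is modeled only as repeated percent-decoding (the sensor's IIS-specific behavior is not described on this page), and lengths are checked after normalization.

```python
import re
from urllib.parse import unquote_to_bytes

def deobfuscate(data: bytes, max_rounds: int = 3) -> bytes:
    # Assumption: normalization is modeled as percent-decoding repeated until
    # the value stops changing (covers double encoding such as %2564).
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def split_request(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    # Header field: everything after the first CRLF, up to CRLFCRLF.
    request_line, _, header = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) > 1 else b""
    uri, _, query = target.partition(b"?")
    # Arguments field: after the "?" plus the entity body bounded by Content-Length.
    m = re.search(rb"(?im)^Content-Length:[ \t]*(\d+)", header)
    entity = body[: int(m.group(1))] if m else b""
    args = b"&".join(p for p in (query, entity) if p)
    return {"uri": uri, "arg": args, "header": header}

def inspect(raw, de_obfuscate=True, max_lengths=None,
            arg_name_regex=None, header_regex=None):
    fields = split_request(raw)
    if de_obfuscate:
        fields = {name: deobfuscate(value) for name, value in fields.items()}
    hits = []
    # max_lengths keys: "uri", "arg", "header"; an absent key means "specify-...: no".
    for name, limit in (max_lengths or {}).items():
        if len(fields[name]) > limit:
            hits.append(f"max-{name}-field-length")
    if arg_name_regex and re.search(arg_name_regex, fields["arg"]):
        hits.append("arg-name-regex")
    if header_regex and re.search(header_regex, fields["header"]):
        hits.append("header-regex")
    return hits

# Constructed sample requests (not captured traffic).
SAMPLE_GET = b"GET /app/view.asp?%64ebug=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_POST = (b"POST /app/form.asp HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 7\r\n\r\ndebug=1&trailing-bytes")

if __name__ == "__main__":
    print(inspect(SAMPLE_GET, arg_name_regex=rb"\bdebug="))
    print(inspect(SAMPLE_GET, de_obfuscate=False, arg_name_regex=rb"\bdebug="))
    print(inspect(SAMPLE_POST, max_lengths={"uri": 8}, arg_name_regex=rb"\bdebug="))
```

With de_obfuscate set to False, the percent-encoded argument name in SAMPLE_GET no longer matches the regex, which is the evasion that normalization before inspection is meant to close.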