Cisco Systems IPS 7.1 Home Security System User Manual


B-49
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Service Engines
For More Information
For an example Service HTTP custom signature, see Example Service HTTP Engine Signature,
page 8-44.
For more information on the parameters common to all signature engines, see Master Engine,
page B-4.
For a list of the signature regular expression syntax, see Regular Expression Syntax, page B-9.
Service IDENT Engine
The Service IDENT engine inspects TCP port 113 traffic. It has a basic decoder and provides parameters
for specifying length overflows. For example, when a user or program at computer A makes an IDENT
request of computer B, it may only ask for the identity of users of connections between A and B. The
IDENT server on B listens for connections on TCP port 113. The client at A establishes a connection,
then specifies which connection it wants identification for by sending the numbers of the ports on A and
B that the connection is using. The server at B determines which user is using that connection and replies
to A with a string that names that user. The Service IDENT engine inspects TCP port 113 traffic for IDENT
abuse.
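As an added illustration of the exchange described above (example code, not from the Cisco guide or the sensor itself), here is a small Python checker that parses IDENT request and reply lines and flags length overflows the way an engine with length-overflow parameters would. The length limits, function names and sample lines are constructed assumptions; the engine's real parameters are not listed on this page.

```python
import re

# Assumed thresholds for this example. The Service IDENT engine's own
# length-overflow parameters appear elsewhere in the guide, not on this page.
MAX_REQUEST_LEN = 64
MAX_REPLY_LEN = 512

# Request: "server-port , client-port"  (client A -> server B, TCP 113)
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
# Reply: "server-port , client-port : USERID|ERROR : <rest>"
REPLY_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$"
)

def _valid_port(p: int) -> bool:
    return 1 <= p <= 65535

def inspect_ident_request(line: str) -> dict:
    """Check one client-to-server line; length is tested before parsing."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_REQUEST_LEN:
        return {"ok": False, "reason": "request length overflow", "length": len(line)}
    m = REQUEST_RE.match(line)
    if not m:
        return {"ok": False, "reason": "malformed request"}
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (_valid_port(server_port) and _valid_port(client_port)):
        return {"ok": False, "reason": "port out of range"}
    return {"ok": True, "server_port": server_port, "client_port": client_port}

def inspect_ident_reply(line: str) -> dict:
    """Check one server-to-client line and split out the user string."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_REPLY_LEN:
        return {"ok": False, "reason": "reply length overflow", "length": len(line)}
    m = REPLY_RE.match(line)
    if not m:
        return {"ok": False, "reason": "malformed reply"}
    kind, rest = m.group(3), m.group(4)
    if kind == "USERID":
        # USERID replies carry "opsys : user-id"; split on the first colon only
        os_name, sep, user = rest.partition(":")
        if not sep:
            return {"ok": False, "reason": "USERID reply missing user field"}
        return {"ok": True, "type": "USERID", "os": os_name.strip(), "user": user.strip()}
    return {"ok": True, "type": "ERROR", "code": rest.strip()}

# Constructed sample traffic for a stand-alone run
SAMPLE_REQUEST = "6191, 23\r\n"
SAMPLE_REPLY = "6191, 23 : USERID : UNIX : stjohns\r\n"
OVERLONG_REPLY = "6191, 23 : USERID : UNIX : " + "A" * 600 + "\r\n"
```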
Table B-22 Service HTTP Engine Parameters (continued)

Parameter: specify-request-regex {yes | no}
Description: (Optional) Enables searching the Request field for a specific regular expression:
  request-regex—Specifies the regular expression to search in both HTTP URI and HTTP Argument fields.
  specify-min-request-match-length—Enables setting a minimum request match length:
    min-request-match-length—Specifies the minimum request match length.
Value: 0 to 65535

Parameter: specify-uri-regex {yes | no}
Description: (Optional) Specifies the regular expression to search in the HTTP URI field.
  Note: The URI field is defined to be after the HTTP method (GET, for example) and before the first CRLF.
  Note: The regular expression is protected, which means you cannot change the value.
Value: [/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg

Parameter: service-ports
Description: Specifies a comma-separated list of ports or port ranges where the target service resides.
Value: 0 to 65535, given as a-b[,c-d] (see note 1)

Parameter: swap-attacker-victim
Description: Swaps the attacker and victim addresses and ports (source and destination) in the alert message and in any actions taken.
Value: true | false (default)

1. The second number in the range must be greater than or equal to the first number.