B-70
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Sweep Engines
The alert conditions of the Sweep engine ultimately depend on the count of the unique parameter. The
unique parameter is the threshold number of distinct hosts or ports depending on the type of sweep. The
unique parameter triggers the alert when more than the unique number of ports or hosts is seen on the
address set within the time period. The processing of unique port and host tracking is called counting.
Caution Event action filters based on source and destination IP addresses do not function for the Sweep engine,
because they do not filter as regular signatures. To filter source and destination IP addresses in sweep
alerts, use the source and destination IP address filter parameters in the Sweep engine signatures.
A unique parameter must be specified for all signatures in the Sweep engine. A limit of 2 through 40
(inclusive) is enforced on the sweeps: 2 is the absolute minimum, because a sweep of only one host or
port is not a sweep, and 40 is a practical maximum that must be enforced so that the sweep does not
consume excess memory. More realistic values for unique range between 5 and 15.
TCP sweeps must have a TCP flag and mask specified to determine which sweep inspector slot in which
to count the distinct connections. ICMP sweeps must have an ICMP type specified to discriminate
among the various types of ICMP packets.
Data Nodes
When an activity related to Sweep engine signatures is seen, the IPS uses a data node to determine when
it should stop monitoring for a particular host. The data node contains various persistent counters and
variables needed for cross-packet reassembly of streams and for tracking the inspection state on a
per-stream/per-source/per-destination basis. The data node containing the sweep determines when the
sweep should expire: the data node stops a sweep when it has not seen any traffic for x number of
seconds (depending on the protocol).
There are several adaptive timeouts for the data nodes. The data node expires after 30 seconds of idle
time on the address set after all of the contained objects have been removed. Each contained object has
various timeouts, for example, TCP Stream has a one-hour timeout for established connections. Most
other objects have a much shorter expiration time, such as 5 or 60 seconds.
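The counting described in the two sections above, as an added Python model that is not Cisco's code: it tracks the set of distinct destination ports per source/destination address set, fires when that count exceeds the unique threshold (enforcing the 2 through 40 limit), skips addresses that fall in the src-addr-filter or dst-addr-filter ranges, and drops a data node after a fixed idle timeout in place of the engine's adaptive, per-object timeouts. The victim address, the three sample sources, the port list, unique=5 and the 30-second idle timeout are constructed assumptions; TCP flag/mask and ICMP type selection are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class SweepSignature:
    """Constructed model of a Sweep engine port-sweep signature (not Cisco's code)."""
    unique: int             # alert when MORE than this many distinct ports are seen
    idle_timeout: float     # seconds without traffic before the data node is dropped
    src_addr_filter: list   # [(lo, hi), ...] source ranges excluded from counting
    dst_addr_filter: list   # [(lo, hi), ...] destination ranges excluded from counting

    def __post_init__(self):
        if not 2 <= self.unique <= 40:  # the limit the engine enforces
            raise ValueError("unique must be between 2 and 40 inclusive")

def in_filter(addr, ranges):  # True if addr falls inside any <A.B.C.D>-<A.B.C.D> range
    return any(ip_address(lo) <= ip_address(addr) <= ip_address(hi) for lo, hi in ranges)

class PortSweepDetector:
    def __init__(self, sig):
        self.sig = sig
        self.nodes = {}  # data node per (src, dst): distinct ports, last-seen time, alerted flag

    def observe(self, ts, src, dst, dport):
        """Feed one packet (timestamps non-decreasing); return True when a new alert fires."""
        # a data node expires once its address set has been idle longer than the timeout
        for key in [k for k, n in self.nodes.items() if ts - n["last"] > self.sig.idle_timeout]:
            del self.nodes[key]
        if in_filter(src, self.sig.src_addr_filter) or in_filter(dst, self.sig.dst_addr_filter):
            return False  # filtered addresses are never counted
        node = self.nodes.setdefault((src, dst), {"ports": set(), "last": ts, "fired": False})
        node["last"] = ts
        node["ports"].add(dport)  # "counting": the set of unique ports seen on this address set
        if len(node["ports"]) > self.sig.unique and not node["fired"]:
            node["fired"] = True  # one alert per data node
            return True
        return False

def probes(src, times, ports):  # constructed sample traffic toward one victim, not captured data
    return [(t, src, "198.51.100.5", p) for t, p in zip(times, ports)]

PORTS = [21, 22, 23, 25, 80, 443]
SAMPLE_PACKETS = (probes("192.0.2.10", [0, 1, 2, 3, 4, 5], PORTS)          # fast scan: 6th port > unique=5
                  + probes("192.0.2.11", [0.5, 1.5, 2.5, 42.5, 43.5, 44.5], PORTS)  # 40 s gap expires the node
                  + probes("10.0.0.50", [0.2, 0.4, 0.6, 0.8, 1.2, 1.4], PORTS))    # filtered scanner

def run_sample():  # replay the sample in time order; returns [(timestamp, src)] per alert
    sig = SweepSignature(unique=5, idle_timeout=30.0,
                         src_addr_filter=[("10.0.0.50", "10.0.0.50")], dst_addr_filter=[])
    det = PortSweepDetector(sig)
    return [(ts, src) for ts, src, dst, port in sorted(SAMPLE_PACKETS) if det.observe(ts, src, dst, port)]
```

Only the fast scanner alerts: the slow scanner's first three ports are forgotten when its data node expires during the 40-second gap, and the filtered source is never counted even though it touches the same six ports.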
Table B-37 lists the parameters specific to the Sweep engine.

Table B-37 Sweep Engine Parameters

dst-addr-filter
  Description: Specifies the destination IP address to exclude from the sweep counting algorithm.
  Value: <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>]

src-addr-filter
  Description: Specifies the source IP address to exclude from the sweep counting algorithm.
  Value: <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>]

protocol
  Description: Specifies the protocol of interest for this inspector.
  Value: icmp
         udp
         tcp