Cisco Systems IPS 7.1 Home Security System User Manual


B-72
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Traffic Anomaly Engine
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Sweep Other TCP Engine
The Sweep Other TCP engine analyzes traffic between two hosts looking for abnormal packets typically
used to fingerprint a victim. You can tune the existing signatures or create custom signatures. TCP
sweeps must have a TCP flag and mask specified. You can specify multiple entries in the set of TCP
flags, and you can specify an optional port range to filter out certain packets. Table B-38 lists the
parameters specific to the Sweep Other TCP engine.
For More Information
For more information on the parameters common to all signature engines, see Master Engine, page B-4.
Traffic Anomaly Engine
Note You can edit or tune anomaly detection signatures but you cannot create custom anomaly detection
signatures.
The Traffic Anomaly engine contains nine anomaly detection signatures covering the three protocols
(TCP, UDP, and other). Each signature has two subsignatures, one for the scanner and the other for the
worm-infected host (or a scanner under worm attack). When anomaly detection discovers an anomaly, it
triggers an alert for these signatures. All anomaly detection signatures are enabled by default and the
alert severity for each one is set to high.
Table B-38 Sweep Other TCP Engine Parameters

Parameter: specify-port-range {yes | no}
Description: (Optional) Enables using a port range for inspection.
  port-range—Specifies the UDP port range used in inspection.
Value: 0 to 65535, in the form a-b[,c-d]

Parameter: set-tcp-flags
Description: Lets you set TCP flags to match.
  tcp-flags—Specifies the TCP flags used in this inspection: URG bit, ACK bit, PSH bit, RST bit, SYN bit, FIN bit.
Value: urg, ack, psh, rst, syn, fin
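The paragraph on the Sweep Other TCP engine says a sweep signature matches on a TCP flag set plus a mask, optionally filtered by a port range in the a-b[,c-d] form from Table B-38. The following is an added example, not code from the Cisco guide and not how the IPS implements the engine internally: it models that matching rule over a few constructed packets so the effect of the mask and of the port-range filter can be seen. The rule names, the sample traffic, the `mask` field name (the table above is cut off before the mask parameter) and the `parse_port_range` helper are all assumptions made for this example.

```python
# Added example (not from the Cisco guide): a model of how a Sweep Other
# TCP style rule matches packets on TCP flags, a mask and an optional
# port range. Rule names, the "mask" field and the sample traffic are
# constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Bit values of the six flags listed in Table B-38, as they sit in the
# TCP header flags byte (RFC 793 ordering).
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04,
    "psh": 0x08, "ack": 0x10, "urg": 0x20,
}


def flags_to_bits(names) -> int:
    """Turn flag names such as {"syn", "fin"} into a flags-byte value."""
    bits = 0
    for name in names:
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name}")
        bits |= TCP_FLAG_BITS[name]
    return bits


def parse_port_range(spec: str) -> List[Tuple[int, int]]:
    """Parse the a-b[,c-d] form from Table B-38 into (low, high) pairs.

    Every bound must be within 0 to 65535 and each pair ordered low-high.
    """
    ranges = []
    for part in spec.split(","):
        lo_s, sep, hi_s = part.strip().partition("-")
        if not sep:
            raise ValueError(f"port range must be a-b: {part!r}")
        lo, hi = int(lo_s), int(hi_s)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges


@dataclass
class SweepOtherTcpRule:
    name: str
    tcp_flags: Set[str]                 # flags that must be set (tcp-flags)
    mask: Set[str]                      # flags the rule examines; others ignored
    port_ranges: Optional[List[Tuple[int, int]]] = None  # None = no port filter

    def matches(self, flags_byte: int, dst_port: int) -> bool:
        mask_bits = flags_to_bits(self.mask)
        wanted = flags_to_bits(self.tcp_flags) & mask_bits
        if (flags_byte & mask_bits) != wanted:
            return False
        if self.port_ranges is None:
            return True
        return any(lo <= dst_port <= hi for lo, hi in self.port_ranges)


@dataclass
class Packet:
    src: str
    dst_port: int
    flags: int


def inspect(rules, packets) -> List[Tuple[str, str, int]]:
    """Return (rule name, source, destination port) for every hit."""
    hits = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt.flags, pkt.dst_port):
                hits.append((rule.name, pkt.src, pkt.dst_port))
    return hits


# Constructed sample rules (not the signatures shipped with the IPS).
SAMPLE_RULES = [
    # Mask covers all six flags and tcp-flags is empty: fires on a segment
    # with no flags set at all, which a normal TCP stack never produces.
    SweepOtherTcpRule("no-flags-set", set(), set(TCP_FLAG_BITS)),
    # SYN and FIN set together, inspected only on ports 1-1024
    # (specify-port-range yes). Other flags are outside the mask.
    SweepOtherTcpRule("syn-and-fin", {"syn", "fin"}, {"syn", "fin"},
                      parse_port_range("1-1024")),
]

# Constructed sample traffic: two normal segments, then three odd ones.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, flags_to_bits({"syn"})),                   # handshake
    Packet("10.0.0.5", 80, flags_to_bits({"ack", "psh"})),            # data
    Packet("10.0.0.9", 22, 0),                                        # no flags
    Packet("10.0.0.9", 22, flags_to_bits({"syn", "fin"})),            # in port range
    Packet("10.0.0.9", 8080, flags_to_bits({"syn", "fin", "ack"})),   # out of range
]

if __name__ == "__main__":
    for hit in inspect(SAMPLE_RULES, SAMPLE_PACKETS):
        print(hit)
```

Only the third and fourth constructed packets produce hits; the fifth carries SYN and FIN too, but its destination port 8080 falls outside the rule's 1-1024 range, which is exactly what the optional port-range filter is for.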