Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 378

Appendix A
System Architecture
78-16527-01
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
A-24

SensorApp

Fragment Reassembly Processor (FRP)
This processor reassembles fragmented IP datagrams. It is also responsible for normalization of IP fragments when the sensor is in inline mode.

Stream Reassembly Processor (SRP)
This processor reorders TCP streams to ensure the arrival order of the packets at the various stream-based inspectors. It is also responsible for normalization of the TCP stream. The normalizer engine lets you enable or disable alert and deny actions.
The TCP SRP normalizer has a hold-down timer, which lets the stream state rebuild after a reconfiguration event. You cannot configure the timer. During the hold-down interval, the system synchronizes stream state on the first packet in a stream that passes through the system. When the hold-down has expired, SensorApp enforces your configured policy. If this policy calls for a denial of streams that have not been opened with a 3-way handshake, established streams that were quiescent during the hold-down period will not be forwarded and will be allowed to time out. Those streams that were synchronized during the hold-down period are allowed to continue.

Signature Analysis Processor (SAP)
This processor dispatches packets to the inspectors that are not stream-based and that are configured for interest in the packet in process.

Slave Dispatch Processor (SDP)
A process found only on dual-CPU systems.

Some of the processors call inspectors to perform signature analysis. All inspectors can call the alarm channel to produce alerts as needed.

SensorApp also supports the following units:

Analysis Engine
The analysis engine handles sensor configuration. It maps the interfaces and also the signature and alarm channel policy to the configured interfaces.

Alarm Channel
The alarm channel processes all signature events generated by the inspectors. Its primary function is to generate alerts for each event it is passed.

Packet Flow
Packets are received by the NIC and placed in the kernel user-mapped memory space by the IPS shared driver. The packet is prepended with the IPS header. Each packet also has a field that indicates whether to pass or deny the packet when it reaches SEAP.
The producer pulls packets from the shared kernel user-mapped packet buffer and calls the process function that implements the processor appropriate to the sensor model. The following orders occur:

Single processor execution
TP --> L2P --> DFP --> FRP --> SP --> DBP --> SAP --> SRP --> EAP

Dual processor execution
Execution Thread 1: TP --> L2P --> DFP --> FRP --> SP --> DBP --> SAP --> SDP --> |
Execution Thread 2: DBP --> SRP --> EAP
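The SRP hold-down behaviour described above, modelled as an added Python example that is not Cisco code: it shows why a connection that stays quiet through the hold-down is denied under the "no 3-way handshake" policy while an active one survives. The 10-second timer, the stream keys and the packets are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the SRP normalizer hold-down rule described on this page.
# It is not Cisco code; the 10-second timer and the packets below are assumptions.

@dataclass
class StreamState:
    handshake: bool = False   # opened with a SYN seen by the sensor
    synced: bool = False      # state rebuilt from a mid-stream packet during hold-down

@dataclass
class SrpNormalizer:
    hold_down_end: float            # time at which the hold-down expires
    deny_unestablished: bool        # policy: deny streams not opened with a 3-way handshake
    streams: dict = field(default_factory=dict)

    def process(self, now: float, key: tuple, flags: set) -> str:
        """Return 'pass' or 'deny' for one TCP segment on stream `key`."""
        st = self.streams.setdefault(key, StreamState())
        if "SYN" in flags and "ACK" not in flags:
            st.handshake = True           # a real open is accepted at any time
            return "pass"
        if now < self.hold_down_end:
            st.synced = True              # first packet seen during hold-down seeds the state
            return "pass"
        if st.handshake or st.synced:
            return "pass"
        # Quiescent during hold-down and never seen opening: under the deny policy the
        # segment is not forwarded, so the peers' connection is left to time out.
        return "deny" if self.deny_unestablished else "pass"


def simulate(deny_unestablished: bool = True) -> dict:
    """Replay three streams around a reconfiguration at t=0 with a 10 s hold-down."""
    srp = SrpNormalizer(hold_down_end=10.0, deny_unestablished=deny_unestablished)
    a, b, c = ("10.0.0.1", 40000), ("10.0.0.2", 40001), ("10.0.0.3", 40002)
    return {
        # A: established before the reconfiguration, active during hold-down
        "a_during": srp.process(1.0, a, {"ACK"}),
        "a_after": srp.process(12.0, a, {"ACK", "PSH"}),
        # B: established before the reconfiguration, silent until hold-down expired
        "b_after": srp.process(12.0, b, {"ACK", "PSH"}),
        # C: new connection opened with a handshake after hold-down expired
        "c_syn": srp.process(15.0, c, {"SYN"}),
        "c_data": srp.process(16.0, c, {"ACK", "PSH"}),
    }
```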
