Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 394


Appendix B      Signature Engines
About Signature Engines

Note    The AIC engines are new for IPS 5.0. For more information on configuring the AIC engine signatures, see Configuring AIC Signatures, page 7-12.

• ATOMIC—The 5.0 ATOMIC engines are now combined into two engines with multi-level selections. You can combine Layer-3 and Layer-4 attributes within one signature, for example IP + TCP. The ATOMIC engine uses the standardized Regex support.

  – ATOMIC.IP—Inspects IP protocol packets and associated Layer-4 transport protocols. This engine lets you specify values to match for fields in the IP and Layer-4 headers, and lets you use Regex to inspect Layer-4 payloads.

    Note    All IP packets are inspected by the ATOMIC.IP engine. This engine replaces the 4.x ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.L3.IP, ATOMIC.TCP, and ATOMIC.UDP engines.

  – ATOMIC.ARP—Inspects the Layer-2 ARP protocol. The ATOMIC.ARP engine is different because most engines are based on Layer-3 IP.

• FLOOD—Detects ICMP and UDP floods directed at hosts and networks. There are two FLOOD engines: FLOOD.HOST and FLOOD.NET.

• META—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.

  Note    The META engine is new for IPS 5.0.

• NORMALIZER—Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance.

• SERVICE—Deals with specific protocols. The SERVICE engine has the following protocol types:

  – DNS—Inspects DNS (TCP and UDP) traffic.
  – FTP—Inspects FTP traffic.
  – GENERIC—Decodes custom service and payload.
  – H225—Inspects VoIP traffic. Helps the network administrator make sure the SETUP message coming in to the VoIP network is valid and within the bounds that the policies describe. It also helps make sure the addresses and Q.931 string fields such as url-ids, email-ids, and display information adhere to specific lengths and do not contain possible attack patterns.
  – HTTP—Inspects HTTP traffic. The WEBPORTS variable defines the inspection ports for HTTP traffic.
  – IDENT—Inspects IDENT (client and server) traffic.
  – MSRPC—Inspects MSRPC traffic.
  – MSSQL—Inspects Microsoft SQL traffic.
  – NTP—Inspects NTP traffic.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
B-2
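The relationship between the ATOMIC.IP and META engines described above (ATOMIC signatures inspect packets and emit events; META signatures consume those events within a sliding time interval) can be shown end to end in a small model. The following Python is an added example written for this page, not Cisco code and not the sensor's actual engine implementation: an ATOMIC.IP-style signature matches on protocol, destination port and a Regex over the Layer-4 payload, and a META-style signature fires when all of its component signatures have been seen from one source within a sliding window. The packets, signature IDs (2001 to 2003 and 5000), signature names, addresses and the 10-second window are all constructed for the example.

```python
"""Toy model of ATOMIC.IP-style and META-style signature engines.

Added example, not Cisco code. Every packet, address, signature id and
threshold below is constructed for illustration.
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float            # arrival time in seconds (constructed clock)
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int]
    payload: bytes       # Layer-4 payload


@dataclass
class Event:
    ts: float
    sig_id: int
    src: str
    dst: Optional[str]


@dataclass
class AtomicIPSig:
    """Matches header fields (protocol, destination port) plus an optional
    Regex over the Layer-4 payload, the way the page describes ATOMIC.IP."""
    sig_id: int
    name: str
    proto: str
    dport: Optional[int] = None
    payload_regex: Optional[bytes] = None

    def match(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.payload_regex is not None and not re.search(self.payload_regex, pkt.payload):
            return False
        return True


@dataclass
class MetaSig:
    """Fires when every component signature id has been seen from the same
    source within `window` seconds. Consumes events, never packets."""
    sig_id: int
    name: str
    components: frozenset
    window: float
    recent: Dict[str, deque] = field(default_factory=dict, repr=False, compare=False)

    def feed(self, ev: Event) -> Optional[Event]:
        if ev.sig_id not in self.components:
            return None
        q = self.recent.setdefault(ev.src, deque())
        q.append((ev.ts, ev.sig_id))
        # Slide the window: drop component events older than window seconds.
        while q and q[0][0] < ev.ts - self.window:
            q.popleft()
        if {sid for _, sid in q} >= self.components:
            q.clear()  # one completed sequence yields one META event
            return Event(ev.ts, self.sig_id, ev.src, None)
        return None


def run_sensor(packets: List[Packet], atomic_sigs: List[AtomicIPSig],
               meta_sigs: List[MetaSig]) -> Tuple[List[Event], List[Event]]:
    """Packet path: ATOMIC signatures inspect each packet in time order and
    emit events; each event is then handed to the META signatures."""
    atomic_events: List[Event] = []
    meta_events: List[Event] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for sig in atomic_sigs:
            if sig.match(pkt):
                ev = Event(pkt.ts, sig.sig_id, pkt.src, pkt.dst)
                atomic_events.append(ev)
                for meta in meta_sigs:
                    fired = meta.feed(ev)
                    if fired is not None:
                        meta_events.append(fired)
    return atomic_events, meta_events


def demo() -> Tuple[List[Event], List[Event]]:
    """Constructed signatures and packets; returns (atomic_events, meta_events)."""
    atomic_sigs = [
        AtomicIPSig(2001, "tcp-22-connect", "tcp", dport=22),
        AtomicIPSig(2002, "tcp-3389-connect", "tcp", dport=3389),
        AtomicIPSig(2003, "http-dot-dot-in-request", "tcp", dport=80,
                    payload_regex=rb"\.\./"),
    ]
    # Two connects from one source within 10 s form the META event 5000.
    meta_sigs = [MetaSig(5000, "paired-port-connects", frozenset({2001, 2002}), 10.0)]
    packets = [
        Packet(0.0, "10.0.0.5", "10.0.1.9", "tcp", 22, b""),
        Packet(3.0, "10.0.0.5", "10.0.1.9", "tcp", 3389, b""),     # completes 5000
        Packet(4.0, "10.0.0.7", "10.0.1.9", "tcp", 22, b""),
        Packet(30.0, "10.0.0.7", "10.0.1.9", "tcp", 3389, b""),    # 26 s later: no 5000
        Packet(31.0, "10.0.0.5", "10.0.1.9", "tcp", 80,
               b"GET /static/../../config HTTP/1.0\r\n"),          # 2003 only
        Packet(32.0, "10.0.0.8", "10.0.1.9", "udp", 53, b"\x00"),  # no match
    ]
    return run_sensor(packets, atomic_sigs, meta_sigs)


if __name__ == "__main__":
    atomic, meta = demo()
    for ev in atomic + meta:
        print(ev)
```

The second source (10.0.0.7) trips both component signatures but 26 seconds apart, so its earlier event has slid out of the 10-second window by the time the second arrives and no META event is raised; that is the behaviour to keep in mind when tuning a META interval, since a window that is too short misses slow sequences and one that is too long raises the chance of unrelated events being correlated.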
