Appendix B
Signature Engines

Table B-3  AIC.HTTP Engine Parameters (continued)

Parameter                  Description
msg-body-pattern           Uses Regex to define signatures that look for specific patterns in
                           the message body.
request-methods            AIC signature that allows actions to be associated with HTTP
                           request methods:
                           • define-request-method, such as get, put, and so forth.
                           • recognized-request-methods lists methods recognized by the
                             sensor.
transfer-encodings         AIC signature that deals with transfer encodings:
                           • define-transfer-encoding associates an action with each
                             method, such as compress, chunked, and so forth.
                           • recognized-transfer-encodings lists methods recognized by
                             the sensor.
                           • chunked-transfer-encoding-error specifies actions to be
                             taken when a chunked encoding error is seen.

Table B-4 lists the parameters that are specific to the AIC.FTP engine:

Table B-4  AIC.FTP Engine Parameters

Parameter                  Description
signature-type             Specifies the type of AIC signature.
ftp-commands               Associates an action with an FTP command:
                           ftp-command—Lets you choose the FTP command you want to
                           inspect.
unrecognized-ftp-command   Inspects unrecognized FTP commands.

ATOMIC Engine
The ATOMIC engine contains signatures for simple, single packet conditions that cause alerts to be
fired. This section describes the ATOMIC engine, and contains the following topics:
• ATOMIC.ARP Engine, page B-8
• ATOMIC.IP Engine, page B-9

ATOMIC.ARP Engine
The ATOMIC.ARP engine defines basic Layer-2 ARP signatures and provides more advanced detection
of the ARP spoof tools dsniff and ettercap.
Table B-5 on page B-9 lists the parameters that are specific to the ATOMIC.ARP engine.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01