Overview; Normalizer Engine Parameters - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Configuration guide
NORMALIZER Engine

Overview

The NORMALIZER engine deals with IP fragment reassembly and TCP stream reassembly. With the
NORMALIZER engine you can set limits on system resource usage, for example, the maximum number
of fragments the sensor tries to track at the same time.
Note: You cannot add custom signatures to the NORMALIZER engine. You can tune the existing ones.
Sensors in promiscuous mode report alerts on violations. Sensors in inline mode perform the action
specified in the event-action parameter, such as produce-alert, deny-packet-inline, and
modify-packet-inline.
For the procedures for configuring signatures in the NORMALIZER engine, see Configuring IP Fragment Reassembly Parameters, page 7-22, and Configuring TCP Stream Reassembly Parameters, page 7-24.
IP Fragmentation Normalization
Intentional or unintentional fragmentation of IP datagrams can hide exploits, making them difficult
or impossible to detect. Fragmentation can also be used to circumvent access control policies like
those found on firewalls and routers. Different operating systems use different methods to queue
and dispatch fragmented datagrams. If the sensor has to check for all possible ways that the end host
might reassemble the datagrams, the sensor becomes vulnerable to denial of service attacks.
Reassembling all fragmented datagrams inline and forwarding only completed datagrams,
refragmenting the datagram if necessary, prevents this. The IP Fragmentation Normalization unit
performs this function.
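The following is an added example, not code from the Cisco guide, that models what the IP Fragmentation Normalization unit described above does: it tracks fragments per datagram, enforces the three resource limits the page names (maximum fragments, maximum datagram size, reassembly timeout), refuses fragments whose overlapping bytes disagree (the case where the end host's reassembly policy, not the sensor, would decide what is seen), and forwards only completed datagrams. The limit values, the Fragment/Partial classes and the verdict strings are assumptions for this example, not Cisco parameter defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import time

# Constructed limits, modelled on the NORMALIZER engine parameters named on the page
# (max-fragments, max-dgram-size, fragment-reassembly-timeout). The numbers are
# assumptions for this example, not Cisco defaults.
MAX_FRAGMENTS = 8          # fragments the sensor will track for one datagram
MAX_DGRAM_SIZE = 1500      # largest reassembled datagram it will forward
REASSEMBLY_TIMEOUT = 5.0   # seconds a partial datagram may wait for its pieces


@dataclass
class Fragment:
    key: Tuple            # (src, dst, ip_id, proto) identifies the datagram
    offset: int           # byte offset of this fragment within the datagram
    data: bytes
    more_fragments: bool  # IP MF flag; False on the last fragment


@dataclass
class Partial:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> data
    total_len: Optional[int] = None  # known once the last fragment arrives


class FragmentNormalizer:
    """Tracks fragments per datagram, enforces resource limits and forwards only
    complete datagrams whose fragments agree on every byte. accept() returns
    (verdict, payload); payload is set only for verdict 'forward'."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.partials: Dict[Tuple, Partial] = {}

    def expire(self):
        """Discard partial datagrams older than the reassembly timeout; returns their keys."""
        cutoff = self.now() - REASSEMBLY_TIMEOUT
        stale = [k for k, p in self.partials.items() if p.first_seen < cutoff]
        for k in stale:
            del self.partials[k]
        return stale

    def accept(self, frag: Fragment):
        self.expire()
        p = self.partials.setdefault(frag.key, Partial(first_seen=self.now()))
        end = frag.offset + len(frag.data)
        # Resource-limit checks: oversized datagrams and fragment floods are dropped
        # before they can consume more reassembly state.
        if end > MAX_DGRAM_SIZE:
            del self.partials[frag.key]
            return ("deny-max-dgram-size", None)
        if len(p.pieces) >= MAX_FRAGMENTS and frag.offset not in p.pieces:
            del self.partials[frag.key]
            return ("deny-max-fragments", None)
        # Overlap check: a byte covered by two fragments must have the same value in
        # both. If it does not, the end host's reassembly policy decides what it sees,
        # which the sensor cannot know, so the datagram is not forwarded.
        for off, data in p.pieces.items():
            lo, hi = max(off, frag.offset), min(off + len(data), end)
            if lo < hi and data[lo - off:hi - off] != frag.data[lo - frag.offset:hi - frag.offset]:
                del self.partials[frag.key]
                return ("deny-overlap-conflict", None)
        # Keep the longer copy when the same offset is re-sent with consistent bytes.
        if frag.offset not in p.pieces or len(frag.data) > len(p.pieces[frag.offset]):
            p.pieces[frag.offset] = frag.data
        if not frag.more_fragments:
            p.total_len = end
        return self._try_complete(frag.key, p)

    def _try_complete(self, key, p: Partial):
        if p.total_len is None:
            return ("pending", None)
        buf = bytearray(p.total_len)
        covered = bytearray(p.total_len)
        for off, data in p.pieces.items():
            if off + len(data) > p.total_len:   # data past the declared last byte
                del self.partials[key]
                return ("deny-beyond-end", None)
            buf[off:off + len(data)] = data
            covered[off:off + len(data)] = b"\x01" * len(data)
        if not all(covered):
            return ("pending", None)  # a hole remains; wait for the missing fragment
        del self.partials[key]
        return ("forward", bytes(buf))


if __name__ == "__main__":
    n = FragmentNormalizer()
    key = ("10.0.0.1", "10.0.0.2", 7, 6)  # constructed sample flow
    print(n.accept(Fragment(key, 4, b"EFGH", False)))  # ('pending', None)
    print(n.accept(Fragment(key, 0, b"ABCD", True)))   # ('forward', b'ABCDEFGH')
```

The point to take from the model is that every non-forward verdict releases the per-datagram state immediately, which is what keeps the fragment tracker from becoming the denial-of-service target the paragraph warns about.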
TCP Normalization
Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To
make sure policy enforcement can occur with no false positives and false negatives, the state of the
two TCP endpoints must be tracked and only the data that is actually processed by the real host
endpoints should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except
for TCP segment retransmits. Overwrites in the TCP session should not occur. If overwrites do
occur, someone is intentionally trying to elude the security policy or the TCP stack implementation
is broken. Maintaining full information about the state of both endpoints is not possible unless the
sensor acts as a TCP proxy. Instead of the sensor acting as a TCP proxy, the segments will be ordered
properly and the normalizer will look for any abnormal packets associated with evasion and attacks.
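The following is an added example, not code from the Cisco guide, that models one direction of the TCP normalization the paragraph above describes: segments are put in sequence order and passed on contiguously, a retransmit that repeats bytes already seen is tolerated, and a segment that overwrites a byte the stream already carried is rejected because the sensor cannot know which version the real endpoint kept. The Segment class, the verdict strings and the sample HTTP bytes are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Segment:
    seq: int     # sequence number of the first payload byte
    data: bytes


class TcpStreamNormalizer:
    """One direction of a TCP session. Segments are put in sequence order and
    delivered contiguously. A retransmit must repeat bytes already seen; a segment
    that changes a byte already carried by the stream (an overwrite) is rejected."""

    def __init__(self, isn: int):
        self.isn = isn                   # first payload sequence number of the stream
        self.next_seq = isn              # next byte the receiver expects
        self.seen: Dict[int, int] = {}   # absolute seq -> byte value, kept for overlap checks
        self.delivered = bytearray()     # bytes passed on, in order

    def accept(self, seg: Segment):
        """Returns (verdict, bytes delivered in order because of this segment)."""
        if seg.seq < self.isn:
            return ("deny-before-isn", b"")   # data from before the stream began
        new_bytes = 0
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if pos in self.seen:
                if self.seen[pos] != b:
                    return ("deny-overwrite", b"")   # conflicting value for a known byte
            else:
                new_bytes += 1
        if new_bytes == 0:
            return ("retransmit", b"")   # pure retransmit: consistent, nothing new to deliver
        for i, b in enumerate(seg.data):
            self.seen[seg.seq + i] = b
        # Deliver in order; bytes beyond a gap stay queued until the gap is filled.
        out = bytearray()
        while self.next_seq in self.seen:
            out.append(self.seen[self.next_seq])
            self.next_seq += 1
        self.delivered += out
        return ("forward" if out else "queued", bytes(out))

    def stream(self) -> bytes:
        return bytes(self.delivered)


if __name__ == "__main__":
    t = TcpStreamNormalizer(isn=1000)
    print(t.accept(Segment(1000, b"GET ")))   # ('forward', b'GET ')
    print(t.accept(Segment(1008, b"HTTP")))   # ('queued', b'')  arrives before its predecessor
    print(t.accept(Segment(1004, b"/a/ ")))   # ('forward', b'/a/ HTTP')  fills the gap
    print(t.accept(Segment(1006, b"xx")))     # ('deny-overwrite', b'')  bytes already carried differ
```

The model keeps the sensor out of the TCP proxy role the paragraph rules out: it never acknowledges or rewrites anything, it only decides, per segment, whether the data is consistent with what the stream has already carried.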
NORMALIZER Engine Parameters

Table B-10 lists the parameters that are specific to the NORMALIZER engine:

Table B-10  NORMALIZER Engine Parameters

Parameter                             Description
edit-default-sigs-only                Editable signatures.
specify-fragment-reassembly-timeout   (Optional) Enables fragment reassembly timeout.
specify-hijack-max-old-ack            (Optional) Enables hijack-max-old-ack.
specify-max-dgram-size                (Optional) Enables maximum datagram size.
specify-max-fragments                 (Optional) Enables maximum fragments.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Appendix B, Signature Engines, 78-16527-01
