Appendix B
Signature Engines
Table B-22
Parameter
non-snmp-traffic-inspection
snmp-inspection
SERVICE.SSH Engine
The SERVICE.SSH engine specializes in port 22 SSH traffic. Because all but the setup of an SSH session
is encrypted, the engine only looks at the fields in the setup. There are two default signatures for SSH.
You can tune these signatures, but you cannot create custom signatures.
Table B-23
Table B-23
Parameter
length-type
service-ports
specify-packet-depth
1. The second number in the range must be greater than or equal to the first number.
STATE Engine
The STATE engine provides state-based regular expression-based pattern inspection of TCP streams. A
state engine is a device that stores the state of something and at a given time can operate on input to
transition from one state to another and/or cause an action or output to take place. State machines are
used to describe a specific event that causes an output or alarm.
78-16527-01
SERVICE.SNMP Engine Parameters (continued)
Description
Inspects for non-SNMP traffic destined for UDP
port 161.
Inspects SNMP traffic:
specify-community-name [yes | no]:
•
specify-object-id [yes | no]:
•
lists the parameters specific to the SERVICE.SSH engine.
SERVICE.SSH Engine Parameters
Description
Inspects for one of the following SSH length types:
key-length—Length of the SSH key to inspect for:
•
length—Keys larger than this fire the RSAREF
–
overflow.
user-length—User length SSH inspection:
•
length—Keys larger than this fire the RSAREF
–
overflow.
A comma-separated list of ports or port ranges where the
target service resides.
(Optional) Enables packet depth:
•
packet-depth—Number of packets to watch before
determining the session key was missed.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
community-name—Searches for the
–
SNMP community name, that is, the
SNMP password.
object-id—Searches for the SNMP object
–
identifier.
STATE Engine
Value
—
community-name
object-id
Value
0 to 65535
1
0 to 65535
a-b[,c-d]
0 to 65535
B-27