String-Udp Engine Parameters; Sweep Engine - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual

Appendix B
Signature Engines

STRING.UDP Engine Parameters

Table B-27 lists the parameters specific to the STRING.UDP engine.

Table B-27 STRING.UDP Engine Parameters

| Parameter | Description | Value |
|---|---|---|
| direction | Direction of the traffic: from-service is traffic from the service port destined to the client port; to-service is traffic from the client port destined to the service port. | from-service, to-service |
| service-ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535; a-b[,c-d] (see note 1) |
| specify-exact-match-offset | (Optional) Enables exact match offset. exact-match-offset is the exact stream offset the regular expression string must report for a match to be valid. | 0 to 65535 |
| specify-min-match-length | (Optional) Enables minimum match length. min-match-length is the minimum number of bytes the regular expression string must match. | 0 to 65535 |
| swap-attacker-victim | True if the source and destination addresses (and ports) are swapped in the alert message. False for no swap (default). | true \| false |

1. The second number in the range must be greater than or equal to the first number.

SWEEP Engine

The SWEEP engine analyzes traffic between two hosts or from one host to many hosts. You can tune the existing signatures or create custom signatures. The SWEEP engine has protocol-specific parameters for ICMP, UDP, and TCP.

The alert conditions of the SWEEP engine ultimately depend on the count tracked against the unique parameter. The unique parameter is the threshold number of distinct hosts or ports, depending on the type of sweep. The alert is triggered when more than the unique number of ports or hosts is seen on the address set within the time period. Tracking the distinct ports and hosts in this way is called counting. You can configure source and destination address filters, which means the sweep signature excludes these addresses from the sweep-counting algorithm.

Event action filters based on source and destination IP addresses do not function for the SWEEP engine, because sweep signatures do not filter in the same way as regular signatures. To filter source and destination IP addresses in sweep alerts, use the source and destination IP address filter parameters in the SWEEP engine signatures. A unique parameter must be specified for all signatures in the SWEEP engine. A limit of 2 through 40 (inclusive) is enforced on the sweeps. 2 is the absolute minimum, because activity against a single host or port is not a sweep. 40 is a practical maximum that must be enforced so that the sweep does not consume excess memory. More realistic values for unique range between 5 and 15.

TCP sweeps must have a TCP flag and mask specified; together they determine the sweep inspector slot in which the distinct connections are counted.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01), page B-31
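The counting behaviour described above (distinct ports or hosts per address set, a time period, the source/destination filters, and the enforced 2 through 40 range for unique) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Cisco's sensor code: the Flow records, the signature names, the address-set keys and the alert tuple layout are all assumptions made for the example.

```python
"""Added illustration of the SWEEP engine's unique-counting logic.

This is not Cisco's implementation. Flow records, signature names and the
alert format are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Range the engine enforces on the unique parameter (2 through 40, inclusive).
UNIQUE_MIN, UNIQUE_MAX = 2, 40


@dataclass(frozen=True)
class Flow:
    """One observed packet or connection (constructed sample input)."""
    ts: float      # seconds
    src: str       # attacker address
    dst: str       # victim address
    dport: int     # destination port


@dataclass
class SweepSignature:
    """A hypothetical sweep signature with the parameters discussed on the page."""
    name: str
    unique: int                  # alert when MORE than this many distinct items are seen
    period: float                # counting window, in seconds
    kind: str                    # "ports": one host -> many ports; "hosts": one host -> many hosts
    src_filter: Set[str] = field(default_factory=set)  # addresses excluded from counting
    dst_filter: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not UNIQUE_MIN <= self.unique <= UNIQUE_MAX:
            raise ValueError(f"unique must be {UNIQUE_MIN}..{UNIQUE_MAX}, got {self.unique}")
        if self.kind not in ("ports", "hosts"):
            raise ValueError(f"unknown sweep kind {self.kind!r}")


Alert = Tuple[str, str, Optional[str], int]  # (signature, attacker, victim-or-None, count)


def sweep_alerts(sig: SweepSignature, flows: List[Flow]) -> List[Alert]:
    """Count distinct ports/hosts per address set within sig.period and alert
    once per window at the moment the count first exceeds sig.unique."""
    # per address set: (window start time, distinct items seen in the window)
    state: Dict[Tuple[str, str], Tuple[float, Set]] = {}
    alerts: List[Alert] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src in sig.src_filter or f.dst in sig.dst_filter:
            continue  # filtered addresses never enter the sweep-counting algorithm
        if sig.kind == "ports":
            key, item = (f.src, f.dst), f.dport   # address set: attacker -> one victim host
        else:
            key, item = (f.src, ""), f.dst        # address set: attacker -> any host
        start, seen = state.get(key, (f.ts, set()))
        if f.ts - start > sig.period:
            start, seen = f.ts, set()             # window expired: start counting afresh
        seen.add(item)
        state[key] = (start, seen)
        if len(seen) == sig.unique + 1:           # just crossed "more than unique"
            victim = f.dst if sig.kind == "ports" else None
            alerts.append((sig.name, f.src, victim, len(seen)))
    return alerts


# Constructed sample traffic.
SAMPLE_FLOWS: List[Flow] = [
    # 10.0.0.5 probes six distinct ports on one host within 5 s (a port sweep)
    *[Flow(t, "10.0.0.5", "192.0.2.10", p) for t, p in enumerate((22, 23, 25, 80, 110, 143))],
    # 10.0.0.99 does the same but is excluded by the source address filter below
    *[Flow(t, "10.0.0.99", "192.0.2.10", p) for t, p in enumerate((21, 22, 23, 25, 80, 443, 8080))],
    # 10.0.0.7 probes six ports 15 s apart, so no 10 s window ever holds more than one port
    *[Flow(15.0 * i, "10.0.0.7", "192.0.2.10", p) for i, p in enumerate((22, 23, 25, 80, 110, 143))],
    # 10.0.0.8 connects to port 80 on four different hosts within 3 s (a host sweep)
    *[Flow(t, "10.0.0.8", f"198.51.100.{t + 1}", 80) for t in range(4)],
]

PORT_SWEEP = SweepSignature("sample-port-sweep", unique=5, period=10.0, kind="ports",
                            src_filter={"10.0.0.99"})
HOST_SWEEP = SweepSignature("sample-host-sweep", unique=2, period=10.0, kind="hosts")

if __name__ == "__main__":
    for sig in (PORT_SWEEP, HOST_SWEEP):
        for alert in sweep_alerts(sig, SAMPLE_FLOWS):
            print(alert)
```

Running it shows one alert per sweep: the filtered scanner never counts, and the slow scanner never accumulates more than one port inside a window, which is exactly why the time period and the unique threshold have to be tuned together (the page's 5 to 15 guidance) rather than simply set low.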
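Returning to Table B-27, the service-ports value format (a comma-separated list of ports or port ranges, a-b[,c-d], each port within 0 to 65535, and note 1's requirement that the second number of a range is not below the first) is easy to get wrong when generating signature definitions from tooling. The parser below is an added example written for this page, not part of the Cisco product; the function names and the sample lists are assumptions.

```python
"""Added illustration: parse and validate a STRING.UDP service-ports value.

Not Cisco's code. Function names and sample values are constructed.
"""
from typing import List, Tuple

PORT_MIN, PORT_MAX = 0, 65535


def parse_service_ports(value: str) -> List[Tuple[int, int]]:
    """Turn 'a-b[,c-d]' (single ports allowed) into a list of (low, high) tuples.

    Raises ValueError on an empty element, a non-numeric port, a port outside
    0..65535, or a range whose second number is below the first (note 1).
    """
    ranges: List[Tuple[int, int]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in service-ports {value!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
        else:
            lo_s = hi_s = item
        try:
            lo, hi = int(lo_s), int(hi_s)
        except ValueError:
            raise ValueError(f"non-numeric port in {item!r}") from None
        for port in (lo, hi):
            if not PORT_MIN <= port <= PORT_MAX:
                raise ValueError(f"port {port} outside {PORT_MIN}..{PORT_MAX} in {item!r}")
        if hi < lo:
            # Table B-27, note 1: second number must be >= the first number.
            raise ValueError(f"range {item!r}: second number is below the first")
        ranges.append((lo, hi))
    return ranges


def is_valid_service_ports(value: str) -> bool:
    """Convenience wrapper: True if the value parses cleanly."""
    try:
        parse_service_ports(value)
        return True
    except ValueError:
        return False


def port_matches(ranges: List[Tuple[int, int]], port: int) -> bool:
    """True if port falls inside any parsed range (how the engine would test a packet)."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    sample = "53,67-68,161-162"          # constructed sample value
    parsed = parse_service_ports(sample)
    print(parsed)                         # [(53, 53), (67, 68), (161, 162)]
    print(port_matches(parsed, 68), port_matches(parsed, 69))
    print(is_valid_service_ports("68-67"))  # violates note 1
```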