7-13
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 7 Defining Signatures
Configuring Signatures
The AIC engine runs when HTTP traffic is received on AIC web ports. If traffic is web traffic, but not
received on the AIC web ports, the Service.HTTP engine is executed. AIC inspection can be on any port
if it is configured as an AIC web port and the traffic to be inspected is HTTP traffic.
Caution
The AIC web ports are regular HTTP web ports. You can turn on AIC web ports to distinguish which
ports should watch for regular HTTP traffic and which ports should watch for AIC enforcement. You
might use AIC web ports, for example, if you have a proxy on port 82 and you need to monitor it. We
recommend that you do not configure separate ports for AIC enforcement.
AIC has the following categories of signatures:
• HTTP request method
  – Define request method
  – Recognized request methods
  For a list of signature IDs and descriptions, see AIC Request Method Signatures, page 7-15.
• MIME type
  – Define content type
  – Recognized content type
  For a list of signature IDs and descriptions, see AIC MIME Define Content Type Signatures, page 7-16. For the procedure for creating a custom MIME signature, see Example AIC MIME-Type Signature, page 7-36.
• Define web traffic policy
  There is one predefined signature, 12674, that specifies the action to take when noncompliant HTTP traffic is seen. The command alarm-on-non-http-traffic (true | false) enables the signature. By default this signature is enabled.
• Transfer encodings
  – Associate an action with each method
  – List methods recognized by the sensor
  – Specify which actions need to be taken when a chunked encoding error is seen
  For a list of signature IDs and descriptions, see AIC Transfer Encoding Signatures, page 7-19.
• FTP commands
  Associates an action with an FTP command. For a list of signature IDs and descriptions, see AIC FTP Commands Signatures, page 7-20.
Configuring the Application Policy
Use the application-policy command in the signature definition submode to enable the web AIC feature. You can configure the sensor to provide Layer 4 to Layer 7 packet inspection to prevent malicious attacks related to web and FTP services.
The following options apply:
• ftp-enable [true | false]—Enables protection for FTP services. Set to true to require the sensor to inspect FTP traffic. The default is false.