Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01), page 7-22
Chapter 7: Defining Signatures
Configuring Signatures
IP Fragment Reassembly
This section describes IP fragment reassembly, and contains the following topics:
• Overview, page 7-22
• Configuring IP Fragment Reassembly Parameters, page 7-22
• Configuring the Method for IP Fragment Reassembly, page 7-23
Overview
You can configure the sensor to reassemble a datagram that has been fragmented over multiple packets. You can specify the limits the sensor uses to decide how many partially reassembled datagrams to hold and how long to wait for the remaining fragments of a datagram. The goal is to ensure that the sensor does not allocate all its resources to datagrams that cannot be completely reassembled, either because the sensor missed some frame transmissions or because an attack has been launched that is based on generating random fragmented datagrams.
You configure IP fragment reassembly per signature.
Configuring IP Fragment Reassembly Parameters
Table 7-5 lists the IP fragment reassembly signatures with the parameters that you can configure for IP fragment reassembly. The IP fragment reassembly signatures are part of the NORMALIZER engine.
To configure IP fragment reassembly parameters, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition submode:
sensor# configure terminal
sensor(config)# service signature-definition sig0
Table 7-5 IP Fragment Reassembly Signatures

IP Fragment Reassembly Signature                    Parameter With Default Value
1200 IP Fragmentation Buffer Full                   Specify Max Fragments 10000
1201 IP Fragment Overlap                            None
1202 IP Fragment Overrun - Datagram Too Long        Specify Max Datagram Size 65536
1203 IP Fragment Overwrite - Data is Overwritten    None
1204 IP Fragment Missing Initial Fragment           None
1205 IP Fragment Too Many Datagrams                 Specify Max Partial Datagrams 1000
1206 IP Fragment Too Small                          Specify Max Small Frags 2
                                                    Specify Min Fragment Size 400
1207 IP Fragment Too Many Datagrams                 Specify Max Fragments per Datagram 170
1208 IP Fragment Incomplete Datagram                Specify Fragment Reassembly Timeout 60
1220 Jolt2 Fragment Reassembly DoS attack           Specify Max Last Fragments 4
1225 Fragment Flags Invalid                         None
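To show how the limits in Table 7-5 bound the reassembly state, the following Python is an added, simplified model of a fragment tracker; it is not Cisco sensor code, and the datagram key, the state layout and the exact firing conditions (which apply the 1202, 1205, 1206, 1207 and 1208 defaults) are assumptions.

```python
from collections import namedtuple

# Default limits from Table 7-5, keyed by the signature ID each one feeds: 1202 max
# datagram size, 1205 max partial datagrams, 1206 (max small frags, min fragment
# size), 1207 max fragments per datagram, 1208 reassembly timeout in seconds.
LIMITS = {1202: 65536, 1205: 1000, 1206: (2, 400), 1207: 170, 1208: 60}

# offset/length are byte positions in the datagram; more is the IP MF flag; key is assumed.
Fragment = namedtuple("Fragment", "key offset length more")  # key=(src,dst,proto,ip_id)

def complete(frags):
    """True when fragments cover [0, end) with no gap and the last has MF clear."""
    end, last = 0, max(frags, key=lambda f: f.offset)
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset > end:
            return False  # gap (or missing initial fragment): keep waiting
        end = max(end, f.offset + f.length)
    return not last.more

class Reassembler:
    def __init__(self, limits=LIMITS):
        self.limits, self.partials = dict(limits), {}  # key -> partial state

    def observe(self, frag, now):
        """Track one fragment; return the signature IDs it triggers ([] if none)."""
        fired, p = [], self.partials.get(frag.key)
        if p is None:
            if len(self.partials) >= self.limits[1205]:
                return [1205]  # too many partial datagrams: do not track another
            p = self.partials[frag.key] = {"t": now, "frags": [], "small": 0}
        p["frags"].append(frag)
        if frag.offset + frag.length > self.limits[1202]:
            fired.append(1202)  # datagram would exceed the maximum size
        max_small, min_size = self.limits[1206]
        if frag.more and frag.length < min_size:
            p["small"] += 1
            if p["small"] > max_small:
                fired.append(1206)  # too many undersized non-final fragments
        if len(p["frags"]) > self.limits[1207]:
            fired.append(1207)  # too many fragments in one datagram
        if complete(p["frags"]):
            del self.partials[frag.key]  # reassembled: release the buffer
        return fired

    def expire(self, now):
        # Signature 1208: drop partials older than the timeout and return their keys.
        stale = [k for k, p in self.partials.items() if now - p["t"] > self.limits[1208]]
        for k in stale:
            del self.partials[k]
        return stale
```

Lowering the limits (for example Max Partial Datagrams) makes the tracker refuse new state sooner, which is the trade-off the Overview describes between complete reassembly and resource exhaustion.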