Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix A System Architecture
SensorApp
Figure A-4 Signature Event Through SEAP
New Features
SensorApp contains the following new features:
• Processing packets inline
When the sensor is processing packets in the data path, all packets are forwarded without any
modifications unless explicitly denied by policy configuration. Because of TCP normalization, some
packets may be delayed to ensure proper coverage. When policy violations are
encountered, SensorApp allows for the configuration of actions. Additional actions are available in
inline mode, such as deny packet, deny flow, and deny attacker.
All packets that are unknown or of no interest to the IPS are forwarded to the paired interface with
no analysis. All bridging and routing protocols are forwarded with no participation other than a
possible deny due to policy violations. There is no IP stack associated with any interface used for
inline (or promiscuous) data processing. The current support for 802.1q packets in promiscuous
mode is extended to inline mode.
• Enhanced configuration
[Figure A-4 diagram labels: Signature event with configured action; Signature event action override (add action based on RR); Signature event action filter (subtract action based on signature, address, port, RR, etc.); Signature event summary filter (subtract action based on current summary mode); Signature event action handler (perform action); Event count; Consumed signature event.]
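The stages labelled in Figure A-4, as an added Python model that is not Cisco's code: an event's action set is extended by the override stage, reduced by the two filter stages, and the handler then forwards the packet unless a deny action survived. The `produce-alert` action name, the `fire-once` summary semantics, the filter dictionary layout and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DENY = {"deny-packet", "deny-flow", "deny-attacker"}  # inline-mode actions named in the text

@dataclass
class Event:
    sig_id: int
    attacker: str
    port: int
    rr: int                                      # risk rating (RR), 0-100
    actions: set = field(default_factory=set)    # actions configured on the signature

def override(ev, overrides):
    """Add action based on RR: overrides maps action -> (low, high) RR range."""
    ev.actions |= {a for a, (lo, hi) in overrides.items() if lo <= ev.rr <= hi}

def action_filter(ev, filters):
    """Subtract actions when signature, address, port and RR all match a filter."""
    for f in filters:
        lo, hi = f.get("rr", (0, 100))           # a missing key matches anything
        if (f.get("sig_id", ev.sig_id) == ev.sig_id and f.get("port", ev.port) == ev.port
                and f.get("attacker", ev.attacker) == ev.attacker and lo <= ev.rr <= hi):
            ev.actions -= set(f["remove"])

def summary_filter(ev, mode, counts):
    """Assumed semantics: in 'fire-once' only the first event per (sig, attacker) alerts."""
    key = (ev.sig_id, ev.attacker)
    counts[key] = counts.get(key, 0) + 1         # the figure's "event count"
    if mode == "fire-once" and counts[key] > 1:
        ev.actions.discard("produce-alert")      # deny actions are left in place

def handle(ev):
    """Perform action: the packet is forwarded unless a deny action survived."""
    return "drop" if ev.actions & DENY else "forward"

def seap(ev, overrides, filters, mode, counts):
    override(ev, overrides)
    action_filter(ev, filters)
    summary_filter(ev, mode, counts)
    return handle(ev), sorted(ev.actions)

# Constructed policy: deny high-RR events, except from one exempted address.
OVERRIDES = {"deny-packet": (90, 100)}
FILTERS = [{"attacker": "192.0.2.10", "remove": ["deny-packet"]}]

if __name__ == "__main__":
    counts = {}
    for attacker, rr in [("198.51.100.7", 95), ("198.51.100.7", 95), ("192.0.2.10", 95)]:
        ev = Event(1001, attacker, 80, rr, {"produce-alert"})
        print(attacker, rr, seap(ev, OVERRIDES, FILTERS, "fire-once", counts))
```

The exempted address shows why filter scope matters in inline mode: a broad filter removes the deny action and the packet is forwarded even at a high risk rating.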