Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B
Signature Engines
This appendix describes the IPS signature engines. It contains the following sections:
• About Signature Engines
• MASTER Engine
• AIC Engine
• ATOMIC Engine
• FLOOD Engine
• META Engine
• NORMALIZER Engine
• SERVICE Engines
• STATE Engine
• STRING Engines
• SWEEP Engine
• TRAFFIC ICMP Engine
• TROJAN Engines
About Signature Engines
A signature engine is a component of the Cisco IPS that is designed to support many signatures in a
certain category. An engine is composed of a parser and an inspector. Each engine has a set of parameters
that have allowable ranges or sets of values.
Note: The 5.0 engines support a standardized Regex.
IPS 5.0 contains the following signature engines:
• AIC—Provides deep analysis of web traffic.
  It provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows
  administrative control over applications, such as instant messaging and gotomypc, that try to tunnel
  over specified ports. You can also use AIC to inspect FTP traffic and control the commands being
  issued.
  There are two AIC engines: AIC.FTP and AIC.HTTP.