B-2
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B Signature Engines
About Signature Engines
Note
The AIC engines are new for IPS 5.0. For more information on configuring the AIC engine signatures, see Configuring AIC Signatures, page 7-12.
• ATOMIC—The 5.0 ATOMIC engines are now combined into two engines with multi-level selections. You can combine Layer-3 and Layer-4 attributes within one signature, for example IP + TCP. The ATOMIC engine uses the standardized Regex support.
– ATOMIC.IP—Inspects IP protocol packets and associated Layer-4 transport protocols. This engine lets you specify values to match for fields in the IP and Layer-4 headers, and lets you use Regex to inspect Layer-4 payloads.
Note
All IP packets are inspected by the ATOMIC.IP engine. This engine replaces the 4.x ATOMIC.ICMP, ATOMIC.IPOPTIONS, ATOMIC.L3.IP, ATOMIC.TCP, and ATOMIC.UDP engines.
– ATOMIC.ARP—Inspects the Layer-2 ARP protocol. The ATOMIC.ARP engine is different because most engines are based on Layer-3 IP.
• FLOOD—Detects ICMP and UDP floods directed at hosts and networks. There are two FLOOD engines: FLOOD.HOST and FLOOD.NET.
• META—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.
Note
The META engine is new for IPS 5.0.
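The sliding-window correlation that the META engine performs over events rather than packets, shown as an added Python illustration that is not Cisco's code; the signature IDs, source addresses and timestamps below are constructed sample values, and the one-meta-event-per-burst reset is an assumption of this example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One component alert as the correlator sees it (a constructed record)."""
    ts: float      # seconds since start of capture
    sig_id: int    # component signature ID (placeholder values, not real Cisco IDs)
    src: str       # attacker address the alert was raised for


def correlate(events, components, window):
    """Return [(src, ts), ...] meta-events.

    A meta-event fires for a source as soon as every signature ID in
    `components` has been seen from that source within the last `window`
    seconds. Events are correlated per source and never mixed across sources.
    """
    recent = {}   # src -> deque of (ts, sig_id) still inside the window
    fired = []
    for ev in sorted(events, key=lambda e: e.ts):
        dq = recent.setdefault(ev.src, deque())
        dq.append((ev.ts, ev.sig_id))
        # Slide the window: drop component events older than `window` seconds.
        while dq and ev.ts - dq[0][0] > window:
            dq.popleft()
        seen = {sig for _, sig in dq}
        if components <= seen:
            fired.append((ev.src, ev.ts))
            dq.clear()   # assumption: one burst yields one meta-event, then restart
    return fired


# Constructed sample alerts: host .5 trips all three components within 30 s,
# host .9 trips the same three but the first one ages out of the window first.
SAMPLE_EVENTS = [
    Event(0.0, 2000, "10.1.1.5"),
    Event(5.0, 3001, "10.1.1.5"),
    Event(12.0, 4003, "10.1.1.5"),
    Event(0.0, 2000, "10.1.1.9"),
    Event(45.0, 3001, "10.1.1.9"),
    Event(50.0, 4003, "10.1.1.9"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS, {2000, 3001, 4003}, 30.0))
```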
• NORMALIZER—Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance.
• SERVICE—Deals with specific protocols. The SERVICE engine has the following protocol types:
– DNS—Inspects DNS (TCP and UDP) traffic.
– FTP—Inspects FTP traffic.
– GENERIC—Decodes custom service and payload.
– H225—Inspects VoIP traffic. Helps the network administrator make sure the SETUP message coming in to the VoIP network is valid and within the bounds that the policies describe. It also helps make sure the addresses and Q.931 string fields such as url-ids, email-ids, and display information adhere to specific lengths and do not contain possible attack patterns.
– HTTP—Inspects HTTP traffic. The WEBPORTS variable defines the inspection ports for HTTP traffic.
– IDENT—Inspects IDENT (client and server) traffic.
– MSRPC—Inspects MSRPC traffic.
– MSSQL—Inspects Microsoft SQL traffic.
– NTP—Inspects NTP traffic.