Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B Signature Engines
ATOMIC Engine
ATOMIC.IP Engine
The ATOMIC.IP engine defines signatures that inspect IP protocol headers and associated Layer-4
transport protocols (TCP, UDP, and ICMP) and payloads.
Note: The ATOMIC engines do not store persistent data across packets. Instead, they can fire an alert from the analysis of a single packet.

Table B-6 lists the parameters that are specific to the ATOMIC.IP engine.
Table B-5 ATOMIC.ARP Engine Parameters

| Parameter | Description |
|---|---|
| specify-mac-flip | Fires an alert when the MAC address changes more than this many times for this IP address. |
| specify-type-of-arp-sig | Specifies the type of ARP signatures you want to fire on: • Source Broadcast (default)—Fires an alarm for this signature when it sees an ARP source address of 255.255.255.255. • Destination Broadcast—Fires an alarm for this signature when it sees an ARP destination address of 255.255.255.255. • Same Source and Destination—Fires an alarm for this signature when it sees an ARP destination address with the same source and destination MAC address. • Source Multicast—Fires an alarm for this signature when it sees an ARP source MAC address of 01:00:5e:(00-7f). |
| specify-request-inbalance | Fires an alert when there are this many more requests than replies on the IP address. |
| specify-arp-operation | The ARP operation code for this signature. |
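The four single-packet conditions listed under specify-type-of-arp-sig in Table B-5, written out as an added Python example (not Cisco's code and not sensor configuration). It assumes "ARP source/destination address" means the sender/target IP fields of the ARP payload and that the MAC checks use the sender/target hardware fields; the function names and sample packets are constructed for illustration.

```python
import struct

# Ethernet/IPv4 ARP payload (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP = 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
BROADCAST_IP = bytes([255, 255, 255, 255])

def parse_arp(payload: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP payload; raise ValueError otherwise."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def classify(payload: bytes) -> list:
    """Return the Table B-5 ARP signature types matched by this one packet."""
    arp = parse_arp(payload)
    hits = []
    # Assumption: "source/destination address" = sender/target IP fields.
    if arp["spa"] == BROADCAST_IP:
        hits.append("Source Broadcast")
    if arp["tpa"] == BROADCAST_IP:
        hits.append("Destination Broadcast")
    if arp["sha"] == arp["tha"]:
        hits.append("Same Source and Destination")
    # 01:00:5e with the fourth octet in 00-7f, as given in the table.
    if arp["sha"][:3] == b"\x01\x00\x5e" and arp["sha"][3] <= 0x7F:
        hits.append("Source Multicast")
    return hits

def build(oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample ARP payload from hex MACs and dotted IPs."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed samples (addresses are illustrative, not from the guide).
SAMPLES = {
    "normal request": build(1, "00:11:22:33:44:55", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    "broadcast source": build(2, "00:11:22:33:44:55", "255.255.255.255", "00:aa:bb:cc:dd:ee", "192.0.2.1"),
    "multicast sender": build(2, "01:00:5e:00:00:fb", "192.0.2.10", "00:aa:bb:cc:dd:ee", "192.0.2.1"),
    "same MACs": build(2, "00:11:22:33:44:55", "192.0.2.10", "00:11:22:33:44:55", "255.255.255.255"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {classify(pkt) or 'no match'}")
```

Each check reads only the packet in hand, which matches the note that ATOMIC engines fire from a single packet; specify-mac-flip and specify-request-inbalance are counts over several packets and are not modelled here.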
Table B-6 ATOMIC.IP Engine Parameters

| Parameter | Description |
|---|---|
| fragment-status | Specifies whether or not fragments are wanted. |
| specify-ip-payload-length | Specifies IP datagram payload length. |
| specify-ip-header-length | Specifies IP datagram header length. |
| specify-ip-addr-options | Specifies IP addresses. |
| specify-ip-id | Specifies IP identifier. |
| specify-ip-total-length | Specifies IP datagram total length. |
| specify-ip-option-inspection | Specifies IP options inspection. |
| specify-l4-protocol | Specifies Layer-4 protocol. |
| specify-ip-tos | Specifies type of service. |
| specify-ip-ttl | Specifies time to live. |
| specify-ip-version | Specifies IP protocol version. |