B-19
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B Signature Engines
SERVICE Engines
SERVICE.HTTP Engine
This section describes the SERVICE.HTTP engine, and contains the following topics:
• Overview, page B-19
• SERVICE.HTTP Engine Parameters, page B-19
Overview
The SERVICE.HTTP engine is a service-specific, string-based pattern-matching inspection engine. HTTP is one of the most commonly used protocols in today's networks. It also requires the most preprocessing time and has the largest number of signatures requiring inspection, which makes it critical to the system's overall performance.
The SERVICE.HTTP engine uses a Regex library that can combine multiple patterns into a single pattern-matching table, allowing a single search through the data. This engine inspects only traffic directed to web services, that is, HTTP requests; you cannot inspect return traffic with this engine. You can specify separate web ports of interest in each signature in this engine.
HTTP deobfuscation is the process of decoding an HTTP message by normalizing encoded characters to their ASCII equivalents. It is also known as ASCII normalization.
Before an HTTP packet can be inspected, the data must be deobfuscated or normalized to the same
representation that the target system sees when it processes the data. It is ideal to have a customized
decoding technique for each host target type, which involves knowing what operating system and web
server version is running on the target. The SERVICE.HTTP engine has default deobfuscation behavior
for the Microsoft IIS web server.
For an example SERVICE.HTTP custom signature, refer to "Example SERVICE.HTTP Signature," in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 5.0.
SERVICE.HTTP Engine Parameters
Table B-15 lists the parameters specific to the SERVICE.HTTP engine.
Table B-15   SERVICE.HTTP Engine Parameters

Parameter                        Description                                                        Value
de-obfuscate                     Applies anti-evasive deobfuscation before searching.               true | false
max-field-sizes                  Maximum field sizes grouping.
specify-max-arg-field-length     (Optional) Enables maximum argument field length:
                                 • max-arg-field-length—Maximum length of the arguments field.      0 to 65535
specify-max-header-field-length  (Optional) Enables maximum header field length:
                                 • max-header-field-length—Maximum length of the header field.      0 to 65535

1. The second number in the range must be greater than or equal to the first number.
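The deobfuscate-then-match flow described in the Overview, together with the max-field-sizes limits from Table B-15, as an added Python illustration; it is constructed for this appendix and is not Cisco's implementation. It assumes two-pass percent-decoding as the normalization step, standing in for the engine's target-specific (IIS) decoding rules, and the request and signature patterns are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed model of the SERVICE.HTTP flow described above (not Cisco's code):
# deobfuscate the request, enforce the max-field-sizes limits, then run one
# combined regex table over the normalized data in a single search.

def deobfuscate(data: bytes, passes: int = 2) -> bytes:
    """ASCII normalization: decode %XX sequences. Two passes are an assumption
    made here so double-encoded input (%2563 -> %63 -> c) is also decoded; the
    engine's real per-target (IIS) rules are not reproduced."""
    for _ in range(passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def split_request(raw: bytes):
    """Split a raw HTTP request into (method, path, args, headers)."""
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    path, _, args = target.partition(b"?")
    return method, path, args, b"\r\n".join(header_lines)

def inspect(raw: bytes, signatures, de_obfuscate=True,
            max_arg_field_length=None, max_header_field_length=None):
    """Return the names of events raised for one request, in the order found.
    signatures: list of (name, bytes regex); patterns must not define groups."""
    events = []
    _method, path, args, headers = split_request(raw)
    # In this model the max-field-sizes limits (Table B-15) apply to raw field lengths
    if max_arg_field_length is not None and len(args) > max_arg_field_length:
        events.append("max-arg-field-length exceeded")
    if max_header_field_length is not None and len(headers) > max_header_field_length:
        events.append("max-header-field-length exceeded")
    uri = path + (b"?" + args if args else b"")
    if de_obfuscate:
        uri = deobfuscate(uri)
    # one combined table, one search through the data
    table = re.compile(b"|".join(b"(?P<%s>%s)" % (n.encode(), p) for n, p in signatures))
    events.extend(m.lastgroup for m in table.finditer(uri))
    return events

# Constructed sample: the "cmd.exe" segment is percent-encoded in the request.
SAMPLE_REQUEST = (b"GET /scripts/%63md.exe?/c+dir HTTP/1.0\r\n"
                  b"Host: www.example.test\r\n\r\n")
SIGNATURES = [("cmd_exe", rb"cmd\.exe"), ("dot_dot_slash", rb"\.\./")]
```

Running `inspect(SAMPLE_REQUEST, SIGNATURES)` fires `cmd_exe` only because the URI was normalized first; with `de_obfuscate=False` the same pattern does not match the encoded request.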