B-23
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B Signature Engines
SERVICE Engines
You can tune this signature and create custom signatures based on NTP protocol values, such as the mode and the size of control packets. Table B-19 lists the parameters specific to the SERVICE.NTP engine.
SERVICE.RPC Engine
The SERVICE.RPC engine specializes in the RPC protocol and performs a full decode as an anti-evasion strategy. It handles fragmented messages (one message spread over several packets) and batch messages (several messages in a single packet).
The RPC portmapper operates on port 111. Regular RPC messages can be on any port greater than 550. RPC sweeps are like TCP port sweeps, except that a port is counted as unique only when a valid RPC message is sent to it. RPC also runs on UDP, where each message is carried bare in a datagram rather than framed as a TCP record. Table B-20 lists the parameters specific to the SERVICE.RPC engine.
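The two evasion cases the paragraph names (a message split across packets, and several messages packed into one) are exactly what a full RPC decoder has to reassemble before it can tell a valid RPC call from noise, and that decision is what drives the RPC sweep count. The following Python is an added example written for this page; it is not the sensor's code and the Cisco engine's internal decoder is not published. It implements ONC RPC v2 record marking and the call header as specified in RFC 5531, and the portmapper messages it feeds in are constructed here, not captured. The one-reassembler-per-event simplification in rpc_sweep_ports is an assumption of the example; a real sensor keeps one reassembler per TCP flow.

```python
# Added example (not from the Cisco guide): ONC RPC record-marking reassembly,
# call-header decoding, and the "only count ports that got a valid RPC call"
# rule behind RPC sweeps. Formats follow RFC 5531; samples are constructed.
import struct

PORTMAPPER_PORT, PMAP_PROG = 111, 100000
RPC_CALL, RPC_VERSION = 0, 2
MAX_AUTH_BYTES = 400             # RFC 5531: an opaque_auth body is at most 400 octets

class RecordReassembler:
    """ONC RPC over TCP uses record marking: each fragment is preceded by a 4-byte
    header whose top bit means 'last fragment' and whose low 31 bits give its length.
    One message may span several fragments and TCP segments (fragmented), and one
    segment may carry several complete records (batch); feed() handles both."""
    def __init__(self):
        self.stream = b""    # bytes received but not yet consumed
        self.parts = []      # fragments of the message currently in progress

    def feed(self, segment):
        self.stream += segment
        complete = []
        while len(self.stream) >= 4:
            hdr, = struct.unpack("!I", self.stream[:4])
            last, length = bool(hdr & 0x80000000), hdr & 0x7FFFFFFF
            if len(self.stream) < 4 + length:
                break                               # rest of this fragment still in flight
            self.parts.append(self.stream[4:4 + length])
            self.stream = self.stream[4 + length:]
            if last:
                complete.append(b"".join(self.parts))
                self.parts = []
        return complete

def decode_call(msg):
    """Decode an RPC CALL header (xid, mtype, rpcvers, prog, vers, proc, cred, verf).
    Returns a dict, or None when the bytes are not a well-formed RPC v2 call; that
    None is what keeps random traffic from counting toward an RPC sweep."""
    if len(msg) < 40:                               # 6 words + two (flavor, length) pairs
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", msg[:24])
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    off, flavors = 24, []
    for _ in ("cred", "verf"):
        if len(msg) < off + 8:
            return None
        flavor, alen = struct.unpack("!II", msg[off:off + 8])
        if alen > MAX_AUTH_BYTES or len(msg) < off + 8 + alen:
            return None
        flavors.append(flavor)
        off += 8 + ((alen + 3) & ~3)                # opaque body is padded to 4 bytes
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": flavors[0], "verf_flavor": flavors[1], "args": msg[off:]}

def rpc_sweep_ports(events):
    """events: (dst_port, 'tcp'|'udp', payload). Like a TCP port sweep, but a port is
    counted only if a valid RPC call decoded on it. UDP carries the message bare; TCP
    payloads go through record marking (one reassembler per event, an assumption)."""
    hit = set()
    for port, proto, payload in events:
        msgs = RecordReassembler().feed(payload) if proto == "tcp" else [payload]
        if any(decode_call(m) is not None for m in msgs):
            hit.add(port)
    return hit

# --- constructed samples (not captures) ---------------------------------------
def build_call(xid, prog, vers, proc, args=b""):
    auth_null = struct.pack("!II", 0, 0)            # AUTH_NULL: flavor 0, empty body
    return struct.pack("!6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc) + auth_null * 2 + args

def frame(payload, last=True):
    return struct.pack("!I", (0x80000000 if last else 0) | len(payload)) + payload

# PMAPPROC_GETPORT (proc 3) asking where NFS v2 (prog 100003) listens over UDP (17)
GETPORT = build_call(0x1234, PMAP_PROG, 2, 3, struct.pack("!4I", 100003, 2, 17, 0))
DUMP = build_call(0x1235, PMAP_PROG, 2, 4)         # PMAPPROC_DUMP (proc 4)

BATCH_SEGMENT = frame(GETPORT) + frame(DUMP)        # two records in one TCP segment
FRAGMENTED = frame(GETPORT[:20], last=False) + frame(GETPORT[20:])   # one call, two fragments

if __name__ == "__main__":
    print("batch:", [decode_call(m)["proc"] for m in RecordReassembler().feed(BATCH_SEGMENT)])
    r = RecordReassembler()
    print("fragmented:", r.feed(FRAGMENTED[:30]), [decode_call(m)["proc"] for m in r.feed(FRAGMENTED[30:])])
    print("sweep ports:", rpc_sweep_ports([(PORTMAPPER_PORT, "tcp", frame(GETPORT)), (32771, "udp", DUMP),
                                           (2049, "udp", b"\x00" * 8), (PORTMAPPER_PORT, "tcp", frame(GETPORT))]))
```

Note the ordering: reassembly first, validity second, counting last. A decoder that only looked at the first segment of a flow would miss the fragmented call entirely, and one that stopped after the first record would miss the second call in the batch segment; both are the evasions the engine's full decode is meant to defeat.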
Table B-19    SERVICE.NTP Engine Parameters

Parameter                 Description                                                       Value
inspection-type           Type of inspection to perform.                                    inspect-ntp-packets |
                                                                                            is-invalid-data-packet |
                                                                                            is-non-ntp-traffic
  inspect-ntp-packets     Inspects NTP packets:
                          - control-opcode: opcode number of an NTP control packet,
                            according to RFC 1305, Appendix B.
                          - max-control-data-size: maximum allowed amount of data
                            sent in a control packet.
                          - mode: mode of operation of the NTP packet, per RFC 1305.        0 to 65535
  is-invalid-data-packet  Looks for invalid NTP data packets. Checks the structure of
                          the NTP data packet to make sure it is the correct size.          true | false
  is-non-ntp-traffic      Checks for non-NTP packets on an NTP port.                        true | false
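To make the three inspection types concrete, the following Python is an added example written for this page (it is not the sensor's code, and the engine's own decoder is not published). It pulls the mode and control opcode out of the NTP header at the offsets RFC 1305 defines, then applies the checks of Table B-19 to packets constructed inline. Two values are assumptions of the example rather than settings the page states: the set of legal data-packet sizes (48-byte header alone, or followed by a 12- or 20-byte authenticator) and the default max-control-data-size of 468 octets, which is the RFC 1305 Appendix B ceiling on the control data field. The looks_like_ntp plausibility test is likewise the example's own heuristic for is-non-ntp-traffic.

```python
# Added example (not from the Cisco guide): decoding the NTP header fields the
# SERVICE.NTP engine keys on (Table B-19) and applying its inspection types to
# constructed packets. Field offsets follow RFC 1305; size set and 468-octet
# ceiling are assumptions noted in the lead-in.
import struct

NTP_PORT = 123
DATA_PACKET_SIZES = (48, 60, 68)   # header alone, or with a 12- or 20-byte MAC (assumed set)
MAX_CONTROL_DATA = 468             # RFC 1305 Appendix B maximum for the control data field
CONTROL_OPCODES = {1: "read status", 2: "read variables", 3: "write variables",
                   4: "read clock variables", 5: "write clock variables",
                   6: "set trap address", 7: "trap response"}

def header_bits(pkt):
    """First octet is LI(2) | VN(3) | Mode(3)."""
    return pkt[0] >> 6, (pkt[0] >> 3) & 0x07, pkt[0] & 0x07

def looks_like_ntp(pkt):
    """Plausibility test behind is-non-ntp-traffic (the example's own heuristic):
    at least a control-message header, version 1-4, and one of the seven defined modes."""
    if len(pkt) < 12:
        return False
    _, vn, mode = header_bits(pkt)
    return 1 <= vn <= 4 and 1 <= mode <= 7

def parse_control(pkt):
    """Control message (mode 6) fields, RFC 1305 Appendix B: octet 1 is R|E|M|OpCode(5),
    octets 10-11 are the octet count of the data field that starts at offset 12."""
    opcode = pkt[1] & 0x1F
    count = struct.unpack("!H", pkt[10:12])[0]
    return opcode, count, pkt[12:]

def inspect(pkt, dst_port=NTP_PORT, max_control_data_size=MAX_CONTROL_DATA):
    """Return the decoded mode/opcode plus the list of Table B-19 checks that fire."""
    out = {"mode": None, "control_opcode": None, "fired": []}
    if not looks_like_ntp(pkt):
        if dst_port == NTP_PORT:                    # non-NTP bytes on the NTP port
            out["fired"].append("is-non-ntp-traffic")
        return out
    _, _, mode = header_bits(pkt)
    out["mode"] = mode                              # a custom signature can match on this
    if mode == 6:
        opcode, count, data = parse_control(pkt)
        out["control_opcode"] = opcode              # ... or on this
        # Judge by the declared count or by what actually arrived, whichever is larger,
        # so a lying count field cannot hide an oversized payload (or vice versa).
        if max(count, len(data)) > max_control_data_size:
            out["fired"].append("max-control-data-size")
    elif mode in (1, 2, 3, 4, 5) and len(pkt) not in DATA_PACKET_SIZES:
        out["fired"].append("is-invalid-data-packet")   # wrong size for a data packet
    return out

# --- constructed sample packets (not captures) --------------------------------
def make_data_packet(mode=3, vn=4, length=48):
    return bytes([(vn << 3) | mode]) + b"\x00" * (length - 1)

def make_control_packet(opcode, count, data=b"", vn=4):
    hdr = bytes([(vn << 3) | 6, opcode & 0x1F]) + b"\x00" * 8 + struct.pack("!H", count)
    return hdr + data

SAMPLES = {
    "client request":    make_data_packet(3, 4, 48),            # clean mode-3 request
    "truncated data":    make_data_packet(3, 4, 40),            # too short to be a data packet
    "oversized control": make_control_packet(2, 500, b"A" * 500),  # read-variables, 500-byte data
    "http on port 123":  b"GET / HTTP/1.0\r\n\r\n",             # not NTP at all
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = inspect(pkt)
        op = CONTROL_OPCODES.get(r["control_opcode"], r["control_opcode"])
        print(f"{name:18} mode={r['mode']} opcode={op} fired={r['fired']}")
```

When tuning max-control-data-size in practice, remember that the count field is attacker-controlled; a check that trusts the declared count alone can be bypassed by a small count in front of a large payload, which is why the example compares both.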
Table B-20    SERVICE.RPC Engine Parameters

Parameter                Description                                                  Value
direction                Direction of traffic:
                         - from-service: traffic from the service port destined to
                           the client port.
                         - to-service: traffic from the client port destined to the
                           service port.                                               from-service | to-service
protocol                 Protocol of interest.                                         tcp | udp
service-ports            A comma-separated list of ports or port ranges where the
                         target service resides.                                       0 to 65535 (1)
                                                                                       a-b[,c-d]
specify-is-spoof-src     (Optional) Enables the spoof source address check:
                         - is-spoof-src: fires an alert when the source address
                           is 127.0.0.1.                                               true | false