B-31
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Appendix B Signature Engines
STRING-UDP Engine Parameters
Table B-27 lists the parameters specific to the STRING.UDP engine.
SWEEP Engine
The SWEEP engine analyzes traffic between two hosts or from one host to many hosts. You can tune the
existing signatures or create custom signatures. The SWEEP engine has protocol-specific parameters for
ICMP, UDP, and TCP.
The alert conditions of the SWEEP engine ultimately depend on the count of the unique parameter. The
unique parameter is the threshold number of distinct hosts or ports, depending on the type of sweep. The
alert triggers when more than unique distinct ports or hosts are seen on the address set within the time
period. The processing of unique port and host tracking is called counting. You can configure source and
destination address filters; the sweep signature excludes these addresses from the sweep-counting algorithm.

Event action filters based on source and destination IP addresses do not function for the SWEEP engine,
because sweep signatures do not filter the way regular signatures do. To filter source and destination IP
addresses in sweep alerts, use the source and destination IP address filter parameters of the SWEEP
engine signatures.

A unique parameter must be specified for every signature in the SWEEP engine. A limit of 2 through 40
(inclusive) is enforced on unique. 2 is the absolute minimum: a count of one host or port is not a sweep.
40 is a practical maximum, enforced so that the sweep does not consume excess memory. More realistic
values for unique range between 5 and 15.

TCP sweeps must have a TCP flag and mask specified; they determine the sweep inspector slot in which
the distinct connections are counted.
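As an added illustration of the counting described above (constructed example code, not the sensor's implementation and not taken from the guide), the following Python models a port sweep and a host sweep: one counting slot per attacker/victim pair or per attacker, a unique threshold restricted to 2 through 40, a time window after which items stop counting, source and destination address filters that remove hosts from counting, and a TCP flag/mask compare that selects which packets are counted. The names SweepSignature, SweepInspector and run_sweep, the sample traffic, and the reset of a slot after it fires are all assumptions made here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# TCP flag bits used by the constructed sample traffic below.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: int = 0   # TCP flags; 0 for ICMP/UDP


@dataclass
class SweepSignature:
    unique: int               # distinct-count threshold; the guide allows 2..40
    window: float             # seconds of counting state kept per address set
    per_host: bool            # True: distinct victims per attacker; False: distinct ports per pair
    tcp_flags: int = 0        # value the masked flags must equal (TCP sweeps)
    tcp_mask: int = 0         # flag bits examined; 0 examines none (ICMP/UDP)
    src_filter: tuple = ()    # CIDR strings whose sources are excluded from counting
    dst_filter: tuple = ()    # CIDR strings whose destinations are excluded

    def __post_init__(self):
        # Below 2 it is not a sweep; above 40 the per-address state grows too large.
        if not 2 <= self.unique <= 40:
            raise ValueError("unique must be 2 through 40 inclusive")


class SweepInspector:
    """Hypothetical model: one counting slot per attacker (host sweep) or per
    attacker/victim pair (port sweep); fires when distinct items exceed unique."""

    def __init__(self, sig):
        self.sig = sig
        self.slots = {}   # slot key -> {distinct item: last-seen timestamp}

    def _filtered(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return (any(src in ip_network(n) for n in self.sig.src_filter)
                or any(dst in ip_network(n) for n in self.sig.dst_filter))

    def _flags_match(self, pkt):
        # Masked compare, e.g. mask=SYN|ACK with flags=SYN counts SYN-only packets.
        return (pkt.flags & self.sig.tcp_mask) == self.sig.tcp_flags

    def observe(self, pkt):
        """Count one packet; return an alert dict when the threshold is crossed."""
        if self._filtered(pkt) or not self._flags_match(pkt):
            return None
        if self.sig.per_host:
            key, item = pkt.src, pkt.dst
        else:
            key, item = (pkt.src, pkt.dst), pkt.dport
        seen = self.slots.setdefault(key, {})
        cutoff = pkt.ts - self.sig.window
        for stale in [i for i, t in seen.items() if t < cutoff]:
            del seen[stale]          # last seen before the window started
        seen[item] = pkt.ts
        if len(seen) > self.sig.unique:
            alert = {"attacker": pkt.src,
                     "victim": "multiple" if self.sig.per_host else pkt.dst,
                     "count": len(seen)}
            seen.clear()             # restart counting after firing (simplification)
            return alert
        return None


def run_sweep(packets, sig):
    """Feed packets through one signature and collect its alerts."""
    insp = SweepInspector(sig)
    return [a for a in (insp.observe(p) for p in packets) if a is not None]


# Constructed sample traffic (not a capture). Port sweep on SYN-only probes,
# unique=5, with scanner 10.0.0.99 excluded through the source address filter.
PORT_SWEEP = SweepSignature(unique=5, window=60, per_host=False,
                            tcp_flags=SYN, tcp_mask=SYN | ACK,
                            src_filter=("10.0.0.99/32",))

def tcp_sample():
    pkts = [Packet(i, "10.0.0.5", "192.168.1.10", p, SYN)
            for i, p in enumerate([21, 22, 23, 25, 80])]
    pkts.append(Packet(4.5, "10.0.0.5", "192.168.1.10", 443, SYN | ACK))  # not a connection attempt
    pkts.append(Packet(5, "10.0.0.5", "192.168.1.10", 8080, SYN))         # sixth distinct port
    pkts += [Packet(10 + p, "10.0.0.99", "192.168.1.10", p, SYN) for p in range(1, 8)]
    pkts += [Packet(20 + p, "10.0.0.7", "192.168.1.10", p, SYN) for p in range(1, 6)]
    pkts.append(Packet(200, "10.0.0.7", "192.168.1.10", 6, SYN))           # outside the window
    return pkts

# Host sweep over ICMP-like packets (no flags), unique=3; a repeated host is not counted twice.
HOST_SWEEP = SweepSignature(unique=3, window=60, per_host=True)

def icmp_sample():
    hosts = ["192.168.1.1", "192.168.1.2", "192.168.1.1", "192.168.1.3", "192.168.1.4"]
    return [Packet(i, "10.0.0.5", h, 0) for i, h in enumerate(hosts)]
```

Running `run_sweep(tcp_sample(), PORT_SWEEP)` yields one alert for 10.0.0.5 with a count of 6: the SYN/ACK packet fails the flag mask, 10.0.0.99 is filtered out entirely, and 10.0.0.7's sixth port arrives after the window, so its earlier five no longer count. The host sweep fires once with a count of 4.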
Table B-27 STRING.UDP Engine

direction
  Description: Direction of the traffic:
  • from-service—Traffic from service port destined to client port.
  • to-service—Traffic from client port destined to service port.
  Value: from-service | to-service

service-ports
  Description: A comma-separated list of ports or port ranges where the target service resides.
  Value: 0 to 65535, in the form a-b[,c-d] (1)

specify-exact-match-offset
  Description: (Optional) Enables exact match offset:
  • exact-match-offset—The exact stream offset the regular expression string must report for a match to be valid.
  Value: 0 to 65535

specify-min-match-length
  Description: (Optional) Enables minimum match length:
  • min-match-length—Minimum number of bytes the regular expression string must match.
  Value: 0 to 65535

swap-attacker-victim
  Description: True if the source and destination addresses (and ports) are swapped in the alert message. False (the default) for no swap.
  Value: true | false

1. The second number in the range must be greater than or equal to the first number.
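As an added example (constructed here, not from the guide or the sensor software), the following Python applies these STRING.UDP parameters to a UDP datagram: service-ports parsed from the a-b[,c-d] form with the range check from the footnote, direction tested against the service ports, the regular expression required to report its match exactly at exact-match-offset and to span at least min-match-length bytes, and swap-attacker-victim applied to the addresses reported in the alert. The sample datagram is a constructed DNS query for the CHAOS TXT record version.bind, chosen because its question name sits at the fixed offset 12 after the 12-byte header; the signature names, the inspect function and the port choices are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


def parse_service_ports(spec):
    """Parse the a-b[,c-d] form (single ports allowed too) into a set of ints.
    Each range end must be >= its start and every value must lie in 0..65535."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part.strip()!r}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass
class StringUdpSignature:
    regex: str                                # byte-level regular expression
    service_ports: str                        # a-b[,c-d]
    direction: str = "to-service"             # to-service | from-service
    exact_match_offset: Optional[int] = None  # specify-exact-match-offset
    min_match_length: Optional[int] = None    # specify-min-match-length
    swap_attacker_victim: bool = False

    def __post_init__(self):
        if self.direction not in ("to-service", "from-service"):
            raise ValueError("direction must be to-service or from-service")
        self.ports = parse_service_ports(self.service_ports)
        self.pattern = re.compile(self.regex.encode())


def inspect(sig, src, sport, dst, dport, payload):
    """Apply one signature to a UDP datagram; return an alert dict or None."""
    # to-service traffic carries a service port as destination,
    # from-service traffic carries a service port as source.
    if sig.direction == "to-service" and dport not in sig.ports:
        return None
    if sig.direction == "from-service" and sport not in sig.ports:
        return None
    if sig.exact_match_offset is not None:
        # Pattern.match(s, pos) succeeds only for a match that starts at pos.
        m = sig.pattern.match(payload, sig.exact_match_offset)
        matches = [m] if m else []
    else:
        matches = list(sig.pattern.finditer(payload))
    for m in matches:
        length = m.end() - m.start()
        if sig.min_match_length is not None and length < sig.min_match_length:
            continue
        attacker, victim = (src, sport), (dst, dport)
        if sig.swap_attacker_victim:
            attacker, victim = victim, attacker
        return {"attacker": attacker, "victim": victim,
                "offset": m.start(), "length": length}
    return None


# Constructed DNS query (not a capture): header, then QNAME version.bind
# at offset 12, QTYPE TXT (16), QCLASS CH (3).
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07version\x04bind\x00\x00\x10\x00\x03")
# Constructed reply header repeating the same question section (answer records omitted).
RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
            b"\x07version\x04bind\x00\x00\x10\x00\x03")

# The 13-byte encoded name must start exactly where the question section begins.
VERSION_QUERY = StringUdpSignature(regex=r"\x07version\x04bind", service_ports="53",
                                   direction="to-service",
                                   exact_match_offset=12, min_match_length=13)
# Same pattern on replies; swap so the querying client is reported as the attacker.
VERSION_REPLY = StringUdpSignature(regex=r"\x07version\x04bind", service_ports="53",
                                   direction="from-service",
                                   swap_attacker_victim=True)


def demo():
    """Run the two signatures over the constructed datagrams."""
    return {
        "query": inspect(VERSION_QUERY, "10.0.0.5", 40000, "192.168.1.53", 53, QUERY),
        "wrong_port": inspect(VERSION_QUERY, "10.0.0.5", 40000, "192.168.1.53", 5353, QUERY),
        "reply": inspect(VERSION_REPLY, "192.168.1.53", 53, "10.0.0.5", 40000, RESPONSE),
    }
```

With swap-attacker-victim set on the reply signature, both alerts name the client 10.0.0.5:40000 as the attacker and the server as the victim, even though the reply travels in the opposite direction. Setting exact-match-offset to 0 instead of 12, or min-match-length to 14, makes the query signature stop matching, which is the behaviour the two optional parameters exist to enforce.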