Cisco Systems IPS4510K9 manual Appendix B Signature Engines Understanding Signature Engines

Appendix B Signature Engines

Understanding Signature Engines

Cisco IPS contains the following signature engines:

•AIC—Provides thorough analysis of web traffic. The AIC engine provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. You can also use AIC to inspect FTP traffic and control the commands being issued. There are two AIC engines: AIC FTP and AIC HTTP.

•Atomic—The Atomic engines are combined into four engines with multi-level selections. You can combine Layer 3 and Layer 4 attributes within one signature, for example IP + TCP. The Atomic engine uses the standardized Regex support. The Atomic engines consist of the following types:

–Atomic ARP—Inspects Layer 2 ARP protocol. The Atomic ARP engine is different because most engines are based on Layer 3 IP protocol.

–Atomic IP Advanced—Inspects IPv6 Layer 3 and ICMPv6 Layer 4 traffic.

–Atomic IP—Inspects IP protocol packets and associated Layer 4 transport protocols. This engine lets you specify values to match for fields in the IP and Layer 4 headers, and lets you use Regex to inspect Layer 4 payloads.

Note All IP packets are inspected by the Atomic IP engine. This engine replaces the 4.x Atomic ICMP, Atomic IP Options, Atomic L3 IP, Atomic TCP, and Atomic UDP engines.

–Atomic IPv6—Detects two IOS vulnerabilities that are stimulated by malformed IPv6 traffic.

•Fixed—Performs parallel regular expression matches up to a fixed depth, then stops inspection using a single regular expression table. There are three Fixed engines: ICMP, TCP, and UDP.

•Flood—Detects ICMP and UDP floods directed at hosts and networks. There are two Flood engines: Flood Host and Flood Net.

•Meta—Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.

•Multi String—Inspects Layer 4 transport protocols and payloads by matching several strings for one signature. This engine inspects stream-based TCP and single UDP and ICMP packets.

•Normalizer—Configures how the IP and TCP Normalizer functions and provides configuration for signature events related to the IP and TCP Normalizer. Allows you to enforce RFC compliance.

•Service—Deals with specific protocols. The Service engines are divided in to the following protocol types:

–DNS—Inspects DNS (TCP and UDP) traffic.

–FTP—Inspects FTP traffic.

–FTP V2—Supports IOS IPS. This signature engine provides a protocol decode engine tuned for IOS IPS. If you try to use this engine, you receive an error message.

–Generic—Decodes custom service and payload, and generically analyzes network protocols.

–H225—Inspects VoIP traffic. Helps the network administrator make sure the SETUP message coming in to the VoIP network is valid and within the bounds that the policies describe. Is also helps make sure the addresses and Q.931 string fields such as url-ids, email-ids, and display information adhere to specific lengths and do not contain possible attack patterns.

–HTTP—Inspects HTTP traffic. The WEBPORTS variable defines inspection port for HTTP traffic.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2