B-69
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Appendix B Signature Engines
Sweep Engines
per-stream/per-source/per-destination basis

The data node containing the sweep determines when the sweep should expire. The data node stops a sweep when the data node has not seen any traffic for x number of seconds (depending on the protocol).

There are several adaptive timeouts for the data nodes. The data node expires after 30 seconds of idle time on the address set after all of the contained objects have been removed. Each contained object has various timeouts; for example, TCP Stream has a one-hour timeout for established connections. Most other objects have a much shorter expiration time, such as 5 or 60 seconds.
Table B-37 lists the parameters specific to the Sweep engine.

Table B-37 Sweep Engine Parameters

| Parameter | Description | Value |
|---|---|---|
| dst-addr-filter | Specifies the destination IP address to exclude from the sweep counting algorithm. | <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>] |
| src-addr-filter | Specifies the source IP address to exclude from the sweep counting algorithm. | <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>] |
| protocol | Specifies the protocol of interest for this inspector. | icmp, udp, tcp |
| specify-icmp-type {yes \| no} | (Optional) Enables the ICMP header type: icmp-type specifies the value of the ICMP header TYPE. | 0 to 255 |
| specify-port-range {yes \| no} | (Optional) Enables using a port range for inspection: port-range specifies the UDP port range used in inspection. | 0 to 65535, as a-b[,c-d] |
| fragment-status | Specifies whether fragments are wanted or not: any fragment status, do not inspect fragments, or inspect fragments. | any, no-fragments, want-fragments |
| inverted-sweep | Uses source port instead of destination port for unique counting. | true \| false |
| mask | Specifies the mask used in TCP flags comparison: URG bit, ACK bit, PSH bit, RST bit, SYN bit, FIN bit. | urg, ack, psh, rst, syn, fin |
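As an added illustration (not from the guide, and not the engine's own code), the following constructed Python model shows the per-source data node described above: unique destination ports (or source ports when inverted-sweep is set) are counted per source, the node is dropped once idle, and addresses in the src-addr-filter / dst-addr-filter ranges are skipped. The alert threshold, the 30-second idle interval and the sample packets are assumptions made for the model.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass
class DataNode:
    last_seen: float
    seen: set = field(default_factory=set)   # unique ports seen from this source

@dataclass
class SweepTracker:
    threshold: int = 5            # assumed: unique ports before an alert fires
    idle_expiry: float = 30.0     # idle seconds before a data node is removed
    inverted_sweep: bool = False  # count source ports instead of destination ports
    src_addr_filter: tuple = ()   # ((low, high), ...) source ranges to exclude
    dst_addr_filter: tuple = ()   # ((low, high), ...) destination ranges to exclude
    nodes: dict = field(default_factory=dict)

    @staticmethod
    def _filtered(addr, ranges):
        a = IPv4Address(addr)
        return any(IPv4Address(lo) <= a <= IPv4Address(hi) for lo, hi in ranges)

    def expire(self, now):
        # Drop data nodes that have been idle longer than idle_expiry.
        for src in [s for s, n in self.nodes.items() if now - n.last_seen > self.idle_expiry]:
            del self.nodes[src]

    def observe(self, ts, src, sport, dst, dport):
        """Feed one packet; return True when this source crosses the threshold."""
        self.expire(ts)
        if self._filtered(src, self.src_addr_filter) or self._filtered(dst, self.dst_addr_filter):
            return False
        node = self.nodes.setdefault(src, DataNode(last_seen=ts))
        node.last_seen = ts
        node.seen.add(sport if self.inverted_sweep else dport)
        return len(node.seen) >= self.threshold

SAMPLE = [  # constructed packets: (time, src, sport, dst, dport)
    (0.0, "10.0.0.5", 40000, "192.0.2.10", 22),
    (0.5, "10.0.0.5", 40001, "192.0.2.10", 23),
    (1.0, "10.0.0.5", 40002, "192.0.2.10", 25),
    (1.5, "10.0.0.5", 40003, "192.0.2.10", 80),
    (2.0, "10.0.0.5", 40004, "192.0.2.10", 443),   # fifth unique port: alert
    (3.0, "10.0.0.9", 50000, "192.0.2.10", 80),    # ordinary client, no alert
    (40.0, "10.0.0.5", 40005, "192.0.2.10", 8080), # node expired while idle; count restarts
]

def run_sample(tracker=None):
    """Return (time, source) pairs at which the tracker raised a sweep alert."""
    tracker = tracker or SweepTracker()
    return [(ts, s) for ts, s, sp, d, dp in SAMPLE if tracker.observe(ts, s, sp, d, dp)]
```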