Cisco IPS monitors network traffic by using a suite of signature engines. The signature engines fall into the categories shown in Table 6-49.

Table 6-49. Signature Engine Categories

| Engine Category | Usage |
|---|---|
| AIC | Used to provide deep-packet inspection from Layer 4 through Layer 7 |
| Atomic | Used for single-packet conditions |
| Flood | Used to detect denial-of-service (DoS) attempts |
| Meta | Used to create meta signatures based on multiple individual signatures |
| Normalizer | Used to normalize fragmented and TCP streams when in inline mode (cannot create custom signatures); also performs stream reassembly for promiscuous mode |
| Service | Used when services at OSI Layers 5, 6, and 7 require protocol analysis |
| State | Used when stateful inspection is required |
| String | Used for string pattern matching |
| Sweep | Used to detect network reconnaissance scans |
| Miscellaneous | Includes various signature engines (such as Traffic ICMP and Trojan horse signature engines) |
To identify the traffic that a specific signature searches for, you must define signatures by specifying a set of parameters. Each parameter falls into one of the following groups:

Currently, application policy enforcement is available through the following signature engines:

Atomic signatures are handled by the following signature engines:

Flood signatures are handled by the following signature engines:

The various service signature engines are shown in Table 6-50.

Table 6-50. Service Signature Engines

| Engine | Description |
|---|---|
| Service DNS | Examines TCP and UDP DNS packets |
| Service FTP | Examines FTP port command traffic |
| Service Generic | Emergency response engine to support rapid signature response |
| Service H225 | Examines VoIP traffic based on the H.225 protocol |
| Service HTTP | Examines HTTP traffic by using string-based pattern matching |
| Service Ident | Examines IDENT protocol (RFC 1413) traffic |
| Service MSRPC | Examines Microsoft remote-procedure call (MSRPC) traffic |
| Service MSSQL | Examines traffic used by the Microsoft SQL (MSSQL) server |
| Service NTP | Examines Network Time Protocol (NTP) traffic |
| Service RPC | Examines remote-procedure call (RPC) traffic |
| Service SMB | Examines Server Message Block (SMB) traffic |
| Service SNMP | Examines Simple Network Management Protocol (SNMP) traffic |
| Service SSH | Examines Secure Shell (SSH) traffic |
The State Signature engine supports the following three state machines:

String signatures are handled by the following three signature engines:

- String ICMP
- String TCP
- String UDP

Sweep signatures are handled by the following two signature engines:

The Trojan horse signatures are handled by the signature engines shown in Table 6-51.

Table 6-51. Trojan Horse Signature Engines

| Engine | Description |
|---|---|
| Trojan Bo2K | Detects the presence of BO2K by using the TCP protocol |
| Trojan Tfn2K | Detects the presence of the TFN2K Trojan horse by examining UDP, TCP, and ICMP traffic |
| Trojan UDP | Detects the presence of BO and BO2K by using the UDP protocol |