Chapter 6. Cisco IPS Signature Engines


This chapter covers the following subjects:

  • Cisco IPS Signatures

  • Cisco IPS Signature Engines

  • Application Inspection and Control (AIC) Signature Engines

  • Atomic Signature Engines

  • Flood Signature Engines

  • Meta Signature Engine

  • Normalizer Signature Engine

  • Service Signature Engines

  • State Signature Engine

  • String Signature Engines

  • Sweep Signature Engines

  • Trojan Horse Signature Engines

The heart of the Cisco IPS solution is the various signature engines that enable signature designers and customers to easily and efficiently develop IPS signatures that cover a wide range of protocols and applications. Each signature engine supports various parameters that are used to create signatures.

Cisco IPS supports numerous signature engines that are each designed to support signatures for a specific function, application, or protocol. The operation of the signature is regulated by specific parameters. Some parameters are unique to a specific signature engine, whereas other parameters are used by multiple engines. Understanding the Cisco IPS signature engines and their parameters is vital to tuning and customizing your Cisco IPS solution to your network environment.

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 6-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 6-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic

Questions Covering This Topic

Cisco IPS Signature Engines

-

Application Inspection and Control (AIC) Signature Engines

4, 7, 8

Atomic Signature Engines

1, 5

Flood Signature Engines

-

Meta Signature Engine

2, 6

Normalizer Signature Engine

-

Service Signature Engines

9

State Signature Engine

10

String Signature Engines

-

Sweep Signature Engines

3

Trojan Horse Signature Engines

-


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1.

Which signature engine would you use to create a signature that searches for the pattern "Confidential" in a single packet?

  1. Atomic IP

  2. String TCP

  3. Meta

  4. AIC FTP

  5. Service Generic

2.

Which signature engine would you use to create a signature that will trigger when the following three HTTP signatures occur: 3202, 3209, and 3217?

  1. AIC HTTP

  2. Service HTTP

  3. Normalizer

  4. Meta

  5. State

3.

Which parameter do you configure when creating a TCP port sweep signature that you do not configure for a TCP host sweep signature?

  1. TCP Mask

  2. Port Range

  3. Unique

  4. Swap Attacker Victim

  5. Storage Key

4.

Which signature engine can you use to create a signature that verifies that no application is using port 80 for any traffic except for HTTP?

  1. Service Generic

  2. Service HTTP

  3. AIC HTTP

  4. Normalizer

  5. State

5.

Which parameter would you use to require a regex match to be at least 20 bytes when you are creating an Atomic TCP signature?

  1. Min Match Length

  2. Min Match Offset

  3. Max Match Offset

  4. Min Regex Size

  5. Exact Match Offset

6.

What is in the Component Count field in a meta signatures?

  1. The number of component signatures in the meta signatures

  2. The number of times a meta signatures triggers

  3. The number of component signatures that have triggered for a meta signature

  4. The number of times a component signature must be detected for the component signature entry to match

7.

Which of the following is not a valid signature type for the AIC HTTP signature engine?

  1. Max Outstanding Requests Overrun

  2. Request Methods

  3. Define Web Traffic Policy

  4. Content Types

  5. URL Link Pattern

8.

Which of the following is not a valid option for the FTP Command parameter of the AIC FTP signature engine?

  1. site

  2. anon

  3. retr

  4. pwd

  5. stor

9.

Which of the following fields is not a valid regex field for the Service HTTP signature engine?

  1. Uri Regex

  2. Arg Name Regex

  3. Arg Value Regex

  4. Header Regex

  5. Body Regex

10.

Which of the following is not a state machine supported by the State signature engine?

  1. Cisco Login

  2. SMTP

  3. SNMP

  4. LPR Format String

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

  • 8 or less overall score Read the entire chapter. This includes the "Foundation and Supplemental Topics" and "Foundation Summary" sections and the Q&A section.

  • 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.



CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net