| This chapter covers the following subjects: Cisco IPS Signatures Cisco IPS Signature Engines Application Inspection and Control (AIC) Signature Engines Atomic Signature Engines Flood Signature Engines Meta Signature Engine Normalizer Signature Engine Service Signature Engines State Signature Engine String Signature Engines Sweep Signature Engines Trojan Horse Signature Engines
The heart of the Cisco IPS solution is the various signature engines that enable signature designers and customers to easily and efficiently develop IPS signatures that cover a wide range of protocols and applications. Each signature engine supports various parameters that are used to create signatures. Cisco IPS supports numerous signature engines that are each designed to support signatures for a specific function, application, or protocol. The operation of the signature is regulated by specific parameters. Some parameters are unique to a specific signature engine, whereas other parameters are used by multiple engines. Understanding the Cisco IPS signature engines and their parameters is vital to tuning and customizing your Cisco IPS solution to your network environment. "Do I Know This Already?" Quiz The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time. Table 6-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics. Table 6-1. "Do I Know This Already?" Foundation and Supplemental Topics MappingFoundation or Supplemental Topic | Questions Covering This Topic |
|---|
Cisco IPS Signature Engines | - | Application Inspection and Control (AIC) Signature Engines | 4, 7, 8 | Atomic Signature Engines | 1, 5 | Flood Signature Engines | - | Meta Signature Engine | 2, 6 | Normalizer Signature Engine | - | Service Signature Engines | 9 | State Signature Engine | 10 | String Signature Engines | - | Sweep Signature Engines | 3 | Trojan Horse Signature Engines | - |
Caution The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
| 1. | Which signature engine would you use to create a signature that searches for the pattern "Confidential" in a single packet? Atomic IP String TCP Meta AIC FTP Service Generic
| | 2. | Which signature engine would you use to create a signature that will trigger when the following three HTTP signatures occur: 3202, 3209, and 3217? AIC HTTP Service HTTP Normalizer Meta State
| | 3. | Which parameter do you configure when creating a TCP port sweep signature that you do not configure for a TCP host sweep signature? TCP Mask Port Range Unique Swap Attacker Victim Storage Key
| | 4. | Which signature engine can you use to create a signature that verifies that no application is using port 80 for any traffic except for HTTP? Service Generic Service HTTP AIC HTTP Normalizer State
| | 5. | Which parameter would you use to require a regex match to be at least 20 bytes when you are creating an Atomic TCP signature? Min Match Length Min Match Offset Max Match Offset Min Regex Size Exact Match Offset
| | 6. | What is in the Component Count field in a meta signatures? The number of component signatures in the meta signatures The number of times a meta signatures triggers The number of component signatures that have triggered for a meta signature The number of times a component signature must be detected for the component signature entry to match
| | 7. | Which of the following is not a valid signature type for the AIC HTTP signature engine? Max Outstanding Requests Overrun Request Methods Define Web Traffic Policy Content Types URL Link Pattern
| | 8. | Which of the following is not a valid option for the FTP Command parameter of the AIC FTP signature engine? site anon retr pwd stor
| | 9. | Which of the following fields is not a valid regex field for the Service HTTP signature engine? Uri Regex Arg Name Regex Arg Value Regex Header Regex Body Regex
| | 10. | Which of the following is not a state machine supported by the State signature engine? Cisco Login SMTP SNMP LPR Format String
|
The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows: 8 or less overall score Read the entire chapter. This includes the "Foundation and Supplemental Topics" and "Foundation Summary" sections and the Q&A section. 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.
| 