Foundation Summary


Cisco IPS monitors network traffic by using a suite of signature engines. The signature engines fall into the categories shown in Table 6-49.

Table 6-49. Signature Engine Categories

Engine Category

Usage

AIC

Used to provide deep-packet inspection from Layer 4 through Layer 7

Atomic

Used for single-packet conditions

Flood

Used to detect denial-of-service (DoS) attempts

Meta

Used to create meta signatures based on multiple individual signatures

Normalizer

Used to normalize fragmented and TCP streams when in inline mode (cannot create custom signatures); also performs stream reassembly for promiscuous mode

Service

Used when services at OSI Layers 5, 6, and 7 require protocol analysis

State

Used when stateful inspection is required

String

Used for string pattern matching

Sweep

Used to detect network reconnaissance scans

Miscellaneous

Includes various signature engines (such as Traffic ICMP and Trojan horse signature engines)


To identify the traffic that a specific signature searches for, you must define signatures by specifying a set of parameters. Each parameter falls into one of the following groups:

  • Basic signature fields

  • Signature description fields

  • Engine-specific fields

  • Event counter fields

  • Alert frequency fields

  • Status fields

Currently, application policy enforcement is available through the following signature engines:

  • AIC FTP

  • AIC HTTP

Atomic signatures are handled by the following signature engines:

  • Atomic ARP

  • Atomic IP

Flood signatures are handled by the following signature engines:

  • Flood Net

  • Flood Host

The various service signature engines are shown in Table 6-50.

Table 6-50. Service Signature Engines

Engine

Description

Service DNS

Examines TCP and UDP DNS packets

Service FTP

Examines FTP port command traffic

Service Generic

Emergency response engine to support rapid signature response

Service H225

Examines VoIP traffic based on the H.225 protocol

Service HTTP

Examines HTTP traffic by using string-based pattern matching

Service Ident

Examines IDENT protocol (RFC 1413) traffic

Service MSRPC

Examines Microsoft remote-procedure call (MSRPC) traffic

Service MSSQL

Examines traffic used by the Microsoft SQL (MSSQL) server

Service NTP

Examines Network Time Protocol (NTP) traffic

Service RPC

Examines remote-procedure call (RPC) traffic

Service SMB

Examines Server Message Block (SMB) traffic

Service SNMP

Examines Simple Network Management Protocol (SNMP) traffic

Service SSH

Examines Secure Shell (SSH) traffic


The State Signature engine supports the following three state machines:

  • Cisco Login

  • Line Printer Remote (LPR) Format String

  • Simple Mail Transport Protocol (SMTP)

String signatures are handled by the following three signature engines:

  • String ICMP

  • String TCP

  • String UDP

Sweep signatures are handled by the following two signature engines:

  • Sweep

  • Sweep Other TCP

The Trojan horse signatures are handled by the signature engines shown in Table 6-51.

Table 6-51. Trojan Horse Signature Engines

Engine

Description

Trojan Bo2K

Detects the presence of BO2K by using the TCP protocol

Trojan Tfn2K

Detects the presence of the TFN2K Trojan horse by examining UDP, TCP, and ICMP traffic

Trojan UDP

Detects the presence of BO and BO2K by using the UDP protocol




CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net