Foundation Summary

Cisco IPS monitors network traffic by using a suite of signature engines. The signature engines fall into the categories shown in Table 6-49.

Table 6-49. Signature Engine Categories

  • Application Inspection and Control (AIC): Used to provide deep-packet inspection from Layer 4 through Layer 7

  • Atomic: Used for single-packet conditions

  • Flood: Used to detect denial-of-service (DoS) attempts

  • Meta: Used to create meta signatures based on multiple individual signatures

  • Normalizer: Used to normalize fragmented and TCP streams when in inline mode (cannot create custom signatures); also performs stream reassembly for promiscuous mode

  • Service: Used when services at OSI Layers 5, 6, and 7 require protocol analysis

  • State: Used when stateful inspection is required

  • String: Used for string pattern matching

  • Sweep: Used to detect network reconnaissance scans

  • Miscellaneous: Includes various signature engines (such as Traffic ICMP and Trojan horse signature engines)

To identify the traffic that a specific signature searches for, you must define signatures by specifying a set of parameters. Each parameter falls into one of the following groups:

  • Basic signature fields

  • Signature description fields

  • Engine-specific fields

  • Event counter fields

  • Alert frequency fields

  • Status fields

Currently, application policy enforcement is available through the following signature engines:



Atomic signatures are handled by the following signature engines:

  • Atomic ARP

  • Atomic IP

Flood signatures are handled by the following signature engines:

  • Flood Net

  • Flood Host

The various service signature engines are shown in Table 6-50.

Table 6-50. Service Signature Engines

  • Service DNS: Examines TCP and UDP DNS packets

  • Service FTP: Examines FTP port command traffic

  • Service Generic: Emergency response engine to support rapid signature response

  • Service H225: Examines VoIP traffic based on the H.225 protocol

  • Service HTTP: Examines HTTP traffic by using string-based pattern matching

  • Service Ident: Examines IDENT protocol (RFC 1413) traffic

  • Service MSRPC: Examines Microsoft remote-procedure call (MSRPC) traffic

  • Service MSSQL: Examines traffic used by the Microsoft SQL (MSSQL) server

  • Service NTP: Examines Network Time Protocol (NTP) traffic

  • Service RPC: Examines remote-procedure call (RPC) traffic

  • Service SMB: Examines Server Message Block (SMB) traffic

  • Service SNMP: Examines Simple Network Management Protocol (SNMP) traffic

  • Service SSH: Examines Secure Shell (SSH) traffic

The State Signature engine supports the following three state machines:

  • Cisco Login

  • Line Printer Remote (LPR) Format String

  • Simple Mail Transport Protocol (SMTP)

String signatures are handled by the following three signature engines:

  • String ICMP

  • String TCP

  • String UDP

Sweep signatures are handled by the following two signature engines:

  • Sweep

  • Sweep Other TCP

The Trojan horse signatures are handled by the signature engines shown in Table 6-51.

Table 6-51. Trojan Horse Signature Engines

  • Trojan Bo2K: Detects the presence of BO2K by using the TCP protocol

  • Trojan Tfn2K: Detects the presence of the TFN2K Trojan horse by examining UDP, TCP, and ICMP traffic

  • Trojan UDP: Detects the presence of BO and BO2K by using the UDP protocol
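To make the difference between the engine categories concrete, the following is an added, constructed example (not code from the book or from Cisco IPS) that models four of them over a handful of made-up packets: an Atomic check decided from one packet, a String match on a payload, a stateful Sweep that counts distinct destination ports per source within a time window, and a Meta rule that fires only when a Sweep and a String hit share a source. Packet fields, thresholds and the traversal pattern are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample traffic: a port sweep from 10.0.0.5, a traversal-looking HTTP request
# from the same host, and one malformed SYN+FIN packet from 10.0.0.7.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": p, "flags": {"SYN"},
     "payload": b"", "t": 1.0 + i * 0.1}
    for i, p in enumerate([21, 22, 23, 25, 80, 110])
] + [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 80, "flags": {"ACK"},
     "payload": b"GET /../../etc/passwd HTTP/1.0", "t": 2.0},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 443, "flags": {"SYN", "FIN"},
     "payload": b"", "t": 2.5},
]

def atomic_ip(pkt):
    """Atomic engine: condition decidable from a single packet (illegal SYN+FIN combination)."""
    return pkt["proto"] == "tcp" and {"SYN", "FIN"} <= pkt["flags"]

def string_tcp(pkt, pattern=re.compile(rb"\.\./\.\./")):
    """String engine: pattern match against one packet's TCP payload."""
    return pkt["proto"] == "tcp" and pattern.search(pkt["payload"]) is not None

class SweepEngine:
    """Sweep engine: stateful; distinct destination ports from one source to one host in a window."""
    def __init__(self, threshold=5, window=10.0):
        self.threshold, self.window = threshold, window
        self.seen, self.fired = defaultdict(list), set()

    def feed(self, pkt):
        key = (pkt["src"], pkt["dst"])
        hist = self.seen[key]
        hist.append((pkt["t"], pkt["dport"]))
        hist[:] = [(t, p) for t, p in hist if pkt["t"] - t <= self.window]  # expire old entries
        if key in self.fired or len({p for _, p in hist}) < self.threshold:
            return False
        self.fired.add(key)  # alert once per (src, dst) pair rather than on every extra port
        return True

def run_engines(packets):
    """Run all engines; Meta fires when a Sweep and a String alert come from the same source."""
    sweep, alerts = SweepEngine(), []
    for pkt in packets:
        if atomic_ip(pkt): alerts.append(("Atomic IP", pkt["src"]))
        if string_tcp(pkt): alerts.append(("String TCP", pkt["src"]))
        if sweep.feed(pkt): alerts.append(("Sweep", pkt["src"]))
    for src in sorted({s for name, s in alerts if name == "Sweep"}):
        if ("String TCP", src) in alerts:
            alerts.append(("Meta", src))
    return alerts
```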

CCSP IPS Exam Certification Guide
ISBN: 1587201461
Year: 2004
Pages: 119
Authors: Earl Carter