Cisco Ios Ips Functions

Cisco IOS IPS has two main components: signature definition files (SDF) and signature microengines (SME).

The SDF contains the signature definitions and configurable actions for each signature. This file is in Extensible Markup Language (XML) format. Cisco IOS IPS loads and compiles the SDF and populates its internal tables with the information necessary to detect each signature. The location of the SDF file is definable, and it can reside locally on the router's Flash file system or on a remote server capable of Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), Secure Copy Protocol (SCP), or Remote Copy Protocol (RCP). Access routers with Cisco IOS Software Release 12.3(8)T or higher contain a preconfigured SDF called the Attack-drop.sdf in Flash, which provides the up-to-date, highly severe worm and attack signatures. For a list of signatures provided in Attack-drop.sdf, refer to the Cisco IOS documentation at Cisco.com .

An SME loads the SDF and scans signatures for various conditions that match a defined pattern. The SME signature engine parses values from the packet and passes them to the regular-expression engine for inspection. The regular-expression engine searches for multiple patterns simultaneously. The current version of Cisco IOS IPS 12.3(11)T contains Atomic.IP, Atomic.ICMP, Atomic.IPOPTIONS, Atomic.UDP, Atomic.TCP, Service.DNS, Service.RPC, Service.SMTP, Service.HTTP, and Service.FTP SMEs. The SDF normally contains signature definitions from several of these engines.

0 0

Post a comment