Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 141

Chapter 7 Defining Signatures
Specify the IP fragment reassembly signature ID and subsignature ID:
Step 3
sensor(config-sig)# signatures 1200 0
Specify the engine:
Step 4
sensor(config-sig-sig)# engine normalizer
Enter edit default signatures submode:
Step 5
sensor(config-sig-sig-nor)# edit-default-sigs-only default-signatures-only
Enable and change the default setting (if desired) of the one IP fragment reassembly parameter for
Step 6
signature 1200:
sensor(config-sig-sig-nor-def)# specify-max-fragments yes
sensor(config-sig-sig-nor-def-yes)# max-fragments 20000
Verify the settings:
Step 7
sensor(config-sig-sig-nor-def-yes)# show settings
yes
-----------------------------------------------
-----------------------------------------------
sensor(config-sig-sig-nor-def-yes)#
Exit signature definition submode:
Step 8
sensor(config-sig-sig-nor-def-yes)# exit
sensor(config-sig-sig-nor-def)# exit
sensor(config-sig-sig-nor)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Press Enter for apply the changes or type
Step 9
Configuring the Method for IP Fragment Reassembly
Use the fragment-reassembly command in the signature definition submode to configure the method
the sensor will use to reassemble fragments. You can configure this option if your sensor is operating in
promiscuous mode. If your sensor is operating in line mode, the method is NT only.
The following options apply:
•
78-16527-01
max-fragments: 20000 default: 10000
ip-reassemble-mode—Identifies the method the sensor uses to reassemble the fragments based on
the operating system.
– nt—Windows systems.
– solaris—Solaris systems.
– linux—GNU/Linux systems.
bsd—BSD UNIX systems.
–
The default is nt.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
to discard them.
no
Configuring Signatures
7-23