Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 399

Appendix B
Signature Engines
AIC Engine

AIC Engine

AIC provides deep analysis of web traffic. It provides granular control over HTTP sessions to prevent abuse of the HTTP protocol. It allows administrative control over applications, such as instant messaging and gotomypc, that try to tunnel over specified ports. Inspection and policy checks for P2P and instant messaging are possible if these applications are running over HTTP.

AIC also provides a way to inspect FTP traffic and control the commands being issued.

You can enable or disable the predefined signatures or you can create policies through custom signatures.

The AIC engine runs when HTTP traffic is received on AIC web ports. If traffic is web traffic, but not received on the AIC web ports, the SERVICE.HTTP engine is executed. AIC inspection can be on any port if it is configured as an AIC web port and the traffic to be inspected is HTTP traffic.

Caution: The AIC web ports are regular HTTP web ports. You can turn on AIC web ports to distinguish which ports should watch for regular HTTP traffic and which ports should watch for AIC enforcement. You might use AIC web ports, for example, if you have a proxy on port 82 and you need to monitor it. We recommend that you do not configure separate ports for AIC enforcement.

AIC enforcement includes the following:

Message size enforcement according to policy configured and the header

Tunneling, P2P and instant messaging enforcement. This enforcement is done using regular expressions. There are predefined signatures, but you can expand the list.

FTP traffic: FTP command authorization and enforcement

For more information on configuring the AIC engine signatures, see Configuring AIC Signatures, page 7-12.

AIC Engine Parameters

Table B-3 lists the parameters that are specific to the AIC.HTTP engine:

Table B-3 AIC.HTTP Engine Parameters

Parameter / Description

signature-type
    Specifies the type of AIC signature.

content-types
    AIC signature that deals with MIME types:
    define-content-type associates actions such as denying a specific MIME type (image/gif), defining a message-size violation, and determining that the MIME type mentioned in the header and body do not match.
    define-recognized-content-types lists content types recognized by the sensor.

define-web-traffic-policy
    Specifies the action to take when noncompliant HTTP traffic is seen. The alarm-on-non-http-traffic [true | false] command enables the signature.

max-outstanding-requests-overrun
    Maximum allowed HTTP requests per connection (1 to 16).

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0    78-16527-01    B-7
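The following Python model is an added illustration of the AIC.HTTP checks summarized in Table B-3; it is not Cisco IPS code and does not reproduce how the sensor implements them. It shows, over constructed sample messages, how a web-port inspector can raise the classes of alert the table describes: a content type the policy denies (define-content-type), a body whose bytes disagree with the declared MIME type, a message-size violation, non-HTTP traffic on an AIC web port (alarm-on-non-http-traffic), and too many outstanding requests on one connection (max-outstanding-requests-overrun). The policy values, magic-byte table, alert names and sample bytes are all constructed for the example; port 82 is used to mirror the proxy case in the Caution above.

```python
"""Toy model of the AIC.HTTP checks in Table B-3 (added example, not Cisco code)."""

# Constructed policy. Port 82 models the proxy example from the Caution.
AIC_WEB_PORTS = {80, 82}
RECOGNIZED_CONTENT_TYPES = {"text/html", "image/gif", "image/png", "application/json"}
DENIED_CONTENT_TYPES = {"image/gif"}          # define-content-type: deny action
MAX_MESSAGE_SIZE = {"image/png": 1024}         # define-content-type: size limit (bytes)
MAX_OUTSTANDING_REQUESTS = 4                   # max-outstanding-requests-overrun (1 to 16)
ALARM_ON_NON_HTTP_TRAFFIC = True               # define-web-traffic-policy

# Constructed magic bytes used to infer what the body really is.
MAGIC = {
    b"GIF8": "image/gif",
    b"\x89PNG": "image/png",
    b"<htm": "text/html",
    b"<!DO": "text/html",
}

def sniff_content_type(body):
    """Infer the body's MIME type from its leading bytes, or None if unknown."""
    for magic, ctype in MAGIC.items():
        if body.startswith(magic):
            return ctype
    return None

def parse_http_response(raw):
    """Split a raw server message into (status line, headers, body); None if not HTTP."""
    if not raw.startswith(b"HTTP/"):
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def inspect_response(port, raw):
    """Return the alert names raised for one server-to-client message."""
    alerts = []
    if port not in AIC_WEB_PORTS:
        return alerts  # not an AIC web port: SERVICE.HTTP would see it instead
    parsed = parse_http_response(raw)
    if parsed is None:
        if ALARM_ON_NON_HTTP_TRAFFIC:
            alerts.append("non-http-traffic")
        return alerts
    _, headers, body = parsed
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    if declared and declared not in RECOGNIZED_CONTENT_TYPES:
        alerts.append("unrecognized-content-type")   # define-recognized-content-types
    if declared in DENIED_CONTENT_TYPES:
        alerts.append("denied-content-type")
    actual = sniff_content_type(body)
    if declared and actual and actual != declared:
        alerts.append("content-type-mismatch")      # header and body disagree
    limit = MAX_MESSAGE_SIZE.get(declared)
    if limit is not None and len(body) > limit:
        alerts.append("message-size-violation")
    return alerts

class Connection:
    """Counts requests awaiting a response to model max-outstanding-requests-overrun."""

    def __init__(self):
        self.outstanding = 0

    def on_request(self):
        """Record a client request; True means the overrun threshold was exceeded."""
        self.outstanding += 1
        return self.outstanding > MAX_OUTSTANDING_REQUESTS

    def on_response(self):
        """Record a server response, releasing one outstanding request."""
        self.outstanding = max(0, self.outstanding - 1)

# Constructed sample messages: (server port, raw bytes).
SAMPLES = [
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>ok</html>"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nGIF89a" + b"\x00" * 20),
    (82, b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a" + b"\x00" * 20),
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n" + b"\x00" * 2000),
    (80, b"\x16\x03\x01\x00\x05hello"),
    (8080, b"\x16\x03\x01\x00\x05hello"),
]

def run_samples():
    """Inspect every constructed sample and return the alerts raised per message."""
    return [inspect_response(port, raw) for port, raw in SAMPLES]

if __name__ == "__main__":
    for (port, _), alerts in zip(SAMPLES, run_samples()):
        print(port, alerts or "clean")
```

The last two samples carry the same non-HTTP bytes: on port 80 they trigger the non-HTTP alarm because the port is an AIC web port, while on port 8080 the model returns nothing, matching the text's statement that traffic not received on an AIC web port is left to the SERVICE.HTTP engine. The Connection class only counts; a real sensor would also reset the counter when the connection closes.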