Normalizer Engine - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01)
Appendix B
Signature Engines

All signature events are handed off to the META engine by SEAP. SEAP hands off the event after
processing the minimum hits option. Summarization and event action are processed after the META
engine has processed the component events.

Caution: A large number of META signatures could adversely affect overall sensor performance.

Table B-9 lists the parameters specific to the META engine.

Table B-9 META Engine Parameters

Parameter: meta-reset-interval
Description: Time in seconds to reset the META signature.
Value: 0 to 3600

Parameter: component-list
Description: List of META components:
  edit—Edits an existing entry
  insert—Inserts a new entry into the list:
    begin—Places the entry at the beginning of the active list
    end—Places the entry at the end of the active list
    inactive—Places the entry into the inactive list
    before—Places the entry before the specified entry
    after—Places the entry after the specified entry
  move—Moves an entry in the list
Value: name1

Parameter: meta-key
Description: Storage type for the META signature:
  Attacker address
  Attacker and victim addresses
  Attacker and victim addresses and ports
  Victim address
Value: AaBb, AxBx, Axxx, xxBx

Parameter: unique-victim-ports
Description: Number of unique victim ports required per META signature.
Value: 1 to 256

Parameter: component-list-in-order
Description: Whether to fire the component list in order.
Value: true | false

For an example of a custom META engine signature, see Example MEG Signature, page 7-33.

NORMALIZER Engine

The NORMALIZER engine deals with IP fragmentation and TCP normalization. This section describes
the NORMALIZER engine, and contains the following topics:
  Overview, page B-12
  NORMALIZER Engine Parameters, page B-12
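
The META engine parameters in Table B-9 work together: meta-key selects which address and port fields group component events, meta-reset-interval bounds the time window, and component-list-in-order constrains the sequence. The Python model below is an added illustration, not Cisco code or sensor configuration; the event fields, the sigA/sigB component names, and the reset and ordering behavior marked "assumed" are assumptions.

```python
from collections import namedtuple

# Constructed event record; field names are assumptions, not sensor output.
Event = namedtuple("Event", "t sig attacker aport victim vport")
# meta-key letters: A/a = attacker address/port, B/b = victim address/port, x = unused.
KEY_FIELDS = {
    "AaBb": ("attacker", "aport", "victim", "vport"),
    "AxBx": ("attacker", "victim"),
    "Axxx": ("attacker",),
    "xxBx": ("victim",),
}

class MetaSignature:
    """Simplified model of a META signature; unique-victim-ports is not modeled."""
    def __init__(self, component_list, meta_key, reset_interval, in_order):
        self.components = list(component_list)  # assumed unique names
        self.fields = KEY_FIELDS[meta_key]
        self.reset_interval = reset_interval    # meta-reset-interval, seconds
        self.in_order = in_order                # component-list-in-order
        self.state = {}                         # key -> (first_seen, sigs seen)

    def feed(self, ev):
        """Return True when this component event completes the META signature."""
        if ev.sig not in self.components:
            return False
        key = tuple(getattr(ev, f) for f in self.fields)
        start, seen = self.state.get(key, (ev.t, []))
        if ev.t - start > self.reset_interval:  # assumed: window opens at first hit
            start, seen = ev.t, []
        if self.in_order and ev.sig != self.components[len(seen)]:
            return False                        # assumed: out-of-order hit is ignored
        if ev.sig not in seen:
            seen = seen + [ev.sig]
        if len(seen) == len(self.components):
            self.state.pop(key, None)           # fired: clear state for this key
            return True
        self.state[key] = (start, seen)
        return False

def fired_at(meta, events):
    # Timestamps at which the META signature fires for the given events.
    return [ev.t for ev in sorted(events, key=lambda e: e.t) if meta.feed(ev)]

# Constructed sample events (RFC 5737 documentation addresses).
EVENTS = [Event(*e) for e in [
    (0, "sigA", "198.51.100.5", 40000, "192.0.2.10", 80),
    (5, "sigB", "198.51.100.5", 40001, "192.0.2.10", 443),
    (7, "sigB", "198.51.100.9", 40002, "192.0.2.10", 80),
    (100, "sigA", "198.51.100.9", 40003, "192.0.2.10", 80),
]]
```

With these constructed events, an ordered AxBx signature fires once at t=5, while AaBb never fires because the component events differ in ports.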
