Appendix B Signature Engines
SERVICE Engines

Table B-15 SERVICE.HTTP Engine Parameters (continued)

| Parameter | Description | Value |
|---|---|---|
| specify-max-request-length | (Optional) Enables maximum request field length: • max-request-length—Maximum length of the request field. | 0 to 65535 |
| specify-max-uri-field-length | (Optional) Enables the maximum URI field length: • max-uri-field-length—Maximum length of the URI field. | 0 to 65535 |
| regex | Regular expression grouping. | — |
| specify-arg-name-regex | (Optional) Enables searching the Arguments field for a specific regular expression: • arg-name-regex—Regular expression to search for in the HTTP Arguments field (after the ? and in the Entity body as defined by Content-Length). | — |
| specify-header-regex | (Optional) Enables searching the Header field for a specific regular expression: • header-regex—Regular Expression to search in the HTTP Header field. The Header is defined after the first CRLF and continues until CRLFCRLF. | — |
| specify-request-regex | (Optional) Enables searching the Request field for a specific regular expression: • request-regex—Regular expression to search in both HTTP URI and HTTP Argument fields. • specify-min-request-match-length—Enables setting a minimum request match length. | 0 to 65535 |
| specify-uri-regex | (Optional) Regular expression to search in HTTP URI field. The URI field is defined to be after the HTTP method (GET, for example) and before the first CRLF. The regular expression is protected, which means you cannot change the value. | `[/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg` |
| service-ports | A comma-separated list of ports or port ranges where the target service resides. | 0 to 65535 a-b[,c-d] ¹ |
| swap-attacker-victim | True if address (and ports) source and destination are swapped in the alert message. False for no swap (default). | true \| false |

1. The second number in the range must be greater than or equal to the first number.

SERVICE.IDENT Engine

The SERVICE.IDENT engine inspects TCP port 113 traffic. It has basic decode and provides parameters to specify length overflows.

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
B-20
78-16527-01
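To show how the field boundaries defined in Table B-15 map onto a real request, the following added example (not from the Cisco guide and not the sensor's implementation) splits a constructed request into the URI, Header and Arguments fields and applies the table's length and regex checks. The function names, dropping the HTTP-version token, treating the request field as the URI plus its query string, and the sample request are assumptions.

```python
import re

# Protected specify-uri-regex value, copied from Table B-15.
URI_REGEX = re.compile(rb"[/\\][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][a-zA-Z][.]jpeg")

def split_fields(raw: bytes) -> dict:
    """Split a raw request into the URI, Header and Arguments fields of Table B-15."""
    head, _, body = raw.partition(b"\r\n\r\n")         # Header ends at CRLFCRLF
    request_line, _, header = head.partition(b"\r\n")  # Header starts after the first CRLF
    _method, _, rest = request_line.partition(b" ")    # URI field follows the HTTP method
    target = rest.rsplit(b" ", 1)[0]                   # assumption: drop the HTTP-version token
    uri, _, query = target.partition(b"?")             # Arguments start after the ?
    m = re.search(rb"(?im)^Content-Length:[ \t]*(\d+)", header)
    entity = body[: int(m.group(1))] if m else b""     # entity body as defined by Content-Length
    return {"uri": uri, "request": target, "header": header, "args": [query, entity]}

def inspect(raw, max_uri_len, max_request_len, arg_name_regex=None, header_regex=None):
    """Return the names of the checks that fire (simplified model of the parameters)."""
    f = split_fields(raw)
    hits = []
    if len(f["uri"]) > max_uri_len:
        hits.append("max-uri-field-length")
    if len(f["request"]) > max_request_len:            # assumption: request = URI + query string
        hits.append("max-request-length")
    if URI_REGEX.search(f["uri"]):
        hits.append("uri-regex")
    if arg_name_regex and any(re.search(arg_name_regex, a) for a in f["args"]):
        hits.append("arg-name-regex")
    if header_regex and re.search(header_regex, f["header"]):
        hits.append("header-regex")
    return hits

# Constructed sample request; bytes past Content-Length are not part of the Arguments field.
SAMPLE = (b"POST /images/abcdefg.jpeg?user=alice HTTP/1.1\r\n"
          b"Host: www.example.test\r\n"
          b"Content-Length: 9\r\n"
          b"\r\n"
          b"cmd=touchTRAILING")

if __name__ == "__main__":
    print(split_fields(SAMPLE))
    print(inspect(SAMPLE, 64, 16, arg_name_regex=rb"cmd=", header_regex=rb"(?i)^Host:"))
```

Because the entity body is cut at Content-Length, a pattern that only occurs in trailing bytes does not match the Arguments field in this model.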