Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual page 424

Configuration guide

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01), Appendix B: Signature Engines, page B-32

SWEEP Engine

The ICMP sweeps must have an ICMP type specified to discriminate among the various types of ICMP packets.

Table B-28 lists the parameters specific to the SWEEP engine.

Table B-28 SWEEP Engine Parameters

| Parameter | Description | Value |
|---|---|---|
| dst-addr-filter | Destination IP address to exclude from the sweep counting algorithm. | <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>] |
| src-addr-filter | Source IP address to exclude from the sweep counting algorithm. | <A.B.C.D>-<A.B.C.D>[,<A.B.C.D>-<A.B.C.D>] |
| protocol | Protocol of interest for this inspector. | icmp, udp, tcp |
| specify-icmp-type | (Optional) Enables the ICMP header type: icmp-type—ICMP header TYPE value. | 0 to 255 |
| specify-port-range | (Optional) Enables using a port range for inspection: port-range—UDP port range used in inspection. | 0 to 65535, a-b[,c-d] |
| fragment-status | Specifies whether fragments are wanted or not: any (any fragment status), no-fragments (do not inspect fragments), want-fragments (inspect fragments). | any, no-fragments, want-fragments |
| inverted-sweep | Uses source port instead of destination port for unique counting. | true \| false |
| mask | Mask used in TCP flags comparison: urg (URG bit), ack (ACK bit), psh (PSH bit), rst (RST bit), syn (SYN bit), fin (FIN bit). | urg, ack, psh, rst, syn, fin |
| storage-key | Type of address key used to store persistent data: Axxx (attacker address), AxBx (attacker and victim addresses), Axxb (attacker address and victim port). | Axxx, AxBx, Axxb |
| suppress-reverse | Does not fire when a sweep has fired in the reverse direction on this address set. | true \| false |
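The following Python model is an added example, not code from the Cisco guide or from the sensor: it shows how storage-key, the two address filters and inverted-sweep from Table B-28 shape sweep counting. The threshold UNIQUE, the packet dictionaries, the helper names and the choice of what each key counts (ports for AxBx, victim addresses for Axxx and Axxb) are assumptions of this model.

```python
import ipaddress
from collections import defaultdict

UNIQUE = 3  # hypothetical threshold of distinct values; not taken from this page

def in_ranges(addr, ranges):
    """True if addr is inside any range of 'A.B.C.D-A.B.C.D[,A.B.C.D-A.B.C.D]'."""
    ip = ipaddress.ip_address(addr)
    for item in filter(None, ranges.split(",")):
        lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-"))
        if lo <= ip <= hi:
            return True
    return False

def storage_key(pkt, kind):
    """Persistent state is kept per key: Axxx, AxBx or Axxb (Table B-28)."""
    return {"Axxx": (pkt["src"],),
            "AxBx": (pkt["src"], pkt["dst"]),
            "Axxb": (pkt["src"], pkt["dport"])}[kind]

def counted_value(pkt, kind, inverted):
    # Model assumption: AxBx counts distinct ports (source port when inverted);
    # Axxx and Axxb count distinct victim addresses.
    if kind == "AxBx":
        return pkt["sport"] if inverted else pkt["dport"]
    return pkt["dst"]

def detect_sweeps(packets, kind, src_filter="", dst_filter="", inverted=False):
    """Return the storage keys whose distinct-value count reached UNIQUE."""
    seen, fired = defaultdict(set), set()
    for pkt in packets:
        if in_ranges(pkt["src"], src_filter) or in_ranges(pkt["dst"], dst_filter):
            continue  # filtered addresses are excluded from the counting
        key = storage_key(pkt, kind)
        seen[key].add(counted_value(pkt, kind, inverted))
        if len(seen[key]) >= UNIQUE:
            fired.add(key)
    return fired

def mk(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

# Constructed sample traffic (documentation address ranges), not captured data.
PACKETS = (
    [mk("192.0.2.10", 40000, "198.51.100.5", p) for p in (22, 80, 443)]   # one victim, many ports
    + [mk("192.0.2.20", 41000, f"198.51.100.{h}", 445) for h in (5, 6, 7)]  # many victims, one port
    + [mk("192.0.2.30", s, "198.51.100.5", 80) for s in (50001, 50002, 50003)]  # many source ports
)

if __name__ == "__main__":
    for kind in ("Axxx", "AxBx", "Axxb"):
        print(kind, sorted(detect_sweeps(PACKETS, kind)))
```

The same traffic fires on a different key for each storage-key value, which is why the key has to match the kind of sweep a signature is meant to catch.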
