Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 6.1(3)E3
OL-20114-01
New and Changed Information
You can search for security alerts and signatures at this URL:
Cisco IPS 6.1(3)E3 includes the E3 Signature Engine update and the S399 Signature update. The E3
Signature Engine update has the following new features:
• Signature date and type
The signature date represents the date at which the signature was first created. The date is stored in
the format YYYYMMDD. The signature type represents the category in which a specific signature
falls. Signatures are broadly classified as vulnerability, exploit, anomaly, component, or other. The
default is other.
• Duplicate packet detector statistics
Duplicate packet statistics are now included in the TCP Normalizer Stage Statistics section of the
show statistics virtual-sensor command output. A large number of duplicate packets reported by
the Normalizer can help you detect sensor deployment and configuration problems. Duplicate
packets are often seen when a single virtual sensor monitors two or more networks and sees a
TCP connection that crosses two or more of these networks. In this situation
you can reconfigure the sensor to monitor each network using a different virtual sensor. If both
networks must be monitored by a single virtual sensor, configure the virtual sensor with the
inline-TCP-session-tracking-mode parameter set to either interface-and-vlan or vlan-only.
• UDP length parameter in Atomic engines
A new parameter that matches a specific UDP length was added to the Atomic IP Advanced and
Atomic IP engines for l4-protocol UDP. The purpose of this parameter is
to check whether the UDP total length falls within a specific range.
• Changes from CSCsu77935
The idle time algorithm of the sensor has been modified. Additional CPU time is now spent polling
the NICs to decrease the polling interval and reduce latency. As a result, CPU usage is reported as
higher than in previous releases, including by external tools such as top and ps. You will notice the
additional CPU load on single-CPU platforms and on the primary CPU of multicore systems.
Because the additional CPU load reported while polling is actually available to process packets, and
is reduced as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
Use the show statistics virtual-sensor command to see the sensor load. It is listed under Processing
Load Percentage in the output. You can also view the sensor load on the IME Device List pane.
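The range check behind the UDP length parameter described in the Atomic engines item above, as an added Python illustration (not Cisco's code). It assumes that "UDP total length" means the Length field of the UDP header (header plus data); the function names and the sample packets are constructed for this example.

```python
import struct

UDP_PROTO = 17  # IANA protocol number for UDP


def udp_total_length(packet: bytes):
    """Return the UDP header Length field of an IPv4 packet, or None.

    None is returned for non-IPv4, non-UDP, truncated packets and for
    non-first fragments, which carry no UDP header to inspect.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length, options included
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if ihl < 20 or packet[9] != UDP_PROTO or frag_offset != 0:
        return None
    if len(packet) < ihl + 8:                 # UDP header is 8 bytes
        return None
    _sport, _dport, length, _csum = struct.unpack_from("!HHHH", packet, ihl)
    return length


def udp_length_in_range(packet: bytes, low: int, high: int) -> bool:
    """True when the UDP Length field lies in the inclusive range [low, high]."""
    length = udp_total_length(packet)
    return length is not None and low <= length <= high


def build_ipv4_udp(payload: bytes, ihl_words=5, proto=UDP_PROTO, frag_offset=0):
    """Constructed sample packet (documentation addresses, zero checksums)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    hdr_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     hdr_len + len(udp), 0, frag_offset, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + b"\x00" * (hdr_len - 20) + udp  # pad out any IP options


if __name__ == "__main__":
    pkt = build_ipv4_udp(b"A" * 100)
    print("UDP length:", udp_total_length(pkt))
    print("in 100-200:", udp_length_in_range(pkt, 100, 200))
    print("in 0-107:  ", udp_length_in_range(pkt, 0, 107))
```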
For More Information
• For the procedure for using the show statistics command, refer to
.
• For a description of the IME Device List pane, refer to
.
MySDN Decommissioned
Because MySDN has been decommissioned, the URL in older versions of IDM and IME is no longer
functional. If you are using IPS 6.0 or later, we recommend that you upgrade your version of IDM and
IME.