Cisco IPS 4255 Sensor Technical Manual

  ♦ anomaly-detection-name name: Name of the anomaly detection policy
  ♦ operational-mode: Anomaly detection mode (inactive, learn, detect)
• description: Description of the virtual sensor
• event-action-rules: Name of the event action rules policy
• inline-TCP-evasion-protection-mode: Lets you choose which type of Normalizer mode you need for traffic inspection:
  ♦ asymmetric: Can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.
    Note: Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.
  ♦ strict: If a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.
    Note: Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.
• inline-TCP-session-tracking-mode: Advanced method that allows you to identify duplicate TCP sessions in inline traffic. The default is virtual-sensor, which is almost always the best choice.
  ♦ virtual-sensor: All packets with the same session key (AaBb) within a virtual sensor belong to the same session.
  ♦ interface-and-vlan: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs or interfaces are tracked independently.
  ♦ vlan-only: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair), regardless of the interface, belong to the same session. Packets with the same key but on different VLANs are tracked independently.
• signature-definition: Name of the signature definition policy
• logical-interfaces: Name of the logical interfaces (inline interface pairs)
• physical-interfaces: Name of the physical interfaces (promiscuous, inline VLAN pairs, and VLAN groups)
  ♦ subinterface-number: The physical subinterface number. If the subinterface-type is none, the value 0 indicates that the entire interface is assigned in promiscuous mode.
  ♦ no: Removes an entry or selection
In order to add a virtual sensor, complete these steps:
1. Log in to the CLI with an account with administrator privileges.
2. Enter service analysis mode.
        sensor# configure terminal
        sensor(config)# service analysis-engine
        sensor(config-ana)#
3. Add a virtual sensor.
        sensor(config-ana)# virtual-sensor vs2
        sensor(config-ana-vir)#
4. Add a description for this virtual sensor.
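The procedure above carried through to a complete session, as an added example that is not taken from the manual: it assigns the policies listed earlier to vs2 and selects the strict evasion-protection mode, which is the setting that gives full TCP state and sequence enforcement when both directions of a flow pass through the sensor. The policy names ad1, rules1 and sig1, the inline pair name inline1, the exact form of the logical-interface command, and the prompts on exit are assumptions; lines starting with "!" are annotations, not CLI input.

```cisco
! Annotations on "!" lines are explanatory only and are not typed into the CLI.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs2
sensor(config-ana-vir)# description inline virtual sensor for the DMZ pair
! Anomaly detection policy (name ad1 is constructed), started in learn mode so it
! builds a baseline before it is switched to detect.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name ad1
sensor(config-ana-vir-ano)# operational-mode learn
sensor(config-ana-vir-ano)# exit
! Event action rules and signature definition policies (constructed names).
sensor(config-ana-vir)# event-action-rules rules1
sensor(config-ana-vir)# signature-definition sig1
! strict: full enforcement of TCP state and sequence tracking. Only use it where
! both directions of every flow traverse this sensor; otherwise expect
! Normalizer signatures 1300/1330 to fire and connections to be denied.
sensor(config-ana-vir)# inline-TCP-evasion-protection-mode strict
! Default session tracking; change it only when the same session key (AaBb)
! legitimately appears on different VLANs or interfaces.
sensor(config-ana-vir)# inline-TCP-session-tracking-mode virtual-sensor
! Assign the inline interface pair (command form and name inline1 assumed).
sensor(config-ana-vir)# logical-interface inline1
! Review the resulting settings before leaving service mode.
sensor(config-ana-vir)# show settings
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]:
```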