Cisco IPS 4255 Sensor Release Notes

Release Notes for Cisco Intrusion Prevention System 7.0(2)E4
OL-21671-01
Use the following tools for monitoring Cisco IPS 7.0(2)E4 sensors:

Cisco IME 7.0.2
The IME now supports 10 devices.
Note: The current versions of the IME work with the E4 engine upgrade, but do not correctly display the new values allowed in the Retired signature field. An updated version of the IME is in progress and will be released shortly after the E4 engine update. The current versions of the IME also do not have the expanded memory capability for the Java VM and may cause problems when you tune signatures.

CSM 4.0 and later
Note: You may need to configure viewers that are already configured to monitor the Cisco IPS 6.2 sensors to accept a new SSL certificate for the Cisco IPS 7.0(2)E4 sensors.

New and Changed Information
Cisco IPS 7.0(2)E4 includes the new E4 signature engine.
The E4 signature engine update includes signature update 480, which is not available for separate 
download. The E4 signature engine update contains the following new features:
Port-agnostic HTTP inspection
The IPS now allows inspection of HTTP on any port. The Service HTTP engine now contains a 
parameter (ALLPORTS) that aids you in configuring inspection of HTTP on any port.
Meta engine enhancements
The purpose of the Meta engine is to detect a specified payload from an attacker and a corresponding 
payload from the victim. It is also used to inspect streams at different offsets. The Meta engine 
supports the AND and OR logical operators. ANDNOT capability has been added to the Meta 
engine. This clause is a negative clause used to complement the existing positive clause-based 
signatures. The previous signature format had the following form:
IF (A and B and C) then Alarm; alternatively, IF (A or B or C) then Alarm is also 
supported; where A, B, and C are meta component signatures.
The addition of the negative clause allows for the following logic:
IF (A and/or B) AND NOT (C and/or D) then Alarm.
The (C and/or D) is the negative clause and is satisfied if (C and D) [alternatively (C or D)] do not 
occur before the Meta Reset Interval time expires. 
A component of the positive clause must occur before the negative clause(s) to establish the Meta 
tracking state. The Meta engine cannot track the lack of past behavior. The state of the negative 
clause is evaluated when the Meta Reset Interval time expires. 
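
The AND NOT evaluation described above, as an added example that is not Cisco code and not part of the release notes. It is a simplified model: the function name meta_alarms, the component names A, B, C, D and the sample events are constructed, and it assumes the tracking window opens at the first positive component and runs for one Meta Reset Interval.

```python
def meta_alarms(events, positive, negative, reset_interval,
                pos_op=all, neg_op=any):
    """Simplified model of: IF (positive) AND NOT (negative) then Alarm.

    events: (time_seconds, component_id) tuples sorted by time (constructed data).
    pos_op / neg_op: all for an AND clause, any for an OR clause.
    Returns the times at which an alarm fires (window start + reset_interval).
    """
    alarms, start, seen = [], None, set()

    def expire():
        # The negative clause is judged only when the reset interval runs out.
        pos_ok = pos_op(c in seen for c in positive)
        neg_hit = neg_op(c in seen for c in negative)
        if pos_ok and not neg_hit:
            alarms.append(start + reset_interval)

    for t, comp in events:
        if start is not None and t >= start + reset_interval:
            expire()
            start, seen = None, set()
        if start is None:
            if comp not in positive:
                continue  # no tracking state yet, so this component is not tracked
            start = t     # first positive component opens the tracking window
        if comp in positive or comp in negative:
            seen.add(comp)
    if start is not None:
        expire()          # assumption: no further events arrive before expiry
    return alarms


if __name__ == "__main__":
    pos, neg = {"A", "B"}, {"C"}  # hypothetical meta component signatures
    # Positive clause met, C never seen in the window: alarm at expiry.
    print(meta_alarms([(0, "A"), (10, "B")], pos, neg, 60))
    # C occurs inside the window: the negative clause suppresses the alarm.
    print(meta_alarms([(0, "A"), (10, "B"), (30, "C")], pos, neg, 60))
    # C occurs before any positive component: it is not tracked, alarm still fires.
    print(meta_alarms([(0, "C"), (5, "A"), (10, "B")], pos, neg, 60))
```

The third case shows the tuning consequence of "cannot track the lack of past behavior": a negative component that fires before the positive clause starts tracking does not suppress the alarm.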
Signature load thresholding
The retired attribute of a signature has been changed to support the variable loading of signatures 
based on platform. A signature can be retired or active with additional values that include low 
memory retired (low-mem-retired) and medium memory retired (medium-mem-retired). Low 
memory retired platforms have less than 1 GB of maximum sensor memory, and include the