User manual
7-35
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 7 Defining Signatures
Configuring Signatures
Table 7-6 TCP Stream Reassembly Signatures (continued)

| Signature ID and Name | Description | Parameter With Default Value and Range | Default Actions |
|---|---|---|---|
| 1330 7 TCP Drop - Bad WinScale Option Value | Fires when a TCP packet has a bad window scale value. | Modify Packet Inline sets the value to the closest constraint value. | Modify Packet Inline |
| 1330 8 TCP Drop - SACK Allow Without SYN | Fires when the TCP SACK allowed option is seen in a packet without the SYN flags set. | Modify Packet Inline clears the SACK allowed option. | Modify Packet Inline |
| 1330 9 TCP Drop - Data in SYN\|ACK | Fires when TCP packet with SYN and ACK flags set also contains data. | — | Deny Packet Inline |
| 1330 10 TCP Drop - Data Past FIN | Fires when TCP data is sequenced after FIN. | — | Deny Packet Inline |
| 1330 11 TCP Drop - Timestamp not Allowed | Fires when TCP packet has timestamp option when timestamp option is not allowed. | — | Deny Packet Inline |
| 1330 12 TCP Drop - Segment Out of Order | Fires when TCP segment is out of order and cannot be queued. | — | Deny Packet Inline |
| 1330 13 TCP Drop - Invalid TCP Packet | Fires when TCP packet has invalid header. | — | Deny Packet Inline |
| 1330 14 TCP Drop - RST or SYN in window | Fires when TCP packet with RST or SYN flag was sent in the sequence window but was not the next sequence. | — | Deny Packet Inline |
| 1330 15 TCP Drop - Segment Already ACKed | Fires when TCP packet sequence is already ACKed by peer (excluding keepalives). | — | Deny Packet Inline |
| 1330 16 TCP Drop - PAWS Failed | Fires when TCP packet fails PAWS check. | — | Deny Packet Inline |
| 1330 17 TCP Drop - Segment out of State Order | Fires when TCP packet is not proper for the TCP session state. | — | Deny Packet Inline |
| 1330 18 TCP Drop - Segment out of Window | Fires when TCP packet sequence number is outside of allowed window. | — | Deny Packet Inline |
| 3050 Half Open SYN Attack | | syn-flood-max-embryonic 5000 | |
| 3250 TCP Hijack | | max-old-ack 200 | |
| 3251 TCP Hijack Simplex Mode | | max-old-ack 100 | |

1. The timer is reset to 0 after each packet on the TCP session. By default, this signature does not produce an alert. You can choose to produce alerts for expiring TCP connections if desired. A statistic of the total number of expired flows is updated any time a flow expires.