Signature Engine AIC Atomic ARP meta Engine

1.1.1.1 Signature Engine

A signature engine is a component of the IPS that is designed to support many signatures in a specific category. Every engine has a set of parameters with allowable ranges or sets of values.

IPS 6.0 consists of the following signature engines:

AIC (Application Inspection and Control) Engine provides deep analysis of web traffic. The AIC engine gives granular control over HTTP sessions to prevent abuse of the HTTP protocol. It also allows administrative control over applications such as instant messaging. AIC can also be used to inspect FTP (File Transfer Protocol) traffic and control the commands being issued.

There are two AIC engines:

• AIC FTP

• AIC HTTP

Atomic Engine. The atomic engines are now combined into two engines with multi-level selections. Layer 3 and Layer 4 attributes can be combined within one signature, for example IP and TCP.

Atomic ARP Engine is used to inspect the Layer 2 ARP protocol. The Atomic ARP engine is unusual because most engines are based on the Layer 3 IP protocol: they inspect IP packets and the associated Layer 4 transport protocols, and they let you specify values to match for fields in the IP and Layer 4 headers.

Flood Engine detects ICMP and UDP floods directed at specific hosts and networks.

There are two Flood engines:

• Flood Host

• Flood Net

Meta Engine is used to define events that occur in a related manner within a sliding time interval. This engine processes events and alerts rather than packets.
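To make the "alerts rather than packets" point concrete, here is an added example of a toy meta-signature correlator written for this page; it is not Cisco IPS code or configuration. It consumes component alerts and fires a meta alert when all the component signature ids in a definition are seen from the same attacker address within a time window, optionally in a required order. The signature ids, meta id, attacker addresses and window length are constructed assumptions.

```python
"""Toy meta-signature correlator (added example, not Cisco IPS code).
It consumes alerts, not packets, and fires a meta alert when every
component signature of a definition has fired from the same attacker
within a time window. All ids, addresses and windows are constructed."""

from dataclasses import dataclass, field


@dataclass
class MetaSignature:
    meta_id: int                 # id reported for the meta alert (constructed)
    component_ids: tuple         # component signature ids that must all fire
    window_seconds: float        # interval within which they must all occur
    ordered: bool = False        # require components in the listed order


@dataclass
class _State:
    """Per (meta signature, attacker) state: which components fired and when."""
    first_seen: float
    seen: dict = field(default_factory=dict)   # sig_id -> timestamp


class MetaEngine:
    def __init__(self, signatures):
        self.signatures = list(signatures)
        self._states = {}   # (meta_id, attacker) -> _State

    def process(self, alert):
        """Feed one component alert; return the meta alerts it completes.

        alert: dict with ts (seconds), sig_id (int) and attacker (str).
        Alerts are assumed to arrive in time order.
        """
        fired = []
        for sig in self.signatures:
            if alert["sig_id"] not in sig.component_ids:
                continue
            key = (sig.meta_id, alert["attacker"])
            st = self._states.get(key)
            # Start a fresh window if none exists or the old one has expired.
            if st is None or alert["ts"] - st.first_seen > sig.window_seconds:
                st = _State(first_seen=alert["ts"])
                self._states[key] = st
            if sig.ordered:
                # The next expected component is the first one not yet seen.
                expected = next(c for c in sig.component_ids if c not in st.seen)
                if alert["sig_id"] != expected:
                    continue
            st.seen.setdefault(alert["sig_id"], alert["ts"])   # duplicates are ignored
            if all(c in st.seen for c in sig.component_ids):
                fired.append({"meta_id": sig.meta_id, "attacker": alert["attacker"],
                              "ts": alert["ts"], "components": dict(st.seen)})
                del self._states[key]   # fire once, then start over
        return fired


def run_meta_engine(signatures, alerts):
    """Run all alerts through a fresh engine and collect the meta alerts."""
    engine = MetaEngine(signatures)
    out = []
    for a in alerts:
        out.extend(engine.process(a))
    return out


# Constructed sample: meta signature 90001 fires when component signatures
# 1001 and 1002 both fire from the same attacker within 60 seconds.
SIGNATURES = [MetaSignature(meta_id=90001, component_ids=(1001, 1002), window_seconds=60)]

SAMPLE_ALERTS = [
    {"ts": 0.0,   "sig_id": 1001, "attacker": "192.0.2.10"},
    {"ts": 20.0,  "sig_id": 1002, "attacker": "192.0.2.10"},   # completes 90001
    {"ts": 100.0, "sig_id": 1001, "attacker": "192.0.2.20"},
    {"ts": 200.0, "sig_id": 1002, "attacker": "192.0.2.20"},   # window expired: no meta alert
]

if __name__ == "__main__":
    for m in run_meta_engine(SIGNATURES, SAMPLE_ALERTS):
        print(m)
```

The state is keyed per attacker so that unrelated hosts cannot combine to satisfy one meta signature, and it is discarded after firing so the meta alert is raised once per completed window rather than on every later component alert.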

Multi String Engine is used to inspect Layer 4 transport protocols and payload data by matching several strings for one signature.

This engine inspects the following categories:

• Stream-based TCP

• Single UDP

• ICMP packets

Normalizer Engine is used to configure how the IP and TCP normalizer operates and provides general configuration for signature events related to the IP and TCP normalizer. It can enforce RFC compliance.

Service Engine is used to deal with specific protocols. The Service engine has the following protocol categories:

• DNS inspects DNS (TCP and UDP) traffic.

• FTP inspects FTP traffic.

• Generic decodes custom services and payloads.

• Generic Advanced analyzes traffic flow based on mini-applications that are written to check the packets.

• H225 inspects VoIP traffic.

State Engine is designed for stateful searches of strings in protocols such as SMTP.

The State engine consists of a hidden configuration document that defines the state transitions, so new state definitions can be delivered in an upcoming signature update.

String Engine is used to search for regular expression (regex) strings in ICMP, TCP, or UDP traffic.

There are three different String engines:

• String ICMP

• String TCP

• String UDP

Sweep Engine is used to analyze sweeps from a single host (ICMP and TCP) and sweeps of destination ports (UDP and TCP).
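The Flood Host, Flood Net and Sweep engines described above all reduce to counting events per key inside a sliding time window. The following added example (written for this page, not Cisco IPS code) implements that idea once and runs it over constructed packet summaries; the thresholds, window size, addresses and port numbers are assumptions chosen for illustration.

```python
"""Sliding-window flood and sweep detection (added example, not Cisco IPS code).
One counter type serves three checks: ICMP/UDP packets per destination host
(Flood Host), per protected network (Flood Net), and distinct TCP destination
ports touched by one source on one host (Sweep). All sample traffic,
addresses, thresholds and window sizes below are constructed."""

from collections import defaultdict, deque


class SlidingWindowCounter:
    """Keeps, per key, the events that fell inside the last `window` seconds."""

    def __init__(self, window):
        self.window = window
        self._events = defaultdict(deque)   # key -> deque of (ts, item)

    def add(self, key, ts, item=None):
        q = self._events[key]
        q.append((ts, item))
        # Drop events that aged out of the window (input is fed in time order).
        while q and ts - q[0][0] > self.window:
            q.popleft()

    def count(self, key):
        return len(self._events[key])

    def distinct(self, key):
        return {item for _, item in self._events[key]}


def _fire(alerts, fired, kind, key, condition, ts):
    """Append one alert per (kind, key) the first time its condition holds."""
    if condition and (kind, key) not in fired:
        fired.add((kind, key))
        alerts.append({"kind": kind, "key": key, "ts": ts})


def detect(packets, flood_host_rate=100, flood_net_rate=500, sweep_ports=10, window=1.0):
    """Return flood and sweep alerts for a list of packet summaries.

    Each packet is a dict: ts (seconds), proto ('icmp' | 'udp' | 'tcp'),
    src, dst (address strings) and dport (int destination port).
    flood_host_rate: ICMP/UDP packets per window aimed at one host (Flood Host)
    flood_net_rate:  ICMP/UDP packets per window aimed at the whole network (Flood Net)
    sweep_ports:     distinct TCP ports one source touches on one host (Sweep)
    """
    per_host, per_net, sweeps = (SlidingWindowCounter(window) for _ in range(3))
    alerts, fired = [], set()
    for p in sorted(packets, key=lambda x: x["ts"]):
        if p["proto"] in ("icmp", "udp"):
            per_host.add(p["dst"], p["ts"])
            per_net.add("net", p["ts"])
            _fire(alerts, fired, "flood-host", p["dst"],
                  per_host.count(p["dst"]) > flood_host_rate, p["ts"])
            _fire(alerts, fired, "flood-net", "net",
                  per_net.count("net") > flood_net_rate, p["ts"])
        elif p["proto"] == "tcp":
            key = (p["src"], p["dst"])
            sweeps.add(key, p["ts"], p["dport"])
            _fire(alerts, fired, "port-sweep", key,
                  len(sweeps.distinct(key)) >= sweep_ports, p["ts"])
    return alerts


def sample_packets():
    """Constructed traffic: an ICMP burst at one host, a TCP port sweep against
    another, and a little benign UDP. Addresses come from documentation ranges."""
    pkts = [{"ts": 0.001 * i, "proto": "icmp", "src": "198.51.100.5",
             "dst": "192.0.2.10", "dport": 0} for i in range(150)]
    pkts += [{"ts": 1.0 + 0.01 * i, "proto": "tcp", "src": "198.51.100.7",
              "dst": "192.0.2.20", "dport": 20 + i} for i in range(15)]
    pkts += [{"ts": 2.0 + 0.1 * i, "proto": "udp", "src": "192.0.2.30",
              "dst": "192.0.2.40", "dport": 53} for i in range(5)]
    return pkts


if __name__ == "__main__":
    for a in detect(sample_packets()):
        print(a)
```

Each alert is raised once per (kind, key) so a sustained burst produces one event rather than one per packet; the Flood Net check never fires on this sample because 150 packets stay under the 500-per-window network threshold, which is the kind of tuning difference between host-scoped and network-scoped flood signatures.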

Traffic Anomaly Engine is used to inspect UDP, TCP, and other traffic for worms or viruses.

Traffic ICMP Engine is used to analyze protocols such as DDoS. There are only two signatures of this type with configurable parameters.

Trojan Engine is used to analyze traffic from protocols such as UDP. Users cannot configure these signatures.
