
7-32
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 7 Defining Signatures
Configuring Signatures
sensor from creating alerts where a valid TCP session has not been established. There are known attacks
against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The
TCP session reassembly feature helps to mitigate these types of attacks against the sensor.
You configure TCP stream reassembly parameters per signature. You can configure the mode for TCP
stream reassembly.
TCP Stream Reassembly Signatures and Configurable Parameters
Table 7-6 lists TCP stream reassembly signatures with the parameters that you can configure for TCP
stream reassembly. TCP stream reassembly signatures are part of the Normalizer engine.
Table 7-6 TCP Stream Reassembly Signatures

Columns: Signature ID and Name; Description; Parameter With Default Value and Range; Default Actions. Footnote references from the original table are shown in brackets; the footnote text itself is not on this page.

1301 TCP Session Inactivity Timeout [1]
    Description: Fires when a TCP session has been idle for TCP Idle Timeout seconds.
    Parameter: TCP Idle Timeout, default 3600 (range 15-3600)
    Default Actions: [2]

1302 TCP Session Embryonic Timeout [3]
    Description: Fires when a TCP session has not completed the three-way handshake within TCP Embryonic Timeout seconds.
    Parameter: TCP Embryonic Timeout, default 15 (range 3-300)
    Default Actions: [4]

1303 TCP Session Closing Timeout [5]
    Description: Fires when a TCP session has not closed completely within TCP Closed Timeout seconds after the first FIN.
    Parameter: TCP Closed Timeout, default 5 (range 1-60)
    Default Actions: [6]

1304 TCP Session Packet Queue Overflow
    Description: This signature sets the internal TCP Max Queue size value for the Normalizer engine; as a result, it does not function in promiscuous mode. By default this signature does not fire an alert. If a custom alert event action is associated with this signature and the queue size is exceeded, an alert fires.
    Note: The IPS signature team discourages modifying this value.
    Parameters: TCP Max Queue, default 32 (range 0-128); TCP Idle Timeout, default 3600
    Default Actions: [7]

1305 TCP Urg Flag Set [8]
    Description: Fires when the TCP urgent flag is seen.
    Parameter: TCP Idle Timeout, default 3600
    Default Actions: Modify Packet Inline [9]
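The following Python is an added example, not code from this guide or from the IPS Normalizer engine. It models what the parameters in Table 7-6 control: a session is tracked only from its SYN, a segment for which no handshake has been seen is dropped without inspection (so a replayed piece of an attack cannot provoke an alert), embryonic, idle and closing sessions are torn down after the table's default timeouts (signatures 1302, 1301, 1303), out-of-order payload is held in a queue capped at TCP Max Queue (1304), and a segment with the URG flag fires 1305. The content signature 9999 and its pattern, the "ip:port" endpoints and the traffic trace are constructed for the example; event actions and risk rating of the real engine are not modelled.

```python
"""Toy TCP stream reassembler using the Normalizer-engine defaults in Table 7-6. Example only."""
from collections import namedtuple
from dataclasses import dataclass, field

TCP_IDLE_TIMEOUT = 3600      # sig 1301, seconds
TCP_EMBRYONIC_TIMEOUT = 15   # sig 1302, seconds
TCP_CLOSED_TIMEOUT = 5       # sig 1303, seconds
TCP_MAX_QUEUE = 32           # sig 1304, segments
# Constructed content signature (ID and pattern are assumptions); checked only on in-order payload.
CONTENT_SIG = (9999, b"/etc/passwd")
# One segment: arrival time (s), sender/receiver "ip:port", flag letters from S/A/F/U, seq, payload.
Segment = namedtuple("Segment", "ts src dst flags seq payload", defaults=(0, b""))

@dataclass
class Session:
    client: str               # sender of the SYN
    created: float
    last_seen: float
    state: str = "EMBRYONIC"  # EMBRYONIC -> ESTABLISHED -> CLOSING
    handshake: int = 1        # 1 = SYN seen, 2 = SYN/ACK seen
    first_fin: float = 0.0
    fins: int = 0
    next_seq: dict = field(default_factory=dict)  # expected seq per sender
    queue: list = field(default_factory=list)     # out-of-order segments

class Reassembler:
    def __init__(self, fire_1304=False):
        self.sessions, self.alerts = {}, []   # alerts: (signature id, session key)
        self.fire_1304 = fire_1304            # 1304 is silent unless enabled (Table 7-6)

    def _expire(self, now):
        # Sigs 1302/1301/1303: the clock and limit that apply in each state.
        limits = {"EMBRYONIC": (1302, "created", TCP_EMBRYONIC_TIMEOUT),
                  "ESTABLISHED": (1301, "last_seen", TCP_IDLE_TIMEOUT),
                  "CLOSING": (1303, "first_fin", TCP_CLOSED_TIMEOUT)}
        for key, s in list(self.sessions.items()):
            sig, clock, limit = limits[s.state]
            if now - getattr(s, clock) > limit:
                self.alerts.append((sig, key))
                del self.sessions[key]

    def _deliver(self, s, key, seg):
        # In-order payload is inspected; out-of-order payload is held, capped by sig 1304.
        s.queue.append(seg)
        s.queue.sort(key=lambda q: q.seq)    # sorted, so one pass drains each contiguous run
        for q in list(s.queue):
            if q.seq == s.next_seq.get(q.src):
                s.queue.remove(q)
                s.next_seq[q.src] = q.seq + len(q.payload)
                if CONTENT_SIG[1] in q.payload:
                    self.alerts.append((CONTENT_SIG[0], key))
        if len(s.queue) > TCP_MAX_QUEUE:
            s.queue.pop()                    # drop the segment farthest ahead
            if self.fire_1304:
                self.alerts.append((1304, key))

    def feed(self, seg):
        self._expire(seg.ts)
        key = tuple(sorted((seg.src, seg.dst)))
        s = self.sessions.get(key)
        if s is None:
            if seg.flags != "S":   # no handshake seen: a replayed fragment is never inspected
                return "dropped: no session"
            s = self.sessions[key] = Session(seg.src, seg.ts, seg.ts)
            s.next_seq[seg.src] = seg.seq + 1
            return "embryonic"
        s.last_seen = seg.ts
        if s.state == "EMBRYONIC":
            if s.handshake == 1 and seg.flags == "SA" and seg.src != s.client:
                s.handshake, s.next_seq[seg.src] = 2, seg.seq + 1
            elif s.handshake == 2 and seg.flags == "A" and seg.src == s.client:
                s.state = "ESTABLISHED"
            return s.state.lower()
        if "U" in seg.flags:       # sig 1305; its default action Modify Packet Inline clears URG
            self.alerts.append((1305, key))
        if seg.payload:
            self._deliver(s, key, seg)
        if "F" in seg.flags:
            s.fins += 1
            if s.state == "ESTABLISHED":
                s.state, s.first_fin = "CLOSING", seg.ts
        elif s.state == "CLOSING" and s.fins >= 2 and seg.flags == "A":
            del self.sessions[key]  # graceful close, so 1303 never fires
            return "closed"
        return s.state.lower()

def demo():
    """Constructed trace: replayed fragment, real session with out-of-order data and URG, stale SYN."""
    r, c, s = Reassembler(), "10.0.0.5:40000", "10.0.0.9:80"
    trace = [
        Segment(0.0, c, s, "A", 500, b"GET /etc/passwd"),          # replay: no session, no alert
        Segment(1.0, c, s, "S", 100), Segment(1.1, s, c, "SA", 300), Segment(1.2, c, s, "A", 101),
        Segment(1.3, c, s, "A", 105, b"/etc/passwd HTTP/1.0\r\n"),  # arrives before seq 101
        Segment(1.35, s, c, "UA", 301),                             # URG flag set -> 1305
        Segment(1.4, c, s, "A", 101, b"GET "),                      # fills the hole -> 9999
        Segment(1.5, c, s, "FA", 127), Segment(1.6, s, c, "FA", 301), Segment(1.7, c, s, "A", 128),
        Segment(2.0, "10.0.0.7:5555", s, "S", 1), Segment(20.0, c, s, "S", 900),  # stale SYN -> 1302 at 20 s
    ]
    return [r.feed(seg) for seg in trace], r.alerts
```

demo() returns the per-segment dispositions and the alert list. The replayed segment at t=0 is dropped without an alert even though it carries the signature pattern; the same bytes inside the established session are matched only after the hole at seq 101 is filled; the stray SYN at t=2 triggers 1302 when the next packet arrives 18 seconds later. Signature 1304 follows the table's default: Reassembler() holds at most TCP_MAX_QUEUE out-of-order segments but reports the overflow only when constructed with fire_1304=True.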