Appendix B    Signature Engines
SERVICE Engines

Table B-21    SERVICE.SMB Engine Parameters (continued)

Parameter: specify-direction
Description: (Optional) Enables traffic direction:
  • direction—Lets you specify the direction of traffic:
    – Traffic from service port destined to client port.
    – Traffic from client port destined to service port.
Value:
  from service
  to service

Parameter: specify-file-id
Description: (Optional) Enables using a transaction file ID:
  • file-id—Transaction File ID.
  Note: This parameter may limit a signature to a specific exploit instance and its use should be carefully considered.
Value: 0 to 65535

Parameter: specify-function
Description: (Optional) Enables named pipe function:
  • function—Named Pipe function.
Value: 0 to 65535

Parameter: specify-hit-count
Description: (Optional) Enables hit counting:
  • hit-count—The threshold number of occurrences in scan-interval to fire alerts.
Value: 0 to 65535

Parameter: specify-operation
Description: (Optional) Enables MS RPC operation:
  • operation—MS RPC operation requested. Required for SMB_COM_TRANSACTION commands. An exact match is required.
Value: 0 to 65535

Parameter: specify-resource
Description: (Optional) Enables resource:
  • resource—Specifies that pipe or the SMB filename is used to qualify the alert. In ASCII format. An exact match is required.
Value: resource

Parameter: specify-scan-interval
Description: (Optional) Enables scan interval:
  • scan-interval—The interval in seconds used to calculate alert rates.
Value: 0 to 131071

Parameter: specify-set-count
Description: (Optional) Enables counting setup words:
  • set-count—Number of Setup words.
Value: 0 to 255

Parameter: specify-type
Description: (Optional) Enables searching for the Type field of an MS RPC packet:
  • type—Type Field of MSRPC packet. 0 = Request; 2 = Response; 11 = Bind; 12 = Bind Ack
Value: 0 to 255

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01