Which of the following signature microengines typically has the greatest effect on Cisco IOS IPS performance?
(Select the best answer.)

A.
atomic-ip

B.
normalizer

C.
service-http

D.
service-smb-advanced

E.
string-tcp

Explanation:
Of the choices provided, the string-tcp signature microengine (SME) typically has the greatest effect on Cisco IOS Intrusion Prevention System (IPS) performance. An SME compiles a specific category of signatures and loads them into the IPS regular expression table. Within each category is a number of signatures that can analyze a packet or stream of packets for a particular pattern. For example, the atomic-ip SME contains signatures that can recognize a pattern in a single packet, whereas the service-http SME contains signatures that can recognize a pattern in a stream of Hypertext Transfer Protocol (HTTP) packets. In general, the more of a packet or stream of packets that an SME needs to analyze, the greater its impact on the available memory and CPU of the router. The string-tcp SME can analyze one or more Transmission Control Protocol (TCP) packets and search for a particular string of text.

The atomic-ip SME can analyze the Layer 3 and Layer 4 header fields of a single packet. Because the atomic-ip SME signatures operate on a single packet, they cannot preserve state information between packets. However, atomic-ip SME signatures do not consume large amounts of memory or CPU resources the way string-based SMEs can.

The service-http and service-smb-advanced SMEs can analyze Layer 5 through Layer 7 information for HTTP and Server Message Block (SMB) network services, respectively. Service SMEs are typically the most complicated SMEs because they understand and implement a significant portion of the network services for which they are designed. For example, the service-http SME can effectively mimic the characteristics of a web server in order to analyze the HTTP payload between a web server and its client. Because service SMEs have a deep knowledge of their underlying protocols, they can be optimized to decode only particular portions of a data stream, thereby reducing their impact on memory and CPU utilization.

The normalizer SME is targeted at fragmented IP datagrams. The normalizer SME reassembles the fragmented IP datagrams and then analyzes the completed datagram before deciding whether the datagram should be forwarded or discarded. If the normalizer SME decides that a datagram should be forwarded but the datagram is too large to transmit, it refragments the datagram prior to forwarding it. If the normalizer SME had to analyze fragmented datagrams based on the many different ways that destination devices might reassemble them, it could consume a significant amount of memory and CPU resources; however, because the normalizer SME reassembles datagrams without regard to how the target device will receive them, the process can be optimized with regard to memory and CPU utilization.

Reference: Cisco, Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 5.1: Example String TCP Signature
