IPS Traffic Analysis Methods


Hi everyone,


As usual, I am revisiting the CCNP Security curriculum in order to refresh my memory and keep the information wet in my gray matter. Currently, I am reading the IPS cert guide book 642-627 and having difficulty fully interpreting two of the traffic analysis methods that the IPS performs. Unfortunately, the book explains the information in plain text without any drawings or further examples. I need a security expert who can help me fully absorb the material. So let me get started.


1) Stateful Content Matching:


In this method, the IPS reassembles layer 3 packets and layer 4 sessions between endpoints in order to extract the stream of bytes exchanged through an application session. This stream of bytes is used by the IPS to match certain things in the payload data.


So to apply this, I was trying to imagine that a host in a LAN initiates an HTTP connection to an Internet web server, with the IPS in between. Normally, a TCP session negotiation starts. As I understood it, the IPS here is looking for that stream of bytes by reassembling the TCP session. How does the IPS perform this?


I still don't fully get it. I need someone to draw what this stream of bytes looks like and how it is used to match things in the payload.



2) Protocol Decoding:


As I understood it so far, this method solves the problem of the previous method, which is performance degradation. The IPS here directly parses the application layer protocol from the reassembled byte stream. So instead of searching the entire TCP session's byte stream, it can now search for malicious HTTP URLs in HTTP requests.


Again, i need a diagram to show the parsing process.


