Which of the following signature microengines typically has the greatest effect on Cisco IOS IPS performance? (Select the best answer.)
Of the choices provided, the stringtcp signature microengine (SME) typically has the greatest effect on Cisco IOS Intrusion Prevention System (IPS) performance. An SME compiles a specific category of signatures and loads them into the IPS regular expression table. Within each category is a number of signatures that can analyze a packet or stream of packets for a particular pattern. For example, the atomicip SME contains signatures that can recognize a pattern in a single packet, whereas the servicehttp SME contains signatures than can recognize a pattern in a stream of Hypertext Transfer Protocol (HTTP) packets. In general, the more of a packet or stream of packets that an SME needs to analyze, the greater its impact on the available memory and CPU of the router. The stringtcp SME can analyze one or more Transmission Control Protocol (TCP) packets and search for a particular string of text.
The atomicip SME can analyze the Layer 3 and Layer 4 header fields of a single packet. Because the atomicip SME signatures operate on a single packet, they cannot preserve state information between packets. However, atomicip SME signatures do not consume large amounts of memory or CPU resources like stringbased SMEs can consume.
The servicehttp and servicesmbadvanced SMEs can analyze Layer 5 through 7 information for HTTP and Server Message Block (SMB) network services, respectively. Service SMEs are typically the most complicated SMEs because they understand and implement a significant portion of the network services for which they are designed. For example, the servicehttp SME can effectively mimic the characteristics of a web server in order analyze the HTTP payload between a web server and its client. Because service SMEs have a deep knowledge of their underlying protocols, they can be optimized to decode only particular portions of a data stream, thereby reducing their impact on the memory and CPU utilization.
The normalizer SME is targeted at fragmented IP datagrams. The normalizer SME reassembles the fragmented IP datagrams and then analyzes the completed datagram before deciding whether the datagram should be forwarded or discarded. If the normalizer SME decides that a datagram should be forwarded but the datagram is too large to transmit, it will refragment the datagram prior to forwarding it. If the normalizer SME had to analyze fragmented datagrams based on the many different ways that destination devices might reassemble them, it could consume a significant amount of memory and CPU resources? however, because the normalizer SME reassembles datagrams without regard to how the target device will receive them, the process can be optimized with regard to memory and CPU utilization.