Intrusion Prevention

Cisco's IOS-based Intrusion Prevention System (IPS) and the earlier Intrusion Detection System (IDS) both monitor traffic received or transmitted on a particular interface, looking for defined patterns, or signatures. These signatures are divided into four main overlapping categories.

Atomic signatures represent threats that can be seen in a single packet. This would include, for example, a TCP packet with an illegal set of flags, or packets with spoofed addresses.

Compound signatures look for threats that span many packets. A network address or port scan would be caught by a compound signature.

Info signatures try to detect reconnaissance-type patterns such as port scans. These are usually not an immediate threat in the way that denial-of-service or access-type attacks are, so you might opt to respond to these events differently.

Finally, Attack signatures analyze traffic looking for active and immediate attacks. In these events, a person or program is actively attempting to access or disrupt your network.

These categories overlap so that you have Info Atomic, Info Compound, Attack Atomic, and Attack Compound signatures.

You can configure the router to respond to attacks in one of three ways. The IPS can simply log the event to a server, it can drop any packets that match the signature, or, for TCP packets, it can forward the packet through to the destination with the RST flag set. Setting this flag tells the end device to immediately tear down the session.
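The following is an added illustration, not Cisco code, of the two ideas above: an atomic signature that needs only one packet versus a compound signature that keeps state across packets, and the three response actions (log-only alarm, drop, or forward with RST). The `Packet` type, the signature names, the scan threshold of five ports and the sample addresses are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this packet, e.g. frozenset({"SYN"})

def atomic_illegal_flags(pkt):
    """Attack Atomic: one packet is enough; SYN and FIN never belong together."""
    return {"SYN", "FIN"} <= pkt.flags

class PortScanSignature:
    """Info Compound: keeps state across packets and fires once when a source
    has probed more than `threshold` distinct ports on the same destination."""
    def __init__(self, threshold=5):
        self.threshold, self.ports = threshold, defaultdict(set)
    def match(self, pkt):
        seen = self.ports[(pkt.src, pkt.dst)]
        seen.add(pkt.dport)
        return len(seen) == self.threshold + 1

def build_signatures(scan_action="alarm"):
    """Each entry: (name, category, matcher, action) with action alarm, drop or reset."""
    return [("illegal-tcp-flags", "attack-atomic", atomic_illegal_flags, "drop"),
            ("tcp-port-scan", "info-compound", PortScanSignature(5).match, scan_action)]

def run_ips(packets, signatures):
    """Every match is logged as an event; drop wins over reset, and reset forwards
    the packet with RST added so the receiving host tears the session down."""
    events, forwarded = [], []
    for pkt in packets:
        verdict = "forward"
        for name, category, matcher, action in signatures:
            if matcher(pkt):
                events.append((name, category, action, pkt.src))
                if action == "drop" or (action == "reset" and verdict == "forward"):
                    verdict = action
        if verdict == "drop":
            continue
        flags = pkt.flags | {"RST"} if verdict == "reset" else pkt.flags
        forwarded.append(Packet(pkt.src, pkt.dst, pkt.dport, frozenset(flags)))
    return events, forwarded

# Constructed sample traffic: a normal SYN, an illegal SYN+FIN, and one source walking six ports.
SAMPLE = [Packet("10.0.0.5", "10.0.0.20", 80, frozenset({"SYN"})),
          Packet("10.0.0.9", "10.0.0.20", 22, frozenset({"SYN", "FIN"}))]
SAMPLE += [Packet("10.0.0.7", "10.0.0.20", p, frozenset({"SYN"})) for p in (21, 22, 23, 25, 80, 110)]
```

Running `run_ips(SAMPLE, build_signatures())` logs the illegal-flag packet as dropped and the scan as an alarm-only event on its sixth port; passing `build_signatures("reset")` instead forwards that sixth probe with RST added.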