Preventing Invalid Command Execution
As mentioned previously, CBAC can parse the commands of some TCP-based application-layer protocols; SMTP and Extended Simple Mail Transfer Protocol (ESMTP) fall into this category. Although inspecting TCP is sufficient to track SMTP/ESMTP connections through the CBAC router, you must inspect SMTP/ESMTP itself to ensure that the protocol conforms to its Request for Comments (RFC). To block the execution of illegal commands by users of SMTP/ESMTP, inspect SMTP/ESMTP with the following commands:
```
ip inspect myfw smtp
ip inspect myfw esmtp
```
For SMTP inspection, CBAC checks for command violations based on RFC 821 and issues alerts when it detects an SMTP attack (there is more on alerts in a later section). When SMTP is inspected, the RFC 821 commands CBAC allows are HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT.
For ESMTP inspection, CBAC inspects the commands defined in RFC 1869, which are AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY. All others are considered illegal, and CBAC generates an alert when it encounters one.
The CBAC router detects a limited number of SMTP attack signatures. A signature in a SYSLOG message indicates a possible attack against the protected network, such as the detection of illegal SMTP commands in a packet. Whenever a signature is detected, the connection is reset.
There are 11 "IDS Sensor" attack signatures. Five have always been integrated into the Cisco IOS Firewall SMTP implementation, as shown in Table 5-2.

| Signature | Description |
|---|---|
| Mail: bad rcpt | Triggers on any mail message with a "pipe" (\|) symbol in the recipient field. |
| Mail: bad from | Triggers on any mail message with a "pipe" (\|) symbol in the "From:" field. |
| Mail: old attack | Triggers when "wiz" or "debug" commands are sent to the SMTP port. |
| Mail: decode | Triggers on any mail message with a ": decode@" in the header. |
| Majordomo | A bug in the Majordomo program allows remote users to execute arbitrary commands at the privilege level of the server. |