Cisco IDS Sensor Signatures
Overview
IP Signatures 1000 Series
The 1000 series signatures examine IP options, IP fragmentation, and bad IP packets. IP headers are examined for specific IP options, and alarms fire based on the content of the IP header. If the data contained within the IP header does not meet the requirements for IP headers, these signatures fire an alarm. IP fragmentation signatures examine the fragments of a packet for suspicious activity. Bad IP packet signatures focus on invalid or crafted packets.
1001-IP Options-Record Packet Route: This signature fires when an IP datagram is received with IP option 7, Record Packet Route, set in the datagram.
1002-IP Options-Timestamp: This signature fires when an IP datagram is received with IP option 4, Timestamp, set in the datagram.
1004-IP Options-Loose Source Route: This signature fires when an IP datagram is received with the IP option Loose Source Route (option 3) set in the datagram.
1006-IP Options-Strict Source Route: This signature fires when an IP datagram is received with the IP option Strict Source Routing (option 2) set in the datagram.
1100-IP Fragment Attack: This signature fires when IP datagrams are received with an offset value greater than 0 but less than 5 in the offset field.
1101-Unknown IP Protocol: This signature fires when an IP datagram is received with the protocol field set to 134 or greater.
1102-Impossible IP Packet: This signature fires when an IP packet arrives with the source address equal to the destination address.
1103-IP Fragments Overlap: This signature fires when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram.
1104-IP Localhost Source Spoof: This signature fires when an IP packet with an address of 127.0.0.1 is detected.
1105-Broadcast Source Address: This signature fires when an IP packet with a source address of 255.255.255.255 is detected.
1106-Multicast IP Source Address: This signature fires when an IP packet with a source address of 224.x.x.x is detected.
1107-RFC 1918 Addresses Seen: Legitimate network traffic may cause this signature to fire. Verify whether valid RFC 1918 address ranges are in use on your internal networks.
1108-IP Packet with Protocol 11: This signature alarms upon detecting IP traffic with the protocol set to 11.
1109-Cisco IOS Interface DoS: This alarm fires upon detecting a "specially crafted packet" that may block the IOS input queue if that IOS image is vulnerable.
1200-IP Fragmentation Buffer Full: This signature fires when there is an extraordinary amount of incomplete fragmented traffic detected on the protected network.
1201-IP Fragment Overlap: This signature fires when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram.
1202-IP Fragment Overrun - Datagram Too Long: This signature fires when a reassembled fragmented datagram would exceed the declared IP data length or the maximum datagram length. Alarm level 5.
1203-IP Fragment Overwrite - Data is Overwritten: This signature fires when an IP fragment overlaps a previous fragment. This behavior is consistent with the 'Ping of Death'.
1204-IP Fragment Missing Initial Fragment: This signature fires when a datagram cannot be reassembled due to missing initial data.
1205-IP Fragment Too Many Datagrams: This signature fires when there is an excessive number of incomplete fragmented datagrams detected on the network.
1206-IP Fragment Too Small: This signature fires when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted.
1207-IP Fragment Too Many Fragments: This signature fires when there is an excessive number of fragments for a given datagram. This is most likely either a denial of service (DoS) attack or an attempt to bypass security measures.
1208-IP Fragment Incomplete Datagram: This signature fires when a datagram cannot be fully reassembled due to missing data.
1220-Jolt2 Fragment Reassembly DoS Attack: This alarm fires when multiple fragments are received, all claiming to be the last fragment of an IP datagram.
1300-TCP Segment Overwrite: This signature fires when one or more TCP segments in the same stream overwrite data from one or more segments located earlier in the stream.
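The fragment conditions described for signatures 1201, 1202, 1204, 1206, 1208 and 1220 can be expressed as checks over the fragments of one datagram. The following is an added example, not Cisco's sensor logic: the Frag tuple, the check_fragments function and the sample fragments are assumptions constructed for illustration, and the checks are a simplified reading of the descriptions above.

```python
from typing import List, NamedTuple, Set

MAX_DATAGRAM = 65535   # maximum IPv4 datagram length in bytes
MIN_FRAGMENT = 400     # "too small" threshold stated for signature 1206


class Frag(NamedTuple):        # hypothetical record for one received fragment
    offset: int                # payload offset in bytes (offset field * 8)
    length: int                # payload bytes carried by this fragment
    more: bool                 # More Fragments (MF) flag


def check_fragments(frags: List[Frag]) -> Set[int]:
    """Return the signature IDs matched by the fragments of one datagram."""
    hits: Set[int] = set()
    if not frags:
        return hits
    ordered = sorted(frags, key=lambda f: f.offset)
    finals = [f for f in ordered if not f.more]
    if len(finals) > 1:
        hits.add(1220)                  # several fragments claim to be last
    if ordered[0].offset != 0:
        hits.add(1204)                  # initial fragment never arrived
    covered = ordered[0].offset         # end of the data seen so far
    gap = False
    for f in ordered:
        if f.more and f.length < MIN_FRAGMENT:
            hits.add(1206)              # non-final fragment under 400 bytes
        if f.offset + f.length > MAX_DATAGRAM:
            hits.add(1202)              # reassembly would exceed the maximum
        if f.offset < covered:
            hits.add(1201)              # shares positioning with earlier data
        elif f.offset > covered:
            gap = True                  # hole between consecutive fragments
        covered = max(covered, f.offset + f.length)
    if gap or not finals:
        hits.add(1208)                  # cannot be fully reassembled
    return hits


if __name__ == "__main__":
    # Constructed sample input: a clean datagram and an overlapping one.
    clean = [Frag(0, 1480, True), Frag(1480, 1480, True), Frag(2960, 500, False)]
    overlap = [Frag(0, 1480, True), Frag(1000, 1480, True), Frag(2480, 100, False)]
    print(sorted(check_fragments(clean)), sorted(check_fragments(overlap)))
```

A real sensor also tracks fragments per source, destination and IP ID with timeouts, which is what the volume-based signatures (1200, 1205, 1207) depend on; this sketch covers only the per-datagram conditions.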