Cross Protocol signature series: 6000 series
Cross protocol signatures detect attacks that span several protocols. For example, RPC services use both TCP and UDP. DNS and authentication failures are some of the other activity covered in the 6000 series.
6001-Normal SATAN Probe: This is a supersignature that is fired when a port sweep pattern produced by the SATAN tool is detected.
6002-Heavy SATAN Probe: This is a supersignature that is fired when a port sweep pattern produced by the SATAN tool is detected.
6050-DNS HINFO Request: This signature fires on an attempt to access HINFO records from a DNS server.
6051-DNS Zone Transfer: This signature fires on normal DNS zone transfers, in which the source port is 53.
6052-DNS Zone Transfer from High Port: This signature fires on an illegitimate DNS zone transfer, in which the source port is not equal to 53.
6053-DNS Request for All Records: This signature fires on a DNS request for all records. It is similar to a zone transfer in that it provides a method for transferring DNS records from a server to another requesting host.
6054-DNS Version Request: This signature fires when a request for the version of a DNS server is detected.
6055-DNS Inverse Query Buffer Overflow: This signature fires when an IQUERY request arrives with a data section that is larger than 255 characters.
6056-DNS NXT Buffer Overflow: This signature fires when a DNS server response arrives that has a long NXT resource where the length of the resource data is > 2069 bytes OR the length of the TCP stream containing the NXT resource is > 3000 bytes.
6057-DNS SIG Buffer Overflow: This signature fires when a DNS server response arrives that has a long SIG resource where the length of the resource data is > 2069 bytes OR the length of the TCP stream containing the SIG resource is > 3000 bytes.
6058-DNS SRV DoS: Alarms when a DNS query type SRV and DNS query class IN is detected with more than ten pointer jumps in the SRV resource record.
6059-DNS TSIG Overflow: Alarms when a DNS query type TSIG is detected and the domain name is greater than 255.
6060-DNS Complain Overflow: Alarms when an NS record is detected with a domain name greater than 255 and the IP address is 0.0.0.0, 255.255.255.255 or a multicast of form 224.X.X.X.
6061-DNS Infoleak: Alarms when a DNS IQUERY is detected with a record data length greater than 4 and class IN.
6062-DNS Authors Request: Alarms when a DNS query type TXT class CHAOS is detected with string "Authors.Bind". This is not case sensitive.
6063-DNS Incremental Zone Transfer: Alarms when a DNS query type of 251 is detected.
6064-BIND Large OPT Record DoS: This signature will fire if a DNS request with an OPT resource record containing a large UDP payload length is detected.
6100-RPC Port Registration: This signature fires when attempts are made to register new RPC services on a target host.
6101-RPC Port Unregistration: This signature fires when attempts are made to unregister existing RPC services on a target host.
6102-RPC Dump: This signature fires when an RPC dump request is issued to a target host.
6103-Proxied RPC Request: This signature fires when a proxied RPC request is sent to the portmapper of a target host.
6104-RPC Set Spoof: This signature fires when an RPC set request with a source address of 127.x.x.x is detected.
6105-RPC Unset Spoof: This signature fires when an RPC unset request with a source address of 127.x.x.x is detected.
6110-RPC RSTATD Sweep: This signature fires when RPC requests are made to many ports for the RSTATD program.
6111-RPC RUSERSD Sweep: This signature fires when RPC requests are made to many ports for the RUSERSD program.
6112-RPC NFS Sweep: This signature fires when RPC requests are made to many ports for the NFS program.
6113-RPC MOUNTD Sweep: This signature fires when RPC requests are made to many ports for the MOUNTD program.
6114-RPC YPPASSWDD Sweep: This signature fires when RPC requests are made to many ports for the YPPASSWDD program.
6115-RPC SELECTION_SVC Sweep: This signature fires when RPC requests are made to many ports for the SELECTION_SVC program.
6116-RPC REXD Sweep: This signature fires when RPC requests are made to many ports for the REXD program.
6117-RPC STATUS Sweep: This signature fires when RPC requests are made to many ports for the STATUS program.
6118-RPC ttdb Sweep: This signature fires on an attempt to access the tooltalk database daemon on multiple ports on a single host.
6150-ypserv Portmap Request: This signature fires when a request is made to the portmapper for the YP server daemon (ypserv) port.
6151-ypbind Portmap Request: This signature fires when a request is made to the portmapper for the YP bind daemon (ypbind) port.
6152-yppasswdd Portmap Request: This signature fires when a request is made to the portmapper for the YP password daemon (yppasswdd) port.
6153-ypupdated Portmap Request: This signature fires when a request is made to the portmapper for the YP update daemon (ypupdated) port.
6154-ypxfrd Portmap Request: This signature fires when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.
6155-mountd Portmap Request: This signature fires when a request is made to the portmapper for the mount daemon (mountd) port.
6175-rexd Portmap Request: This signature fires when a request is made to the portmapper for the remote execution daemon (rexd) port.
6180-rexd Attempt: This signature fires when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution.
6188-statd dot dot: This signature alarms upon detecting a dot dot slash (../) sequence sent to the statd RPC service.
6189-statd automount attack: This signature alarms upon detecting a statd bounce attack on the automount process.
Note: Signatures 6188 and 6189 are only available in Cisco IDS versions 4.0 and newer.
6190-statd Buffer Overflow: This signature fires when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.
6191-RPC.tooltalk buffer overflow: This signature fires when an attempt is made to overflow an internal buffer in the tooltalk rpc program.
6192-RPC mountd Buffer Overflow: This signature fires on an attempt to overflow a buffer in the RPC mountd application.
6193-RPC CMSD Buffer Overflow: This signature fires when an attempt is made to overflow an internal buffer in the Calendar Manager Service Daemon, rpc.cmsd.
6194-sadmind RPC Buffer Overflow: This signature fires when a call to RPC program number 100232 procedure 1 with a UDP packet length > 1024 bytes is detected.
6195-RPC amd Buffer Overflow: Signature 6195 will detect the exploitation of the RPC AMD Buffer Overflow vulnerability.
6196-snmpXdmid Buffer Overflow: This signature fires when an abnormally long call to the RPC program 100249 (snmpXdmid) and procedure 257 is detected.
6197-rpc yppaswdd overflow: This alarm fires when an overflow attempt is detected when sent to the yppaswdd RPC-based application.
6198-rwalld String Format: This signature fires if an unusually long message is detected being sent to the RPC service rwalld.
6199-cachefsd Overflow: This alarm fires when an overflow attempt is detected when sent to cachefsd, an RPC-based application.
6200-Ident Buffer Overflow: This signature fires when a server returns an IDENT reply that is too large.
6201-Ident Newline: This signature fires when a server returns an IDENT reply that includes a newline followed by more data.
6210-LPRng format String Overflow: Alarms when the first lpr command in a datastream is invalid (first byte != 1-9 ascii) and the length to the first LF is greater than 256.
6250-FTP Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish an FTP session.
6251-Telnet Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish a telnet session.
6252-Rlogin Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish an rlogin session.
6253-POP3 Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to establish a POP3 session.
6255-SMB Authorization Failure: This signature fires when a client fails Windows NT's (or Samba's) user authentication three or more consecutive times within a single SMB session.
6256-HTTP Authorization Failure: This signature fires when a user has failed to authenticate three times in a row, while trying to log into a secured HTTP website.
6275-SGI fam Attempt: This signature detects accesses to the SGI fam RPC daemon. Attackers can use this service to gain information about files on the vulnerable system.
6276-TooltalkDB overflow: This signature will alarm upon detecting an rpc connection to rpc program number 100083 using procedure 103 with a buffer greater than 1024.
6277-Show Mount Recon: This signature alarms upon detecting an RPC call to show all mounts on an NFS server.
6300-Loki ICMP Tunneling: Loki is a tool designed to run an interactive session that is hidden within ICMP traffic.
6302-General Loki ICMP Tunneling: This signature fires when an imbalance of ICMP echo replies to echo requests is detected.
6350-SQL Query Abuse: This signature fires if a select query is issued using the OPENROWSET() function with an ad hoc exec statement in it.
6500-RingZero Trojan: The RingZero Trojan consists of an information transfer (ITS) agent and a port scanning (PST) agent.
6501-TFN Client Request: TFN clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential TFN commands sent from a TFN client to a server.
6502-TFN Server Reply: TFN clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential TFN commands sent from a TFN server to a client.
6503-Stacheldraht Client Request: Stacheldraht clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht client to a server.
6504-Stacheldraht Server Reply: Stacheldraht clients and servers, by default, communicate using ICMP echo reply packets. This signature looks for ICMP echo reply packets containing potential commands sent from a Stacheldraht server to a client.
6505-Trinoo Client Request: Trinoo clients communicate by default on UDP port 27444 using a default command set.
6506-Trinoo Server Reply: Trinoo servers reply to clients by default on UDP port 31335 using a default command set.
6507-TFN2K Control Traffic: TFN2K is a Distributed Denial of Service tool.
6508-Mstream Control Traffic: This signature identifies the control traffic between both the attacker <-> client (aka handler), and between the client (aka handler) <-> server (aka agent or daemon).
6901-Net Flood ICMP Reply: This signature fires when a configurable threshold for ICMP Type 0 (Echo Reply) traffic is crossed.
6902-Net Flood ICMP Request: This signature fires when a configurable threshold for ICMP Type 8 (Echo Request) traffic is crossed.
6903-Net Flood ICMP Any: This signature fires when a configurable threshold for all ICMP traffic is crossed.
6910-Net Flood UDP: This signature fires when a configurable threshold for all UDP traffic is crossed.
6920-Net Flood TCP: This signature fires when a configurable threshold for all TCP traffic is crossed.
Note: By default, signatures 6901, 6902, 6903, 6910, and 6920 are disabled. To use either or all of these signatures, first enable them, set the "Rate" parameter to zero, and run for a period of time. This is what is called diagnostic mode. They are a tremendous resource hog and should not be left on.
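The DNS query-type signatures above (6050, 6051, 6052, 6053, 6062 and 6063) can be reproduced offline for rule testing; the following is an added example, not Cisco's sensor code. The function names `build_query`, `parse_question` and `classify` are hypothetical, and the sample queries are constructed rather than captured.

```python
import struct

# QTYPE and QCLASS values from the DNS specifications.
HINFO, TXT, IXFR, AXFR, ANY, CHAOS = 13, 16, 251, 252, 255, 3

def build_query(qname, qtype, qclass=1):
    """Build a minimal DNS query (constructed sample input, not captured traffic)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (qname, qtype, qclass) for the first question, or None if malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(msg):
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):  # pointer, or label running past the packet
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None  # ran out of bytes before the root label
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def classify(msg, src_port):
    """Hypothetical helper: signature IDs from the list that one query matches."""
    q = parse_question(msg)
    if q is None:
        return []
    qname, qtype, qclass = q
    hits = []
    if qtype == HINFO:
        hits.append(6050)
    if qtype == AXFR:  # 6051 when the source port is 53, otherwise 6052
        hits.append(6051 if src_port == 53 else 6052)
    if qtype == ANY:
        hits.append(6053)
    if qtype == TXT and qclass == CHAOS and qname.lower() == "authors.bind":
        hits.append(6062)  # string match is not case sensitive
    if qtype == IXFR:
        hits.append(6063)
    return hits
```

Truncated or malformed packets return an empty list rather than raising, so the classifier can be run over raw capture payloads without pre-filtering.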