TCP Signatures 3000 Series

TCP signatures are specific to TCP activity. TCP requires a three-way handshake, and several of the signatures compare the observed traffic against that expected handshake behavior. Other activity that is examined includes scans, sweeps, and attacks that attempt to connect to systems over specific TCP ports. Some of these signatures also take into account malformed or abnormal TCP packets.

  • 3001-TCP Port Sweep: This signature fires when a series of TCP connections to a number of different privileged ports (having port number less than 1024) on a specific host have been initiated.

  • 3002-TCP SYN Port Sweep: This signature fires when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host.

  • 3003-TCP Frag SYN Port Sweep: This signature fires when a series of fragmented TCP SYN packets are sent to a number of different destination ports on a specific host.

  • 3005-TCP FIN Port Sweep: This signature fires when a series of TCP FIN packets have been sent to a number of different privileged ports (having port number less than 1024) on a specific host.

  • 3006-TCP Frag FIN Port Sweep: This signature fires when a series of fragmented TCP FIN packets have been sent to a number of different privileged destination ports (having port number less than 1024) on a specific host.

  • 3010-TCP High Port Sweep: This signature fires when a series of TCP connections to a number of different high-numbered ports (having port number greater than 1023) on a specific host have been initiated.

  • 3011-TCP FIN High Port Sweep: This signature fires when a series of TCP FIN packets have been sent to a number of different destination high-numbered ports (having port number greater than 1023) on a specific host.

  • 3012-TCP Frag FIN High Port Sweep: This signature fires when a series of fragmented TCP FIN packets have been sent to a number of different destination high-numbered ports (having port number greater than 1023) on a specific host.

  • 3015-TCP Null Port Sweep: This signature fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to a number of different destination ports on a specific host.

  • 3016-TCP Frag Null Port Sweep: This signature fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to a number of different destination ports on a specific host.

  • 3020-TCP SYN FIN Port Sweep: This signature fires when a series of TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host.

  • 3021-TCP Frag SYN FIN Port Sweep: This signature fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host.

  • 3030-TCP SYN Host Sweep: This signature fires when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts.

  • 3031-TCP Frag SYN Host Sweep: This signature fires when a series of fragmented TCP SYN packets have been sent to the same destination port on a number of different hosts.

  • 3032-TCP FIN Host Sweep: This signature fires when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts.

  • 3033-TCP Frag FIN Host Sweep: This signature fires when a series of fragmented TCP FIN packets have been sent to the same destination port on a number of different hosts.

  • 3034-TCP NULL Host Sweep: This signature fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts.

  • 3035-TCP Frag NULL Host Sweep: This signature fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts.

  • 3036-TCP SYN FIN Host Sweep: This signature fires when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts.

  • 3037-TCP Frag SYN FIN Host Sweep: This signature fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts.

  • 3038-Fragmented NULL TCP Packet: This signature fires when a single fragmented TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host.

  • 3039-Fragmented Orphaned FIN Packet: This signature fires when a single fragmented orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.

  • 3040-NULL TCP Packet: This signature fires when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host.

  • 3041-SYN/FIN Packet: This signature fires when a single TCP packet with both the SYN and FIN flags set is sent to a specific host.

  • 3042-Orphaned FIN Packet: This signature fires when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.

  • 3043-Fragmented SYN/FIN Packet: This signature fires when a single fragmented TCP packet with both the SYN and FIN flags set is sent to a specific host.

  • 3045-Queso Sweep: This signature fires after detecting a FIN, a SYN-FIN, and a PUSH sent from a specific host to a specific host.

  • 3046-NMAP OS Fingerprint: This signature looks for a unique combination of TCP packets that the NMAP tool uses to fingerprint a remote operating system.

  • 3050-Half-open SYN Attack: This signature fires when multiple TCP sessions have been improperly initiated on any of several well-known service ports.
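The single-packet flag checks (3038, 3040, 3041, 3043) and the SYN, FIN, NULL and SYN/FIN port and host sweeps (3002 through 3037, including the Frag and high-port variants) can be reduced to a small state machine. The following is an added example, not the Cisco sensor's code; the threshold of five distinct ports or hosts, the exclusion of ACK-bearing packets from the SYN and FIN classes, and the sample traffic are all assumptions.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CORE = SYN | FIN | ACK | RST   # the four flags the NULL-packet definitions name

def single_packet_sig(flags, fragmented=False):
    """Per-packet signatures: 3040/3038 (NULL) and 3041/3043 (SYN/FIN)."""
    if (flags & CORE) == 0:
        return 3038 if fragmented else 3040
    if (flags & (SYN | FIN)) == (SYN | FIN):
        return 3043 if fragmented else 3041
    return None

def flag_class(flags):
    """Map a packet to the flag class the sweep signatures are keyed on.
    Assumption (not stated on the page): packets carrying ACK are left out of
    the SYN and FIN classes so handshake replies and normal FIN/ACK teardowns
    do not count toward a sweep."""
    if (flags & CORE) == 0:
        return "null"
    if flags & SYN and flags & FIN:
        return "synfin"
    if flags & ACK:
        return None
    if flags & SYN:
        return "syn"
    if flags & FIN:
        return "fin"
    return None  # RST-only packets are not covered by these entries

# class -> fragmented? -> signature ID (FIN port sweeps depend on the port range).
HOST_SWEEP = {
    "syn":    {False: 3030, True: 3031},
    "fin":    {False: 3032, True: 3033},
    "null":   {False: 3034, True: 3035},
    "synfin": {False: 3036, True: 3037},
}
PORT_SWEEP = {
    "syn":    {False: 3002, True: 3003},
    "null":   {False: 3015, True: 3016},
    "synfin": {False: 3020, True: 3021},
}

def port_sweep_sig(cls, fragmented, privileged):
    """Port-sweep ID; FIN sweeps split into privileged (<1024) and high ports."""
    if cls == "fin":
        if privileged:
            return 3006 if fragmented else 3005
        return 3012 if fragmented else 3011
    return PORT_SWEEP[cls][fragmented]

class SweepTracker:
    """Counts distinct ports per (src, dst) and distinct hosts per (src, port).
    The page says 'a series' without a number; the threshold is an assumption."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.ports = defaultdict(set)
        self.hosts = defaultdict(set)
        self.fired = set()  # each sweep fires once per key

    def observe(self, src, dst, dport, flags, fragmented=False):
        """Return the signature IDs that this packet causes to fire."""
        fired = []
        sig = single_packet_sig(flags, fragmented)
        if sig is not None:
            fired.append(sig)
        cls = flag_class(flags)
        if cls is None:
            return fired
        privileged = dport < 1024
        # Port sweep: many ports on one host. FIN sweeps track the two port
        # ranges separately because they map to different signature IDs.
        pkey = (src, dst, cls, fragmented, privileged if cls == "fin" else None)
        self.ports[pkey].add(dport)
        if len(self.ports[pkey]) >= self.threshold and ("port", pkey) not in self.fired:
            self.fired.add(("port", pkey))
            fired.append(port_sweep_sig(cls, fragmented, privileged))
        # Host sweep: one port on many hosts.
        hkey = (src, dport, cls, fragmented)
        self.hosts[hkey].add(dst)
        if len(self.hosts[hkey]) >= self.threshold and ("host", hkey) not in self.fired:
            self.fired.add(("host", hkey))
            fired.append(HOST_SWEEP[cls][fragmented])
        return fired

def replay(packets, threshold=5):
    """Run constructed (src, dst, dport, flags, fragmented) tuples through one tracker."""
    tracker = SweepTracker(threshold)
    return [tracker.observe(*pkt) for pkt in packets]
```

Feeding five SYNs from one source to five ports on one host returns an empty list four times and `[3002]` on the fifth packet; five NULL packets to port 139 on five hosts return `[3040]` for each and `[3040, 3034]` on the last.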

  • 3100-Smail Attack: This signature fires on the very common smail attack against e-mail servers.

  • 3101-Sendmail Invalid Recipient: This signature fires on any mail message with a pipe (|) symbol in the recipient field.

  • 3102-Sendmail Invalid Sender: This signature fires on any mail message with a pipe (|) symbol in the From: field.

  • 3103-Sendmail Reconnaissance: This signature fires when expn or vrfy commands are issued to the SMTP port.

  • 3104-Archaic Sendmail Attacks: This signature fires when wiz or debug commands are sent to the SMTP port.

  • 3105-Sendmail Decode Alias: This signature fires on any mail message with decode@ in the header.

  • 3106-Mail Spam: Counts the number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded. The default maximum is 250 recipients.

  • 3107-Majordomo Execute Attack: A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.

  • 3108-MIME Overflow Bug: This signature fires when an SMTP mail message has a MIME "Content-" field that is excessively long.

  • 3109-Long SMTP Command: This signature fires when an attempt is made to pass an overly long command string to a mail server.

  • 3110-Suspicious Mail Attachment: A suspicious mail attachment was found in a mail message.

  • 3111-W32 Sircam Malicious Code: Alarms when SirCam virus e-mail attachment is sent.

  • 3111:1-W32 Sircam Malicious Code: Alarms when SirCam virus e-mail attachment is received.

  • 3112-Lotus Domino Mail Loop DoS: Alarms when a To: field in the mail is detected that is greater than 100 characters.

  • 3114-FetchMail Arbitrary Code Execution: Alarms when an e-mail command containing a list of large integers is encountered.

  • 3115-Sendmail Data Header Overflow: Alarms when an e-mail command containing a list of large integers is encountered.

  • 3116-Netbus: Alarm fires upon detecting a Netbus communications channel setup.

  • 3117-KLEZ Worm: The alarm fires when a file named gn.exe is found as an audio/x-wav attachment to an e-mail.

  • 3118-rwhoisd Format String: This signature fires upon detecting a 'soa' command sent to an rwhois server with a large argument.

  • 3119-WS_FTP STAT Overflow: This signature fires when a STAT command with an argument greater than 450 characters is detected.

  • 3120-ANTS virus: The alarm fires when an e-mail is found with the attachment ants3set.exe.

  • 3121-Vintra MailServer EXPN DoS: This signature fires when '*@' is detected as the argument to the SMTP command expn.

  • 3122-SMTP EXPN Root Recon: This signature fires when an attempt to expand the e-mail alias of the 'root' user with SMTP command expn is detected.

  • 3123-NetBus Pro Traffic: Alarm fires upon detecting a Netbus Pro communications channel setup.

  • 3124-Sendmail Prescan Memory Corruption: This signature looks for an abnormally long (1000+ characters) argument to one of the following SMTP commands. The subsignatures are:

    • SubSig 0: MAIL FROM

    • SubSig 1: RCPT TO

  • 3150-FTP Remote Command Execution: This signature fires when someone tries to execute the FTP SITE command.

  • 3151-FTP SYST Command Attempt: This signature fires when someone tries to execute the FTP SYST command.

  • 3152-FTP CWD ~root: This signature fires when someone tries to execute the CWD ~root command.

  • 3153-FTP Improper Address Specified: This signature fires if a port command is issued with an address that is not the same as the requesting host.

  • 3154-FTP Improper Port Specified: This signature fires if a port command is issued with a data port specified that is less than 1024 or greater than 65535.
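The two PORT-command checks behind entries 3153 and 3154, written over the RFC 959 `PORT h1,h2,h3,h4,p1,p2` format. This is an added example, not the Cisco signature engine; the caller supplies the requesting client's address, and the sample commands are constructed.

```python
def parse_port_command(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (address, port).

    The address octets must be 0..255; p1 and p2 are deliberately not capped,
    so an out-of-range value surfaces as a port above 65535 for the check."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    try:
        fields = [int(x) for x in arg.split(",")]
    except ValueError:
        raise ValueError("PORT argument is not numeric: %r" % arg)
    if len(fields) != 6 or any(f < 0 for f in fields):
        raise ValueError("PORT needs six non-negative numbers: %r" % arg)
    if any(f > 255 for f in fields[:4]):
        raise ValueError("address octet out of range: %r" % arg)
    address = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    return address, port


def check_port_command(line, client_address):
    """Return the signature IDs a PORT command would trigger: 3153 when the
    data address differs from the requesting client, 3154 when the data port
    is below 1024 or above 65535. An empty list means the command looks normal."""
    address, port = parse_port_command(line)
    sigs = []
    if address != client_address:
        sigs.append(3153)
    if port < 1024 or port > 65535:
        sigs.append(3154)
    return sigs
```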

  • 3155-FTP RETR Pipe Filename Command Execution: The ftp client can be tricked into running arbitrary commands supplied by the remote server.

  • 3156-FTP STOR Pipe Filename Command Execution: The ftp client can be tricked into running arbitrary commands supplied by the remote server.

  • 3157-FTP PASV Port Spoof: A possible attempt has been made to open connections through a firewall to a protected FTP server on a non-FTP port.

  • 3158-FTP SITE EXEC Format String: Affected versions of Wu-ftpd are missing some character-formatting arguments in several function calls that implement the site exec command functionality.

  • 3159-FTP PASS Suspicious Length: In order to exploit some Wu-ftpd vulnerabilities (sig3158), a malicious user must supply shell code in the password field of the ftp login.

  • 3160-Cesar FTP Buffer Overflow: Alarms when a HELP command is followed by 200 or more characters.

  • 3161-FTP realpath Buffer Overflow: This signature fires when an attempt is detected to create or delete a directory during an FTP session using a path argument containing executable machine code, also known as shellcode.

  • 3162-glFtpD LIST DoS: This signature fires when an abnormally long FTP LIST command is detected with an argument that is composed only of the character '*'.

  • 3163-wu-ftpd Heap Corruption Vulnerability: This signature fires when an unbalanced '{' is detected in FTP traffic.

  • 3164-Instant Server Mini Portal Directory Traversal: This signature fires when .../ is detected in an FTP connection.

  • 3165-FTP SITE EXEC: This alarms when a SITE EXEC command is attempted within FTP traffic. There is a potential danger if the SITE EXEC command is allowed when FTP servers are incorrectly configured.

  • 3166-FTP USER Suspicious Length: The signature fires when a longer than normal username is detected during an FTP session. This could cause a buffer overflow.

  • 3167-Format String in FTP Username: This signature fires when a percent sign (%) is detected in the username argument of an FTP login. A percent sign as part of the username indicates a format string attack.

  • 3168-FTP SITE EXEC Directory Traversal: This signature fires when a SITE EXEC command is attempted with arguments of a directory traversal (../) within the FTP traffic. There is a potential danger if the SITE EXEC command is allowed when ftp servers are incorrectly configured. Directory traversal attempts are indicators of command execution attacks.

  • 3169-FTP SITE EXEC tar: This signature fires when a SITE EXEC command is attempted with arguments of a piped tar command in the FTP traffic. There is a potential danger if the SITE EXEC command is allowed when FTP servers are incorrectly configured. Piped tar command attempts are indicators of malicious traffic.

  • 3170-WS_FTP SITE CPWD Buffer Overflow: This signature fires when it detects a SITE CPWD command with an argument greater than 100 characters in length.

  • 3171-FTP Privileged Login: The signature fires when it detects an FTP login for a privileged user (root or administrator). FTP activity with privileged users is dangerous because passwords are sent in the clear (plaintext) across the network.

  • 3172-FTP CWD Overflow: This signature fires when it detects the FTP command CWD with an abnormally long argument. This is a good sign of a buffer overflow attack.

  • 3173-Long FTP Command: Normal FTP commands may cause false positives. If you receive false positives, you can tune the signature by increasing the default value of the MinMatchLength parameter until false positives are eliminated.

  • 3174-SuperStack 3 NBX FTP DoS: This signature fires when the FTP command cel is received with more than 2048 bytes of arguments.

  • 3175-ProFTPD STAT DoS: This signature fires when an FTP STAT command has several contiguous '/*' character combinations. This is a sign of a denial of service attack.

  • 3176-Cisco ONS FTP DoS: This signature fires when a long "CEL" FTP command is detected.

  • 3200-WWW phf Attack: This signature fires when the phf attack is detected. This is an indicator that an attempt has been made to illegally access system resources.

  • 3201-Unix Password File Access Attempt: These alarms fire when any cgi-bin script attempts to retrieve password files on various operating systems. Examples of such password files are:

    • /etc/passwd (Sub ID 1)

    • /etc/shadow (Sub ID 2)

    • /etc/master.passwd (Sub ID 3)

    • /etc/master.shadow (Sub ID 4)

    • /etc/security/passwd (Sub ID 5)

    • /etc/security/opasswd (Sub ID 6)

    Signature 3201 is a good indicator that illegal attempts are being made to access system resources.

  • 3202-WWW .URL File Requested: This signature fires when a user attempts to get any .URL file. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .URL files are accessed using the HTTP GET command.

  • 3203-WWW .LNK File Requested: This signature fires when a user attempts to get any .LNK file. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .LNK files are accessed using the HTTP GET command.

  • 3204-WWW .BAT File Requested: This signature fires when a user attempts to get any .BAT file. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .BAT files are accessed using the HTTP GET command.

  • 3205-HTML File Has .URL Link: This signature fires when a file has a .URL link. This signature sends a warning to the user before he/she can click on the damaging link. Signature 3202 will fire on any attempts to click on the link, but it can cause damage before defensive measures are taken. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .URL files are accessed using the HTTP GET command.

  • 3206-HTML File Has .LNK Link: This signature fires when a file has a .LNK link. This signature sends a warning to the user before he/she can click on the damaging link. Signature 3203 will fire on any attempts to click on the link, but it can cause damage before defensive measures are taken. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .LNK files are accessed using the HTTP GET command.

  • 3207-HTML File Has .BAT Link: This signature fires when a file has a .BAT link. This signature sends a warning to the user before they can click on the damaging link. Signature 3204 will fire on any attempts to click on the link, but it can cause damage before defensive measures are taken. There is a flaw in Microsoft Internet Explorer that could allow illegal access to system resources when .BAT files are accessed using the HTTP GET command.

  • 3208-WWW Campas Attack: This signature fires when attempts are made to pass commands to the CGI program campas. A problem in the CGI program campas, included in the NCSA Web Server distribution, allows attackers to execute commands on the host machine. These commands will execute at the privilege level of the HTTP server.

  • 3209-WWW Glimpse Server Attack: This signature fires when attempts are made to pass commands to the perl script GlimpseHTTP. These could allow attackers to execute commands on the host machine. The GlimpseHTTP is an interface to the Glimpse search tool.

  • 3210-WWW IIS View Source Attack: If a request to a Microsoft IIS server is formatted in a certain way, executable files are read instead of being executed. Passwords, scripts, and database information can be revealed. Analysis of the scripts could turn up vulnerabilities. This signature fires when a request is made to an HTTP server attempting to view the source.

  • 3211-WWW IIS Hex View Source Attack: If a request to a Microsoft IIS server is formatted in a certain way, executable files are read instead of being executed. Passwords, scripts, and database information can be revealed. Analysis of the scripts could turn up vulnerabilities. This signature fires when a request is made to an HTTP server with an embedded escape code, %2E, in place of a ".". This is a sign someone is trying to view the source of a protected web page script.

  • 3212-WWW NPH-TEST-CGI Attack: This signature fires when attempts are made to view directory listings with the script nph-test-cgi. Some but not all HTTP servers include this script. The script can be used to list directories on a server. This script is for testing purposes and should be removed on production servers.

  • 3213-WWW TEST-CGI Attack: This signature fires when attempts are made to view directory listings with the script test-cgi. Some but not all HTTP servers include this script. The script can be used to list directories on a server. This script is for testing purposes and should be removed on production servers.

  • 3214-IIS DOT DOT VIEW Attack: This signature fires on attempts to view files above the chrooted directory using Microsoft IIS. The result of this attack is the viewing of files not intended for public access. The chroot directory is supposed to be the topmost directory to which HTTP clients have access.

  • 3215-IIS DOT DOT EXECUTE Attack: Fires on attempts to cause Microsoft IIS to execute commands. Valid URL requests can cause false positives. Verify the target system from where the signature is firing to see if it is vulnerable.

  • 3216-WWW Directory Traversal ../..: This signature fires when attempts to traverse directories on the web server using "../.." are detected. This is a sign attempts are being made to gain access to files and directories outside the root directory of the Web server.

  • 3217-WWW PHP View File Attack: This signature fires when someone attempts to use the PHP cgi-bin program to view a file. This is an indicator illegal attempts are being made to access system resources.

  • 3218-WWW SGI Wrap Attack: This signature fires on attempts to view or list files using a program called wrap, which was distributed with the IRIX Web Server. There could be legitimate uses that cause false positives; validate its use.

  • 3219-WWW PHP Buffer Overflow: This signature fires when an oversized query is sent to the PHP cgi-bin program. This is an indicator of a buffer overflow attack to gain system access.

  • 3220-IIS Long URL Crash Bug: This fires when a large URL is sent to a Web server in an attempt to crash the system.

  • 3221-WWW cgi-viewsource Attack: This signature fires when someone attempts to use the cgi-viewsource script to view files above the HTTP root directory.

  • 3222-WWW PHP Log Scripts Read Attack: This signature fires when someone attempts to use the PHP scripts mlog or mylog to view files on a machine.

  • 3223-WWW IRIX cgi-handler Attack: This signature fires when someone attempts to use the cgi-handler script to execute commands.

  • 3224-HTTP WebGais: This signature fires when someone attempts to use the webgais script to run arbitrary commands.

  • 3225-WWW websendmail File Access: This signature fires when unauthorized attempts are made to read a file using the websendmail CGI program.

  • 3226-WWW Webdist Bug: This signature fires when attempts are made to use the webdist program. False positive alarms will fire from legitimate use of the webdist program.

  • 3227-WWW Htmlscript Bug: This signature fires when attempts are made to view files above the HTML root directory.

  • 3228-WWW Performer Bug: This signature fires when attempts are made to view files above the HTML root directory.

  • 3229-Website Win-C-Sample Buffer Overflow: This signature fires when attempts are made to access the win-c-sample program in the Web site server distribution. Testing new Web site servers or upgrades using the win-c-sample program can cause false positives. This script is for testing purposes and should be removed on production servers.

  • 3230-Web Site Uploader: This signature fires when attempts are made to access the uploader program in the Web site server distribution.

  • 3231-Novell Convert: This signature fires when a user has attempted to view files illegally using the convert.bas program included with the Novell web server distribution.

  • 3232-WWW finger attempt: This signature fires when an attempt is made to run the finger.pl program using the http server. Legitimate use can cause false positives. Unneeded CGI scripts should be removed from the cgi-bin directory.

  • 3233-WWW count-cgi Overflow: This signature fires when attempts are made to cause a buffer overflow in the cgi count program.

  • 3250-TCP Hijack: This signature fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP Hijacking is used to gain illegal access to system resources. False positives are possible.

  • 3251-TCP Hijacking Simplex Mode: This signature fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP Hijacking is a method used to gain illegal access to system resources. Simplex mode means that only one command is sent, followed by a connection RESET packet. This is the discriminating factor between signature 3251 and 3250. False positives are possible. The most common network event that may trigger this signature is an idle telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event. If it is successfully launched it could lead to serious consequences, including system compromise. The source of these alarms should be investigated thoroughly before any actions are taken. Consultation with a security professional is recommended to assist in the investigation.

  • 3300-NetBIOS OOB Data: This signature fires when an attempt to send data Out Of Band to port 139 is detected. This can be used to crash Windows machines.

  • 3303-Windows Guest Login: When a client establishes a connection to an SMB server (WinNT or Samba), it provides an account name and password for authentication. If the server does not recognize the account name, it may log the user in as a guest; this signature fires when that happens. This is optional behavior by the server, and guest privileges should be limited. As a general security precaution, users should not be allowed access as guest.

  • 3305-Windows Password File Access: This signature fires when a client attempts to access a .PWL file on Windows 95 or other servers. The .PWL file is the password file.

  • 3306-Windows Registry Access: This signature fires when a client attempts to access the registry on the Windows server. False positives are possible because every attempt to access the registry will cause an alarm to fire.

  • 3307-Windows RedButton Attack: This signature fires when the RedButton tool is run against a server. The tool is used to show the security flaw in Windows NT 4.0 that allows remote registry access without a valid user account.

  • 3308-Windows LSARPC Access: This signature fires when an attempt has been made to access the LSARPC service on a Windows system. When the source is from an external source, the traffic should be considered suspect. LSARPC can be used to gather system information that would be useful in launching subsequent attacks.

  • 3309-Windows SRVSVC Access: This signature fires when an attempt is made to access the SRVSVC on a Windows system. SRVSVC may be used to gather system information that would be useful in launching subsequent attacks.

  • 3310-Netbios Enum Share DoS: This signature fires when a malformed netbios enum share packet is detected.

  • 3311-SMB: Remote SAM Service Access Attempt: This signature fires when an attempt has been made to access the SAM security service on a Windows system. This service may be used to gather system information that would be useful in launching subsequent attacks. This is normal traffic on Windows networks and is included as an informational signature.


    Note

    Signature 3311 is only available in Cisco IDS versions 4.0 and newer.

  • 3312-SMB .EML E-mail File Remote Access: This signature fires on any attempt to create or open a remote file with a .EML file extension. The NIMDA worm and variants drop files with the .EML e-mail file extension on open remote shares.


    Note

    Signature 3312 is only available in Cisco IDS versions 4.0 and newer.

  • 3313-SMB Suspicious Password Usage: This signature fires because the client portion of an SMB login or authentication transaction uses passwords in the clear.


    Note

    Signature 3313 is only available in Cisco IDS versions 4.0 and newer.

  • 3314-Windows Locator Service Overflow: This signature fires when attempts are made to pass an extremely long name to the Windows Locator service. This is a sign of a buffer overflow attack. Normal SMB traffic can cause false positives. In most cases only domain controllers are vulnerable.

  • 3320-SMB: ADMIN$ Hidden Share Access Attempt: This signature fires when attempts are made to connect to the hidden Windows administration share ADMIN$. This share point does not appear in normal browsing, and access attempts are indicators that an attempt to break into the system is occurring.


    Note

    Signature 3320 is only available in Cisco IDS versions 4.0 and newer.

  • 3321-SMB: User Enumeration: A Microsoft Remote Procedure Call (MSRPC) system call has been made to enumerate the users on the target machine. This is normal Windows NT/2000/XP network activity. It should be considered suspect if it occurs from a source outside of your network.


    Note

    Signature 3321 is only available in Cisco IDS versions 4.0 and newer.

  • 3322-SMB: Windows Share Enumeration: A remote network call has been made to Microsoft Windows' built-in resource enumeration interface. This interface is used to browse or otherwise enumerate resources being advertised to the network. Normal Windows browsing will cause false positives. It should be considered suspect if it occurs from a source outside of your network.


    Note

    Signature 3322 is only available in Cisco IDS versions 4.0 and newer.

  • 3323-SMB: RFPoison Attack: This signature fires when a specially malformed share enumeration request is made. The attacker can cause the Service Control Manager (Server service) to misbehave and access illegal memory areas. The result is the Server service being terminated, creating a denial of service through the loss of remote services on the affected machine, including services that use named pipes.


    Note

    This signature is only available in Cisco IDS versions 4.0 and newer.

  • 3324-SMB NIMDA infected file transfer: The NIMDA worm creates a file named desktop.eml on remotely accessible shares as a means of propagation. This signature fires when an attempt is made to create or open a remote file with the specific name desktop.eml. False positives can be generated only when a remote file with the name desktop.eml is accessed.


    Note

    Signature 3324 is only available in Cisco IDS versions 4.0 and newer.

  • 3325-Samba call_trans2open Overflow: This signature fires when a buffer overflow attempt to exploit the call_trans2open function of Samba is detected.

  • 3326-Windows Startup Folder Remote Access: This signature fires when the Windows startup folder is accessed over SMB. Many Internet worms copy themselves into the startup folder as a way to propagate. A machine that is generating a lot of these alarms is a good indicator that it is infected with an Internet worm.

  • 3327-Windows RPC DCOM Overflow: This signature fires when a potential buffer overflow attempt against a Windows DCOM RPC service is detected. This could be an indicator that there has been a system compromise. The subsignatures are:

    • SubSig 0: \00\<400>\ port 135 TCP

    • SubSig 1: \00\<400>\ port 135 UDP

    • SubSig 2: RPC over SMB, overflow packet, port 139

    • SubSig 3: RPC over SMB, overflow packet, port 445

  • 3328-Windows SMB/RPC NoOp Sled: This signature fires when 10 or more consecutive hexadecimal "90" bytes (Intel NoOp assembly instructions) are seen in TCP-based Windows SMB / RPC traffic. This activity is an indicator of a buffer overflow attack.

  • 3400-Sunkill: This signature fires when an attempt is made to cause the telnetd server to lock up. This will catch the program known as sunkill.

  • 3401-Telnet-IFS Match: Fires when an attempt to change the IFS to / is made during a telnet session. This is an indicator that an attempt is being made to gain unauthorized access to system resources.

  • 3402-BSD Telnet Daemon Buffer Overflow: This signature fires when an abnormally long 'New Environment Variable' telnet option is detected. Telnet daemons derived from the BSD source contain a buffer overflow in the handling of telnet options.

  • 3403-Telnet Excessive Environment Options: This signature fires when an excessive number of environment variables are exchanged during a telnet session.

  • 3404-SysV /bin/login Overflow: This signature fires when an excessive number of environment variables are sent to the 'login' program during a telnet session.

  • 3405-Avirt Gateway Proxy Buffer Overflow: This signature fires when a string over 400 bytes containing a LoadLibraryRef call is detected in a Telnet session.

  • 3406-Solaris TTYPROMPT /bin/login Overflow: This signature fires when the environmental variable TTYPROMPT is detected during the negotiation of telnet options. This variable should not be seen on the network and should be considered an indicator of a buffer overflow attack.

  • 3450-Finger Bomb: This signature fires when it detects a finger bomb attack. This particular attack attempts to crash a finger server by issuing a finger request that contains multiple "@" characters. If the finger server allows forwarding, then the multiple @s will cause the finger server to recursively call itself and use up system resources.

  • 3451-BearShare Directory Traversal: This signature fires if a directory traversal (......) is sent on TCP port 6346.

  • 3452-gopherd halidate Overflow: This signature fires when a request "halidate <600+characters>" is sent to a gopher server.

  • 3453-MS NetMeeting RDS DoS: This signature fires when a large number of NULL bytes are detected being sent to the Microsoft NetMeeting Remote Desktop Sharing server port (TCP 1720). Legitimate traffic could cause false positives.


    Note

    HTTP traffic is the normal cause for this signature to misfire, but other protocols can also cause it to fire. This issue will be corrected in version 4.0 of the sensor.

  • 3454-Check Point Firewall Information Leak: This signature fires when a TCP request to port 256 or 264 is detected with topologyrequest. Authenticated requests can also cause the signature to fire.

  • 3455-Java Web Server Cmd Exec: This signature fires if /servlet/com.sun.server.http.pagecompile.jsp92.jspservlet is accessed. Administrators can cause false positives by accessing this file.

  • 3456-Solaris in.fingerd Information Leak: This signature fires when an attempt to retrieve excessive information using the finger protocol is detected. SubSig 0: 'a b c d e f g h'@sunhost. SubSig 1: 0@sunhost.

  • 3457-Finger Root Shell: This alarm will fire upon detecting the string cmd_rootsh in finger traffic. cmd_rootsh is a backdoor known to run on the finger port.

  • 3458-AIM Game Invite Overflow: This signature alarms upon detecting an unusually long online game invite using AOL instant messenger.

  • 3459-ValiCert Forms.exe Overflow: This signature fires upon detecting a large argument value sent to the file forms.exe on port 13333.

  • 3460-AVTronics InetServer Buffer Overflow: This signature fires when a TCP string containing "Authentication Basic" is followed by more than 125 characters.

  • 3461-Finger Probe: This signature alarms upon detecting a zero '0' sent to a finger port. This type of activity is indicative of finger probing. Since finger is a useful recon tool for attackers a finger probe is commonly sent to detect active finger daemons.

  • 3462-Finger Redirect: This signature alarms upon detecting an at sign '@' in a finger request. An '@' in a finger request means a finger redirect is occurring. A finger redirect should not be seen on today's networks, as finger is a dangerous recon tool for attackers.

  • 3463-Finger Root: This signature fires when root is fingered. This type of activity is a good indicator that an attacker is trying to gather recon information for use in future attacks.

  • 3464-File Access in Finger: This signature fires upon detecting the string /etc/ on the finger port. There is no reason /etc/ would be seen in normal finger usage; this indicates backdoor activity on the finger port.

  • 3465-Finger Activity: This signature fires upon detecting network traffic using the finger service.
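
The finger signatures above (3450, 3456, 3457 and 3461 through 3465) are all conditions on the single request line a finger client sends, so they can be evaluated together. The following is an added example written for this page, not the sensor's own code: a classifier that strips the RFC 1288 /W switch, splits the user from any forwarding hosts at '@' and returns every signature (with the SubSig where the page defines one) that the request line would fire. BOMB_AT_COUNT and the sample requests are assumptions made for illustration; the page only says "multiple" @ characters.

```python
# Added example (not Cisco's signature engine): classify one finger request
# line against signatures 3450, 3456, 3457 and 3461 through 3465.
FINGER_PORT = 79
BOMB_AT_COUNT = 4   # assumed: this many '@' hops in one request counts as a bomb (3450)


def classify_finger_request(payload: bytes):
    """Return [(signature, subsig)] the request would fire; subsig is None
    where the page defines no SubSigs. Only the first line is inspected."""
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    text = line.decode("latin-1")
    hits = [(3465, None)]                     # 3465: any finger traffic at all
    query = text
    if query.upper().startswith("/W"):        # RFC 1288 verbose switch
        query = query[2:].lstrip()
    user, _, _hosts = query.partition("@")
    user = user.strip()
    hops = query.count("@")
    if "cmd_rootsh" in text:                  # 3457: known backdoor on port 79
        hits.append((3457, None))
    if "/etc/" in text:                       # 3464: file access over finger
        hits.append((3464, None))
    if hops >= BOMB_AT_COUNT:                 # 3450: finger bomb
        hits.append((3450, None))
    if hops >= 1:                             # 3462: finger redirect/forwarding
        hits.append((3462, None))
    if hops and user.strip("'\"") == "a b c d e f g h":
        hits.append((3456, 0))                # 3456 SubSig 0: Solaris in.fingerd leak
    if hops and user == "0":
        hits.append((3456, 1))                # 3456 SubSig 1: Solaris in.fingerd leak
    if not hops and user == "0":
        hits.append((3461, None))             # 3461: finger probe
    if user == "root":
        hits.append((3463, None))             # 3463: root fingered
    return hits


def scan_finger_traffic(packets):
    """packets: iterable of (dst_port, payload); only port 79 is inspected."""
    return [(dst, classify_finger_request(p)) for dst, p in packets if dst == FINGER_PORT]


# Constructed sample requests, not captures.
SAMPLES = [
    (79, b"/W alice\r\n"),                      # ordinary verbose lookup
    (79, b"root\r\n"),                          # 3463
    (79, b"0\r\n"),                             # 3461
    (79, b"0@sunhost\r\n"),                     # 3462 + 3456 SubSig 1
    (79, b"'a b c d e f g h'@sunhost\r\n"),     # 3462 + 3456 SubSig 0
    (79, b"@@@@@@@@@@@@@@@@@@@@@@@@\r\n"),      # 3450 + 3462
    (79, b"cmd_rootsh\r\n"),                    # 3457
    (79, b"/etc/passwd\r\n"),                   # 3464
    (80, b"GET / HTTP/1.0\r\n"),                # not finger, ignored
]

if __name__ == "__main__":
    for dst, hits in scan_finger_traffic(SAMPLES):
        print(dst, hits)
```

The ordering matters for triage: 3462 fires on any forwarding request, so a bomb (3450) always arrives together with a redirect, and the two Solaris leak SubSigs are only meaningful when a host part is present. Port matching alone is what 3465 amounts to, which is why it is the noisiest of the set.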

  • 3500-Rlogin -froot Attack: This signature fires when an attempt to rlogin with the argument -froot has been made. A flaw in some rlogin implementations allows unauthorized root access, and a system compromise could be the result.

  • 3501-Rlogin Long TERM Variable: This signature fires when an excessively long TERM environment variable is detected during the negotiation of an rlogin session.

  • 3502-rlogin Activity: This signature fires upon detecting network activity destined to the rlogin port (513).
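
All three rlogin signatures act on the connection request the client sends first: a NUL byte, then the client user name, the server user name and the terminal type/speed, each NUL-terminated (RFC 1282). The following is an added example written for this page, not the sensor's own code: it parses that request and applies the port check (3502), the -froot check (3500) and the TERM length check (3501). MAX_TERM_LEN, the sample segments and the choice to treat any -f<user> the same way as -froot are assumptions made for illustration.

```python
# Added example (not Cisco's signature engine): parse the rlogin connection
# request and apply the checks described for 3500, 3501 and 3502.
RLOGIN_PORT = 513
MAX_TERM_LEN = 64    # assumed: a longer terminal type is "excessively long" (3501)


def parse_rlogin_request(payload: bytes):
    """Return (client_user, server_user, term_type, speed) from an rlogin
    connection request, or None if the request is not complete."""
    if not payload.startswith(b"\x00"):
        return None
    parts = payload[1:].split(b"\x00")
    if len(parts) < 4:                     # three NUL-terminated fields required
        return None
    client_user, server_user, term_spec = parts[0], parts[1], parts[2]
    term_type, _, speed = term_spec.partition(b"/")
    return client_user, server_user, term_type, speed


def check_rlogin(dst_port: int, payload: bytes):
    """Return the signature ids fired by one client->server rlogin segment."""
    alerts = []
    if dst_port != RLOGIN_PORT:
        return alerts
    alerts.append(3502)                    # 3502: any traffic to the rlogin port
    req = parse_rlogin_request(payload)
    if req is None:
        return alerts                      # no complete request to inspect yet
    client_user, server_user, term_type, _speed = req
    # 3500: the page's case is the literal "-froot" in the user name. Matching
    # any "-f<user>" prefix (an assumption here) also catches the same trick
    # aimed at another account, since it is login's -f switch that is abused.
    if server_user.startswith(b"-f") or client_user.startswith(b"-f"):
        alerts.append(3500)
    if len(term_type) > MAX_TERM_LEN:      # 3501: long TERM variable
        alerts.append(3501)
    return alerts


# Constructed sample segments, not captures.
SAMPLES = [
    (513, b"\x00alice\x00alice\x00xterm/38400\x00"),                   # normal
    (513, b"\x00alice\x00-froot\x00xterm/38400\x00"),                  # 3500
    (513, b"\x00alice\x00alice\x00" + b"A" * 200 + b"/9600\x00"),      # 3501
    (513, b"\x00alice\x00alice"),                                      # truncated
    (22, b"SSH-2.0-OpenSSH\r\n"),                                      # not rlogin
]

if __name__ == "__main__":
    for dst, payload in SAMPLES:
        print(dst, check_rlogin(dst, payload))
```

The request is only parsed once all three fields have arrived, so a client that drips the request byte by byte produces 3502 on the first segment and 3500 or 3501 only after reassembly; a sensor that matches per packet would miss the split case.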

  • 3525-IMAP Authenticate Buffer Overflow: This signature fires on receipt of packets bound for port 143 that are indicative of an attempt to overflow a buffer in the IMAP daemon. This is an indicator of an attempt to gain unauthorized access to system resources.

  • 3526-Imap Login Buffer Overflow: This signature fires on receipt of packets bound for port 143 that are indicative of an attempt to overflow the imapd login buffer. This is an indicator of an attempt to gain unauthorized access to system resources.

  • 3530-Cisco Secure ACS Oversized TACACS+ Attack: This signature fires when an oversized TACACS+ packet is sent to certain Cisco Secure ACS for NT versions and causes the server to crash. False positives can occur when hosts use the pluggable authentication module (PAM) pam_tacacs for authentication.

  • 3540-Cisco Secure ACS CSAdmin Attack: This signature fires when a large request is made to the CSAdmin service which listens on TCP port 2002.

  • 3550-POP Buffer Overflow: This signature fires on receipt of packets bound for port 110 that are indicative of an attempt to overflow the POP daemon user buffer. This is an indicator of an attempt to gain unauthorized access to system resources.

  • 3551-POP User Root: This signature will fire when 'ROOT' is used as the user name to authenticate with POP3 mail server.

  • 3575-INN Buffer Overflow: This signature fires when an attempt is made to overflow a buffer in the Internet News Server.

  • 3576-INN Control Message Exploit: This signature fires when an attempt is made to execute arbitrary commands using a news control message.

  • 3600-IOS Telnet Buffer Overflow: This signature fires on receipt of packets bound for port 23 of a Cisco router that are indicative of an attempt to crash the router by overflowing an internal command buffer. This is an indicator of an attempt to gain unauthorized access to system resources.

  • 3601-IOS Command History Exploit: This signature fires on an attempt to force a Cisco router to reveal prior users command history.

  • 3602-Cisco IOS Identity: This signature fires if someone attempts to connect to port 1999 on a Cisco router. This port is not enabled for access.

  • 3603-IOS Enable Bypass: This signature fires when a successful attempt to gain privileged access to a Cisco Catalyst switch has been detected. Verify the configuration on the switch in question and ensure that the latest IOS release is installed.

  • 3604-Cisco Catalyst CR DoS: This signature fires upon detecting a carriage return as the first character sent to TCP port 7161.

  • 3650-SSH RSAREF2 Buffer Overflow: A buffer overflow is present in versions of SSH1 up to and including 1.2.27 that are compiled with the --with-rsaref option. During key exchange, the RSAREF2 library does not bounds-check the key length. The overflow can occur on either the client or the server.

  • 3651-SSH CRC32 Overflow: This signature fires upon detecting an SSH CRC32 overflow attempt.

  • 3652-SSH Gobbles: This signature fires when a Gobbles exploit of the OpenSSH vulnerability is detected.

  • 3700-CDE dtspcd overflow: This signature will fire if a buffer overflow attack to the CDE sub-process control daemon (dtspcd) on TCP port 6112 is detected.

  • 3701-Oracle 9iAS Web Cache Buffer Overflow: This signature fires when an excessively long HTTP GET request is detected bound for the default Oracle Web Cache port. Legitimate traffic can cause false positives.


    Note

    HTTP traffic is the normal cause for this signature to misfire, but other protocols can also cause it to fire. This issue will be corrected in version 4.0 of the sensor.

  • 3702-Default sa account access: This signature fires when an attempt to log in to a MSSQL server with the default sa account is detected.

  • 3703-Squid FTP URL Buffer Overflow: This signature fires when malicious username and password arguments are detected being supplied as part of a proxied FTP request.

  • 3704-IIS FTP STAT Denial of Service: This signature will fire if an FTP 'STAT' command with an unusually long argument is detected.

  • 3705-Tivoli Storage Manager Client Acceptor Overflow: This signature fires when an excessively long URL request destined for TCP port 1581 is detected. Legitimate traffic can cause false positives.


    Note

    HTTP traffic is the normal cause for this signature to misfire, but other protocols can also cause it to fire. This issue will be corrected in version 4.0 of the sensor.

  • 3706-MIT PGP Public Key Server Overflow: This signature fires when an excessively long search parameter is detected being sent to a PGP key server on TCP port 11371. It can cause false positives from a web session using port 11371 as its ephemeral port.

  • 3707-Perl fingerd Command Exec: This signature fires when shell meta-characters are detected in a finger request.

  • 3708-AnalogX Proxy Socks4a DNS Overflow: This signature fires upon detecting a SOCKS4 proxy request with an overflow in the DNS field.

  • 3709-AnalogX Proxy Web Proxy Overflow: This signature fires upon detecting a web proxy request with an overflow in the URI field sent to port 6588.

  • 3710-Cisco Secure ACS Directory Traversal: This signature fires upon detecting two or more slashes (//) in an HTTP request sent to port 9090.

  • 3711-Informer FW1 auth replay DoS: This signature fires on 32 ASCII zeros, followed by the string 'rand', a 0x01 byte, and the string 'sign'.

  • 3714-Oracle TNS 'Service_Name' Overflow: This signature fires upon detecting an abnormally long value sent to the parameter Service_Name on the Oracle TNS Listener port (TCP 1521).
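
The Service_Name value that 3714 measures travels inside the connect data of a TNS CONNECT packet, so the sensor has to find that data before it can measure anything. The following is an added example written for this page, not the sensor's or Oracle's code: it reads the TNS header (packet length, type), locates the connect data through the length and offset fields of the CONNECT packet (at bytes 24 and 26 of the packet, after the 8-byte header and eight 2-byte fields) and measures every SERVICE_NAME value in the descriptor. MAX_SERVICE_NAME, the builder build_tns_connect and the sample packets are assumptions made for illustration.

```python
# Added example (not Cisco's signature engine, not Oracle code): extract the
# connect data from a TNS CONNECT packet and apply the check described for 3714.
import re
import struct

TNS_PORT = 1521
TNS_CONNECT = 1                  # packet type, header byte 4
MAX_SERVICE_NAME = 256           # assumed threshold for "abnormally long"
SERVICE_NAME_RE = re.compile(rb"\(\s*SERVICE_NAME\s*=\s*([^()]*)\)", re.IGNORECASE)


def parse_tns_connect(packet: bytes):
    """Return the connect data (the (DESCRIPTION=...) string) of a complete
    TNS CONNECT packet, or None if this is not one."""
    if len(packet) < 28:
        return None
    pkt_len, _chk, ptype, _res, _hchk = struct.unpack(">HHBBH", packet[:8])
    if ptype != TNS_CONNECT or pkt_len > len(packet):
        return None                            # not CONNECT, or not all captured
    data_len, data_off = struct.unpack(">HH", packet[24:28])
    if data_off < 28 or data_off + data_len > len(packet):
        return None                            # claimed data runs past the packet
    return packet[data_off:data_off + data_len]


def check_tns_service_name(dst_port: int, packet: bytes):
    """Return [(3714, value_length)] for each oversized SERVICE_NAME value."""
    if dst_port != TNS_PORT:
        return []
    connect_data = parse_tns_connect(packet)
    if connect_data is None:
        return []
    return [(3714, len(m.group(1)))
            for m in SERVICE_NAME_RE.finditer(connect_data)
            if len(m.group(1)) > MAX_SERVICE_NAME]


def build_tns_connect(connect_data: bytes) -> bytes:
    """Construct a TNS CONNECT packet around connect_data (sample input only).
    Checksums are left zero, as they commonly are on the wire."""
    offset = 58
    body = struct.pack(">HHHHHHHHHHI",
                       0x0136, 0x012C,           # version, compatible version
                       0x0000, 2048, 32767,      # service options, SDU, TDU
                       0x4F98, 0x0000, 0x0001,   # NT characteristics, turnaround, one
                       len(connect_data), offset, 2048)
    body += b"\x41\x41" + b"\x00" * 16           # connect flags, trace items
    body += b"\x00" * (offset - 8 - len(body))   # pad up to the data offset
    header = struct.pack(">HHBBH", offset + len(connect_data), 0, TNS_CONNECT, 0, 0)
    return header + body + connect_data


# Constructed samples, not captures.
BENIGN = build_tns_connect(
    b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=client)(USER=alice)))"
    b"(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521)))")
OVERSIZED = build_tns_connect(
    b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=" + b"A" * 1200 + b"))"
    b"(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.5)(PORT=1521)))")

if __name__ == "__main__":
    print(check_tns_service_name(1521, BENIGN))      # []
    print(check_tns_service_name(1521, OVERSIZED))   # [(3714, 1200)]
```

The length and offset fields are trusted only after they are checked against the bytes actually captured, so a crafted header cannot make the checker read beyond the packet. In practice an Oracle client that has a long connect string may send a CONNECT with zero connect data and put the descriptor in the packet that follows, so a sensor that only reads the CONNECT packet can miss exactly the oversized case; the check should also be run over the reassembled stream.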

  • 3728-Long pop username: This signature fires upon detecting a long USER argument (80+ chars) sent to a POP server.

  • 3729-Long pop password: This signature fires upon detecting a long PASS argument sent to a POP server.

  • 3730-Trinoo (TCP): This signature fires upon detecting the string "trinoo" or "betaalmostdone" on any well-known Trinoo TCP port. SubSig 0: traffic to the Trinoo service. SubSig 1: traffic from the Trinoo service. SubSig 2: traffic to the Trinoo service. SubSig 3: traffic from the Trinoo service.


    Note

    SubSigs 2 and 3 are IDS 3.1 version sensor signatures and only detect the string "betaalmostdone".

  • 3731-IMail HTTP Get Buffer Overflow: This signature fires when an HTTP GET request is made to port 8383 with a URI longer than 96 bytes.

  • 3732-MSSQL xp_cmdshell Usage: This signature fires when an attempt to use the MSSQL 'xp_cmdshell' stored procedure is detected. This is an indicator that an attempt has been made to execute unauthorized commands on a MSSQL server. Administrators using the 'xp_cmdshell' stored procedure can cause false positives.

  • 3990-BackOrifice BO2K TCP Non Stealth: This signature fires when non-stealth traffic of the BO2K toolkit is detected.

  • 3991-BackOrifice BO2K TCP Stealth 1: Stealth type 1 indicates XOR encryption is being used. The signature fires when stealth-mode (covert) activity on the part of an attacker is detected. Administrators can generate this alarm, but the activity should always be considered suspect.

  • 3992-BackOrifice BO2K TCP Stealth 2: Stealth type 2 indicates an encryption other than XOR is being used. The signature fires when stealth-mode (covert) activity on the part of an attacker is detected. Administrators can generate this alarm, but the activity should always be considered suspect.