UDP signatures 4000 series

The 4000 series is specific to UDP. Just to refresh your memory, UDP is an unreliable protocol. UDP packets are a "send and pray" type of packet: you never know whether they made it to their destination or not. Many of these signatures can cause enormous amounts of logs. Cisco has disabled most of these by default. Make sure you analyze your traffic before enabling them.

4001-UDP Port Sweep: This signature fires when a series of UDP connections to a number of different destination ports on a specific host have been initiated. This is an indicator of a reconnaissance sweep of your network. Be alert to potentially more serious attacks.

4002-UDP Flood

4003-Nmap UDP Port Sweep: This signature fires when a series of UDP connections to several different privileged ports (port number <>

4050-UDP Bomb: This signature fires when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt. Remember there is not any legitimate use for malformed packets.

4051-Snork: This signature fires when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected. If you have Windows applications that are using port 135, they should be excluded from firing this signature.

4052-Chargen DoS: This signature fires when a UDP packet is detected with a source port of 7 and a destination port of 19.

4053-Back Orifice: This signature fires when the IDS detects traffic coming from the Back Orifice server that is running on the network.

Note: Back Orifice is a "backdoor" program that can be installed on a Microsoft Windows 95 or Windows 98 system, allowing remote control of the system.

4054-RIP Trace: This signature fires when TRACEON or TRACEOFF commands are enabled for the packet.

4055-BackOrifice BO2K UDP: BO2K UDP mode is a basic configuration of BackOrifice. Seeing this traffic indicates a non-stealth use of the BO2K toolkit.

4056-NTPd readvar overflow: This signature will fire if a readvar command is seen with ntp data that is too large for the ntp daemon to capture.

4058-UPnP LOCATION Overflow: This signature alarms upon detecting a large location request sent to a UPnP device.

4060-Back Orifice Ping: Alarms when a BO Ping detector is used to scan a network.

4061-Chargen Echo DoS: This signature detects packets destined for port 7 UDP, which is the echo port, with the chargen service port 19 as the source. This results in the contents of the packet being "echoed" back to the source IP address, which may be spoofed.
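The header-only checks described for signatures 4050, 4051, 4052 and 4061, written out as an added example (this is not Cisco's sensor code). It assumes the 4050 length check compares the UDP length field with the IP payload length (total length minus IP header); `build_packet`, `match_signatures` and `snork_excluded` are hypothetical names, and the packets are constructed samples.

```python
import struct

def build_packet(sport, dport, payload=b"", udp_len=None, src="192.0.2.10"):
    """Constructed sample: 20-byte IPv4 header (no options) plus UDP header."""
    real_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport,
                      real_len if udp_len is None else udp_len, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_b, bytes([192, 0, 2, 20]))
    return ip + udp

def match_signatures(packet, snork_excluded=()):
    """Return the signature IDs one raw IPv4 packet would trigger."""
    if len(packet) < 20:
        return []
    ver_ihl, _, total_len = struct.unpack("!BBH", packet[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return []  # not IPv4/UDP, or cut off before the UDP header ends
    src = ".".join(str(b) for b in packet[12:16])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    hits = []
    # 4050 UDP Bomb: UDP length field smaller than the IP payload (assumed comparison)
    if udp_len < total_len - ihl:
        hits.append(4050)
    # 4051 Snork: source port 135, 7 or 19 to destination port 135,
    # skipping hosts excluded because they run Windows services on port 135
    if dport == 135 and sport in (135, 7, 19) and src not in snork_excluded:
        hits.append(4051)
    # 4052 Chargen DoS: echo (7) as source, chargen (19) as destination
    if sport == 7 and dport == 19:
        hits.append(4052)
    # 4061 Chargen Echo DoS: chargen (19) as source, echo (7) as destination
    if sport == 19 and dport == 7:
        hits.append(4061)
    return hits
```

Passing the addresses of known Windows hosts in `snork_excluded` models the exclusion the 4051 description recommends.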

4100-Tftp Passwd File: Fires on an attempt to access the passwd file using TFTP. This signature is a good indicator that an attempt to gain unauthorized access to system resources is occurring.

4101-Cisco TFTPD Directory Traversal: Alarms when a TFTP request is made by appending ../ to the pathname.

4150-Ascend Denial of Service: This signature fires when an attempt has been made to send a maliciously malformed command to an Ascend router in an attempt to crash the router.

4500-Cisco IOS Embedded SNMP Community Names: Certain versions of Cisco IOS contain embedded community names that could possibly allow a remote attacker to view, modify, or both, SNMP MIB variables. This could lead to a denial-of-service attack or complete system compromise. There are two different Cisco product advisories regarding the community names. Make sure you review those for more information.

Note: The first embedded community name "ILMI" is a read-write community name that allows access to the MIB-II System MIB and various ATM-related MIBs. Remote users can modify SNMP variables such as the system name, contact, and location, and many of the ATM interface variables.

The second embedded community name "cable-docsis" is a read-write community string that was introduced as part of the support for the DOCSIS cable-industry standard. It allows a remote user to modify or view any SNMP variable on the affected system, including being able to retrieve the system configuration.

4501-Cisco CVCO/4K Remote Username/Password return: This signature detects attempts to access the list of system usernames and passwords on a Cisco Virtual Central device using SNMP. The passwords are encrypted with a trivial encoding scheme. This signature fires when an SNMP OID fragment is detected.

4502-SNMP Password Brute Force Attempt: This signature detects attempts to brute-force guess community names. A threshold (default of 5) is set, and the signature fires when more than this threshold of different community names between a source and destination is detected in a specified time interval.

4503-SNMP NT Info Retrieve: This signature fires when an attempt to gain access to sensitive information about a certain Windows NT system is made. There are two SubSigIds associated with signature 4503. SubSigId 0 fires when an attempt is made to enumerate the list of usernames with SNMP OID . SubSigId 1 fires when an attempt is made to enumerate the list of network shares with SNMP OID .

4504-SNMP IOS Configuration Retrieval: This signature fires when an attempt is made to retrieve the configuration from a Cisco IOS device. This signature fires when the SNMP OID contains the sequence . as a prefix.

4505-SNMP VACM MIB Access: This signature fires when SNMP OID fragment . is matched in an attempt to access the SNMP v2 View-based Access Control MIB (VACM) table. The SNMP v2 View-based Access Control MIB (VACM) table contains all of the SNMP community names in clear-text.

4506-D-Link Wireless SNMP Plain Text Password: This signature fires when MIB OID is accessed with community string "public".

4507-SNMP Protocol Violation: This signature fires when an error in decoding the SNMP protocol is detected.

4508-Non SNMP Traffic: This signature fires when non-SNMP traffic is detected destined for port 161 UDP.

Note: This signature is only available in Cisco IDS versions 4.0 and newer.

4509-HP Openview SNMP Hidden Community Name: This signature fires when the SNMP community name 'snmpd' is detected in an SNMP request.

4510-Solaris SNMP Hidden Community Name: This signature fires when the SNMP community name 'all private' is detected in an SNMP request.

4511-Avaya SNMP Hidden Community Name: This signature fires when the SNMP community name 'all private' is detected in an SNMP request.

4600-IOS UDP Bomb: This signature fires when improperly formed SYSLOG transmissions bound for port 514 UDP are detected.

4601:0-CheckPoint Firewall RDP Bypass: This signature fires when traffic destined for port 259 UDP with the following patterns is detected:

SubSig 0: 0x80 0x00 0x00 0x96

SubSig 1: 0x80 0x00 0x00 0x80

SubSig 2: 0x80 0x00 0x00 0x64

SubSig 3: 0x80 0x00 0x00 0x65.

4601:1-CheckPoint Firewall RDP Bypass: Alarms when the following command is sent to port 259 UDP "\\x80\\x00\\x00\\x64".

4601:2-CheckPoint Firewall RDP Bypass: Alarms when the following command is sent to port 259 UDP "\\x80\\x00\\x00\\x96".

4601:3-CheckPoint Firewall RDP Bypass: Alarms when the following command is sent to port 259 UDP "\\x80\\x00\\x00\\x80".

4603-DHCP Discover: This signature fires when DHCP discover attempts from clients are made. This is an indicator of unauthorized attempts to connect to the network. Legitimate DHCP discover attempts can cause this signature to fire an alarm.

4604-DHCP Request: This signature fires when DHCP client requests are detected. This is an indicator of unauthorized attempts to connect to the network. Legitimate DHCP discover attempts can cause this signature to fire an alarm.

4605-DHCP Offer: This signature fires when DHCP lease offers from a DHCP server are made. This is an indicator of unauthorized attempts to connect to the network. Legitimate DHCP offers can cause this signature to fire an alarm.

4606-Cisco TFTP Long Filename Buffer Overflow: This signature fires when a TFTP request for a file with an abnormally long name is detected. This is an indicator of a buffer overflow.

4607-Deep Throat Response: This signature fires when the string "My Mouth is Open" is detected in a UDP packet sent on well-known Deep Throat UDP ports.

4608-Trinoo (UDP): This signature fires when the string "trinoo" is detected on any UDP port known to have Trinoo traffic.

4609-Orinoco SNMP Info Leak: This signature fires when a specially crafted packet is detected with a destination of UDP port 192. This is a good indicator that attempts are being made to retrieve the SNMP community names from the target.

4610-Kerberos 4 User Recon: This signature fires when a null character sent to UDP port 750 is detected. This is a good indicator that a Kerberos user recon attempt may be occurring.

4611-D-Link DWL-900AP+ TFTP Config Retrieve: This signature fires when a TFTP request for the file 'config.img' is detected. This is an indicator of an attempted reconnaissance probe. If you are running this D-Link device, normal administrative work can cause this alarm.

4612-Cisco IP Phone TFTP Config Retrieve: This signature fires when a TFTP request for a Cisco IP Phone configuration file is detected. This may indicate an attempted reconnaissance attack.

4613-TFTP Filename Buffer Overflow: This signature fires when a TFTP read or write request with a filename containing a non-printable character is detected. This may be an indication of a buffer overflow attack.
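The TFTP filename checks described for signatures 4100, 4101, 4606, 4611 and 4613 can be expressed as one parser over the read/write request, shown here as an added example that is not Cisco's sensor code. The request layout (2-byte opcode, NUL-terminated filename, NUL-terminated mode) follows RFC 1350; the substring match for 4100, the `LONG_NAME` threshold and the function names are assumptions, and the requests are constructed samples.

```python
import struct

LONG_NAME = 128  # assumed threshold; the page only says "abnormally long"

def tftp_request(name, opcode=1, mode=b"octet"):
    """Constructed sample: TFTP RRQ (opcode 1) or WRQ (opcode 2) payload."""
    return struct.pack("!H", opcode) + name + b"\x00" + mode + b"\x00"

def tftp_signatures(payload):
    """Return signature IDs for one UDP payload sent to a TFTP server."""
    if len(payload) < 4:
        return []
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):       # only read and write requests carry a filename
        return []
    # Filename runs to the first NUL; if none is present, take the remainder
    name = payload[2:].partition(b"\x00")[0]
    hits = []
    if b"passwd" in name:                            # 4100 (assumed match rule)
        hits.append(4100)
    if b"../" in name:                               # 4101 directory traversal
        hits.append(4101)
    if len(name) > LONG_NAME:                        # 4606 long filename
        hits.append(4606)
    if name.rsplit(b"/", 1)[-1] == b"config.img":    # 4611 D-Link config file
        hits.append(4611)
    if any(b < 0x20 or b > 0x7E for b in name):      # 4613 non-printable byte
        hits.append(4613)
    return hits
```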

4614-DHCP request overflow: This signature fires upon detecting a large dhcp request to port 67. The typical dhcp request is quite small in size and shouldn't fire this signature. If this signature fires, the traffic needs to be investigated.

4701-MS-SQL Control Overflow: This signature fires when a buffer overflow attempt to the MS-SQL control port (UDP 1434) is made. This is an indicator that the "Slammer" worm is present.