Understanding Cisco IDS Signatures

It is important to understand what a signature is, and what exactly a signature does. A signature is a known type of activity. It has already been detected in the wild, and someone has captured the identity or traffic pattern of the attack or intrusive activity and documented it. In many ways, a signature is similar to a fingerprint. A fingerprint is unique to a person, just as a signature is unique to a certain attack or type of activity. A Cisco IDS sensor compares traffic against the signatures it has configured and matches this activity when it appears on your network. The parameters you set for the signature tell the sensor how to respond to the threat. The sensor can send an alarm to your IDS management device, log the event, send e-mail alerts, or even block the suspect traffic at the router, switch, or firewall.

When you load signature updates onto the IDS sensor, the signatures are loaded with their recommended settings already preconfigured. To view those signature settings with CSPM, scroll down the network topology in the left pane and select Tools and Services | Sensor Signatures. The names of the signature files are listed there. By default, CSPM creates a Default signature file when the sensor is added, as we see in Figure 7.1. You can have a different signature file for each sensor on your network or use one file for all of them. To get to the signatures from inside Cisco's IDS Device Manager (IDM), choose Configuration | Sensing Engine | Signature Configuration | Signature Groups, shown in Figure 7.2. The most critical signatures are usually configured to generate high- or, at the least, medium-level alarms. When the sensor detects traffic that matches an enabled signature, it fires an alarm. The sensor stores every alarm of informational level and above in the sensor logs. If you have a Cisco IDS management device configured as a destination for alarms, the alarms are also sent to that device for viewing.

Figure 7.1: The CSPM Signature File

Figure 7.2: IDM Signatures

Signature Implementation

The complexity of signatures can be explained fairly easily. Several components make up a signature, and as long as you understand the role each component plays, you will not have a problem understanding them. It is not a black art or magic, just a bit of common sense. As we mentioned earlier, a signature is created from already known activity. Once intrusive or malicious activity is seen in the wild, a signature is created that looks for that specific behavior and nothing else. The sensor has a database of all the signatures and their specific configurations, and compares the traffic against that database. Signatures are implemented as either content-based or context-based.

Note Content-based signatures are triggered by information contained in the payload of the packet, such as a URL string that could possibly compromise a web server application.

Context-based signatures are triggered by the data in the packet headers. This is an enhancement over plain packet signature detection, which does not consider any context. The most common implementations of context-based signature detection are designed to look for attack signatures in particular header fields, or to use a particular service within a packet stream (based on the protocol).

You need to keep this straight in your head when taking the Cisco IDS exam.

Signature Classes

The class of a signature is important to understand. The attack and the intentions of the attacker drive the classification of the signatures. Reconnaissance, Informational, Access, and Denial of Service are the four main classes.

Reconnaissance is what attackers do to map out a network, such as DNS queries, port scans, and even pings. This type of activity triggers the reconnaissance class of signatures. Once the live IP addresses and open ports have been identified, information is gathered about the hosts by attempting to connect or communicate with them. The attacker may try to connect to a host on a specific port. If the connection is successful, the attacker can deduce what type of system it is from which ports are open. This activity is not necessarily malicious but can be intrusive; informational class signatures are configured to detect it. Access signatures fire alarms when known unauthorized access, or attempts at access, are detected. Denial-of-Service or DoS class signatures trigger when the level of activity on the network is detected as having the ability to disrupt services.

Signature Structure

The structure of a signature depends on the number of packets that have to be inspected. Signatures are either atomic or composite. An atomic signature can be detected by examining a single packet; no state information is required. Some examples of atomic signatures are

1004-IP options-Loose Source Route

3050-Half-open SYN Attack

3455-Java Web Server Cmd Exec

3652-SSH Gobbles

A composite signature is detected by examining multiple packets. If the sensor detects a first packet that is a potential attack, it stores that information along with the information from the following packets. State information is required in order to perform this function. Examples of composite signatures are:

3225-WWW websendmail File Access

3250-TCP Hijack

3314-Windows Locator Service Overflow

3990-BackOrifice BO2K TCP Non Stealth

For example, in the half-open SYN attack, a single packet with the SYN bit set is sent without the rest of the normal TCP three-way handshake. All the IDS sensor needs to see is that single SYN packet out of sequence. The Windows Locator attack requires more than a single packet of data: the IDS sensor matches on the first packet in the sequence, tags it as interesting, and looks for further matches of the known attack sequence. Once the IDS sensor sees more of the attack, it triggers whatever alarms or actions it was configured to carry out.

Signature Types

Cisco also categorizes signatures into different traffic types. The types are

General

Connection

String

Access Control List (ACL)

General signatures cover the 1000, 2000, 5000, and 6000 signature series. Depending on the type of attack, general signatures look for abnormalities in a common type of traffic, such as making sure a certain protocol is behaving correctly or that the payload of a packet is, or looks, correct. An example of a general signature is 3037-TCP FRAG SYN FIN Host Sweep. This signature triggers when a series of fragmented TCP packets with both the SYN and FIN flags set has been sent to multiple hosts with the same destination port. Having the SYN and FIN flags set together is abnormal, as is the fragmentation. (Note that 3037 carries a 3000-series number, a range Cisco also uses for TCP connection signatures; the type describes what the signature inspects, not where its ID falls.)

Connection signatures are covered in the 3000 and 4000 signature series. They observe traffic to UDP ports and TCP connections. An example of a connection signature is 3001-TCP Port Sweep, the classic example of a connection signature. It fires when a series of TCP connections is established from one source to multiple ports on a host, with the ports involved below 1024. Be very aware of these detects: a port sweep can be the prelude to a major attack.

String signatures are highly flexible. They monitor strings (text) within packets that you deem important. An example of a string signature is 8000:2303-Telnet-+ +. When a Telnet session is established and the string "+ +" is entered, this signature fires. All string detects generate an 8000-series alarm; it is the subID, 2303, that differentiates the individual string signatures.

Access-Control-List signatures apply to traffic or activity that is attempting to evade access control lists on the routers. These are signatures in the 10000 series. As with the string signatures, the subID is what differentiates the individual signatures. An example of an Access-Control-List signature is 10000:1001-IP-Spoof Interface 2. This particular signature triggers when there is a notification from a NetSentry device that an IP datagram has been received from a source in front of the router with an IP address that belongs behind the router.

Cisco IDS Signature Micro-Engines

The Cisco Secure IDS software divides signature processing into different categories or engines. We can see the types of engines in Table 7.1.

Table 7.1: Cisco IDS Signature Micro-Engine Overview (Engine Type: Description)

Atomic: Used for single packets.

Flood: Used to detect attempted DoS attacks.

Service: Used when services at layers 5, 6, and 7 require protocol analysis.

State: Used when stateful inspection is required. At this time, only HTTP is supported.

String: Used for string pattern matching.

Sweep: Used to detect network reconnaissance sweeps or probes.

Each engine contains a parser and an inspector, and multiple signatures are supported within each category. When the IDS is sniffing the network, it reads from a signature file that contains all of the signature definitions. Each definition contains configurable parameters that can be tweaked to detect activity on your network that you would consider intrusive and possibly malicious. Signature parameters have three attributes: they can be Protected, Required, or Hidden. A Protected parameter affects the fundamental behavior of the signature and cannot be changed; this attribute applies only to the Cisco set of default signatures. A Required parameter is a value that must be declared. A Hidden parameter is not visible, because modifications to it are not allowed. The parameters themselves are broken down into two categories:

Master or Global engine parameters

Engine-specific parameters

The Master engine parameters apply to every signature in each of the subengines. Master engine parameters are the basis for parsing the input (traffic) and producing output (alarms). Table 7.2 lists the Master engine parameters. It is up to the subengines to provide the specific protocol knowledge needed for the sensor to decode and inspect the traffic.

Table 7.2: Master or Global Engine Parameters (Parameter: Description)

AlarmDelayTimer: The number of seconds (1–3600) to delay further signature inspection after an alarm.

AlarmInterval: Special handling for timed events (2–1000). Used as AlarmInterval Y together with MinHits X: the alarm fires when X hits are seen within a Y-second interval.

AlarmSeverity: The severity of the alert (high, medium, low, or informational) reported in the alarm.

AlarmThrottle: Limits the number of alarms sent to the IDS management device. The following options can be selected:

FireAll: Send an alarm every time the signature conditions are met.

FireOnce: Send the first alarm when the signature conditions are met, then send no further alarms for the same source and destination address combination.

Summarize: Send only one alarm per ThrottleInterval per address combination. Usually the first alarm, which starts a summary, is sent. The ThrottleInterval is a configurable number of seconds; the sensor counts hits until that interval has elapsed, then fires another alarm carrying the count and starts counting all over again.

GlobalSummarize: Similar to Summarize, but expanded to all address combinations instead of one. For example, once an alarm is sent, the sensor counts the subsequent hits during the ThrottleInterval across all address combinations being monitored. This reduces the number of alarms triggered during flood attacks.

ChokeThreshold: Switches automatically between Summarize and GlobalSummarize. During the ThrottleInterval, the sensor autoswitches the AlarmThrottle mode to Summarize if the rate of alarms from a single signature exceeds the ChokeThreshold, and to GlobalSummarize if the rate of alarms from a single signature exceeds twice the ChokeThreshold. Setting ChokeThreshold to ANY disables the automatic switching.

FlipAddr: Swaps the addresses and ports in the alarm message if they are detected as being reversed.

MaxInspectLength: The maximum length in bytes to inspect.

MinHits: Threshold for firing the alarm: the minimum number of signature hits the sensor must detect before an alarm is sent.

ResetAfterIdle: When a signature stops firing alarms, this is the number of seconds the sensor waits before it resets the counters (ThrottleInterval, MinHits, and so on).

SigComment: Comment field for your own notes about the signature.

SIGID: Unique numeric identifier for each signature. Cisco designates 1000–19,999 as the range for default signatures and 20,000–50,000 as the range for user-defined signatures.

SigName: Official signature name.

SigStringInfo: Any additional information included in the alarm message.

SubSig: ID of the subsignature, if any. Usually a variation of the original signature.

ThrottleInterval: A counter in seconds defining the interval over which alarms are summarized. Used in conjunction with the AlarmThrottle parameter when configuring the Summarize or GlobalSummarize settings.

WantFrag: Controls whether the sensor inspects fragmented packets against the signature. Can be set to TRUE to inspect only fragments or reassembled fragmented packets, FALSE to inspect only unfragmented packets, or ANY to inspect packets regardless of fragmentation.
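The AlarmThrottle modes and the ChokeThreshold autoswitch in Table 7.2 are easiest to understand by running a hit stream through them. The Python simulation below is an added example written for this page; it is not Cisco code and does not claim to reproduce the sensor's internal implementation. The AlarmThrottle class, its method names, the hit stream and the choice of a 30-second ThrottleInterval are all assumptions that follow the parameter descriptions above.

```python
"""Simulation of the Cisco IDS AlarmThrottle modes described in Table 7.2.
Added example, not Cisco code: the class and its internals are assumptions
that follow the parameter descriptions (FireAll, FireOnce, Summarize,
GlobalSummarize, ThrottleInterval, ChokeThreshold)."""


class AlarmThrottle:
    """Decides, per signature hit, whether an alarm is sent to the management device."""

    def __init__(self, mode="FireAll", throttle_interval=30, choke_threshold=None):
        assert mode in ("FireAll", "FireOnce", "Summarize", "GlobalSummarize")
        self.mode = mode
        self.interval = throttle_interval      # ThrottleInterval, in seconds
        self.choke = choke_threshold           # ChokeThreshold; None plays the role of ANY
        self.fired_once = set()                # (src, dst) pairs already alarmed (FireOnce)
        self.summary_start = {}                # (src, dst) -> start of its current summary interval
        self.global_start = None               # start of the current global summary interval
        self.window_start = None               # start of the ChokeThreshold counting window
        self.window_hits = 0

    def hit(self, ts, src, dst):
        """Return an alarm string, or None if this hit is summarized or suppressed."""
        self._autoswitch(ts)
        key = (src, dst)
        if self.mode == "FireAll":
            return f"alarm {src}->{dst}"
        if self.mode == "FireOnce":
            if key in self.fired_once:
                return None
            self.fired_once.add(key)
            return f"alarm {src}->{dst}"
        if self.mode == "Summarize":
            start = self.summary_start.get(key)
            if start is None or ts - start >= self.interval:
                self.summary_start[key] = ts   # first hit of a new interval is sent
                return f"summary alarm {src}->{dst}"
            return None
        # GlobalSummarize: one alarm per interval for all address combinations
        if self.global_start is None or ts - self.global_start >= self.interval:
            self.global_start = ts
            return "global summary alarm"
        return None

    def _autoswitch(self, ts):
        """ChokeThreshold: count hits per ThrottleInterval and escalate the mode
        (FireAll -> Summarize above the threshold, -> GlobalSummarize above twice it)."""
        if self.choke is None:
            return
        if self.window_start is None or ts - self.window_start >= self.interval:
            self.window_start, self.window_hits = ts, 0
        self.window_hits += 1
        if self.window_hits > 2 * self.choke:
            self.mode = "GlobalSummarize"
        elif self.window_hits > self.choke and self.mode == "FireAll":
            self.mode = "Summarize"


# Constructed hit stream for one signature: (seconds, source, destination).
# Ten rapid hits from one address pair, five from a second pair, then a late hit.
SAMPLE_HITS = (
    [(t, "10.1.1.5", "10.2.2.9") for t in range(10)]
    + [(t, "10.1.1.6", "10.2.2.9") for t in range(10, 15)]
    + [(40, "10.1.1.5", "10.2.2.9")]
)


def run(hits, **throttle_kwargs):
    """Feed the hit stream through one AlarmThrottle and return the alarms actually sent."""
    throttle = AlarmThrottle(**throttle_kwargs)
    return [a for a in (throttle.hit(*h) for h in hits) if a is not None]


if __name__ == "__main__":
    for mode in ("FireAll", "FireOnce", "Summarize", "GlobalSummarize"):
        print(f"{mode:16s} {len(run(SAMPLE_HITS, mode=mode))} alarms")
    print("FireAll+choke=3 ", len(run(SAMPLE_HITS, mode="FireAll", choke_threshold=3)), "alarms")
```

With the constructed stream, FireAll sends all 16 alarms, FireOnce 2, Summarize 3 (the late hit at 40 seconds starts a new interval for its pair), and GlobalSummarize 2; with ChokeThreshold set to 3 the same stream escalates from FireAll to Summarize after the fourth hit and to GlobalSummarize after the seventh, sending 6 alarms in total.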

Figure 7.3 shows all of the micro-engines available on the 4200 series sensors.

Signatures Display Menu : CSIDS Signature Wizard
----------------------------------------------------------------------------
Engine Sigs: Default Custom
1 - ATOMIC.ICMP 14 0
2 - ATOMIC.IPOPTIONS 6 0
3 - ATOMIC.L3.IP 5 0
4 - ATOMIC.TCP 21 0
5 - ATOMIC.UDP 7 0
6 - FLOOD.HOST.ICMP 2 0
7 - FLOOD.HOST.UDP 1 0
8 - FLOOD.NET 5 0
9 - FLOOD.TCPSYN 4 0
10 - SERVICE.DNS.TCP 18 0
11 - SERVICE.DNS.UDP 16 0
12 - SERVICE.PORTMAP 7 0
13 - SERVICE.RPC 11 0
14 - STATE.HTTP 287 0
15 - STRING.HTTP 7 0
16 - STRING.ICMP 0 0
17 - STRING.TCP 81 0
18 - STRING.UDP 8 0
19 - SWEEP.HOST.ICMP 3 0
20 - SWEEP.HOST.TCP 8 0
21 - SWEEP.PORT.TCP 12 0
22 - SWEEP.PORT.UDP 1 0
23 - SWEEP.RPC 9 0
ENTER - Back to Main
Selection>

Figure 7.3: SigWizMenu Showing the Micro-Engines

The ATOMIC Micro-Engines

The ATOMIC engine is used to create, or to tune existing, signatures for simple single-packet conditions that cause alarms to be triggered. Each protocol-specific inspection within the scope of the engine has its own specialized parameters for the packet conditions it examines. Table 7.3 shows the different ATOMIC micro-engines. These engines do not store any persistent data whatsoever (ATOMIC.ARP is the exception: its MacFlip and RequestInBalance parameters, described in Table 7.4, keep per-address counters across packets). Each ATOMIC micro-engine has parameters that are set for its specific protocol.

Table 7.3: ATOMIC Micro-Engines (Engine: Description)

ATOMIC.ARP: ARP simple and cross-packet signatures.

ATOMIC.ICMP: Simple ICMP alarms based on the following parameters: Type, Code, Sequence, and ID. See Figure 7.4.

ATOMIC.IPOPTIONS: Simple alarms based on the decoding of layer-3 options. See Figure 7.5.

ATOMIC.L3.IP: Simple layer-3 IP alarms. See Figure 7.6.

ATOMIC.TCP: Simple TCP packet alarms based on the following parameters: Port, Destination, Flags, and single-packet Regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey. See Figure 7.7.

ATOMIC.UDP: Simple UDP packet alarms based on the following parameters: Port, Direction, and DataLength. See Figure 7.8.

OTHER: This engine is used to group generic signatures so common parameters can be changed. It defines an interface into common signature parameters.

SigWizMenu option 1 ATOMIC.ICMP (shown in Figure 7.4) and SigWizMenu option 5 ATOMIC.UDP (shown in Figure 7.8) inspect the header fields of a single ICMP or UDP packet. None of the parameters are required, even though there are several parameters that can be manually configured. You can use all the individual parameters together in a signature or configure only specific ones.

Selection> 1
2000 (SubSig 0) ICMP Echo Rply :
2001 (SubSig 0) ICMP Unreachable :
2002 (SubSig 0) ICMP Src Quench :
2003 (SubSig 0) ICMP Redirect :
2004 (SubSig 0) ICMP Echo Req :
2005 (SubSig 0) ICMP Time Exceeded :
2006 (SubSig 0) ICMP Param Prob :
2007 (SubSig 0) ICMP Time Req :
2008 (SubSig 0) ICMP Time Rply :
2009 (SubSig 0) ICMP Info Req :
2010 (SubSig 0) ICMP Info Rply :
2011 (SubSig 0) ICMP Addr Msk Req :
2012 (SubSig 0) ICMP Addr Msk Rply :
2150 (SubSig 0) Fragmented ICMP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.4: SigWizMenu Option 1 ATOMIC.ICMP

SigWizMenu option 2 ATOMIC.IPOPTIONS decodes layer-3 options, as shown in Figure 7.5.

Selection> 2
1001 (SubSig 0) Record Packet Rte :
1002 (SubSig 0) Timestamp :
1003 (SubSig 0) Provide s,c,h,tcc :
1004 (SubSig 0) Loose Src Rte :
1005 (SubSig 0) SATNET ID :
1006 (SubSig 0) Strict Src Rte :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.5: SigWizMenu Option 2 ATOMIC.IPOPTIONS

SigWizMenu option 3 ATOMIC.L3.IP inspects traffic at layer 3 (as we can see in Figure 7.6). It handles fragment, partial ICMP packet, DataLength, and protocol number comparisons. Again, these parameters are optional.

Selection> 3
1101 (SubSig 0) Unknown IP Proto :
1107 (SubSig 0) RFC 1918 Addresses Seen : RFC 1918 Address
2151 (SubSig 0) Large ICMP :
2154 (SubSig 0) Ping Of Death :
2154 (SubSig 1) Ping Of Death :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.6: SigWizMenu Option 3 ATOMIC.L3.IP

ATOMIC.TCP looks at layer-4 TCP packets. This menu option does comparisons on TcpFlags/Mask in conjunction with port filters and the SinglePacketRegex. TcpFlags/Mask compares the packet's flags, under the configured Mask, against the configured TcpFlags to determine packets of interest. The SinglePacketRegex provides a simple regex match capability so that ports, flags, and regex matches can be combined in a single signature. Refer to Figure 7.7. Figure 7.8 shows SigWizMenu option 5 ATOMIC.UDP.

Selection> 4
3038 (SubSig 0) TCP FRAG NULL Packet :
3039 (SubSig 0) TCP FRAG FIN Packet :
3040 (SubSig 0) TCP NULL Packet :
3041 (SubSig 0) TCP SYN/FIN Packet :
3042 (SubSig 0) TCP FIN Packet :
3043 (SubSig 0) TCP FRAG SYN/FIN Packet :
9000 (SubSig 0) Back Orifice SYN-port 12345 : back orifice SYN-port 12345
9001 (SubSig 0) Back Orifice SYN-port 31337 : back orifice SYN-port 31337
9002 (SubSig 0) Back Orifice SYN-port 1524 : back orifice SYN-port 1524
9003 (SubSig 0) Back Orifice SYN-port 2773 : back orifice SYN-port 2773
9004 (SubSig 0) Back Orifice SYN-port 2774 : back orifice SYN-port 2774
9005 (SubSig 0) Back Orifice SYN-port 20034 : back orifice SYN-port 20034
9006 (SubSig 0) Back Orifice SYN-port 27374 : back orifice SYN-port 27374
9007 (SubSig 0) Back Orifice SYN-port 1234 : back orifice SYN-port 1234
9008 (SubSig 0) Back Orifice SYN-port 1999 : back orifice SYN-port 1999
9009 (SubSig 0) Back Orifice SYN-port 6711 : back orifice SYN-port 6711
9010 (SubSig 0) Back Orifice SYN-port 6712 : back orifice SYN-port 6712
9011 (SubSig 0) Back Orifice SYN-port 6713 : back orifice SYN-port 6713
9012 (SubSig 0) Back Orifice SYN-port 6776 : back orifice SYN-port 6776
9013 (SubSig 0) Back Orifice SYN-port 16959 : back orifice SYN-port 16959
9014 (SubSig 0) Back Orifice SYN-port 27573 : back orifice SYN-port 27573
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.7: SigWizMenu Option 4 ATOMIC.TCP

Selection> 5
4050 (SubSig 0) UDP Bomb :
4051 (SubSig 1) Snork :
4051 (SubSig 2) Snork :
4051 (SubSig 3) Snork :
4052 (SubSig 1) Chargen DoS :
4052 (SubSig 2) Chargen DoS :
4600 (SubSig 0) IOS Udp Bomb :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.8: SigWizMenu Option 5 ATOMIC.UDP

Note Figure 7.7 only shows a portion of the signatures within the ATOMIC.TCP micro-engine. There are approximately 60 signatures in this engine in total.
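The TcpFlags/Mask comparison described for ATOMIC.TCP, and the atomic-versus-composite distinction from the Signature Structure section, can both be shown on one constructed packet stream: the flag signatures 3040 through 3043 from Figure 7.7 need one packet each, while 3037-TCP FRAG SYN FIN Host Sweep has to remember which hosts a source has already touched. The Python below is an added example for this page, not Cisco code; the exact TcpFlags/Mask values for 3040 and 3042, the WantFrag settings, the sweep threshold `unique`, and the packet records are assumptions.

```python
"""ATOMIC.TCP-style TcpFlags/Mask matching plus the composite host-sweep counter
behind 3037-TCP FRAG SYN FIN Host Sweep. Added example, not Cisco code: the
signature definitions, the mask choices for 3040/3042 and the sweep threshold
`unique` are assumptions; SAMPLE_PACKETS is constructed."""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# (SIGID, SigName, TcpFlags, Mask, WantFrag): a packet matches when
# (packet_flags & Mask) == TcpFlags and its fragmentation state equals WantFrag.
ATOMIC_TCP_SIGS = [
    (3040, "TCP NULL Packet", 0, ALL_FLAGS, False),
    (3041, "TCP SYN/FIN Packet", SYN | FIN, SYN | FIN, False),
    (3042, "TCP FIN Packet", FIN, FIN | SYN | RST | ACK, False),  # FIN without ACK
    (3043, "TCP FRAG SYN/FIN Packet", SYN | FIN, SYN | FIN, True),
]


def atomic_tcp_matches(pkt):
    """Atomic check: return the SIGIDs matched by this one packet; no state needed."""
    hits = []
    for sigid, _name, flags, mask, want_frag in ATOMIC_TCP_SIGS:
        if pkt["frag"] == want_frag and (pkt["flags"] & mask) == flags:
            hits.append(sigid)
    return hits


class SynFinHostSweep:
    """Composite check (3037): one source sends fragmented SYN/FIN packets to
    `unique` different hosts on the same destination port. State is kept per
    (source, destination port) across packets, which is what makes it composite."""

    def __init__(self, unique=3):
        self.unique = unique
        self.hosts = {}      # (src, dport) -> set of destination hosts seen
        self.fired = set()   # keys that already produced an alarm

    def observe(self, pkt):
        if not pkt["frag"] or (pkt["flags"] & (SYN | FIN)) != (SYN | FIN):
            return None
        key = (pkt["src"], pkt["dport"])
        seen = self.hosts.setdefault(key, set())
        seen.add(pkt["dst"])
        if len(seen) >= self.unique and key not in self.fired:
            self.fired.add(key)
            return 3037
        return None


def run(packets, unique=3):
    """Run every packet through the atomic signatures and the sweep counter;
    return (SIGID, src, dst) alarms in the order they fire."""
    sweep = SynFinHostSweep(unique)
    alarms = []
    for p in packets:
        for sigid in atomic_tcp_matches(p):
            alarms.append((sigid, p["src"], p["dst"]))
        sigid = sweep.observe(p)
        if sigid is not None:
            alarms.append((sigid, p["src"], "multiple"))
    return alarms


def pkt(src, dst, dport, flags, frag=False):
    return {"src": src, "dst": dst, "dport": dport, "flags": flags, "frag": frag}


# Constructed traffic: a fragmented SYN/FIN sweep of port 80 across three hosts,
# then NULL, FIN-only and a legitimate SYN/ACK packet, then an unfragmented SYN/FIN.
SAMPLE_PACKETS = [
    pkt("192.0.2.10", "198.51.100.1", 80, SYN | FIN, frag=True),
    pkt("192.0.2.10", "198.51.100.2", 80, SYN | FIN, frag=True),
    pkt("192.0.2.10", "198.51.100.3", 80, SYN | FIN, frag=True),
    pkt("192.0.2.20", "198.51.100.1", 22, 0),
    pkt("192.0.2.20", "198.51.100.1", 22, FIN),
    pkt("192.0.2.20", "198.51.100.1", 22, SYN | ACK),
    pkt("192.0.2.10", "198.51.100.1", 80, SYN | FIN),
]

if __name__ == "__main__":
    for alarm in run(SAMPLE_PACKETS):
        print(alarm)
```

The third fragmented SYN/FIN packet fires 3043 on its own and, because it is the third distinct host for that source and port, also completes the 3037 sweep; the SYN/ACK packet matches nothing, which is the point of masking only the bits a signature cares about.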

ATOMIC.ARP is for basic layer-2 ARP signatures and also for more advanced detection of the ARP spoofing tools dsniff and ettercap. Refer to Table 7.4 for the ATOMIC.ARP parameters.

Note ettercap supports active and passive dissection of several protocols and features network and host analysis tools. In essence, it acts as a sniffer, interceptor, and logger for switched LANs. dsniff is a collection of tools used for penetration testing and auditing networks.

Table 7.4: ATOMIC.ARP Parameters (Name (Data Type; Protected; Required): Description)

ArpOperation (Number 0–255; Protected: No; Required: No): The ARP operation code the signature is interested in.

MacFlip (Number 0–65535; Protected: No; Required: No): If the MAC address changes this many times for the same IP address, an alarm will fire.

RequestInBalance (Number 0–65535; Protected: No; Required: No): If there are this many more requests than replies for a particular IP address, an alarm will fire.

WantDstBroadcast (Boolean True/False; Protected: No; Required: No): If the sensor detects an ARP destination hardware address that is the all-ones broadcast address, an alarm will fire.

WantBroadcast (Boolean True/False; Protected: No; Required: No): If the sensor detects an ARP source hardware address that is the all-ones broadcast address, an alarm will fire.
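MacFlip and RequestInBalance in Table 7.4 are the two ATOMIC.ARP parameters that need state, and they are the ones that catch the poisoning tools named above: a poisoner races the real owner of an IP, so the claiming MAC flips back and forth, while a scanner asks for addresses that never answer. The Python below is an added example for this page and not Cisco code; the ArpEngine class, the thresholds, the frame layout and the sample frames are assumptions modelled on the parameter descriptions.

```python
"""ATOMIC.ARP-style MacFlip and RequestInBalance counting over a constructed
ARP frame stream. Added example, not Cisco code: the ArpEngine class, its
thresholds and the frame layout are assumptions based on Table 7.4."""

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpEngine:
    def __init__(self, mac_flip=2, request_inbalance=5):
        self.mac_flip = mac_flip                    # MacFlip threshold
        self.request_inbalance = request_inbalance  # RequestInBalance threshold
        self.last_mac = {}   # sender IP -> last sender MAC that claimed it
        self.flips = {}      # sender IP -> number of times the claiming MAC changed
        self.balance = {}    # IP -> requests asking for it minus replies it sent
        self.fired = set()   # (parameter, ip) pairs already alarmed

    def _alarm(self, param, ip, alarms):
        if (param, ip) not in self.fired:
            self.fired.add((param, ip))
            alarms.append((param, ip))

    def observe(self, frame):
        """Process one ARP frame; return the list of (parameter, ip) alarms it raised."""
        alarms = []
        op, sip, smac, tip = (frame["op"], frame["sender_ip"],
                              frame["sender_mac"], frame["target_ip"])

        # MacFlip: the same IP announced from a changing MAC is the footprint of
        # a poisoner racing the real owner (dsniff arpspoof, ettercap).
        prev = self.last_mac.get(sip)
        if prev is not None and prev != smac:
            self.flips[sip] = self.flips.get(sip, 0) + 1
            if self.flips[sip] >= self.mac_flip:
                self._alarm("MacFlip", sip, alarms)
        self.last_mac[sip] = smac

        # RequestInBalance: many requests for an IP that never answers
        # (scans of unused addresses, or a host being probed off the segment).
        if op == ARP_REQUEST:
            key = tip
            self.balance[key] = self.balance.get(key, 0) + 1
        elif op == ARP_REPLY:
            key = sip
            self.balance[key] = self.balance.get(key, 0) - 1
        else:
            return alarms
        if self.balance[key] >= self.request_inbalance:
            self._alarm("RequestInBalance", key, alarms)
        return alarms


def run(frames, **kwargs):
    """Feed all frames through one engine and return every alarm raised, in order."""
    engine = ArpEngine(**kwargs)
    alarms = []
    for frame in frames:
        alarms.extend(engine.observe(frame))
    return alarms


def arp(op, sender_ip, sender_mac, target_ip):
    return {"op": op, "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}


GATEWAY, REAL_MAC, SPOOF_MAC = "10.0.0.1", "00:00:5e:00:53:01", "00:00:5e:00:53:ff"

# Constructed frames: a normal request/reply for the gateway, then a poisoner and
# the real gateway alternately claiming 10.0.0.1, then five unanswered requests
# for an address nobody owns.
SAMPLE_FRAMES = [
    arp(ARP_REQUEST, "10.0.0.7", "00:00:5e:00:53:07", GATEWAY),
    arp(ARP_REPLY, GATEWAY, REAL_MAC, "10.0.0.7"),
    arp(ARP_REPLY, GATEWAY, SPOOF_MAC, "10.0.0.7"),   # first flip
    arp(ARP_REPLY, GATEWAY, REAL_MAC, "10.0.0.7"),    # second flip -> MacFlip alarm
] + [arp(ARP_REQUEST, "10.0.0.7", "00:00:5e:00:53:07", "10.0.0.50") for _ in range(5)]

if __name__ == "__main__":
    print(run(SAMPLE_FRAMES))
```

Each alarm fires once per address, mirroring a FireOnce throttle; raising MacFlip to 3 makes the two-flip sample stream silent, which is the tuning trade-off between catching a single spoof and tolerating a host that legitimately moves between NICs.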

The SERVICE Micro-Engine

Of all the different service micro-engines (see Table 7.5), SERVICE.DNS and SERVICE.RPC are two of the more important ones. SERVICE works at layer 5 and above to analyze traffic between two hosts. Service engine signatures are one-to-one signatures that interpret payloads the way the live services would interpret them. The result of the interpretation is the decoded fields of the protocol, which are used in comparison against the signatures. These engines decode only enough of the data to make the comparisons; once a comparison can be made, the alarm is triggered, which keeps resource utilization to a minimum.

Table 7.5: Service Micro-Engines (Engine: Description)

SERVICE.DNS: Analyzes the DNS service.

SERVICE.FTP: FTP service special decode alarms.

SERVICE.GENERIC: Custom service/payload decode. For expert use only.

SERVICE.HTTP: HTTP protocol decode-based string engine. Includes anti-evasive URL deobfuscation.

SERVICE.IDENT: IDENT service (client and server) alarms.

SERVICE.MSSQL: Microsoft SQL service inspection engine.

SERVICE.NTP: Network Time Protocol–based signature engine.

SERVICE.RPC: Analyzes the RPC service.

SERVICE.SMB: SMB SuperInspector signatures.

SERVICE.SMTP: Inspects the SMTP protocol.

SERVICE.SNMP: Inspects SNMP traffic.

SERVICE.SSH: SSH attack decode signatures.

SERVICE.SYSLOG: Processes syslog messages.

The SERVICE.DNS micro-engines specialize in traffic on both TCP (see Figure 7.9) and UDP (see Figure 7.10) port 53, the standard port for DNS traffic. SERVICE.DNS does not have any required parameters, but for full coverage of DNS you must specify both TCP and UDP. Other than that necessity, the engine is open for full customization of the signatures.

Selection> 10
6050 (SubSig 1) DNS HINFO-TCP :
6051 (SubSig 1) DNS Zone Xfer-TCP :
6052 (SubSig 1) DNS High Zone Xfer-TCP :
6053 (SubSig 1) DNS Request All-TCP :
6054 (SubSig 1) DNS Version Request-TCP :
6055 (SubSig 1) DNS IQUERY Overflow-TCP :
6055 (SubSig 2) DNS IQUERY Overflow-TCP :
6056 (SubSig 1) DNS NXT Overflow-TCP :
6056 (SubSig 2) DNS NXT Overflow-TCP :
6057 (SubSig 1) DNS SIG Overflow-TCP :
6057 (SubSig 2) DNS SIG Overflow-TCP :
6058 (SubSig 1) DNS SRV DoS-TCP :
6059 (SubSig 2) DNS TSIG Overflow-TCP :
6060 (SubSig 2) DNS Complain Overflow-TCP :
6060 (SubSig 3) DNS Complain Overflow-TCP :
6061 (SubSig 1) DNS Infoleak-TCP :
6062 (SubSig 1) DNS Authors Request-TCP :
6063 (SubSig 1) DNS Incremental Zone Transfer-TCP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.9: SigWizMenu Option 10 SERVICE.DNS.TCP

Selection> 11
6050 (SubSig 0) DNS HINFO-UDP :
6051 (SubSig 0) DNS Zone Xfer-UDP :
6052 (SubSig 0) DNS High Zone Xfer-UDP :
6053 (SubSig 0) DNS Request All-UDP :
6054 (SubSig 0) DNS IQUERY Overflow-UDP :
6055 (SubSig 0) DNS NXT Overflow-UDP :
6056 (SubSig 0) DNS SIG Overflow-UDP :
6057 (SubSig 0) DNS SRV DoS-UDP :
6058 (SubSig 0) DNS TSIG Overflow-UDP :
6059 (SubSig 1) DNS TSIG Overflow-UDP :
6060 (SubSig 0) DNS Complain Overflow-UDP :
6060 (SubSig 1) DNS Complain Overflow-UDP :
6061 (SubSig 0) DNS Infoleak-UDP :
6062 (SubSig 0) DNS Authors Request-UDP :
6063 (SubSig 0) DNS Incremental Zone Transfer-UDP :
6064 (SubSig 0) BIND Large OPT Record DoS : Large OPT
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.10: SigWizMenu Option 11 SERVICE.DNS.UDP

Note You need to enable both the UDP and the TCP signatures to have full coverage.

The SERVICE.RPC engine decoder does a full decode as an anti-evasive strategy. It handles fragmented messages and batch messages. The RPC portmapper operates on port 111; regular RPC messages can be on any port greater than 550. RPC sweeps are very similar to TCP port sweeps with one exception: they only count unique ports when valid RPC messages are sent. One other unique characteristic of the SERVICE.RPC engine is that it keys on each RPC program type for unique counting. In other words, counting occurs on an individual program basis. Figure 7.11 shows the signatures that fall into this category.

Selection> 13
6180 (SubSig 0) rexd Attempt :
6190 (SubSig 0) statd Buffer Overflow :
6191 (SubSig 0) ttdbserverd Buffer Overflow :
6192 (SubSig 0) mountd Buffer Overflow :
6193 (SubSig 0) cmsd Buffer Overflow :
6194 (SubSig 0) sadmind Buffer Overflow :
6195 (SubSig 0) amd Buffer Overflow :
6196 (SubSig 0) snmpXdmid Buffer Overflow :
6197 (SubSig 0) rpc yppaswdd overflow : yppaswdd overflow
6198 (SubSig 0) Long rwalld Message : rwalld String Format
6199 (SubSig 0) cachefsd overflow : cachfsd overflow
6275 (SubSig 0) SGI fam Attempt : Fam Attempt
6276 (SubSig 0) TooltalkDB overflow : TooltalkDB overflow
6277 (SubSig 0) Show Mount Recon : Show Mount Recon
6277 (SubSig 0) Show Mount Recon : Show Mount All Recon
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.11: SigWizMenu Option 13 SERVICE.RPC

The FLOOD Micro-Engine

Simply stated, FLOOD engines analyze flood-type traffic: traffic from many sources to a single host (n to 1), specified in FLOOD.HOST, or floods to the network, traffic from many sources to many destinations (n to n), specified in FLOOD.NET. Host floods use a counter that counts the packets per second (PPS) to the destination. Net floods, however, do not use the address for counting, but instead maintain the count rate on a virtual sensor basis. Analysis is done on a per-second basis for both host and net floods.

FLOOD engines have one configuration restriction: you have to specify the Rate parameter in both the host and net flood engine groups. (Table 7.8 lists Rate as not required for FLOOD.NET because a Rate of 0 selects the learning mode described later; to detect a flood you still need a non-zero Rate.) FLOOD engines also ignore the WantFrag, MaxInspectLength, and ResetAfterIdle parameters from the Master engine parameters.

Note The concept of a virtual sensor is that if the physical sensor is monitoring more than one interface, all the interfaces are configured into interface groups. There can be more than one interface group, but a virtual sensor is attached to only one interface group.

There are three FLOOD micro-engines covered here (Figure 7.3 also lists FLOOD.TCPSYN, which is not covered). We will look at each in detail in the following sections.

FLOOD.HOST.ICMP

FLOOD.HOST.ICMP analyzes ICMP floods directed at a single host. Figure 7.12 shows the two signatures, 2152 – ICMP Flood and 2153 – ICMP Smurf attack, that are host flood signatures based on ICMP traffic.

Selection> 6
2152 (SubSig 0) ICMP Flood :
2153 (SubSig 0) ICMP Smurf attack :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.12: SigWizMenu Option 6 FLOOD.HOST.ICMP

Table 7.6 shows the configurable parameters for FLOOD.HOST.ICMP signatures.

Table 7.6: FLOOD.HOST.ICMP Parameters (Name (Data Type; Protected; Required): Description)

IcmpType (Number 0–256; Protected: No; Required: No): The ICMP header TYPE to count.

Rate (Number; Protected: No; Required: Yes): The maximum allowed packets per second (PPS).

FLOOD.HOST.UDP

FLOOD.HOST.UDP analyzes UDP floods directed at a single host. Figure 7.13 shows the single signature, 4002 – UDP Flood, that is a host flood signature based on UDP traffic.

Selection> 7
4002 (SubSig 0) UDP Flood :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.13: SigWizMenu Option 7 FLOOD.HOST.UDP

Table 7.7 shows the configurable parameters for FLOOD.HOST.UDP signatures.

Table 7.7: FLOOD.HOST.UDP Parameters (Name (Data Type; Protected; Required): Description)

ExcludeDst1 (Number 0–65536; Protected: No; Required: No): Destination port to exclude from flood counting.

ExcludeDst2 (Number 0–65536; Protected: No; Required: No): Destination port to exclude from flood counting.

ExcludeDst3 (Number 0–65536; Protected: No; Required: No): Destination port to exclude from flood counting.

Exclude1 (Number 0–65536; Protected: No; Required: No): Source port to exclude from flood counting.

Exclude2 (Number 0–65536; Protected: No; Required: No): Source port to exclude from flood counting.

Exclude3 (Number 0–65536; Protected: No; Required: No): Source port to exclude from flood counting.

Rate (Number; Protected: No; Required: Yes): Threshold number of PPS. When the PPS is greater than the specified Rate, an alarm fires.

FLOOD.NET

FLOOD.NET analyzes network floods directed at a single network segment. Figure 7.14 displays the current signatures in the FLOOD.NET micro-engine. Of special interest in the FLOOD.NET micro-engine is FLOOD.NET learning mode. This configuration option is also called feedback mode. Feedback mode replaces the normal analysis of packets with a diagnostic alarm: simply stated, the alarm carries in its alertDetails values the maximum PPS count seen during the interval. This is good for baselining network traffic in order to tune the signatures. The signature is put into feedback mode by setting the Rate parameter to 0. Figure 7.14 shows the five signatures that are part of the FLOOD.NET micro-engine.

Selection> 8
6901 (SubSig 0) NET FLOOD Icmp Reply :
6902 (SubSig 0) NET FLOOD Icmp Request :
6903 (SubSig 0) NET FLOOD Icmp Any :
6910 (SubSig 0) NET FLOOD UDP :
6920 (SubSig 0) NET FLOOD TCP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.14: SigWizMenu Option 8 FLOOD.NET

Table 7.8 shows the configurable parameters for FLOOD.NET signatures.

Table 7.8: FLOOD.NET Parameters (Name (Data Type; Protected; Required): Description)

Gap (Number; Protected: No; Required: No): The number of non-suspect seconds (seconds where PPS < Rate) allowed within the ThrottleInterval. If more than Gap consecutive non-suspect seconds occur, no alarm is triggered and the count is reset.

IcmpType (Number 0–256; Protected: No; Required: No): The ICMP type value found in the header. Only valid when Protocol is set to ICMP.

Peaks (Number; Protected: No; Required: No): The threshold of suspect seconds. The alarm is triggered when Peaks suspect seconds are reached within a ThrottleInterval.

Rate (Number; Protected: No; Required: No): The threshold for PPS. A suspect second occurs when PPS > Rate. Remember that for diagnostics/feedback mode the Rate value is set to 0.

The STATE.HTTP Micro-Engine

The STATE micro-engine encompasses the 3000 and 5000 alternation signatures. There are about 415 signatures covered in this micro-engine. The STAT.HTTP micro-engine is abnormally accessible if you are alive a web server on abnormal HTTP ports. Use the Agreement | Analysis Agent | Signature Agreement | STATE.HTTP Account Ports in IDM to add those ports (see Figure 7.15). Accept advantage 14 for configuring the ambit in SigWizMenu. For all the agreement ambit for this engine, accredit to Table 7.9. Examples of some of these signatures are

Figure 7.15: IDM STATE.HTTP Service Ports

3221-WWW cgi-viewsource Attack Fires when someone attempts to use the cgi-viewsource script to view files above the http root directory.

3222-WWW PHP Log Scripts Read Attack Fires when someone attempts to use the PHP scripts mlog or mylog to view files on a machine.

3223-WWW IRIX cgi-handler Attack Fires when someone attempts to use the cgi-handler script to execute commands.

3224-HTTP WebGais Fires when someone attempts to use the webgais script to run arbitrary commands.

3225-WWW websendmail File Access Fires when unauthorized attempts are made to read a file using the websendmail CGI program.

3226-WWW Webdist Bug Fires when attempts are made to use the webdist program. False positive alarms will fire from legitimate use of the webdist program.

3227-WWW Htmlscript Bug Fires when attempts are made to view files above the html root directory.

3228-WWW Performer Bug Fires when attempts are made to view files above the html root directory.

3229-Website Win-C-Sample Buffer Overflow Fires when attempts are made to access the win-c-sample program in the WebSite server distribution. Testing new WebSite servers or upgrades using the win-c-sample program can cause false positives. This script is for testing purposes and should be removed on production servers.

3230-Website Uploader Fires when attempts are made to access the uploader program in the WebSite server distribution.

For a full list of all of these signatures, refer to Appendix A.

Table 7.9: STATE.HTTP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

ArgNameRegex (String; Protected: Yes; Required: No): Regular expression used to search the HTTP Arguments field.

ArgValueRegex (String; Protected: Yes; Required: No): Regular expression used to search the HTTP Arguments field after ArgNameRegex is matched. You have to define ArgNameRegex for this match to work. It is an ordered match.

Deobfuscate (Boolean True/False; Protected: No; Required: No): Use anti-evasive deobfuscation prior to searching for the RegexString.

Direction (Boolean: ToService / FromService; Protected: Yes; Required: No): Indicates the direction in which the sensor is watching traffic at the service port.

HeaderRegex (String; Protected: Yes; Required: No): Regular expression used to search within the HTTP Header field.

MaxArgFieldLength (Number; Protected: No; Required: No): Maximum length of the Arguments field.

MaxHeaderFieldLength (Number; Protected: No; Required: No): Maximum length of the Header field.

MaxRequestFieldLength (Number; Protected: No; Required: No): Maximum length of the Request field.

MaxUriFieldLength (Number; Protected: No; Required: No): Maximum length of the URI field.

ServicePorts (Set; Protected: No; Required: No): Comma-separated list of ports or port ranges where the service resides.

UriRegex (String; Protected: Yes; Required: No): Regular expression used to search within the HTTP URI field.

The STRING Micro-Engine

The STRING micro-engine provides pattern matching and alarm generation against regular expressions. It works against TCP, UDP, and ICMP. There are currently four STRING micro-engines.

STRING.HTTP has eight signatures (shown in Figure 7.16). These are specifically tailored to look for certain command strings in HTTP traffic.

Selection> 15

5123 (SubSig 0) WWW IIS Internet Printing Overflow : Host:<250+>

5168 (SubSig 0) Snapstream PVS Directory Traversal Vulnerability : ../

5169 (SubSig 0) Snapstream PVS Plaintext Password Vulnerability : ../ssd.ini

5172 (SubSig 0) WinWrapper Admin Server Directory Traversal : ../

5188 (SubSig 0) HTTP Tunnelling : GET /erc/Poll?machineKey

5188 (SubSig 0) HTTP Tunnelling : POST /index.html?crap

5191 (SubSig 0) Active Perl PerlIS.dll Buffer Overflow : *.pl

5289 (SubSig 0) SQLXML ISAPI Buffer Overflow : contenttype=text/AAA…

<240+>…

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.16: SigWizMenu Option 15 STRING.HTTP

Table 7.10 shows the configurable parameters for STRING.HTTP signatures.

Table 7.10: STRING.HTTP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

Deobfuscate (Boolean True/False; Protected: No; Required: No): Use anti-evasive deobfuscation prior to searching for the RegexString.

Direction (Boolean: ToService / FromService; Protected: Yes; Required: No): Indicates the direction in which the sensor is watching traffic at the service port.

MinMatchLength (Number; Protected: No; Required: No): Minimum number of bytes the RegexString must match.

MultipleHits (Boolean True/False; Protected: No; Required: No): Search for multiple RegexString matches in a single packet.

PreFilterDepth (Number; Protected: No; Required: No): This is a list of strings to filter on or match before Regex starts its search. At least one of the strings in this list must be found in the first PreFilterDepth bytes of the stream for it to be considered a valid web stream.

RegexString (String; Protected: Yes; Required: Yes): Regular expression to search on.

ServicePorts (Set; Protected: No; Required: No): Comma-separated list of ports or port ranges where the service resides.

StripTelnetOptions (Boolean True/False; Protected: No; Required: No): Strips Telnet option characters from the data before searching.
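To see what RegexString, MinMatchLength, MultipleHits and StripTelnetOptions do to a single packet (the same parameters recur in Tables 7.11 and 7.12 for STRING.ICMP and STRING.TCP), here is an added Python example. It is not Cisco code and not from this book; the page names the parameters but does not show how the engine combines them, so the ordering in `string_engine_hits` (strip, then match, then apply the length and hit-count rules) is an assumption drawn from the table descriptions, and the FTP and HTTP payloads are constructed, not captured.

```python
# Added example (not Cisco code): packet-level matching with the STRING engine
# parameters RegexString, MinMatchLength, MultipleHits and StripTelnetOptions.
# How the real engine combines them is not shown on the page; the semantics
# here are an assumption taken from the table descriptions.
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT: each followed by one option byte


def strip_telnet_options(data):
    """Drop Telnet option negotiation so the regex only sees application data.

    IAC WILL/WONT/DO/DONT <opt> and IAC SB ... IAC SE are removed, other
    two-byte IAC commands are removed, and the escape IAC IAC is kept as a
    single literal 0xFF byte. A trailing, truncated IAC is discarded.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:
            break
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)


def string_engine_hits(payload, regex_string, min_match_length=0,
                       multiple_hits=False, strip_telnet=False):
    """Return the byte strings in one packet payload that the signature matches.

    A match shorter than min_match_length is ignored; without multiple_hits
    the search stops at the first qualifying match in the packet.
    """
    data = strip_telnet_options(payload) if strip_telnet else payload
    hits = []
    for m in re.finditer(regex_string, data):
        if len(m.group(0)) < min_match_length:
            continue
        hits.append(m.group(0))
        if not multiple_hits:
            break
    return hits


# Constructed packet payloads (these are not captures):
# an FTP STAT command whose argument exceeds 450 bytes (the condition the page
# gives for 3119), with a Telnet DO option interleaved by the client.
FTP_STAT = b"STA" + bytes([IAC, 0xFD, 0x01]) + b"T " + b"A" * 460 + b"\r\n"
STAT_OVERFLOW = rb"STAT [^\r\n]{450,}"

# Three directory-traversal sequences in one HTTP request line.
TRAVERSAL = b"GET /../../../etc/passwd HTTP/1.0\r\n"
DOTDOT = rb"\.\./"

if __name__ == "__main__":
    print(string_engine_hits(FTP_STAT, STAT_OVERFLOW, strip_telnet=True)[0][:10])
    print(len(string_engine_hits(TRAVERSAL, DOTDOT, multiple_hits=True)))
```

The FTP payload is the practical reason StripTelnetOptions exists: FTP control channels are Telnet-style and a client may negotiate an option in the middle of a command, so without stripping the regex never sees the contiguous string `STAT `. MultipleHits matters when you count occurrences (three `../` in one request) rather than presence.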

STRING.ICMP signatures fire upon detecting a series of three plus signs (+++) in an ICMP packet, as shown here:

Selection> 16

2155 (SubSig 0) Modem DoS : +++ (ICMP)

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Table 7.11 shows the configurable parameters for STRING.ICMP signatures.

Table 7.11: STRING.ICMP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

Direction (Boolean: ToService / FromService; Protected: No; Required: No): Indicates the direction in which the sensor is watching traffic at the service port.

MinMatchLength (Number; Protected: No; Required: No): Minimum number of bytes the RegexString must match.

MultipleHits (Boolean True/False; Protected: No; Required: No): Search for multiple RegexString matches in a single packet.

RegexString (String; Protected: Yes; Required: Yes): Regular expression to search on.

ServicePorts (Set; Protected: No; Required: No): Comma-separated list of ports or port ranges where the service resides.

StripTelnetOptions (Boolean True/False; Protected: No; Required: No): Strips Telnet option characters from the data before searching.

STRING.TCP looks for strings in commands or arguments in TCP sessions. There are about 165 different signatures in this micro-engine. Refer to Appendix A for a complete list.

Examples of some of the signatures are

3117-KLEZ worm The alarm triggers when a filename Gn.Exe is found as an audio/x-wav attachment to an e-mail.

3118-rwhoisd format string This sig fires upon detecting a soa command sent to a rwhois server with a large argument.

3119-WS_FTP STAT overflow Fires upon detecting a STAT command with an argument that is greater than 450 characters.

3120-ANTS virus The alarm triggers when an e-mail is found with the attachment ANTS3SET.EXE.

3121-Vintra MailServer EXPN DoS Fires when *@ is detected as the argument to the SMTP command EXPN.

3122-SMTP EXPN root Recon Fires when an attempt to expand the e-mail alias of the root user with the SMTP command EXPN is detected.

3123-NetBus Pro Traffic Alarm fires upon detecting a NetBus Pro communications channel setup.

3124-Sendmail prescan Memory Corruption This signature looks for an abnormally long (1000+ characters) MAIL FROM (SubSig 0) or RCPT TO (SubSig 1) SMTP command.

Table 7.12 shows the configurable parameters for STRING.TCP signatures.

Table 7.12: STRING.TCP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

Direction (Boolean: ToService / FromService; Protected: Yes; Required: No): Indicates the direction in which the sensor is watching traffic at the service port.

MinMatchLength (Number; Protected: No; Required: No): Minimum number of bytes the RegexString must match.

MultipleHits (Boolean True/False; Protected: No; Required: No): Search for multiple RegexString matches in a single packet.

RegexString (String; Protected: Yes; Required: Yes): Regular expression to search on.

ServicePorts (Set; Protected: No; Required: No): Comma-separated list of ports or port ranges where the service resides.

StripTelnetOptions (Boolean True/False; Protected: No; Required: No): Strips Telnet option characters from the data before searching.

STRING.UDP looks for strings in UDP traffic. Without beating this to a pulp, remember that we are looking at strings in payloads. A lot of the tools used to exploit systems use UDP. Refer to Appendix A for a complete list. Some examples of UDP string signatures are

4607-Deep Throat Response This signature triggers when the string My Mouth is Open is detected in a UDP packet sent on the well-known Deep Throat UDP ports. Alarm level 5.

4608-Trinoo (UDP) This signature triggers when the string trinoo is detected on any UDP port known to carry Trinoo traffic. Alarm level 5.

4609-Orinoco SNMP Info Leak This signature triggers when a specially crafted packet is detected with a destination of UDP port 192. This is a good indicator that attempts are being made to retrieve the SNMP community names from the target. Alarm level 4.

4610-Kerberos 4 User Recon This signature triggers when a null character sent to UDP port 750 is detected. This is a good indicator that a Kerberos user recon attack may be occurring. Alarm level 0.

Table 7.13 shows the configurable parameters for STRING.UDP signatures.

Table 7.13: STRING.UDP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

Direction (Boolean: ToService / FromService; Protected: No; Required: No): Indicates the direction in which the sensor is watching traffic at the service port.

MinMatchLength (Number; Protected: No; Required: No): Minimum number of bytes the RegexString must match.

ServicePorts (Set; Protected: No; Required: No): Comma-separated list of ports or port ranges where the service resides.

The SWEEP Micro-Engine

All of the SWEEP signatures' alarm conditions depend on the count tracked by the Unique parameter. Unique is the threshold parameter that causes the signature to fire the alarm when more than the configured "Unique" number of ports or hosts is seen on the address set within the time period. This process, tracking unique port/host traffic, is referred to as counting. In order for traffic to be put into the counting section, other parameters such as Mask/TcpFlags, IcmpType, the WantFrag Boolean, and/or the UDP ports must match first. If a sweep occurs and no alarm fires because those packet conditions are not met, check the settings for these parameters and tune as necessary.

The SWEEP micro-engines include the following types.

SWEEP.HOST.*

The SWEEP.HOST.* micro-engines analyze traffic from a single host to many hosts, specifically ICMP and TCP. The two micro-engines are SWEEP.HOST.ICMP and SWEEP.HOST.TCP (see Figures 7.17 and 7.18). The signatures fire when the Unique count of hosts exceeds the configured setting. Examples of these signatures are

Selection> 19

2100 (SubSig 0) Net Sweep-Echo :

2101 (SubSig 0) Net Sweep-Time :

2102 (SubSig 0) Net Sweep-Mask :

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.17: SigWizMenu Option 19 SWEEP.HOST.ICMP

Selection> 20

3030 (SubSig 0) TCP SYN Host Sweep :

3031 (SubSig 0) TCP FRAG SYN Host Sweep :

3032 (SubSig 0) TCP FIN Host Sweep :

3033 (SubSig 0) TCP FRAG FIN Host Sweep :

3034 (SubSig 0) TCP NULL Host Sweep :

3035 (SubSig 0) TCP FRAG NULL Host Sweep :

3036 (SubSig 0) TCP SYN/FIN Host Sweep :

3037 (SubSig 0) TCP FRAG SYN/FIN Host Sweep :

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.18: SigWizMenu Option 20 SWEEP.HOST.TCP

2100-ICMP Network Sweep w/Echo Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). Alarm level 3.

2101-ICMP Network Sweep w/Timestamp Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request). Alarm level 5.

2102-ICMP Network Sweep w/Address Mask Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). Alarm level 5.

3030-TCP SYN Host Sweep Fires when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. Alarm level 2.

3031-TCP FRAG SYN Host Sweep Fires when a series of fragmented TCP SYN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.

3032-TCP FIN Host Sweep Fires when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.

3033-TCP FRAG FIN Host Sweep Fires when a series of fragmented TCP FIN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.

3034-TCP NULL Host Sweep Fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.

3035-TCP FRAG NULL Host Sweep Fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.

3036-TCP SYN FIN Host Sweep Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.

3037-TCP FRAG SYN FIN Host Sweep Fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.

Table 7.14 shows the configurable parameters for SWEEP.HOST.ICMP signatures.

Table 7.14: SWEEP.HOST.ICMP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

IcmpType (Number; Protected: No; Required: Yes): ICMP header type of interest.

Unique (Number 2–40; Protected: No; Required: Yes): Maximum unique connections to the target.

Table 7.15 shows the configurable parameters for SWEEP.HOST.TCP signatures.

Table 7.15: SWEEP.HOST.TCP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

Mask (BITSET: FIN/SYN/RST/PSH/ACK/URG; Protected: No; Required: Yes): Mask used for the TcpFlags comparison.

TcpFlags (BITSET: FIN/SYN/RST/PSH/ACK/URG; Protected: Yes; Required: Yes): TCP flags to match after the packet's flags are masked by the Mask parameter.

Unique (Number 2–40; Protected: No; Required: Yes): Maximum unique connections to the target.
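The Mask/TcpFlags test and the Unique count are the two mechanisms every SWEEP signature is built from, so the following added Python example implements both over constructed packet records: a host sweep (same destination port, many hosts, as in 3030) and a port sweep (many ports on one host, as in 3015, and the InvertedSweep variant from Table 7.16). This is not Cisco code and not from this book; the key the engine counts on, the "fire once when the count exceeds Unique" rule, and the packet records in `TRAFFIC` are assumptions and constructed data, drawn only from the parameter descriptions in Tables 7.14 through 7.17.

```python
# Added example (not Cisco code): the Mask / TcpFlags / Unique counting that the
# SWEEP engines use, run over constructed packet records. The key the real
# engine counts on and the exact moment it fires are assumptions made from the
# parameter descriptions in Tables 7.14 through 7.17.
from collections import defaultdict

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def bitset(*names):
    """Build a BITSET value such as Mask or TcpFlags from flag names."""
    return sum(TCP_FLAGS[n] for n in names)


def flags_match(packet_flags, mask, tcp_flags):
    """A packet enters counting only if its flags, under Mask, equal TcpFlags."""
    return (packet_flags & mask) == (tcp_flags & mask)


def _sweep(packets, mask, tcp_flags, unique, key_of, counted_of):
    """Generic Unique counter: per key_of(pkt), collect distinct counted_of(pkt)
    values; fire once per key when the distinct count exceeds Unique."""
    seen = defaultdict(set)
    fired = set()
    alarms = []
    for p in packets:
        if not flags_match(p["flags"], mask, tcp_flags):
            continue
        key = key_of(p)
        seen[key].add(counted_of(p))
        if len(seen[key]) > unique and key not in fired:
            fired.add(key)
            alarms.append((key, len(seen[key])))
    return alarms


def host_sweep(packets, mask, tcp_flags, unique):
    """SWEEP.HOST.TCP: one source hitting the same destination port on many hosts."""
    return _sweep(packets, mask, tcp_flags, unique,
                  key_of=lambda p: (p["src"], p["dport"]),
                  counted_of=lambda p: p["dst"])


def port_sweep(packets, mask, tcp_flags, unique, inverted=False):
    """SWEEP.PORT.TCP: one source hitting many ports on one host.
    InvertedSweep counts distinct source ports instead of destination ports."""
    return _sweep(packets, mask, tcp_flags, unique,
                  key_of=lambda p: (p["src"], p["dst"]),
                  counted_of=lambda p: p["sport"] if inverted else p["dport"])


def pkt(src, dst, sport, dport, *flag_names):
    """Constructed packet record (not a capture)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": bitset(*flag_names)}


# Signature-style settings from the descriptions above: 3030 counts SYN-only
# packets; 3015/3034 count packets with none of SYN/FIN/ACK/RST set.
SYN_MASK = bitset("SYN", "FIN", "RST", "ACK")
SYN_ONLY = bitset("SYN")
NULL_FLAGS = 0

# Constructed traffic: 10.0.0.5 SYN-probes port 22 on six hosts, sends six
# ACKs (which a SYN signature must not count), then NULL-scans eight ports
# on one host.
TRAFFIC = (
    [pkt("10.0.0.5", f"10.0.1.{i}", 40000 + i, 22, "SYN") for i in range(1, 7)]
    + [pkt("10.0.0.5", f"10.0.1.{i}", 40100 + i, 22, "ACK") for i in range(1, 7)]
    + [pkt("10.0.0.5", "10.0.2.9", 41000 + p, p) for p in range(1, 9)]
)

if __name__ == "__main__":
    print(host_sweep(TRAFFIC, SYN_MASK, SYN_ONLY, unique=5))
    print(port_sweep(TRAFFIC, SYN_MASK, NULL_FLAGS, unique=5))
```

Note that Mask decides which flag bits are compared at all: with PSH and URG left out of the mask, a SYN+PSH packet still counts toward a SYN signature, while SYN+ACK (a normal reply) does not. That is the first thing to check when a sweep you can see in a capture produces no alarm.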

SWEEP.PORT.*

The SWEEP.PORT.* micro-engines analyze the traffic between two specific hosts and their ports. Like the SWEEP.HOST.* engines, the SWEEP.PORT.* engines count unique port connections between the hosts. The two micro-engines that fall into this category are SWEEP.PORT.TCP and SWEEP.PORT.UDP (see Figures 7.19 and 7.20). The signatures fire when the Unique count of port connections exceeds the configured setting. At this time, there are only 14 signatures in these two micro-engines. They are

Selection> 21

3001 (SubSig 0) TCP Port Sweep :

3002 (SubSig 0) TCP SYN Port Sweep :

3003 (SubSig 0) TCP FRAG SYN Port Sweep :

3005 (SubSig 0) TCP FIN Port Sweep :

3006 (SubSig 0) TCP FRAG FIN Port Sweep :

3010 (SubSig 0) TCP High Port Sweep :

3011 (SubSig 0) TCP FIN High Port Sweep :

3012 (SubSig 0) TCP FRAG FIN High Port Sweep :

3015 (SubSig 0) TCP Null Port Sweep :

3016 (SubSig 0) TCP FRAG Null Port Sweep :

3020 (SubSig 0) TCP SYN FIN Port Sweep :

3021 (SubSig 0) TCP FRAG SYN FIN Port Sweep :

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.19: SigWizMenu Option 21 SWEEP.PORT.TCP

Selection> 22

4001 (SubSig 0) UDP Port Sweep :

4003 (SubSig 0) Nmap Udp Port Sweep : NMAP UDP port Sweep :

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.20: SigWizMenu Option 22 SWEEP.PORT.UDP

3001-TCP Port Sweep Fires when a series of TCP connections to a number of different privileged ports (port number < 1024)

3002-TCP SYN Port Sweep Fires when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host. Alarm level 3.

3003-TCP Frag SYN Port Sweep Fires when a series of fragmented TCP SYN packets are sent to several different destination ports on a specific host. Alarm level 5.

3005-TCP FIN Port Sweep Fires when a series of TCP FIN packets have been sent to a number of different privileged ports (port number < 1024)

3006-TCP Frag FIN Port Sweep Fires when a series of fragmented TCP FIN packets have been sent to several different privileged (port number less than 1024) destination ports on a specific host. Alarm level 5.

3010-TCP High Port Sweep Fires when a series of TCP connections to several different high-numbered ports (port number > 1023) on a specific host have been initiated. Alarm level 0.

3011-TCP FIN High Port Sweep Fires when a series of TCP FIN packets have been sent to several different high-numbered destination ports (port number greater than 1023) on a specific host. Alarm level 5.

3012-TCP Frag FIN High Port Sweep Fires when a series of fragmented TCP FIN packets have been sent to several different high-numbered destination ports (port number > 1023) on a specific host. Alarm level 5.

3015-TCP Null Port Sweep Fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to several different destination ports on a specific host. Alarm level 5.

3016-TCP Frag Null Port Sweep Fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to several different destination ports on a specific host. Alarm level 5.

3020-TCP SYN FIN Port Sweep Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to several different destination ports on a specific host. Alarm level 5.

3021-TCP Frag SYN FIN Port Sweep Fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to several different destination ports on a specific host. Alarm level 5.

4001-UDP Port Sweep Fires when a series of UDP connections to several different destination ports on a specific host have been initiated. This is an indicator of a reconnaissance sweep of your network. Be wary of potentially more serious attacks to follow. Alarm level 0.

4003-Nmap UDP Port Sweep Fires when a series of UDP connections to several different privileged ports (port number < 1024)

Table 7.16 shows the configurable parameters for SWEEP.PORT.TCP signatures.

Table 7.16: SWEEP.PORT.TCP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

InvertedSweep (Boolean: True/False; Protected: No; Required: No): Parameter that forces the sensor to compare the signature against traffic to the source port instead of the destination port for unique counting.

Mask (BITSET: FIN/SYN/RST/PSH/ACK/URG; Protected: Yes; Required: Yes): Mask used for the TcpFlags comparison.

PortRange (Number; Protected: No; Required: Yes): Three port range options: (1) for low ports, (2) for high ports, (0) for all ports.

SuppressReverse (Boolean: True/False; Protected: No; Required: No): Suppresses the alarm when a sweep is going in the opposite direction.

TcpFlags (BITSET: FIN/SYN/RST/PSH/ACK/URG; Protected: Yes; Required: Yes): TCP flags to match after the packet's flags are masked by the Mask parameter.

Unique (Number 2–40; Protected: No; Required: Yes): Maximum unique connections to the target.

Table 7.17 shows the configurable parameters for SWEEP.PORT.UDP signatures.

Table 7.17: SWEEP.PORT.UDP Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

PortsInclude (String; Protected: Yes; Required: Yes): List of ports and/or ranges for the engine to inspect for sweeps.

Unique (Number 2–40; Protected: No; Required: Yes): Maximum unique connections between two hosts.

SWEEP.RPC

SWEEP.RPC is the final SWEEP micro-engine (Figure 7.21). It analyzes Remote Procedure Call (RPC) traffic between hosts. The signatures that fall under the SWEEP.RPC micro-engine are

Selection> 23

6110 (SubSig 0) RPC RSTATD Sweep :

6111 (SubSig 0) RPC RUSERSD Sweep :

6112 (SubSig 0) RPC NFS Sweep :

6113 (SubSig 0) RPC MOUNTD Sweep :

6114 (SubSig 0) RPC YPPASSWDD Sweep :

6115 (SubSig 0) RPC SELECTION SVC Sweep :

6116 (SubSig 0) RPC REXD Sweep :

6117 (SubSig 0) RPC STATUS Sweep :

6118 (SubSig 0) RPC TTDB Sweep :

(Sig Number to EDIT) or (ENTER to CONTINUE) >

Figure 7.21: SigWizMenu Option 23 SWEEP.RPC

6110-RPC RSTATD Sweep Fires when RPC requests are made to many ports for the RSTATD program. Alarm level 5.

6111-RPC RUSERSD Sweep Fires when RPC requests are made to many ports for the RUSERSD program. Alarm level 5.

6112-RPC NFS Sweep Fires when RPC requests are made to many ports for the NFS program. Alarm level 5.

6113-RPC MOUNTD Sweep Fires when RPC requests are made to many ports for the MOUNTD program. Alarm level 5.

6114-RPC YPPASSWDD Sweep Fires when RPC requests are made to many ports for the YPPASSWDD program. Alarm level 5.

6115-RPC SELECTION_SVC Sweep Fires when RPC requests are made to many ports for the SELECTION_SVC program. Alarm level 5.

6116-RPC REXD Sweep Fires when RPC requests are made to many ports for the REXD program. Alarm level 5.

6117-RPC STATUS Sweep Fires when RPC requests are made to many ports for the STATUS program. Alarm level 5.

6118-RPC ttdb Sweep Fires on an attempt to access the tooltalk database daemon on multiple ports on a single host. Alarm level 5.

Table 7.18 shows the configurable parameters for SWEEP.RPC signatures.

Table 7.18: SWEEP.RPC Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

Master parameters: Refer to Table 7.1 for the master parameters.

RpcProgram (Number; Protected: Yes; Required: Yes): RPC program number requested.

Unique (Number 2–40; Protected: No; Required: Yes): Maximum allowed destination ports receiving RPCs with the program number RpcProgram.

If you would like more information regarding any of the preceding signatures, refer to Appendix A or go to Cisco's web site: http://www.cisco.com.

The OTHER Engine

After going through the ten or so different signature series and becoming familiar with the different micro-engines, you may have wondered: what if there is a signature that does not fit the other engines? What happens? Does Cisco just forget about it? Not a chance. What Cisco has done is create an engine for all the signatures that do not fit any other engine's protocol decode. It's called the OTHER engine. The OTHER engine does not allow you to define any custom signatures or add any signatures. The signatures that fall into the OTHER engine are

993-Missed Packet Count This signature is triggered when the sensor is dropping packets, and the percentage dropped can be used to help you tune the traffic level you are sending to the sensor. For example, if the alarms show that there is a low count of dropped packets, or even zero, the sensor is monitoring the traffic without being overutilized. On the other hand, if 993 alarms show a high count of dropped packets, the sensor may be oversubscribed. Alarm level 1.

994-Traffic Flow Started This signature triggers when traffic to the sensing interface is detected for the first time or resumes after an outage. SubSig 1 fires when initial network activity is detected. SubSig 2 fires when the link (physical) layer becomes active. Alarm level 1.

995-Traffic Flow Stopped Subsignature 1 is triggered when no traffic is detected on the sensing interface. You can tune the timeout for this via the TrafficFlowTimeout parameter. Subsignature 2 is triggered when a physical link is not detected. Alarm level 1.

996-Route Up This signifies that traffic between the sensor and director has started. When the services on the director and/or sensor are started, this alarm will appear in the event viewer. Alarm level 1.

997-Route Down This signifies that traffic between the sensor and director has stopped. When the services on the director and/or sensor are stopped, this alarm will appear in the event viewer. Alarm level 1.

998-Daemon Down One or more of the IDS sensor services has stopped.

999-Daemon Unstartable One or more of the IDS sensor services is unable to be started.

1200-IP Fragmentation Buffer Full This signature is triggered when there is an extraordinary amount of incomplete fragmented traffic detected on the protected network. Alarm level 1.

1201-IP Fragment Overlap This signature is triggered when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. Alarm level 5.

1202-IP Fragment Overrun - Datagram Too Long Fires when a reassembled fragmented datagram would exceed the declared IP data length or the maximum datagram length. Alarm level 5.

1203-IP Fragment Overwrite - Data is Overwritten Fires upon detecting an IP fragment that overlaps a previous fragment. This behavior is consistent with the Ping of Death. Alarm level 5.

1204-IP Fragment Missing Initial Fragment Fires when a datagram cannot be reassembled due to missing initial data. Alarm level 1.

1205-IP Fragment Too Many Datagrams This signature is triggered when there is an excessive number of incomplete fragmented datagrams detected on the network. Alarm level 2.

1206-IP Fragment Too Small Fires when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted. Alarm level 2.

1207-IP Fragment Too Many Frags This signature is triggered when there is an excessive number of fragments for a given datagram. This is most likely either a Denial-of-Service attack or an attempt to bypass security measures. Alarm level 2.

1208-IP Fragment Incomplete Datagram Fires when a datagram cannot be fully reassembled due to missing data. Alarm level 2.

1220-Jolt2 Fragment Reassembly DoS attack This alarm will fire when multiple fragments are received, all claiming to be the last fragment of an IP datagram. Alarm level 5.

3050-Half-open SYN Attack Fires when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Alarm level 5.

3250-TCP Hijack Fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP hijacking is used to gain illegal access to network resources. False positives are possible. Alarm level 5.

3251-TCP Hijacking Simplex Mode Fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP hijacking is used to gain illegal access to network resources. Simplex mode means that only one command is sent, followed by a connection RESET packet, which makes recognition of this signature different from regular TCP hijacking (sigID 3250). False positives are possible. The most common network event that may trigger this signature is an idle Telnet session. The TCP hijack attack is a low-probability, high level-of-effort event. If it is successfully launched, it could lead to serious consequences, including network compromise. The source of these alarms should be investigated thoroughly before any actions are taken. We recommend consulting a security professional to assist in the investigation. Alarm level 5.

5249-IDS Evasive Encoding This signature looks for special characters such as Null %00, New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c in the URL of an HTTP request that have been encoded in hexadecimal instead of as the actual character. This is a technique used to evade detection of an attack. This signature is triggered if any of the above characters are detected as being encoded in part of the URL. Alarm level 4.

5250-IDS Evasive Double Encoding This signature looks for the same special characters (Null %00, New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c) in the URL of an HTTP request that have been "doubly" encoded in hexadecimal, that is, the percent sign of the first encoding has itself been encoded as %25. This is a technique used to evade detection of an attack. This signature is triggered if any of the aforementioned characters are detected as being doubly encoded as part of a URL. Alarm level 4.
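Signatures 5249 and 5250, together with the Deobfuscate parameter of the HTTP engines, are about the same problem: the web server decodes the URL before acting on it, so a sensor that matches the raw bytes can be made to miss `../` written as `%2e%2e%2f` or `%252e%252e%252f`. The Python below is an added example, not Cisco code and not from this book. The list of special characters comes from the two signature descriptions; the bounded decode-until-stable loop in `deobfuscate` is an assumption about how a deobfuscation pass works, and the request URIs are constructed.

```python
# Added example (not Cisco code): the check behind signatures 5249 and 5250 and
# the Deobfuscate parameter, applied to constructed request URIs. Which
# characters count as "special" comes from the signature descriptions above;
# the bounded decode loop is an assumption, not Cisco's implementation.
import re

SPECIAL = {0x00: "null", 0x0A: "newline", 0x0D: "carriage return",
           0x2E: "period", 0x2F: "forward slash", 0x5C: "back slash"}
PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_once(uri):
    """One round of %xx decoding; leaves malformed or bare '%' alone."""
    return PERCENT.sub(lambda m: chr(int(m.group(1), 16)), uri)


def encoded_specials(uri):
    """5249: special characters that arrive %xx-encoded instead of literal.
    Returns (offset, name) pairs so an alert can point at the bytes."""
    return [(m.start(), SPECIAL[int(m.group(1), 16)])
            for m in PERCENT.finditer(uri) if int(m.group(1), 16) in SPECIAL]


def double_encoded_specials(uri):
    """5250: special characters that only appear %xx-encoded after one decode,
    i.e. the client sent %25xx and relies on the server decoding twice."""
    return encoded_specials(decode_once(uri))


def deobfuscate(uri, max_rounds=2):
    """Deobfuscate: decode until stable (bounded) so regex engines compare
    against the form the web server will actually act on."""
    cur = uri
    for _ in range(max_rounds):
        nxt = decode_once(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


# Constructed request URIs (not captures).
PLAIN = "/search?q=a%20b"                    # %20 is a space, not a special character
SINGLE = "/cgi-bin/..%2f..%2fetc%2fpasswd"  # slashes encoded once
DOUBLE = "/scripts/..%252f..%252fwinnt"     # slashes encoded twice

if __name__ == "__main__":
    for u in (PLAIN, SINGLE, DOUBLE):
        print(u, encoded_specials(u), double_encoded_specials(u), deobfuscate(u))
```

The three URIs show why both signatures exist: the single-encoded traversal is caught by 5249 but looks clean to 5250, the double-encoded one is invisible to 5249 and only caught by 5250, and only the deobfuscated form of either is something a UriRegex such as `\.\./` can match directly. Bounding the decode rounds matters; an unbounded loop on attacker-supplied input is itself a resource-exhaustion target.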

Table 7.19 shows the configurable parameters for the OTHER micro-engine signatures.

Table 7.19: OTHER Micro-Engine Parameters

Each entry is listed as Parameter (Data Type; Protected; Required): Description.

HijackMaxOldAck (Number; Protected: No; Required: No): Maximum number of old dataless client-to-server ACKs allowed before a Hijack alarm is triggered.

HijackReset (Boolean: True/False; Protected: No; Required: No): Hijack signature requires a reset.

ServicePorts (Port Range; Protected: No; Required: No): List of ports and/or port ranges the target service may be listening on.

SynFloodMaxEmbryonic (Number; Protected: No; Required: No): The maximum number of simultaneous embryonic connections allowed to any service. Embryonic connections are half-open connections.

TrafficFlowTimeout (Number; Protected: No; Required: No): The number of seconds of no traffic detected on the segment before signature 995 fires.