Understanding Cisco IDS Signatures
It is important to understand what a signature is, and what exactly a signature does. A signature is a known type of activity. It has already been detected in the wild, and someone has captured the personality or traffic pattern of the attack or attacking activity and documented it. In many ways, the signature is something similar to a fingerprint. The fingerprint is unique to a person just like the signature is unique to a certain attack or type of activity. A Cisco IDS sensor compares traffic against the signatures it has configured and will match this activity when it appears on your network. The parameters you set for the signature tell the sensor how to respond to the threat. The sensor can send an alarm to your IDS management device, log the event, send e-mail alerts, or even block the suspect traffic at the router, switch, or firewall.
When you load signature updates onto the IDS sensor, the signatures are loaded with their recommended settings already preconfigured. To view those signature settings with CSPM, scroll down the network topology in the left pane and select Tools and Services | Sensor Signatures. The names of the signature files are listed there. By default, CSPM creates a Default signature file when the sensor is added, as we see in Figure 7.1. You can have a different signature file for each sensor on your network or use one for all of them. To get to the signatures from inside Cisco's Intrusion Detection Manager (IDM), choose Configuration | Sensing Engine | Signature Configuration | Signature Groups, shown in Figure 7.2. The most critical signatures are usually configured and set to generate high- or, at the least, medium-level alarms. When the sensor detects traffic that matches an enabled signature, it fires an alarm. The sensor stores all alarms of severity informational and above in the sensor logs. If you have a Cisco IDS management device and it is configured as a destination for alarms, the alarms are also sent to that device for viewing.
Figure 7.1: The CSPM Signature File
Figure 7.2: IDM Signatures
Signature Implementation
The complexity of signatures can be explained fairly easily. There are several components that make up a signature, and as long as you understand the role each component plays, you will not have a problem understanding them. It is not a black art or magic, just a bit of common sense. As we mentioned earlier, a signature is created from an already known activity. Once attacking or malicious activity is seen in the wild, a signature is created that looks for that specific behavior and nothing else. The sensor has a database of all the signatures and their specific configurations, and compares the traffic against that database. Signatures are implemented as either content-based or context-based.
Note Content-based signatures are triggered by information contained in the payload of the packet, such as a URL string that could compromise a web server application.
Context-based signatures are triggered by the data in the packet headers. This is an enhancement to plain packet signature detection, which does not consider any context. The most common implementations of context-based signature detection are designed to look for attack signatures in particular header fields, or to apply a particular protocol decode within a packet stream.
You need to keep this straight in your head when taking the Cisco IDS exam.
Signature Classes
The class of a signature is important to understand. The attack and the intentions behind the attack drive the classification of the signatures. Reconnaissance, Informational, Access, and Denial of Service are the four main categories.
Reconnaissance is what attackers do to map out a network, such as DNS queries, port scans, and even pings. This type of activity triggers the reconnaissance class signatures. Once the live IP addresses and open ports have been identified, information is gathered about the hosts by attempting to connect or communicate with them. The attacker may try to connect to a host on a specific port. If the connection is successful, the attacker can deduce what type of system it is from which ports are open. The activity is not necessarily malicious but can be intrusive. Informational class signatures are configured to detect this type of activity. Access signatures fire alarms when known unauthorized access, or attempts at access, are detected. Denial-of-Service (DoS) class signatures trigger when the level of activity on the network is detected as having the ability to disrupt services.
Signature Structure
The structure of a signature depends on the number of packets that have to be inspected. Signatures can be either atomic or composite. Atomic signatures can be detected by examining a single packet. No state information is required. Some examples of atomic signatures are
1004-IP options-Loose Source Route
3050-Half-open SYN Attack
3455-Java Web Server Cmd Exec
3652-SSH Gobbles
A composite signature is detected by examining multiple packets. If the sensor detects a first packet that is a potential attack, it stores that information together with the information from the following packets. State information is required in order to perform this function. Examples of composite signatures are:
3225-WWW websendmail File Access
3250-TCP Hijack
3314-Windows Locator Service Overflow
3990-BackOrifice BO2K TCP Non Stealth
For example, in the SYN attack, a single packet with the SYN bit set is sent without the rest of the normal TCP three-way handshake. All the IDS sensor needs to see is the single out-of-order SYN packet. The Windows Locator attack requires more than a single packet of information: the IDS sensor matches on the first packet in the sequence, tags it as interesting, and looks for further matches of the known attack sequence. Once the IDS sensor sees more of the attack, it triggers whatever alarms or actions it was programmed to carry out.
Signature Types
Cisco also categorizes the signatures into different traffic types. The different types are
General
Connection
String
Access Control List (ACL)
General signatures cover the 1000, 2000, 5000, and 6000 signature series. Depending on the type of attack, the General signatures look for abnormalities in a known type of traffic, such as making sure a certain protocol is behaving correctly or that the payload in packets is, or looks, correct. An example of a general signature is 3037-TCP FRAG SYN FIN Host Sweep. This signature triggers when a series of TCP packets with both the SYN and FIN flags set have been sent to multiple hosts with the same destination port. Having both the SYN and FIN flags set is abnormal, as is the fragmentation.
Connection signatures are covered in the 3000 and 4000 signature series. They observe traffic to UDP ports and TCP connections. An example of a connection signature is 3001-TCP Port Sweep. The TCP port sweep is the perfect example of a connection signature. It fires when a series of TCP connections are attempted from one host to multiple ports on a target; the ports counted are below 1024. Be very aware of these types of detects: a sweep can be the prelude to a major attack.
String signatures are very flexible. They monitor strings (text) within packets that you deem important. An example of a string signature is 8000:2303-Telnet-+ +. When a Telnet session is established and the command "++" is entered, this signature fires. All string detects generate an 8000 series alarm. It is the subID, 2303, that differentiates the individual string signatures.
Access-Control-List signatures apply to traffic or activity that is attempting to bypass access control lists on the routers. These are signatures in the 10000 series. Like the string signatures, the subID is what differentiates the individual signatures. An example of an Access-Control-List signature is 10000:1001-IP-Spoof Interface 2. This particular signature triggers when there is a notification from a NetSentry device that an IP datagram has been received from a source in front of the router with an IP address that belongs behind the router.
Cisco IDS Signature Micro-Engines
The Cisco Secure IDS software divides signature processing into different categories or engines. We can see the types of engines in Table 7.1.
Table 7.1: Cisco IDS Signature Micro-Engine Overview

Engine Type   Description
Atomic        Used for single packets.
Flood         Used to detect attempted DoS attacks.
Service       Used when services at layers 5, 6, and 7 require protocol analysis.
State         Used when stateful analysis is required. At this time, only HTTP is supported.
String        Used for string pattern matching.
Sweep         Used to detect network reconnaissance sweeps or probes.
Each engine contains a parser and an inspector, and the various signatures are supported within specific categories. When the IDS is sniffing the network, it reads from a signature file that contains all of the signature definitions. Each of the definitions contains configurable parameters that can be tweaked to detect activity on your network that you would consider attacking and possibly malicious. Signature parameters have three attributes: they can be Protected, Required, or Hidden. A Protected parameter is one that affects the fundamental behavior of the signature; the attribute applies only to the Cisco set of default signatures, where the value cannot be changed. A Required parameter is one whose value must be declared. A Hidden parameter is not visible because modifications to it are not allowed. The parameters are themselves broken down into two categories:
Master or Global engine parameters
Engine-specific parameters
The Master engine parameters apply to each of the signatures in the subengines. Master engine parameters are the basis for parsing the input (traffic) and generating output (alarms). Table 7.2 lists the Master engine parameters. It is up to the subengines to provide the specific configuration needed for the sensor to decode and inspect the traffic.
Table 7.2: Master or Global Engine Parameters

AlarmDelayTimer
    The number of seconds (1–3600) to delay further signature inspection after an alarm.
AlarmInterval
    Special handling for timed events (2–1000). Use AlarmInterval Y with MinHits X to alarm on X hits within a Y-second interval.
AlarmSeverity
    The severity of the alert (high, medium, low, or informational) reported in the alarm.
AlarmThrottle
    Limits the number of alarms sent to the IDS management device. The following options can be selected:
    FireAll: Send all alarms when the signature conditions are met.
    FireOnce: Send the first alarm when the signature conditions are met. Then, do not send any more alarms for the same source and destination address combination.
    Summarize: Send only one alarm per ThrottleInterval per address combination. Usually, the first alarm that starts a summary is sent. The ThrottleInterval is a configurable number of seconds; the sensor counts until that number is reached, then fires another (summary) alarm and starts the count all over again.
    GlobalSummarize: Similar to Summarize but covers all address combinations instead of one. Once an alarm is sent, the sensor counts the subsequent alarms for the rest of the ThrottleInterval across all address combinations being monitored. This reduces the number of alarms triggered during flood attacks.
ChokeThreshold
    Switches between Summarize and GlobalSummarize automatically. During the ThrottleInterval, the sensor autoswitches the AlarmThrottle mode to Summarize if the number of alarms from a single signature exceeds the ChokeThreshold, and to GlobalSummarize if the number of alarms from a single signature exceeds twice the ChokeThreshold.
    If ChokeThreshold is set to ANY, no autoswitching of the AlarmThrottle mode is performed.
FlipAddr
    Swaps the source and destination addresses (and ports) in the alarm message, for signatures where the interesting party is the responder.
MaxInspectLength
    The maximum length in bytes to inspect.
MinHits
    Threshold for firing the alarm: the minimum number of signature hits the sensor must see before it alarms.
ResetAfterIdle
    When a signature stops firing, this is the number of seconds the sensor waits before it resets the counters (ThrottleInterval, MinHits, and so on).
SigComment
    Comment field for your own notes about the signature.
SIGID
    Unique numeric identifier for each signature.
    Cisco designates 1000–19,999 as the range for default signatures and 20,000–50,000 as the range for user signatures.
SigName
    Official signature name.
SigStringInfo
    Any extra information included in the alarm message.
SubSig
    ID of the subsignature, if any. Usually a variation of the original signature.
ThrottleInterval
    An interval in seconds that governs how often alarms are sent. Used in conjunction with the AlarmThrottle parameter when configuring Summarize or GlobalSummarize.
WantFrag
    Controls whether the sensor inspects fragmented packets against the signature.
    Set to TRUE to inspect only fragments (and reassembled fragmented packets), FALSE to inspect only unfragmented packets, or ANY to inspect packets regardless of fragmentation.
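The throttling rules in Table 7.2 interact (MinHits and AlarmInterval gate whether a hit counts at all; AlarmThrottle decides whether a counted hit is sent; ChokeThreshold changes AlarmThrottle under load), which is easiest to see by replaying a hit stream through them. The following Python is an added illustrative implementation written for this chapter, not Cisco's sensor code: the ThrottleConfig and AlarmThrottler names, the interpretation of ChokeThreshold as "per ThrottleInterval" counting, and the timestamps used in the tests are assumptions made here.

```python
"""Alarm throttling as described for the master engine parameters.

Added illustrative example, not Cisco's code.  ThrottleConfig, AlarmThrottler
and the timestamps used to exercise them are assumptions made here; the
behaviour of FireAll, FireOnce, Summarize, GlobalSummarize, MinHits with
AlarmInterval, and ChokeThreshold follows the descriptions in Table 7.2.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class ThrottleConfig:
    alarm_throttle: str = "FireAll"           # FireAll | FireOnce | Summarize | GlobalSummarize
    throttle_interval: int = 30               # ThrottleInterval, in seconds
    choke_threshold: Optional[int] = None     # None stands for ANY: never autoswitch
    min_hits: int = 1                         # MinHits
    alarm_interval: Optional[int] = None      # AlarmInterval: the MinHits must fall inside this window


class AlarmThrottler:
    """Decides, for one signature, which hits are forwarded to the management device."""

    def __init__(self, cfg: ThrottleConfig):
        self.cfg = cfg
        self.mode = cfg.alarm_throttle        # may be autoswitched by ChokeThreshold
        self.hit_times = defaultdict(list)    # (src, dst) -> hit timestamps, for MinHits
        self.fired_once = set()               # FireOnce: address pairs already alarmed
        self.pair_interval = {}               # Summarize: (src, dst) -> start of its interval
        self.global_interval = None           # GlobalSummarize: start of the shared interval
        self.choke_start = None               # ChokeThreshold accounting per ThrottleInterval
        self.choke_count = 0

    def _min_hits_met(self, key, now):
        times = self.hit_times[key]
        times.append(now)
        if self.cfg.alarm_interval is not None:
            cutoff = now - self.cfg.alarm_interval          # only hits inside the window count
            times[:] = [t for t in times if t > cutoff]
        if len(times) >= self.cfg.min_hits:
            times.clear()
            return True
        return False

    def _autoswitch(self, now):
        ct = self.cfg.choke_threshold
        if ct is None:
            return
        if self.choke_start is None or now - self.choke_start >= self.cfg.throttle_interval:
            self.choke_start, self.choke_count = now, 0
        self.choke_count += 1
        if self.choke_count > 2 * ct:
            self.mode = "GlobalSummarize"     # twice the threshold: summarize everything
        elif self.choke_count > ct and self.mode == "FireAll":
            self.mode = "Summarize"           # over the threshold: one alarm per pair per interval

    def hit(self, src, dst, now):
        """Return True if this signature hit is sent as an alarm."""
        key = (src, dst)
        if not self._min_hits_met(key, now):
            return False
        self._autoswitch(now)
        if self.mode == "FireAll":
            return True
        if self.mode == "FireOnce":
            if key in self.fired_once:
                return False
            self.fired_once.add(key)
            return True
        if self.mode == "Summarize":
            start = self.pair_interval.get(key)
            if start is None or now - start >= self.cfg.throttle_interval:
                self.pair_interval[key] = now
                return True
            return False
        # GlobalSummarize: a single alarm per ThrottleInterval across all address pairs
        if self.global_interval is None or now - self.global_interval >= self.cfg.throttle_interval:
            self.global_interval = now
            return True
        return False


def count_alarms(cfg, hits):
    """Replay (src, dst, second) signature hits and return how many became alarms."""
    throttler = AlarmThrottler(cfg)
    return sum(1 for src, dst, now in hits if throttler.hit(src, dst, now))
```

Replaying twelve hits from one address pair spread over a minute shows the difference between the modes directly: FireAll forwards all twelve, FireOnce one, and Summarize with a 30-second ThrottleInterval two. With a ChokeThreshold of 3 and hits from ten different sources one second apart, the throttler fires the first six alarms, switches to GlobalSummarize on the seventh, and suppresses the rest of the interval.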
Figure 7.3 shows all of the micro-engines available on the 4200 series sensors.
Signatures Display Menu : CSIDS Signature Wizard
----------------------------------------------------------------------------
Engine                 Sigs: Default  Custom
1 - ATOMIC.ICMP 14 0
2 - ATOMIC.IPOPTIONS 6 0
3 - ATOMIC.L3.IP 5 0
4 - ATOMIC.TCP 21 0
5 - ATOMIC.UDP 7 0
6 - FLOOD.HOST.ICMP 2 0
7 - FLOOD.HOST.UDP 1 0
8 - FLOOD.NET 5 0
9 - FLOOD.TCPSYN 4 0
10 - SERVICE.DNS.TCP 18 0
11 - SERVICE.DNS.UDP 16 0
12 - SERVICE.PORTMAP 7 0
13 - SERVICE.RPC 11 0
14 - STATE.HTTP 287 0
15 - STRING.HTTP 7 0
16 - STRING.ICMP 0 0
17 - STRING.TCP 81 0
18 - STRING.UDP 8 0
19 - SWEEP.HOST.ICMP 3 0
20 - SWEEP.HOST.TCP 8 0
21 - SWEEP.PORT.TCP 12 0
22 - SWEEP.PORT.UDP 1 0
23 - SWEEP.RPC 9 0
ENTER - Back to Main
Selection>
Figure 7.3: SigWizMenu Showing the Micro-Engines
The ATOMIC Micro-Engines
The ATOMIC engine is used to create or tune existing signatures for simple, single-packet conditions that cause alarms to be triggered. Each packet's conditions have specialized parameters that deal with each of the protocol-specific inspections within the scope of the engine. Table 7.3 shows the different ATOMIC micro-engines. These engines do not store any persistent data whatsoever. The ATOMIC micro-engines have parameters that are set for their specific protocol.
Table 7.3: ATOMIC Micro-Engines

ATOMIC.ARP         ARP simple and cross-packet signatures.
ATOMIC.ICMP        Simple ICMP alarms based on the following parameters: Type, Code, Sequence, and ID. See Figure 7.4.
ATOMIC.IPOPTIONS   Simple alarms based on the decoding of layer-3 options. See Figure 7.5.
ATOMIC.L3.IP       Simple layer-3 IP alarms. See Figure 7.6.
ATOMIC.TCP         Simple TCP packet alarms based on the following parameters: Port, Destination, Flags, and single-packet Regex. Use SummaryKey to define the address view for MinHits and Summarize counting. For best performance, use a StorageKey. See Figure 7.7.
ATOMIC.UDP         Simple UDP packet alarms based on the following parameters: Port, Direction, and DataLength. See Figure 7.8.
OTHER              This engine is used to group generic signatures so that common parameters can be changed. It defines an interface into the common signature parameters.
SigWizMenu option 1 ATOMIC.ICMP (shown in Figure 7.4) and SigWizMenu option 5 ATOMIC.UDP (shown in Figure 7.8) work specifically on layer 4. None of the parameters are required, even though there are several parameters that can be manually configured. You can use all the single-packet parameters together in a signature or configure only specific ones.
Selection> 1
2000 (SubSig 0) ICMP Echo Rply :
2001 (SubSig 0) ICMP Unreachable :
2002 (SubSig 0) ICMP Src Quench :
2003 (SubSig 0) ICMP Redirect :
2004 (SubSig 0) ICMP Echo Req :
2005 (SubSig 0) ICMP Time Exceeded :
2006 (SubSig 0) ICMP Param Prob :
2007 (SubSig 0) ICMP Time Req :
2008 (SubSig 0) ICMP Time Rply :
2009 (SubSig 0) ICMP Info Req :
2010 (SubSig 0) ICMP Info Rply :
2011 (SubSig 0) ICMP Addr Msk Req :
2012 (SubSig 0) ICMP Addr Msk Rply :
2150 (SubSig 0) Fragmented ICMP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.4: SigWizMenu Option 1 ATOMIC.ICMP
SigWizMenu option 2 ATOMIC.IPOPTIONS decodes layer-3 options, as shown in Figure 7.5.
Selection> 2
1001 (SubSig 0) Record Packet Rte :
1002 (SubSig 0) Timestamp :
1003 (SubSig 0) Provide s,c,h,tcc :
1004 (SubSig 0) Loose Src Rte :
1005 (SubSig 0) SATNET ID :
1006 (SubSig 0) Strict Src Rte :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.5: SigWizMenu Option 2 ATOMIC.IPOPTIONS
SigWizMenu option 3 ATOMIC.L3.IP inspects the traffic at layer 3 (as we can see in Figure 7.6). It handles fragment, partial ICMP packet, DataLength, and Protocol Number comparisons. Again, these parameters are optional.
Selection> 3
1101 (SubSig 0) Unknown IP Proto :
1107 (SubSig 0) RFC 1918 Addresses Seen : RFC 1918 Address
2151 (SubSig 0) Large ICMP :
2154 (SubSig 0) Ping Of Death :
2154 (SubSig 1) Ping Of Death :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.6: SigWizMenu Option 3 ATOMIC.L3.IP
ATOMIC.TCP looks at layer-4 TCP packets. This menu option does comparisons on TcpFlags/Mask in conjunction with port filters and the SinglePacketRegex. TcpFlags/Mask compares packets against the configured flag values under the mask to determine packets of interest. The SinglePacketRegex provides a simple regex match capability, so that ports, flags, and a regex can be combined in a single signature. Refer to Figure 7.7. Figure 7.8 shows SigWizMenu option 5 ATOMIC.UDP.
Selection> 4
3038 (SubSig 0) TCP FRAG NULL Packet :
3039 (SubSig 0) TCP FRAG FIN Packet :
3040 (SubSig 0) TCP NULL Packet :
3041 (SubSig 0) TCP SYN/FIN Packet :
3042 (SubSig 0) TCP FIN Packet :
3043 (SubSig 0) TCP FRAG SYN/FIN Packet :
9000 (SubSig 0) Back Door SYN-port 12345 : back door SYN-port 12345
9001 (SubSig 0) Back Door SYN-port 31337 : back door SYN-port 31337
9002 (SubSig 0) Back Door SYN-port 1524 : back door SYN-port 1524
9003 (SubSig 0) Back Door SYN-port 2773 : back door SYN-port 2773
9004 (SubSig 0) Back Door SYN-port 2774 : back door SYN-port 2774
9005 (SubSig 0) Back Door SYN-port 20034 : back door SYN-port 20034
9006 (SubSig 0) Back Door SYN-port 27374 : back door SYN-port 27374
9007 (SubSig 0) Back Door SYN-port 1234 : back door SYN-port 1234
9008 (SubSig 0) Back Door SYN-port 1999 : back door SYN-port 1999
9009 (SubSig 0) Back Door SYN-port 6711 : back door SYN-port 6711
9010 (SubSig 0) Back Door SYN-port 6712 : back door SYN-port 6712
9011 (SubSig 0) Back Door SYN-port 6713 : back door SYN-port 6713
9012 (SubSig 0) Back Door SYN-port 6776 : back door SYN-port 6776
9013 (SubSig 0) Back Door SYN-port 16959 : back door SYN-port 16959
9014 (SubSig 0) Back Door SYN-port 27573 : back door SYN-port 27573
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.7: SigWizMenu Option 4 ATOMIC.TCP
Selection> 5
4050 (SubSig 0) UDP Bomb :
4051 (SubSig 1) Snork :
4051 (SubSig 2) Snork :
4051 (SubSig 3) Snork :
4052 (SubSig 1) Chargen DoS :
4052 (SubSig 2) Chargen DoS :
4600 (SubSig 0) IOS Udp Bomb :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.8: SigWizMenu Option 5 ATOMIC.UDP
Note Figure 7.7 shows only a portion of the signatures within the ATOMIC.TCP micro-engine. There are about 60 signatures in this engine in total.
ATOMIC.ARP is for basic layer-2 ARP signatures and also for more advanced detection of the ARP spoofing tools dsniff and ettercap. Refer to Table 7.4 for the ATOMIC.ARP parameters.
Note ettercap supports active and passive dissection of several protocols. It features network and host analysis tools. In essence, it acts as a sniffer, interceptor, and logger for switched LANs. dsniff is a collection of tools used for penetration testing and auditing networks.
Table 7.4: ATOMIC.ARP Parameters (Name; Data Type; Protected; Required; Description)

ArpOperation
    Number 0–255; Protected: No; Required: No
    The ARP operation code the signature is interested in.
MacFlip
    Number 0–65535; Protected: No; Required: No
    If the MAC address changes this many times for the same IP address, an alarm fires.
RequestInBalance
    Number 0–65535; Protected: No; Required: No
    If there are this many more requests than replies for a particular IP address, an alarm fires.
WantDstBroadcast
    Boolean True/False; Protected: No; Required: No
    If the sensor detects an ARP destination address of 255.255.255.255, an alarm fires.
WantBroadcast
    Boolean True/False; Protected: No; Required: No
    If the sensor detects an ARP source address of 255.255.255.255, an alarm fires.
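The ATOMIC.ARP checks in Table 7.4 are cross-packet counters rather than single-packet matches, so it helps to see the bookkeeping they imply. The following Python is an added example written for this chapter, not Cisco's engine code: the ArpFrame record, the ArpInspector class, the alarm names it returns, and the frames fed to it are constructed here, and the thresholds are illustrative values.

```python
"""The ATOMIC.ARP parameter checks from Table 7.4, as an added illustration.

Not Cisco's code.  ArpFrame, ArpInspector, the alarm strings and the sample
frames are constructed for this example; MacFlip, RequestInBalance and the
broadcast checks follow the parameter descriptions in the table.
"""
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2          # ARP opcodes (ArpOperation values)
BROADCAST_IP = "255.255.255.255"       # never a valid ARP sender or target address


@dataclass(frozen=True)
class ArpFrame:
    operation: int
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpInspector:
    def __init__(self, mac_flip=3, request_inbalance=10,
                 want_dst_broadcast=True, want_src_broadcast=True):
        self.mac_flip = mac_flip                    # MacFlip threshold
        self.request_inbalance = request_inbalance  # RequestInBalance threshold
        self.want_dst_broadcast = want_dst_broadcast
        self.want_src_broadcast = want_src_broadcast
        self.last_mac = {}                  # sender IP -> MAC last seen claiming it
        self.flips = defaultdict(int)       # sender IP -> number of MAC changes observed
        self.requests = defaultdict(int)    # target IP -> requests seen for it
        self.replies = defaultdict(int)     # sender IP -> replies seen from it

    def inspect(self, frame):
        """Return the list of alarms this frame triggers (empty when it is benign)."""
        alarms = []
        if self.want_dst_broadcast and frame.target_ip == BROADCAST_IP:
            alarms.append("ARP destination broadcast")
        if self.want_src_broadcast and frame.sender_ip == BROADCAST_IP:
            alarms.append("ARP source broadcast")

        # MacFlip: one IP keeps being claimed by alternating MACs, the pattern left
        # by a spoofer racing the real owner for the victim's ARP cache.
        previous = self.last_mac.get(frame.sender_ip)
        if previous is not None and previous != frame.sender_mac:
            self.flips[frame.sender_ip] += 1
            if self.flips[frame.sender_ip] >= self.mac_flip:
                alarms.append("ARP MAC flip")
        self.last_mac[frame.sender_ip] = frame.sender_mac

        # RequestInBalance: many requests for an IP with few or no replies from it
        # (an unanswered address being hammered, or a scan of the subnet).
        if frame.operation == ARP_REQUEST:
            ip = frame.target_ip
            self.requests[ip] += 1
        elif frame.operation == ARP_REPLY:
            ip = frame.sender_ip
            self.replies[ip] += 1
        else:
            ip = None
        if ip is not None and self.requests[ip] - self.replies[ip] >= self.request_inbalance:
            alarms.append("ARP request imbalance")
        return alarms


def run_arp_stream(frames, **thresholds):
    """Feed constructed frames through one inspector; return the alarms per frame."""
    inspector = ArpInspector(**thresholds)
    return [inspector.inspect(f) for f in frames]
```

Four replies for 10.0.0.1 that alternate between the gateway's MAC and a second MAC produce three flips and one "ARP MAC flip" alarm on the last frame; ten requests for an address that never answers trip RequestInBalance on the tenth. Lowering MacFlip below 2 would alarm on a legitimate NIC replacement, so the threshold is a tuning decision for the segment being watched.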
The SERVICE Micro-Engine
Of all the service micro-engines (see Table 7.5), SERVICE.DNS and SERVICE.RPC are two of the more important engines. SERVICE works at layer 5 and above to analyze traffic between two hosts. Service engine signatures are one-to-one signatures that interpret payloads the way the live services would interpret them. The result of the interpretation is the set of decoded protocol fields, which are then compared against the signatures. These engines decode only enough of the data to make the comparison. As soon as the comparison can be made the alarm is triggered, which keeps resource utilization to a minimum.
Table 7.5: Service Micro-Engines

SERVICE.DNS       Analyzes the DNS service.
SERVICE.FTP       FTP service special decode alarms.
SERVICE.GENERIC   Custom service/payload decode. For expert use only.
SERVICE.HTTP      HTTP protocol decode-based string engine. Includes anti-evasive URL deobfuscation.
SERVICE.IDENT     IDENT service (client and server) alarms.
SERVICE.MSSQL     Microsoft SQL service inspection engine.
SERVICE.NTP       Network Time Protocol-based signature engine.
SERVICE.RPC       Analyzes the RPC service.
SERVICE.SMB       SMB SuperInspector signatures.
SERVICE.SMTP      Inspects the SMTP protocol.
SERVICE.SNMP      Inspects SNMP traffic.
SERVICE.SSH       SSH header decode signatures.
SERVICE.SYSLOG    Processes syslog messages.
The SERVICE.DNS micro-engines specialize in traffic on both TCP (see Figure 7.9) and UDP (see Figure 7.10) port 53. Port 53 is the standard port for DNS traffic. SERVICE.DNS does not have any required parameters, but for full coverage of DNS you must enable both the TCP and the UDP signatures. Other than that necessity, the engine is open to full customization of the signatures.
Selection> 10
6050 (SubSig 1) DNS HINFO-TCP :
6051 (SubSig 1) DNS Zone Xfer-TCP :
6052 (SubSig 1) DNS High Zone Xfer-TCP :
6053 (SubSig 1) DNS Request All-TCP :
6054 (SubSig 1) DNS Version Request-TCP :
6055 (SubSig 1) DNS IQUERY Overflow-TCP :
6055 (SubSig 2) DNS IQUERY Overflow-TCP :
6056 (SubSig 1) DNS NXT OVerflow-TCP :
6056 (SubSig 2) DNS NXT OVerflow-TCP :
6057 (SubSig 1) DNS SIG Overflow-TCP :
6057 (SubSig 2) DNS SIG Overflow-TCP :
6058 (SubSig 1) DNS SRV DoS-TCP :
6059 (SubSig 2) DNS TSIG Overflow-TCP :
6060 (SubSig 2) DNS Complain Overflow-TCP :
6060 (SubSig 3) DNS Complain Overflow-TCP :
6061 (SubSig 1) DNS Infoleak-TCP :
6062 (SubSig 1) DNS Authors Request-TCP :
6063 (SubSig 1) DNS Incremental Zone Transfer-TCP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.9: SigWizMenu Option 10 SERVICE.DNS.TCP
Selection> 11
6050 (SubSig 0) DNS HINFO-UDP :
6051 (SubSig 0) DNS Zone Xfer-UDP :
6052 (SubSig 0) DNS High Zone Xfer-UDP :
6053 (SubSig 0) DNS Request All-UDP :
6054 (SubSig 0) DNS IQUERY Overflow-UDP :
6055 (SubSig 0) DNS NXT Overflow-UDP :
6056 (SubSig 0) DNS SIG Overflow-UDP :
6057 (SubSig 0) DNS SRV DoS-UDP :
6058 (SubSig 0) DNS TSIG Overflow-UDP :
6059 (SubSig 1) DNS TSIG Overflow-UDP :
6060 (SubSig 0) DNS Complain Overflow-UDP :
6060 (SubSig 1) DNS Complain Overflow-UDP :
6061 (SubSig 0) DNS Infoleak-UDP :
6062 (SubSig 0) DNS Authors Request-UDP :
6063 (SubSig 0) DNS Incremental Zone Transfer-UDP :
6064 (SubSig 0) BIND Large OPT Record DoS : Large OPT
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.10: SigWizMenu Option 11 SERVICE.DNS.UDP
Note You need to enable both the UDP and the TCP signatures to have full coverage.
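The point that a service engine decodes "only enough to compare" is concrete in DNS: the header and the first question section are all that signatures such as Zone Xfer, Request All, HINFO, and Version Request need, and the TCP variants differ from the UDP ones only in the two-byte length prefix that frames each message. The following Python is an added example for this chapter, not the SERVICE.DNS engine itself: build_query constructs the test messages, the signature names are taken from Figures 7.9 and 7.10 but the matching conditions are this example's reading of them, and real traffic carries compression pointers and multiple questions that the decoder below deliberately does not handle.

```python
"""Decode just enough of a DNS query to compare it against SERVICE.DNS-style signatures.

Added example, not Cisco's engine.  build_query creates constructed test
messages; the matching rules are this example's interpretation of the
signature names in Figures 7.9 and 7.10.
"""
import struct

QTYPE_HINFO, QTYPE_TXT, QTYPE_IXFR, QTYPE_AXFR, QTYPE_ANY = 13, 16, 251, 252, 255
CLASS_IN, CLASS_CH = 1, 3


def build_query(name, qtype, qclass=CLASS_IN, txid=0x1234):
    """Construct a single-question DNS query (test input, not captured traffic)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_question(msg):
    """Return (name, qtype, qclass) of the first question, or None for responses."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount == 0:      # QR bit set: a response, nothing to match
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")   # not decoded here
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass


def dns_signatures(msg, transport):
    """Return the signature names a query matches; transport is 'udp' or 'tcp'."""
    question = parse_question(msg)
    if question is None:
        return []
    name, qtype, qclass = question
    suffix = "-TCP" if transport == "tcp" else "-UDP"
    hits = []
    if qtype == QTYPE_AXFR:
        hits.append("DNS Zone Xfer" + suffix)
    if qtype == QTYPE_IXFR:
        hits.append("DNS Incremental Zone Transfer" + suffix)
    if qtype == QTYPE_HINFO:
        hits.append("DNS HINFO" + suffix)
    if qtype == QTYPE_ANY:
        hits.append("DNS Request All" + suffix)
    if qclass == CLASS_CH and qtype == QTYPE_TXT and name == "version.bind":
        hits.append("DNS Version Request" + suffix)
    if qclass == CLASS_CH and qtype == QTYPE_TXT and name == "authors.bind":
        hits.append("DNS Authors Request" + suffix)
    return hits


def inspect_tcp_stream(data):
    """DNS over TCP prefixes each message with a 2-byte length; split and inspect each."""
    hits, pos = [], 0
    while pos + 2 <= len(data):
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        msg = data[pos + 2:pos + 2 + length]
        if len(msg) < length:                 # rest of the message has not arrived yet
            break
        hits.extend(dns_signatures(msg, "tcp"))
        pos += 2 + length
    return hits
```

An AXFR for a zone over UDP matches only the UDP signature, which is why the note above says both sets must be enabled: the same request inside a TCP stream is invisible to the UDP signature and must be picked up by its TCP twin after the length-prefixed framing is removed.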
The SERVICE.RPC engine decoder performs a full decode as an anti-evasive strategy. It handles fragmented messages and batched messages. The RPC port mapper operates on port 111; regular RPC messages are carried on any port greater than 550. RPC sweeps are very similar to TCP port sweeps with one exception: they count only unique ports to which valid RPC messages are sent. One other unique characteristic of the SERVICE.RPC engine is that it keys on each RPC program number for unique counting. In other words, counting occurs on an individual program basis. Figure 7.11 shows the signatures that fall into this category.
Selection> 13
6180 (SubSig 0) rexd Attempt :
6190 (SubSig 0) statd Buffer Overflow :
6191 (SubSig 0) ttdbserverd Buffer Overflow :
6192 (SubSig 0) mountd Buffer Overflow :
6193 (SubSig 0) cmsd Buffer Overflow :
6194 (SubSig 0) sadmind Buffer Overflow :
6195 (SubSig 0) amd Buffer Overflow :
6196 (SubSig 0) snmpXdmid Buffer Overflow :
6197 (SubSig 0) rpc yppaswdd overflow : yppaswdd overflow
6198 (SubSig 0) Long rwalld Message : rwalld String Format
6199 (SubSig 0) cachefsd overflow : cachfsd overflow
6275 (SubSig 0) SGI fam Attempt : Fam Attempt
6276 (SubSig 0) TooltalkDB overflow : TooltalkDB overflow
6277 (SubSig 0) Show Mount Recon : Show Mount Recon
6277 (SubSig 0) Show Mount Recon : Show Mount All Recon
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.11: SigWizMenu Option 13 SERVICE.RPC
The FLOOD Micro-Engine
Simply stated, FLOOD engines analyze flood-type traffic: traffic from many sources to a single host (n to 1), handled by FLOOD.HOST, or floods to the network, traffic from many sources to many destinations (n to n), handled by FLOOD.NET. Host floods use a counter that counts the packets per second (PPS) to each destination. Net floods, however, do not key the count on an address but instead maintain the count on a per virtual sensor basis. Analysis is done on a per-second basis for both host and net floods.
FLOOD engines have one configuration restriction: you have to specify the Rate parameter in both the host and net flood engine groups. FLOOD engines also ignore the WantFrag, MaxInspectLength, and ResetAfterIdle master engine parameters.
Note The concept of a virtual sensor is that if the physical sensor is monitoring more than one interface, the interfaces are configured into interface groups. There can be more than one interface group, but a virtual sensor is attached to only one interface group.
There are three FLOOD micro-engines. We will look at each in detail in the following sections.
FLOOD.HOST.ICMP
FLOOD.HOST.ICMP analyzes ICMP floods directed at a single host. Figure 7.12 shows the two signatures, 2152 ICMP Flood and 2153 ICMP Smurf attack, that are host flood signatures based on ICMP traffic.
Selection> 6
2152 (SubSig 0) ICMP Flood :
2153 (SubSig 0) ICMP Smurf attack :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.12: SigWizMenu Option 6 FLOOD.HOST.ICMP
Table 7.6 shows the configurable parameters for FLOOD.HOST.ICMP signatures.
Table 7.6: FLOOD.HOST.ICMP Parameters (Name; Data Type; Protected; Required; Description)

IcmpType
    Number 0–256; Protected: No; Required: No
    The ICMP header TYPE to count.
Rate
    Number; Protected: No; Required: Yes
    The maximum allowed packets per second (PPS).
FLOOD.HOST.UDP
FLOOD.HOST.UDP analyzes UDP floods directed at a single host. Figure 7.13 shows the single signature, 4002 UDP Flood, that is a host flood signature based on UDP traffic.
Selection> 7
4002 (SubSig 0) UDP Flood :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.13: SigWizMenu Option 7 FLOOD.HOST.UDP
Table 7.7 shows the configurable parameters for FLOOD.HOST.UDP signatures.
Table 7.7: FLOOD.HOST.UDP Parameters (Name; Data Type; Protected; Required; Description)

ExcludeDst1
    Number 0–65536; Protected: No; Required: No
    Destination port to exclude from flood counting.
ExcludeDst2
    Number 0–65536; Protected: No; Required: No
    Destination port to exclude from flood counting.
ExcludeDst3
    Number 0–65536; Protected: No; Required: No
    Destination port to exclude from flood counting.
Exclude1
    Number 0–65536; Protected: No; Required: No
    Source port to exclude from flood counting.
Exclude2
    Number 0–65536; Protected: No; Required: No
    Source port to exclude from flood counting.
Exclude3
    Number 0–65536; Protected: No; Required: No
    Source port to exclude from flood counting.
Rate
    Number; Protected: No; Required: Yes
    Threshold number of PPS. When the PPS is greater than the specified Rate, an alarm fires.
FLOOD.NET
FLOOD.NET analyzes network floods directed at a whole network segment. Figure 7.14 displays the current signatures in the FLOOD.NET micro-engine. Of special interest in FLOOD.NET is its learning mode, also called feedback mode. Feedback mode replaces the normal analysis of packets with a diagnostic alarm: simply stated, the alarm carries the maximum PPS count seen during the interval in its alertDetails values. This is good for baselining network traffic in order to tune the signatures. The engine is put into feedback mode by setting the Rate parameter to 0. Figure 7.14 shows the five signatures that are part of the FLOOD.NET micro-engine.
Selection> 8
6901 (SubSig 0) NET FLOOD Icmp Reply :
6902 (SubSig 0) NET FLOOD Icmp Request :
6903 (SubSig 0) NET FLOOD Icmp Any :
6910 (SubSig 0) NET FLOOD UDP :
6920 (SubSig 0) NET FLOOD TCP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.14: SigWizMenu Option 8 FLOOD.NET
Table 7.8 shows the configurable parameters for FLOOD.NET signatures.
Table 7.8: FLOOD.NET Parameters (Name; Data Type; Protected; Required; Description)

Gap
    Number; Protected: No; Required: No
    The number of seconds allowed within the ThrottleInterval where the PPS is below Rate.
    If more than Gap consecutive non-suspect seconds are seen, no alarm is triggered and the counting is reset.
IcmpType
    Number 0–256; Protected: No; Required: No
    The ICMP type value found in the header.
    Only valid when Protocol is set to ICMP.
Peaks
    Number; Protected: No; Required: No
    The threshold of suspect seconds.
    The alarm is triggered when Peaks suspect seconds are reached within a ThrottleInterval.
Rate
    Number; Protected: No; Required: No
    The threshold for PPS.
    A suspect second occurs when PPS > Rate.
    Remember to set the Rate value to 0 for diagnostic/feedback mode.
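The host and net flood engines described above differ in what they key on (a destination address versus the whole virtual sensor) and in how they turn per-second counts into an alarm (a simple Rate threshold versus the Rate, Peaks, Gap, and ThrottleInterval interplay of Table 7.8). The following Python is an added example for this chapter, not the FLOOD engine code: HostFloodCounter and NetFloodCounter are constructed here, the per-second packet profile in the tests is made up, and the way the ThrottleInterval bounds the Peaks window is this example's reading of the table.

```python
"""Host- and net-flood counting as described for the FLOOD micro-engines.

Added illustrative example, not Cisco's engine.  HostFloodCounter,
NetFloodCounter and the packet profiles used to exercise them are
constructed for this chapter.
"""
from collections import defaultdict


class HostFloodCounter:
    """FLOOD.HOST style: PPS is counted per destination; Rate is the threshold.

    exclude_src / exclude_dst mirror Exclude1..3 and ExcludeDst1..3 (Table 7.7):
    packets on those ports are left out of the count.
    """

    def __init__(self, rate, exclude_src=(), exclude_dst=()):
        self.rate = rate
        self.exclude_src = set(exclude_src)
        self.exclude_dst = set(exclude_dst)
        self.counts = defaultdict(int)        # (dst, second) -> packets seen

    def packet(self, dst, second, sport=None, dport=None):
        """Return True exactly when this packet pushes the destination past Rate."""
        if sport in self.exclude_src or dport in self.exclude_dst:
            return False
        key = (dst, second)
        self.counts[key] += 1
        return self.counts[key] == self.rate + 1


class NetFloodCounter:
    """FLOOD.NET style: one counter for the whole virtual sensor, no address key.

    A second with PPS > Rate is 'suspect'.  Peaks suspect seconds inside one
    ThrottleInterval fire the alarm; more than Gap consecutive quiet seconds
    reset the count.  Rate == 0 selects feedback (learning) mode, which reports
    the peak PPS seen instead of alarming.
    """

    def __init__(self, rate, peaks, gap, throttle_interval):
        self.rate, self.peaks, self.gap = rate, peaks, gap
        self.throttle_interval = throttle_interval
        self.per_second = defaultdict(int)    # second -> packets seen on the sensor

    def packet(self, second):
        self.per_second[second] += 1

    def evaluate(self, first, last):
        """Walk seconds first..last in order; return ('alarm', second) or ('feedback', peak)."""
        if self.rate == 0:
            peak = max((self.per_second[s] for s in range(first, last + 1)), default=0)
            return [("feedback", peak)]
        events, suspect, quiet, window_start = [], 0, 0, None
        for s in range(first, last + 1):
            if window_start is not None and s - window_start >= self.throttle_interval:
                suspect, window_start = 0, None     # interval elapsed short of Peaks
            if self.per_second[s] > self.rate:
                quiet = 0
                if window_start is None:
                    window_start = s
                suspect += 1
                if suspect >= self.peaks:
                    events.append(("alarm", s))
                    suspect, window_start = 0, None
            else:
                quiet += 1
                if quiet > self.gap:                # too many calm seconds: start over
                    suspect, window_start, quiet = 0, None, 0
        return events
```

With Rate 100, Peaks 3, and Gap 1, a profile of two loud seconds, one quiet second, and a third loud second alarms on that third loud second, while two quiet seconds in a row wipe the count so that the later pair of loud seconds never reaches Peaks. The same profile with Rate 0 yields a single feedback event carrying the peak PPS, which is the number you would use to choose a Rate for that segment.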
The STATE.HTTP Micro-Engine
The STATE.HTTP micro-engine encompasses signatures in the 3000 and 5000 series. There are about 415 signatures covered in this micro-engine. The STATE.HTTP micro-engine is especially useful if you are running a web server on nonstandard HTTP ports. Use Configuration | Sensing Engine | Signature Configuration | STATE.HTTP Service Ports in IDM to add those ports (see Figure 7.15). Choose option 14 to configure the parameters in SigWizMenu. For all the configuration parameters for this engine, refer to Table 7.9. Examples of some of these signatures are
Figure 7.15: IDM STATE.HTTP Service Ports
3221-WWW cgi-viewsource Attack: Fires when someone attempts to use the cgi-viewsource script to view files above the http root directory.
3222-WWW PHP Log Scripts Read Attack: Fires when someone attempts to use the PHP scripts mlog or mylog to view files on a machine.
3223-WWW IRIX cgi-handler Attack: Fires when someone attempts to use the cgi-handler script to execute commands.
3224-HTTP WebGais: Fires when someone attempts to use the webgais script to run arbitrary commands.
3225-WWW websendmail File Access: Fires when unauthorized attempts are made to read a file using the websendmail CGI program.
3226-WWW Webdist Bug: Fires when attempts are made to use the webdist program. False positive alarms will fire from normal use of the webdist program.
3227-WWW Htmlscript Bug: Fires when attempts are made to view files above the html root directory.
3228-WWW Performer Bug: Fires when attempts are made to view files above the html root directory.
3229-Website Win-C-Sample Buffer Overflow: Fires when attempts are made to access the win-c-sample program in the WebSite server distribution. Testing new WebSite servers or upgrades using the win-c-sample program can cause false positives. This script is for testing purposes and should be removed on production servers.
3230-Website Uploader: Fires when attempts are made to access the uploader program in the WebSite server distribution.
For a full list of all of these signatures, refer to Appendix A.
Table 7.9: STATE.HTTP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
ArgNameRegex | String | Yes | No | Regular expression searched for in the HTTP Arguments field.
ArgValueRegex | String | Yes | No | Regular expression searched for in the HTTP Arguments field after ArgNameRegex is matched. You have to define ArgNameRegex for this match to work. It is an ordered match.
Deobfuscate | Boolean: True/False | No | No | Use anti-evasive deobfuscation prior to searching for the RegexString.
Direction | Boolean: From Service / To Service | Yes | No | Indicates the direction in which the sensor is watching traffic at the service port.
HeaderRegex | String | Yes | No | Regular expression used to search within the HTTP Header field.
MaxArgFieldLength | Number | No | No | Maximum length of the Arguments field.
MaxHeaderFieldLength | Number | No | No | Maximum length of the Header field.
MaxRequestFieldLength | Number | No | No | Maximum length of the Request field.
MaxUriFieldLength | Number | No | No | Maximum length of the URI field.
ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides.
UriRegex | String | Yes | No | Regular expression used to search within the HTTP URI field.
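The following Python script is an added example and is not part of the original text or of Cisco's code. It splits one HTTP request into the four fields Table 7.9 names, applies Deobfuscate before the regexes run, enforces the ordered ArgNameRegex/ArgValueRegex match, and checks the Max*FieldLength limits. The signature it carries is constructed for illustration and is not a Cisco signature; the assumption that all configured regex conditions must match together for the alarm to fire, and all names in the script, are this example's own.

```python
"""
Added example, not from the original text: how the STATE.HTTP parameters of
Table 7.9 apply to one HTTP request. The request is split into the four fields
the table names (Request, URI, Arguments, Header). With Deobfuscate set, %XX
sequences in the URI and Arguments are decoded before the regexes run.
ArgValueRegex is only tried on the value of an argument whose name matched
ArgNameRegex (the ordered match). The Max*FieldLength limits fire on their own;
the regex conditions must all match for the signature to fire (an assumption
about how the engine combines them). The signature below is constructed for
illustration and is not a Cisco signature; names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class StateHttpSig:
    name: str
    uri_regex: Optional[str] = None
    header_regex: Optional[str] = None
    arg_name_regex: Optional[str] = None
    arg_value_regex: Optional[str] = None
    deobfuscate: bool = True
    max_request_len: Optional[int] = None
    max_uri_len: Optional[int] = None
    max_arg_len: Optional[int] = None
    max_header_len: Optional[int] = None


def split_fields(raw: str) -> Dict[str, str]:
    """Split a raw request into the Request, URI, Arguments and Header fields."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    uri, _, args = target.partition("?")
    return {"Request": lines[0], "URI": uri, "Arguments": args,
            "Header": "\r\n".join(lines[1:])}


def _arg_pairs(args: str, decode: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Split name=value&name=value, decoding each part separately so an
    encoded '&' or '=' inside a value cannot change the split."""
    pairs = []
    for item in args.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((decode(name), decode(value)))
    return pairs


def check_signature(raw: str, sig: StateHttpSig) -> Dict[str, object]:
    """Return the alarm decision plus which conditions matched."""
    f = split_fields(raw)
    length_hits = [label for label, limit, key in (
        ("MaxRequestFieldLength", sig.max_request_len, "Request"),
        ("MaxUriFieldLength", sig.max_uri_len, "URI"),
        ("MaxArgFieldLength", sig.max_arg_len, "Arguments"),
        ("MaxHeaderFieldLength", sig.max_header_len, "Header"))
        if limit is not None and len(f[key]) > limit]

    decode = unquote if sig.deobfuscate else (lambda s: s)
    conditions: Dict[str, bool] = {}
    if sig.uri_regex:
        conditions["UriRegex"] = re.search(sig.uri_regex, decode(f["URI"])) is not None
    if sig.header_regex:
        conditions["HeaderRegex"] = re.search(sig.header_regex, f["Header"]) is not None
    if sig.arg_name_regex:
        matched = False
        for name, value in _arg_pairs(f["Arguments"], decode):
            if re.search(sig.arg_name_regex, name) and (
                    sig.arg_value_regex is None or re.search(sig.arg_value_regex, value)):
                matched = True
                break
        conditions["ArgNameRegex/ArgValueRegex"] = matched

    regex_alarm = bool(conditions) and all(conditions.values())
    return {"alarm": regex_alarm or bool(length_hits),
            "length_hits": length_hits, "conditions": conditions}


# Constructed illustration: a traversal attempt in a CGI "file" argument,
# hex-encoded so a literal "../" search on the raw bytes would miss it.
TRAVERSAL_SIG = StateHttpSig(name="hypothetical-cgi-traversal",
                             uri_regex=r"/cgi-bin/", arg_name_regex=r"^file$",
                             arg_value_regex=r"\.\./", max_uri_len=256)
RAW_ONLY_SIG = StateHttpSig(name="same-without-deobfuscate",
                            uri_regex=r"/cgi-bin/", arg_name_regex=r"^file$",
                            arg_value_regex=r"\.\./", deobfuscate=False)

ENCODED_REQUEST = ("GET /cgi-bin/view.cgi?file=%2e%2e/%2e%2e/config.ini HTTP/1.0\r\n"
                   "Host: www.example.com\r\n\r\n")
BENIGN_REQUEST = ("GET /cgi-bin/view.cgi?file=readme.txt HTTP/1.0\r\n"
                  "Host: www.example.com\r\n\r\n")
LONG_URI_REQUEST = "GET /cgi-bin/" + "a" * 300 + " HTTP/1.0\r\n\r\n"
```

The same request is caught with Deobfuscate set and missed with it cleared, which is the practical reason the table marks it as a parameter worth leaving on for any signature whose regex contains a dot or a slash.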
The STRING Micro-Engine
The STRING micro-engine provides pattern analysis and alarm generation against regular expressions. It works on TCP, UDP, and ICMP. There are currently four STRING micro-engines.
STRING.HTTP has eight signatures (shown in Figure 7.16). These are specifically tailored to look for certain command strings in HTTP traffic.
Selection> 15
5123 (SubSig 0) WWW IIS Internet Printing Overflow : Host:<250+>
5168 (SubSig 0) Snapstream PVS Directory Traversal Vulnerability : ../
5169 (SubSig 0) Snapstream PVS Plaintext Password Vulnerability : ../ssd.ini
5172 (SubSig 0) WinWrapper Admin Server Directory Traversal : ../
5188 (SubSig 0) HTTP Tunnelling : GET /erc/Poll?machineKey
5188 (SubSig 0) HTTP Tunnelling : POST /index.html?crap
5191 (SubSig 0) ActivePerl PerlIS.dll Buffer Overflow : *.pl
5289 (SubSig 0) SQLXML ISAPI Buffer Overflow : contenttype=text/AAA…
<240+>…
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.16: SigWizMenu Option 15 STRING.HTTP
Table 7.10 shows the configurable parameters for STRING.HTTP signatures.
Table 7.10: STRING.HTTP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
Deobfuscate | Boolean: True/False | No | No | Use anti-evasive deobfuscation prior to searching for the RegexString.
Direction | Boolean: From Service / To Service | Yes | No | Indicates the direction in which the sensor is watching traffic at the service port.
MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match.
MultipleHits | Boolean: True/False | No | No | Search for multiple RegexStrings in a single packet.
PreFilterDepth | Number | No | No | Works with a list of strings to filter on or match before the Regex starts its search. At least one of the strings in that list must be found in the first PreFilterDepth bytes of the stream for it to be considered a valid web stream.
RegexString | String | Yes | Yes | Regular expression to search on.
ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides.
StripTelnetOptions | Boolean: True/False | No | No | Strips Telnet option characters from the data before searching.
STRING.ICMP signatures fire upon detecting a series of three plus signs (+++) in an ICMP packet, as shown here:
Selection> 16
2155 (SubSig 0) Modem DoS : +++ (ICMP)
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Table 7.11 shows the configurable parameters for STRING.ICMP signatures.
Table 7.11: STRING.ICMP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
Direction | Boolean: From Service / To Service | No | No | Indicates the direction in which the sensor is watching traffic at the service port.
MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match.
MultipleHits | Boolean: True/False | No | No | Search for multiple RegexStrings in a single packet.
RegexString | String | Yes | Yes | Regular expression to search on.
ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides.
StripTelnetOptions | Boolean: True/False | No | No | Strips Telnet option characters from the data before searching.
STRING.TCP looks for strings in commands or arguments in TCP sessions. There are about 165 different signatures in this micro-engine. Refer to Appendix A for a complete list.
Examples of some of the signatures are
3117-KLEZ worm: The alarm triggers when a filename Gn.Exe is found as an audio/x-wav attachment to an e-mail.
3118-rwhoisd format string: This sig fires upon detecting a soa command sent to an rwhois server with a large argument.
3119-WS_FTP STAT overflow: Fires upon detecting a STAT command with an argument that is greater than 450 characters.
3120-ANTS virus: The alarm triggers when an e-mail is found with the attachment ANTS3SET.EXE.
3121-Vintra MailServer EXPN DoS: Fires when *@ is detected as the argument to the SMTP command EXPN.
3122-SMTP EXPN root Recon: Fires when an attempt to expand the e-mail alias of the root user with the SMTP command EXPN is detected.
3123-NetBus Pro Traffic: The alarm fires upon detecting a NetBus Pro communications channel setup.
3124-Sendmail prescan Memory Corruption: This signature looks for an abnormally long (1000+ characters) MAIL FROM (SubSig 0) or RCPT TO (SubSig 1) SMTP command.
Table 7.12 shows the configurable parameters for STRING.TCP signatures.
Table 7.12: STRING.TCP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
Direction | Boolean: From Service / To Service | Yes | No | Indicates the direction in which the sensor is watching traffic at the service port.
MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match.
MultipleHits | Boolean: True/False | No | No | Search for multiple RegexStrings in a single packet.
RegexString | String | Yes | Yes | Regular expression to search on.
ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides.
StripTelnetOptions | Boolean: True/False | No | No | Strips Telnet option characters from the data before searching.
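The following Python script is an added example and is not part of the original text or of Cisco's code. It shows the three STRING.TCP parameters of Table 7.12 that change what the regular expression actually sees: StripTelnetOptions, MinMatchLength and MultipleHits. The session bytes are constructed to mirror the 3119 description (a STAT command with an argument longer than 450 characters); the regular expression is this example's own and not the one Cisco ships in 3119.

```python
"""
Added example, not from the original text: the three STRING parameters that
change what the regex sees (Table 7.12). StripTelnetOptions removes Telnet
negotiation bytes (IAC sequences) before the search, MinMatchLength discards
matches shorter than the limit, and MultipleHits decides whether one packet can
report more than one match. The signature and the session bytes below are
constructed to mirror the 3119 description (a STAT command with an argument of
more than 450 characters); the regex is this example's own, not Cisco's.
"""
import re
from dataclasses import dataclass
from typing import List

IAC, SE, SB = 0xFF, 0xF0, 0xFA
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: each followed by one option byte


def strip_telnet_options(data: bytes) -> bytes:
    """Remove Telnet option negotiation from a stream, keeping escaped 0xFF bytes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            i = n                               # dangling IAC at the end: drop it
        elif data[i + 1] == IAC:
            out.append(IAC)                     # IAC IAC is a literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3                              # IAC <WILL|WONT|DO|DONT> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2       # IAC SB ... IAC SE (drop if unterminated)
        else:
            i += 2                              # any other two-byte IAC command
    return bytes(out)


@dataclass
class StringSig:
    regex: bytes
    min_match_length: int = 0
    multiple_hits: bool = False
    strip_telnet_options: bool = True


def match_string_sig(payload: bytes, sig: StringSig) -> List[bytes]:
    """Return the matches that would raise an alarm for this payload."""
    data = strip_telnet_options(payload) if sig.strip_telnet_options else payload
    hits = []
    for m in re.finditer(sig.regex, data):
        if len(m.group(0)) < sig.min_match_length:
            continue                            # too short to count
        hits.append(m.group(0))
        if not sig.multiple_hits:
            break                               # first qualifying match only
    return hits


# Constructed session: Telnet negotiation interleaved with FTP commands. The
# IAC DO TSPEED sequence (option 32 = 0x20, which is also the space byte) lands
# in the middle of each long argument, which is what an unstripped regex trips on.
SAMPLE_STREAM = (
    b"\xff\xfb\x18"                              # IAC WILL TERMINAL-TYPE
    + b"\xff\xfd\x01"                            # IAC DO ECHO
    + b"USER anonymous\r\n"
    + b"STAT " + b"A" * 200 + b"\xff\xfd\x20" + b"A" * 260 + b"\r\n"
    + b"STAT " + b"B" * 300 + b"\xff\xfd\x20" + b"B" * 200 + b"\r\n"
)
LONG_STAT_SIG = StringSig(regex=rb"STAT +\S+", min_match_length=455)
```

With StripTelnetOptions cleared, the option bytes split each argument and both STAT lines fall below MinMatchLength, so the signature stays silent on a session that is exactly what it was written for; with it set, the first line matches, and MultipleHits decides whether the second line is reported as well.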
STRING.UDP looks for strings in UDP traffic. Without beating this to a pulp, remember that we are looking at strings in payloads. A lot of the tools used to exploit systems use UDP. Refer to Appendix A for a complete list. Some examples of UDP string signatures are
4607-Deep Throat Response: This signature triggers when the string My Mouth is Open is detected in a UDP packet sent on well-known Deep Throat UDP ports. Alarm level 5.
4608-Trinoo (UDP): This signature triggers when the string trinoo is detected on any UDP port known to carry Trinoo traffic. Alarm level 5.
4609-Orinoco SNMP Info Leak: This signature triggers when a specially crafted packet is detected with a destination of UDP port 192. This is a good indicator that attempts are being made to retrieve the SNMP community names from the target. Alarm level 4.
4610-Kerberos 4 User Recon: This signature triggers when a null character sent to UDP port 750 is detected. This is a good indicator that a Kerberos user recon attack may be occurring. Alarm level 0.
Table 7.13 shows the configurable parameters for STRING.UDP signatures.
Table 7.13: STRING.UDP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
Direction | Boolean: From Service / To Service | No | No | Indicates the direction in which the sensor is watching traffic at the service port.
MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match.
ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides.
The SWEEP Micro-Engine
All of the SWEEP signatures' alarm conditions depend on the count kept for the Unique parameter. Unique is the threshold parameter that causes the signature to fire the alarm when more than the configured "Unique" number of ports or hosts is seen on the address set within the time period. This process, tracking unique port/host traffic, is referred to as counting. In order for traffic to be put into the counting section, other parameters such as Mask/TcpFlags, IcmpType, the WantFrag Boolean, and/or the UDP ports must also match. If the packet conditions are not met and a sweep occurs without alarming, check the settings for these parameters and tune as necessary.
The SWEEP micro-engines include the following types.
SWEEP.HOST.*
The SWEEP.HOST.* micro-engines analyze traffic from a single host to many hosts, specifically ICMP and TCP. The two micro-engines are SWEEP.HOST.ICMP and SWEEP.HOST.TCP (see Figures 7.17 and 7.18). The signatures fire when the Unique count of hosts exceeds the configured setting. Examples of these signatures are
Selection> 19
2100 (SubSig 0) Net Sweep-Echo :
2101 (SubSig 0) Net Sweep-Time :
2102 (SubSig 0) Net Sweep-Mask :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.17: SigWizMenu Option 19 SWEEP.HOST.ICMP
Selection> 20
3030 (SubSig 0) TCP SYN Host Sweep :
3031 (SubSig 0) TCP FRAG SYN Host Sweep :
3032 (SubSig 0) TCP FIN Host Sweep :
3033 (SubSig 0) TCP FRAG FIN Host Sweep :
3034 (SubSig 0) TCP NULL Host Sweep :
3035 (SubSig 0) TCP FRAG NULL Host Sweep :
3036 (SubSig 0) TCP SYN/FIN Host Sweep :
3037 (SubSig 0) TCP FRAG SYN/FIN Host Sweep :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.18: SigWizMenu Option 20 SWEEP.HOST.TCP
2100-ICMP Network Sweep w/Echo: Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). Alarm level 3.
2101-ICMP Network Sweep w/Timestamp: Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request). Alarm level 5.
2102-ICMP Network Sweep w/Address Mask: Fires when IP datagrams are received directed at multiple hosts on the network with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). Alarm level 5.
3030-TCP SYN Host Sweep: Fires when a series of TCP SYN packets have been sent to the same destination port on a number of different hosts. Alarm level 2.
3031-TCP FRAG SYN Host Sweep: Fires when a series of fragmented TCP SYN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.
3032-TCP FIN Host Sweep: Fires when a series of TCP FIN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.
3033-TCP FRAG FIN Host Sweep: Fires when a series of fragmented TCP FIN packets have been sent to the same destination port on a number of different hosts. Alarm level 5.
3034-TCP NULL Host Sweep: Fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
3035-TCP FRAG NULL Host Sweep: Fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
3036-TCP SYN FIN Host Sweep: Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
3037-TCP FRAG SYN FIN Host Sweep: Fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to the same destination port on a number of different hosts. Alarm level 5.
Table 7.14 shows the configurable parameters for SWEEP.HOST.ICMP signatures.
Table 7.14: SWEEP.HOST.ICMP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
IcmpType | Number | No | Yes | ICMP header type of interest.
Unique | Number 2–40 | No | Yes | Maximum Unique connections to the target.
Table 7.15 shows the configurable parameters for SWEEP.HOST.TCP signatures.
Table 7.15: SWEEP.HOST.TCP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
Mask | BITSET: FIN/SYN/RST/PSH/ACK/URG | No | Yes | Mask used for the TcpFlags comparison.
TcpFlags | BITSET: FIN/SYN/RST/PSH/ACK/URG | Yes | Yes | TCP flags to match when masked by the Mask parameter.
Unique | Number 2–40 | No | Yes | Maximum Unique connections to the target.
SWEEP.PORT.*
The SWEEP.PORT.* micro-engines analyze the traffic between two specific hosts and ports. Like the SWEEP.HOST.* engines, SWEEP.PORT.* engines count unique port connections between the hosts. The two micro-engines that fall into this category are SWEEP.PORT.TCP and SWEEP.PORT.UDP (see Figures 7.19 and 7.20). The signatures fire when the Unique count of port connections exceeds the configured setting. At this time, there are only 14 signatures in total in these two micro-engines. They are
Selection> 21
3001 (SubSig 0) TCP Port Sweep :
3002 (SubSig 0) TCP SYN Port Sweep :
3003 (SubSig 0) TCP FRAG SYN Port Sweep :
3005 (SubSig 0) TCP FIN Port Sweep :
3006 (SubSig 0) TCP FRAG FIN Port Sweep :
3010 (SubSig 0) TCP High Port Sweep :
3011 (SubSig 0) TCP FIN High Port Sweep :
3012 (SubSig 0) TCP FRAG FIN High Port Sweep :
3015 (SubSig 0) TCP Null Port Sweep :
3016 (SubSig 0) TCP FRAG Null Port Sweep :
3020 (SubSig 0) TCP SYN FIN Port Sweep :
3021 (SubSig 0) TCP FRAG SYN FIN Port Sweep :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.19: SigWizMenu Option 21 SWEEP.PORT.TCP
Selection> 22
4001 (SubSig 0) UDP Port Sweep :
4003 (SubSig 0) Nmap Udp Port Sweep : NMAP UDP port Sweep :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.20: SigWizMenu Option 22 SWEEP.PORT.UDP
3001-TCP Port Sweep: Fires when a series of TCP connections to a number of different privileged ports (port number < 1024) on a specific host have been initiated.
3002-TCP SYN Port Sweep: Fires when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host. Alarm level 3.
3003-TCP Frag SYN Port Sweep: Fires when a series of fragmented TCP SYN packets are sent to several different destination ports on a specific host. Alarm level 5.
3005-TCP FIN Port Sweep: Fires when a series of TCP FIN packets have been sent to a number of different privileged ports (port number < 1024) on a specific host.
3006-TCP Frag FIN Port Sweep: Fires when a series of fragmented TCP FIN packets have been sent to several different privileged destination ports (port number less than 1024) on a specific host. Alarm level 5.
3010-TCP High Port Sweep: Fires when a series of TCP connections to several different high-numbered ports (port number > 1023) on a specific host have been initiated. Alarm level 0.
3011-TCP FIN High Port Sweep: Fires when a series of TCP FIN packets have been sent to several different high-numbered destination ports (port number greater than 1023) on a specific host. Alarm level 5.
3012-TCP Frag FIN High Port Sweep: Fires when a series of fragmented TCP FIN packets have been sent to several different high-numbered destination ports (port number > 1023) on a specific host. Alarm level 5.
3015-TCP Null Port Sweep: Fires when a series of TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to several different destination ports on a specific host. Alarm level 5.
3016-TCP Frag Null Port Sweep: Fires when a series of fragmented TCP packets with none of the SYN, FIN, ACK, or RST flags set have been sent to several different destination ports on a specific host. Alarm level 5.
3020-TCP SYN FIN Port Sweep: Fires when a series of TCP packets with both the SYN and FIN flags set have been sent to several different destination ports on a specific host. Alarm level 5.
3021-TCP Frag SYN FIN Port Sweep: Fires when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to several different destination ports on a specific host. Alarm level 5.
4001-UDP Port Sweep: Fires when a series of UDP connections to several different destination ports on a specific host have been initiated. This is an indicator of a reconnaissance sweep of your network. Be wary of potentially more serious attacks. Alarm level 0.
4003-Nmap UDP Port Sweep: Fires when a series of UDP connections to several different privileged ports (port number < 1024) on a specific host have been initiated.
Table 7.16 shows the configurable parameters for SWEEP.PORT.TCP signatures.
Table 7.16: SWEEP.PORT.TCP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
InvertedSweep | Boolean: True/False | No | No | Forces the sensor to compare the signature against traffic to the source port instead of the destination port for unique counting.
Mask | BITSET: FIN/SYN/RST/PSH/ACK/URG | Yes | Yes | Mask used for the TcpFlags comparison.
PortRange | Number | No | Yes | Three port range options: (1) for low ports, (2) for high ports, (0) for all ports.
SupressReverse | Boolean: True/False | No | No | Suppresses the alarm when a sweep is going in the opposite direction.
TcpFlags | BITSET: FIN/SYN/RST/PSH/ACK/URG | Yes | Yes | TCP flags to match when masked by the Mask parameter.
Unique | Number 2–40 | No | Yes | Maximum Unique connections to the target.
Table 7.17 shows the configurable parameters for SWEEP.PORT.UDP signatures.
Table 7.17: SWEEP.PORT.UDP Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
PortsInclude | String | Yes | Yes | List of ports and/or ranges for the engine to inspect for sweeps.
Unique | Number 2–40 | No | Yes | Maximum Unique connections between two hosts.
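The following Python script is an added example and is not part of the original text or of Cisco's code. It implements the Unique counting described at the start of the SWEEP section for SWEEP.HOST.TCP (distinct destination hosts reached from one source on one destination port, Table 7.15) and SWEEP.PORT.TCP (distinct destination ports between one source and one destination, with PortRange from Table 7.16). The Mask/TcpFlags test is what decides whether a packet enters the count at all. Packets, parameter values and all names are constructed for illustration.

```python
"""
Added example, not from the original text: the Unique counting that the SWEEP
text describes, for SWEEP.HOST.TCP (distinct destination hosts reached from
one source on one destination port) and SWEEP.PORT.TCP (distinct destination
ports between one source and one destination). A packet enters the count only
if its flags, masked by Mask, equal TcpFlags, and for the port sweep only if
its port falls inside PortRange. The alarm fires once the count exceeds Unique.
Packets and parameter values are constructed for illustration; the functions
and the Pkt record are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SCAN_MASK = FIN | SYN | RST | ACK   # bits that distinguish SYN, FIN, NULL and SYN/FIN probes


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class SweepParams:
    mask: int              # Mask: which flag bits are compared
    tcp_flags: int         # TcpFlags: value expected after masking
    unique: int            # Unique: alarm when the count exceeds this
    port_range: int = 0    # PortRange (SWEEP.PORT.TCP): 0 all, 1 low (<1024), 2 high (>1023)


def flags_match(p: Pkt, s: SweepParams) -> bool:
    return (p.flags & s.mask) == s.tcp_flags


def in_port_range(port: int, port_range: int) -> bool:
    if port_range == 1:
        return port < 1024
    if port_range == 2:
        return port > 1023
    return True


def host_sweep_alarms(pkts: List[Pkt], s: SweepParams) -> List[Tuple[str, int]]:
    """SWEEP.HOST.TCP: (src, dport) keys whose distinct-destination count exceeded Unique."""
    seen: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    fired: List[Tuple[str, int]] = []
    for p in pkts:
        if not flags_match(p, s):
            continue
        key = (p.src, p.dport)
        seen[key].add(p.dst)
        if len(seen[key]) > s.unique and key not in fired:
            fired.append(key)
    return fired


def port_sweep_alarms(pkts: List[Pkt], s: SweepParams) -> List[Tuple[str, str]]:
    """SWEEP.PORT.TCP: (src, dst) keys whose distinct-port count exceeded Unique."""
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    fired: List[Tuple[str, str]] = []
    for p in pkts:
        if not flags_match(p, s) or not in_port_range(p.dport, s.port_range):
            continue
        key = (p.src, p.dst)
        seen[key].add(p.dport)
        if len(seen[key]) > s.unique and key not in fired:
            fired.append(key)
    return fired


# Constructed packets: a SYN host sweep of port 22 across six hosts, a SYN/FIN
# port sweep of one host, and an ordinary connection to a web server.
SAMPLE_PACKETS = (
    [Pkt("10.0.0.5", f"192.168.1.{i}", 40000 + i, 22, SYN) for i in range(1, 7)]
    + [Pkt("10.0.0.9", "192.168.1.10", 51000, port, SYN | FIN)
       for port in (21, 22, 23, 25, 80, 110, 8080)]
    + [Pkt("10.0.0.7", "192.168.1.20", 52000, 80, SYN),
       Pkt("10.0.0.7", "192.168.1.20", 52000, 80, ACK | PSH)]
)
SYN_SWEEP = SweepParams(mask=SCAN_MASK, tcp_flags=SYN, unique=5)
SYNFIN_LOW_PORTS = SweepParams(mask=SCAN_MASK, tcp_flags=SYN | FIN, unique=5, port_range=1)
```

Note that the SYN/FIN probes never enter the SYN sweep's count because the masked flags differ, and that raising Unique to 6 or restricting PortRange to high ports silences the port sweep on the same packets: when a sweep you can see in a capture does not alarm, these are the parameters to check, as the section says.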
SWEEP.RPC
SWEEP.RPC is the final SWEEP micro-engine (Figure 7.21). It analyzes Remote Procedure Call (RPC) traffic between hosts. The signatures that fall under the SWEEP.RPC micro-engine are
Selection> 23
6110 (SubSig 0) RPC RSTATD Sweep :
6111 (SubSig 0) RPC RUSESRD Sweep :
6112 (SubSig 0) RPC NFS Sweep :
6113 (SubSig 0) RPC MOUNTD Sweep :
6114 (SubSig 0) RPC YPASSWDD Sweep :
6115 (SubSig 0) RPC SELECTION SVC Sweep :
6116 (SubSig 0) RPC REXD Sweep :
6117 (SubSig 0) RPC STATUS Sweep :
6118 (SubSig 0) RPC TTDB Sweep :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Figure 7.21: SigWizMenu Option 23 SWEEP.RPC
6110-RPC RSTATD Sweep: Fires when RPC requests are made to many ports for the RSTATD program. Alarm level 5.
6111-RPC RUSERSD Sweep: Fires when RPC requests are made to many ports for the RUSERSD program. Alarm level 5.
6112-RPC NFS Sweep: Fires when RPC requests are made to many ports for the NFS program. Alarm level 5.
6113-RPC MOUNTD Sweep: Fires when RPC requests are made to many ports for the MOUNTD program. Alarm level 5.
6114-RPC YPPASSWDD Sweep: Fires when RPC requests are made to many ports for the YPPASSWDD program. Alarm level 5.
6115-RPC SELECTION_SVC Sweep: Fires when RPC requests are made to many ports for the SELECTION_SVC program. Alarm level 5.
6116-RPC REXD Sweep: Fires when RPC requests are made to many ports for the REXD program. Alarm level 5.
6117-RPC STATUS Sweep: Fires when RPC requests are made to many ports for the STATUS program. Alarm level 5.
6118-RPC ttdb Sweep: Fires on an attempt to access the ToolTalk database daemon on multiple ports on a single host. Alarm level 5.
Table 7.18 shows the configurable parameters for SWEEP.RPC signatures.
Table 7.18: SWEEP.RPC Parameters
Parameter | Data Type | Protected | Required | Description
Master parameters | | | | Refer to Table 7.1 for the master parameters.
RpcProgram | Number | Yes | Yes | RPC program number requested.
Unique | Number 2–40 | No | Yes | Maximum number of destination ports allowed to receive RPCs requesting program number RpcProgram.
If you would like more information regarding any of the preceding signatures, refer to Appendix A or go to Cisco's web site: http://www.cisco.com.
The OTHER Engine
After going through the ten or so different signature series and becoming familiar with the different micro-engines, you may have wondered: what if there is a signature that does not fit the other engines? What happens? Does Cisco just forget about it? Not a chance. What Cisco has done is create an engine for all the signatures that do not fit any other engine's protocol decode. It's called the OTHER engine. The OTHER engine does not allow you to define any custom signatures or add any signatures. The signatures that fall into the OTHER engine are
993-Missed Packet Count: This signature is triggered when the sensor is dropping packets, and the percentage dropped can be used to help you tune the traffic level you are sending to the sensor. For example, if the alarms show a low count of dropped packets or even zero, the sensor is monitoring the traffic without being overutilized. On the other hand, if 993 alarms show a high count of dropped packets, the sensor may be oversubscribed. Alarm level 1.
994-Traffic Flow Started: This signature triggers when traffic to the sniffing interface is detected for the first time or resumes after an outage. SubSig 1 fires when initial network activity is detected. SubSig 2 fires when the link (physical) layer becomes active. Alarm level 1.
995-Traffic Flow Stopped: Subsignature 1 is triggered when no traffic is detected on the sniffing interface. You can tune the timeout for this via the TrafficFlowTimeout parameter. Subsignature 2 is triggered when a physical link is not detected. Alarm level 1.
996-Route Up: This signifies that traffic between the sensor and the director has started. When the services on the director and/or sensor are started, this alarm will appear in the event viewer. Alarm level 1.
997-Route Down: This signifies that traffic between the sensor and the director has stopped. When the services on the director and/or sensor are stopped, this alarm will appear in the event viewer. Alarm level 1.
998-Daemon Down: One or more of the IDS sensor services has stopped.
999-Daemon Unstartable: One or more of the IDS sensor services is unable to be started.
1200-IP Fragmentation Buffer Full: This signature is triggered when there is an excessive amount of incomplete fragmented traffic detected on the protected network. Alarm level 1.
1201-IP Fragment Overlap: This signature is triggered when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. Alarm level 5.
1202-IP Fragment Overrun - Datagram Too Long: Fires when a reassembled fragmented datagram would exceed the declared IP data length or the maximum datagram length. Alarm level 5.
1203-IP Fragment Overwrite - Data is Overwritten: Fires upon detecting an IP fragment that overlaps a previous fragment. This behavior is consistent with the Ping of Death. Alarm level 5.
1204-IP Fragment Missing Initial Fragment: Fires when a datagram cannot be reassembled due to missing initial data. Alarm level 1.
1205-IP Fragment Too Many Datagrams: This signature is triggered when there is an excessive number of incomplete fragmented datagrams detected on the network. Alarm level 2.
1206-IP Fragment Too Small: Fires when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted. Alarm level 2.
1207-IP Fragment Too Many Frags: This signature is triggered when there is an excessive number of fragments for a given datagram. This is most likely either a Denial-of-Service attack or an attempt to bypass security measures. Alarm level 2.
1208-IP Fragment Incomplete Datagram: Fires when a datagram cannot be fully reassembled due to missing data. Alarm level 2.
1220-Jolt2 Fragment Reassembly DoS attack: This alarm will fire when multiple fragments are received, all claiming to be the last fragment of an IP datagram. Alarm level 5.
3050-Half-open SYN Attack: Fires when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Alarm level 5.
3250-TCP Hijack: Fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP hijacking is used to gain illegal access to network resources. False positives are possible. Alarm level 5.
3251-TCP Hijacking Simplex Mode: Fires when both data streams of a TCP connection indicate that TCP hijacking has occurred. TCP hijacking is used to gain illegal access to network resources. Simplex mode means that only one command is sent, followed by a connection RESET packet, which makes recognition of this signature different from regular TCP hijacking (sigID 3250). False positives are possible. The most common network event that may trigger this signature is an idle Telnet session. The TCP Hijack attack is a low-probability, high level-of-effort event. If it is successfully launched, it could lead to serious consequences, including system compromise. The source of these alarms should be investigated thoroughly before any actions are taken. Consulting a security professional to assist in the investigation is recommended. Alarm level 5.
5249-IDS Evasive Encoding: This signature looks for special characters such as Null %00, New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c in the URL of an HTTP request that have been encoded in hexadecimal instead of as the actual character. This is a technique used to evade detection of an attack. This signature is triggered if any of the above characters are detected as being encoded in part of the URL. Alarm level 4.
5250-IDS Evasive Double Encoding: This signature looks for the same special characters (Null %00, New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c) in the URL of an HTTP request that have been "doubly" encoded, that is, the percent sign of the hexadecimal encoding is itself encoded as %25, so %2e arrives as %252e. This is a technique used to evade detection of an attack. This signature is triggered if any of the aforementioned characters are detected as being doubly encoded as part of a URL. Alarm level 4.
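The following Python script is an added example and is not part of the original text or of Cisco's code. It performs the check that 5249 and 5250 describe on the request-target of an HTTP request, distinguishing single from double encoding of the six listed characters and ignoring the ordinary percent-encoding of spaces and non-ASCII text. Matching hex digits case-insensitively (%2E as well as %2e) is an assumption about how the sensor normalizes; the requests are constructed.

```python
"""
Added example, not from the original text: the check signatures 5249 and 5250
describe, applied to the request-target of an HTTP request. Single encoding
(5249) is any of the six listed characters written as %XX; double encoding
(5250) is the same with the percent sign itself encoded, so %2e arrives as
%252e. Encoding of other characters (spaces, non-ASCII) is normal and is not
flagged. Hex digits are matched case-insensitively (%2E as well as %2e), an
assumption about how the sensor normalizes; the requests are constructed.
"""
import re
from typing import Dict, List

# The six characters 5249/5250 watch for, keyed by their hex code.
EVASIVE_CODES = {"00": "NUL", "0a": "LF", "0d": "CR", "2e": ".", "2f": "/", "5c": "\\"}
_SINGLE = re.compile(r"%(00|0a|0d|2e|2f|5c)", re.IGNORECASE)
_DOUBLE = re.compile(r"%25(00|0a|0d|2e|2f|5c)", re.IGNORECASE)


def request_target(raw: str) -> str:
    """Return the URL part of the request line (method SP target SP version)."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""


def evasive_encoding(raw_request: str) -> Dict[str, List[str]]:
    """Map signature ID -> decoded characters found, for the signatures that fire."""
    url = request_target(raw_request)
    # "%252e" never matches _SINGLE: the "%" is followed by "25", which is not
    # one of the six codes, and the "2e" after it has no "%" of its own.
    single = [EVASIVE_CODES[m.group(1).lower()] for m in _SINGLE.finditer(url)]
    double = [EVASIVE_CODES[m.group(1).lower()] for m in _DOUBLE.finditer(url)]
    fired: Dict[str, List[str]] = {}
    if single:
        fired["5249"] = single
    if double:
        fired["5250"] = double
    return fired


# Constructed requests.
SINGLE_ENCODED = "GET /cgi-bin/%2e%2e%2Fconfig.ini HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
DOUBLE_ENCODED = "GET /cgi-bin/%252e%252e%255cconfig.ini HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
MIXED = "GET /a%00.html?next=%252f HTTP/1.0\r\n\r\n"
ORDINARY = "GET /search?q=caf%C3%A9%20au%20lait HTTP/1.0\r\n\r\n"
```

The ordinary request is the case that matters for tuning: percent-encoding by itself is not evasion, and a check that flagged every %XX would alarm on every non-ASCII query string. Only the six characters that change how a path is interpreted are reported.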
Table 7.19 shows the configurable parameters for the OTHER micro-engine signatures.
Table 7.19: OTHER Micro-Engine Parameters
Parameter | Data Type | Protected | Required | Description
HijackMaxOldAck | Number | No | No | Maximum number of old dataless client-to-server ACKs allowed before a Hijack alarm is triggered.
HijackReset | Boolean: True/False | No | No | The Hijack signature requires a reset.
ServicePorts | Port Range | No | No | List of ports and/or port ranges the target service may be listening on.
SynFloodMaxEmbryonic | Number | No | No | The maximum number of simultaneous embryonic connections allowed to any service. Embryonic connections are half-open connections.
TrafficFlowTimeout | Number | No | No | The number of seconds during which no traffic is detected on the segment before the alarm fires.