Supported Signatures

Unfortunately, Cisco's own documentation is not absolutely clear about the signatures supported in each specific version. The best way to check what your PIX can do in the area of attack detection is to scan the list of syslog messages produced by the specific version (for example, see the Cisco PIX Firewall System Log Messages guide). For version 6.2, syslog messages numbered from 400000 to 400050 are reserved for IDS messages. Their format is shown here (the field names are placeholders):

%PIX-4-4000nn: IDS:sig_num sig_msg from src_ip to dst_ip on interface int_name

www.syngress.com

176 Chapter 4 • Advanced PIX Configurations

This syslog message means that the PIX has detected an attack with number sig_num and name sig_msg. The two IP addresses show the source and the destination of this attack. Finally, the interface on which the attack was detected is mentioned. For example:

%PIX-4-400013 IDS:2003 ICMP redirect from 1.2.3.4 to 10.2.3.1 on interface dmz

Table 4.2 lists all signatures detected by PIX, with short descriptions.

Table 4.2 PIX IDS Signatures

Message   Signature   Signature Title                                   Signature Type
Number    ID
400000    1000        IP options-Bad Option List                        Informational
400001    1001        IP options-Record Packet Route                    Informational
400002    1002        IP options-Timestamp                              Informational
400003    1003        IP options-Security                               Informational
400004    1004        IP options-Loose Source Route                     Informational
400005    1005        IP options-SATNET ID                              Informational
400006    1006        IP options-Strict Source Route                    Informational
400007    1100        IP Fragment Attack                                Attack
400008    1102        IP Impossible Packet                              Attack
400009    1103        IP Fragments Overlap                              Attack
400010    2000        ICMP Echo Reply                                   Informational
400011    2001        ICMP Host Unreachable                             Informational
400012    2002        ICMP Source Quench                                Informational
400013    2003        ICMP Redirect                                     Informational
400014    2004        ICMP Echo Request                                 Informational
400015    2005        ICMP Time Exceeded for a Datagram                 Informational
400016    2006        ICMP Parameter Problem on Datagram                Informational
400017    2007        ICMP Timestamp Request                            Informational
400018    2008        ICMP Timestamp Reply                              Informational
400019    2009        ICMP Information Request                          Informational
400020    2010        ICMP Information Reply                            Informational
400021    2011        ICMP Address Mask Request                         Informational
400022    2012        ICMP Address Mask Reply                           Informational
400023    2150        Fragmented ICMP Traffic                           Attack
400024    2151        Large ICMP Traffic                                Attack
400025    2154        Ping of Death Attack                              Attack
400026    3040        TCP NULL flags                                    Attack
400027    3041        TCP SYN+FIN flags                                 Attack
400028    3042        TCP FIN only flags                                Attack
400029    3153        FTP Improper Address Specified                    Informational
400030    3154        FTP Improper Port Specified                       Informational
400031    4050        UDP Bomb attack                                   Attack
400032    4051        UDP Snork attack                                  Attack
400033    4052        UDP Chargen DoS attack                            Attack
400034    6050        DNS HINFO Request                                 Attack
400035    6051        DNS Zone Transfer                                 Attack
400036    6052        DNS Zone Transfer from High Port                  Attack
400037    6053        DNS Request for All Records                       Attack
400038    6100        RPC Port Registration                             Informational
400039    6101        RPC Port Unregistration                           Informational
400040    6102        RPC Dump                                          Informational
400041    6103        Proxied RPC Request                               Attack
400042    6150        ypserv (YP server daemon) Portmap Request         Informational
400043    6151        ypbind (YP bind daemon) Portmap Request           Informational
400044    6152        yppasswdd (YP password daemon) Portmap Request    Informational
400045    6153        ypupdated (YP update daemon) Portmap Request      Informational
400046    6154        ypxfrd (YP transfer daemon) Portmap Request       Informational
400047    6155        mountd (mount daemon) Portmap Request             Informational
400048    6175        rexd (remote execution daemon) Portmap Request    Informational
400049    6180        rexd (remote execution daemon) Attempt            Informational
400050    6190        statd Buffer Overflow                             Attack

The signature IDs listed in the table correspond to signature numbers on the Cisco Secure IDS appliance. See www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/sigs.htm (Cisco Secure Intrusion Detection System Version 2.2.1 User Guide) for a complete reference. All signatures are divided into two classes: informational and attack. The division is rather arbitrary and cannot be changed, but it makes sense most of the time. For example, all DoS attacks are listed as attacks, and all information requests only receive informational status. You might feel that if somebody tries to obtain information on RPC services on one of your hosts, this constitutes an attack, but it is still listed as informational by Cisco. Generalizing a little, it is possible to deduce the following logic in attack classification (from top to bottom in the table):

• Packets with IP options will not do any harm because they are always dropped by the PIX, so if these packets are detected, only an informational message is sent.

• Fragmented packets can pass through the firewall and are generally difficult to inspect, so they constitute an attack attempt.

• Legitimate ICMP traffic, although unwanted and possibly containing some information about your network (for example, ICMP Information Request), is not classified as an attack.

• Fragmented ICMP, Ping of Death, and so on are considered attacks.

• Impossible TCP flag combinations are considered attacks because they are sometimes used for stealth scanning of networks.

• All floods/DoS attempts (including the UDP Snork attack) are classified as attacks.

• DNS transfers are classified as attacks; they reveal too much about the network.

• General RPC requests and all information requests for various RPC services are not considered that harmful and are classified as informational.

• Some specific one-packet attacks on RPC services are recognized separately.
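The message format described at the start of this section and the informational/attack classes discussed above, put to work in an added example (not code from the book or from Cisco): a parser for the PIX IDS syslog lines that maps each message number to its signature class through a small subset of Table 4.2, plus a summary that counts events per class and interface and collects the sources of attack-class events. The sample log lines (including the non-IDS 106023 line) are constructed.

```python
import re
from collections import Counter

# Subset of Table 4.2: syslog message number -> (signature ID, title, class)
PIX_IDS_SIGNATURES = {
    400007: (1100, "IP Fragment Attack", "Attack"),
    400013: (2003, "ICMP Redirect", "Informational"),
    400014: (2004, "ICMP Echo Request", "Informational"),
    400027: (3041, "TCP SYN+FIN flags", "Attack"),
    400035: (6051, "DNS Zone Transfer", "Attack"),
}

# %PIX-4-4000nn: IDS:sig_num sig_msg from src_ip to dst_ip on interface int_name
# The colon after the message number is optional; the book's sample omits it.
IDS_LINE = re.compile(
    r"%PIX-4-(?P<msg>4000\d\d):?\s+IDS:(?P<sig>\d+)\s+(?P<title>.+?)\s+from\s+"
    r"(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+on\s+interface\s+(?P<iface>\S+)"
)

def parse_ids_line(line):
    """Parse one PIX IDS syslog line into a dict; return None for other messages."""
    m = IDS_LINE.search(line)
    if not m:
        return None
    msg_num = int(m.group("msg"))
    # Message numbers outside our table subset keep the line's own ID and title
    sig_id, title, cls = PIX_IDS_SIGNATURES.get(
        msg_num, (int(m.group("sig")), m.group("title"), "Unknown"))
    return {"msg_num": msg_num, "sig_id": sig_id, "title": title, "class": cls,
            "src": m.group("src"), "dst": m.group("dst"), "iface": m.group("iface")}

def summarize(lines):
    """Count IDS events per (class, interface) and collect the source addresses
    that triggered attack-class signatures; non-IDS syslog lines are skipped."""
    counts, attack_sources = Counter(), set()
    for ev in filter(None, map(parse_ids_line, lines)):
        counts[(ev["class"], ev["iface"])] += 1
        if ev["class"] == "Attack":
            attack_sources.add(ev["src"])
    return counts, attack_sources

# Constructed sample log, modelled on the book's %PIX-4-400013 example
SAMPLE_LOG = """\
%PIX-4-400013 IDS:2003 ICMP redirect from 1.2.3.4 to 10.2.3.1 on interface dmz
%PIX-4-400027: IDS:3041 TCP SYN+FIN flags from 192.0.2.7 to 10.2.3.5 on interface outside
%PIX-4-400035: IDS:6051 DNS Zone Transfer from 192.0.2.7 to 10.2.3.53 on interface outside
%PIX-4-106023: Deny tcp src outside:192.0.2.9/4444 dst inside:10.1.1.1/22 by access-group
%PIX-4-400014: IDS:2004 ICMP echo request from 10.2.3.9 to 10.2.3.1 on interface inside
""".splitlines()
```

Running summarize(SAMPLE_LOG) on the constructed log yields two attack-class events on the outside interface, both from 192.0.2.7, and one informational event each on dmz and inside.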