© 2001, Cisco Systems, Inc. CSIDS 2.07-1 Chapter 7 Cisco Secure Intrusion Detection System Signatures.

Transcript:

Chapter 7: Cisco Secure Intrusion Detection System Signatures

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Describe what a signature is.
– Name and identify signature implementations, structures, and classes.
– Describe what signature severities are.
– Name the attack probability and immediate threat level for the default severities.
– Name and identify all CSIDS signature series and their major categories.

Understanding Signatures

Signature Definition
A set of rules pertaining to typical intrusion activity that, when matched, generates a unique response.

Signature Implementations and Structures
Signature implementation
– Context: trigger data is contained in the packet header
– Content: trigger data is contained in the packet payload
Signature structure
– Atomic: trigger is contained in a single packet
– Composite: trigger is contained in a series of multiple packets

Signature Classes
Reconnaissance: triggers on activity known to be, or that could lead to, unauthorized discovery of systems, services, or vulnerabilities.
Access: triggers on activity known to be, or that could lead to, unauthorized data retrieval, system access, or privilege escalation.

Signature Classes (cont.)
DoS: triggers on activity known to be, or that could lead to, the disablement of a network, system, or service.
Information: triggers on normal network activity that in itself is not considered malicious, but can be used to determine the validity of an attack or for forensic purposes.

Signature Types
General: signatures that detect IP, ICMP, TCP, and UDP intrusion attempts.
Connection: signatures that detect TCP connection requests and traffic to UDP ports.
String: signatures that detect matches to defined string patterns.
ACL: signatures that detect violations of defined ACL policies.

Signature Series and Categories
1000 Series: IP
2000 Series: ICMP
3000 Series: TCP (including Legacy Web)
4000 Series: UDP
5000 Series: HTTP (Web)
6000 Series: Cross Protocol
8000 Series: String
ACL policy violation series

Signature Severities
Severity 1 (Low): signatures that detect network activity considered to be benign but detected for informational purposes. Attack probability: No. Immediate threat: Very Low.
Severity 3 (Medium): signatures that detect abnormal network activity, which could be perceived as malicious. Attack probability: Low. Immediate threat: Medium.
Severity 5 (High): signatures that detect attacks often used to gain access or cause a DoS. Attack probability: High. Immediate threat: Very High.

IP Signatures

1000 Series: IP Signatures
(Diagram: protocol stack Application / TCP, UDP / IP / Data Link / Physical, with the IP layer highlighted)
– IP Options
– IP Fragmentation
– Bad IP packets

IP Options
(Diagram: IP header fields Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto, Checksum, Source IP, Destination IP, Options..., Data..., with the Options field highlighted)
IP Header
– 20 bytes
IP Options
– Adds up to 40 additional bytes
– Only 8 valid options

IP Options (cont.)
(Diagram: option layout CP | Class | Option # | Length (if used) | Parameters...)
Copy (CP): 0 = do not include options in packet fragments; 1 = include options in packet fragments
Class: 0 = Network Control; 2 = Debugging
Option: one of eight valid options
Length: number of bytes in the option (if used by the option)
Parameters: parameters passed by the option
The last option is always option 0.

IP Option Signatures
1000 Bad option list: invalid option
1001 Record packet route: Option=7
1002 Timestamp: Option=4
1003 Provide s, c, h, tcc: Option=2
Option # / Option Name
0 End of Options
1 No Operation
2 Security
3 Loose Source Route
4 Timestamp
7 Record Route
8 Stream ID
9 Strict Source Route

IP Option Signatures (cont.)
1004 Loose source route: Option=3
1005 SATNET id: Option=8
1006 Strict source route: Option=9
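The option-list check behind signatures 1000 through 1006, as an added example that is not part of the Cisco course: it walks the raw Options bytes using the CP/Class/Option#/Length layout from the slides and reports which of the listed signature IDs a field would fire. The function names and the sample option bytes are constructed for illustration.

```python
"""Added example (not from the Cisco course): walk an IPv4 Options field and
report which 1000-series signature IDs listed on the slides would apply.
Option numbers, copy/class bits, the eight valid options and the
signature-to-option mapping come from the slides; the function names and
the packet bytes below are constructed for illustration."""

# Option number (low 5 bits of the first option byte) -> signature ID
OPTION_SIGNATURES = {
    7: 1001,  # Record packet route
    4: 1002,  # Timestamp
    2: 1003,  # Security (s, c, h, tcc)
    3: 1004,  # Loose source route
    8: 1005,  # SATNET id (Stream ID)
    9: 1006,  # Strict source route
}
VALID_OPTIONS = {0, 1, 2, 3, 4, 7, 8, 9}   # the eight valid options
ONE_BYTE_OPTIONS = {0, 1}                  # End of Options, No Operation
SIG_BAD_OPTION_LIST = 1000
MAX_OPTIONS_LEN = 40                       # options add up to 40 bytes


def parse_options(options):
    """Split the raw Options bytes into dicts (copy, class, number, data).
    Raises ValueError for a malformed list: unknown option number,
    bad length byte, truncated option, or more than 40 bytes."""
    if len(options) > MAX_OPTIONS_LEN:
        raise ValueError("options field longer than 40 bytes")
    parsed, i = [], 0
    while i < len(options):
        first = options[i]
        copy_flag = first >> 7            # CP bit
        opt_class = (first >> 5) & 0x3    # 0 = Network Control, 2 = Debugging
        number = first & 0x1F             # option number
        if number not in VALID_OPTIONS:
            raise ValueError("invalid option number %d" % number)
        if number in ONE_BYTE_OPTIONS:
            parsed.append({"copy": copy_flag, "class": opt_class,
                           "number": number, "data": b""})
            i += 1
            if number == 0:               # End of Options terminates the list
                break
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d truncated before its length byte" % number)
        length = options[i + 1]           # counts the type and length bytes too
        if length < 2 or i + length > len(options):
            raise ValueError("option %d has bad length %d" % (number, length))
        parsed.append({"copy": copy_flag, "class": opt_class, "number": number,
                       "data": bytes(options[i + 2:i + length])})
        i += length
    return parsed


def option_signatures(options):
    """Return the sorted list of signature IDs the Options field would fire:
    1000 for any malformed list, otherwise 1001-1006 per option present."""
    try:
        parsed = parse_options(options)
    except ValueError:
        return [SIG_BAD_OPTION_LIST]
    return sorted({OPTION_SIGNATURES[o["number"]] for o in parsed
                   if o["number"] in OPTION_SIGNATURES})


# Constructed sample Options fields (not captured traffic)
# Record Route: CP=0, class 0, number 7 -> 0x07; length 7, pointer 4, one empty slot
RECORD_ROUTE = bytes([0x07, 0x07, 0x04, 0, 0, 0, 0])
# Loose Source Route: CP=1, class 0, number 3 -> 0x83; length 7, pointer 4, hop 10.0.0.1
LOOSE_SOURCE_ROUTE = bytes([0x83, 0x07, 0x04, 10, 0, 0, 1])
# Two NOPs, a Timestamp option (CP=0, class 2, number 4 -> 0x44), then End of Options
NOP_TIMESTAMP = bytes([0x01, 0x01, 0x44, 0x04, 0x05, 0x00, 0x00])
# Option number 31 is not one of the eight valid options -> bad option list
BAD_LIST = bytes([0x1F, 0x04, 0x00, 0x00])
```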

IP Fragmentation Signatures
1100 IP Fragment Attack: offset value too small
– Indicates an unusually small packet
– May bypass some packet filter devices
1103 IP Fragments Overlap: offset value indicates overlap
– Teardrop attack
(Diagram: IP header with the Frag Offset field highlighted)

Bad IP Packet Signatures
1101 Unknown IP Protocol: Proto = invalid or undefined
1102 Impossible IP Packet: same source and destination
– Land attack
(Diagram: IP header with the Proto, Source IP, and Destination IP fields highlighted)

ICMP Signatures

2000 Series: ICMP Signatures
(Diagram: protocol stack with the IP layer highlighted)
– ICMP Traffic Records
– Ping Sweeps
– ICMP Attacks

ICMP Query Message
(Diagram: ICMP query message header Type | Code | Checksum | Identifier | Sequence # | Data...)
Type:
– 0 Echo Reply
– 8 Echo Request
– 13 Timestamp Request
– 14 Timestamp Reply
– 15 Information Request
– 16 Information Reply
– 17 Address Mask Request
– 18 Address Mask Reply
Code: codes associated with each ICMP type
Checksum: checksum of the header fields (excluding the checksum itself)

ICMP Query Message Signatures
2000 Echo Reply: Type=0
2004 Echo Request: Type=8
2007 Timestamp Request: Type=
Timestamp Reply: Type=14
(Diagram: IP header followed by the ICMP header, with the ICMP Type field highlighted)

ICMP Query Message Signatures (cont.)
2009 Information Request: Type=
Information Reply: Type=
Address Mask Request: Type=
Address Mask Reply: Type=18
(Diagram: IP header followed by the ICMP header, with the ICMP Type field highlighted)

ICMP Error Message
(Diagram: ICMP error message header Type | Code | Checksum | Unused, followed by the IP header + 8 bytes of the original datagram data)
Type:
– 3 Destination Unreachable
– 4 Source Quench
– 5 Redirect
– 11 Time Exceeded
– 12 Parameter Problem
Code: codes associated with each ICMP type
Checksum: checksum of the header fields (excluding the checksum itself)

ICMP Error Message Signatures
2001 Unreachable: Type=3
2002 Source Quench: Type=4
2003 Redirect: Type=5
2005 Time Exceeded: Type=
Parameter Problem: Type=12
(Diagram: IP header followed by the ICMP header, with the ICMP Type field highlighted)

Ping Sweep Signatures
2100 ICMP network sweep with Echo: Type=8, one host to multiple hosts
2101 ICMP network sweep with Timestamp: Type=13, one host to multiple hosts
2102 ICMP network sweep with Address Mask: Type=17, one host to multiple hosts
(Diagram: IP header followed by the ICMP header, with the ICMP Type field highlighted)

ICMP Attack Signatures
2150 Fragmented ICMP packet: Flag=more fragments or Offset /=
Large ICMP packet: Length >
ICMP Flood: many ICMP packets to a single host
(Diagram: IP header and ICMP header with the Flg, Frag Offset, and Length fields highlighted)

ICMP Attack Signatures (cont.)
2153 ICMP Smurf attack: Type=0 (echo reply), many packets to a single host
2154 ICMP Ping Of Death: Flag=last fragment, Offset*8 + Length >
(Diagram: IP header and ICMP header with the Proto, Flg, and Frag Offset fields highlighted)

TCP Signatures

TCP Signatures
(Diagram: protocol stack with the TCP and Application layers highlighted)
– TCP Traffic Records
– TCP Port Scans
– TCP Host Sweeps
– Mail Attacks
– FTP Attacks
– Legacy Web Attacks
– NetBIOS Attacks
– SYN Flood & TCP Hijack Attacks
– TCP Applications

TCP Traffic Records
3000 TCP Traffic Records
– Triggers on all TCP connections
– Subsignature ID is the port number
– 51 subsignatures: 50 predefined TCP ports + port 0 (catch-all)
– User-defined ports may be added
– Mostly used for tracking or forensics
– Subsignatures 512 (exec), 513 (rlogin), and 514 (rsh) are severity 3
– All other subsignatures are severity 1

TCP Port Scans
A TCP port scan occurs when one host searches for multiple TCP services on a single host.
Common scans
– use normal TCP SYN
Stealth scans
– use FIN, SYN-FIN, null, or PUSH
– and/or fragmented packets
(Diagram: IP header and TCP header fields Source Port, Dest Port, Sequence Number, Acknowledgement Number, Len, Res, Flags, Window, Checksum, Urgent Pointer)

TCP Port Scan Signatures
3001 Port Sweep: SYNs to ports < 1024; triggers when the type of sweep can't be determined
3002 SYN Port Sweep: SYNs to any ports
3003 Frag SYN Port Sweep: fragmented SYNs to many ports
3005 FIN port sweep: FINs to ports <
Frag FIN port sweep: fragmented FINs to ports <
High port sweep: SYNs to ports > 1023; triggers when the type of sweep can't be determined
3011 FIN High port sweep: FINs to ports > 1023

TCP Port Scan Signatures (cont.)
3012 Frag High FIN port sweep: fragmented FINs to ports >
Null port sweep: TCP packets without SYN, FIN, ACK, or RST to any ports
3016 Frag Null port sweep: fragmented TCP packets without SYN, FIN, ACK, or RST to any ports
3020 SYN FIN port sweep: SYN-FINs to any port
3021 Frag SYN/FIN port sweep: fragmented SYN/FINs to any ports
3045 Queso sweep: FIN, SYN/FIN, and a PUSH

TCP Host Sweeps
A TCP host sweep occurs when one host searches for a single TCP service on multiple hosts.
Common scans
– use normal TCP SYN
Stealth scans
– use FIN, SYN-FIN, and null
– and/or fragmented packets
(Diagram: IP header and TCP header fields Source Port, Dest Port, Sequence Number, Acknowledgement Number, Len, Res, Flags, Window, Checksum, Urgent Pointer)

TCP Host Sweep Signatures
3030 SYN host sweep: SYNs to the same port
3031 Frag SYN host sweep: fragmented SYNs to the same port
3032 FIN host sweep: FINs to the same port
3033 Frag FIN host sweep: fragmented FINs to the same port
3034 NULL host sweep: TCP packets without SYN, FIN, ACK, or RST to the same port
3035 Frag NULL host sweep: fragmented packets without SYN, FIN, ACK, or RST to the same port
3036 SYN/FIN host sweep: SYN-FINs to the same port
3037 Frag SYN/FIN host sweep: fragmented SYN-FINs to the same port
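The port scan versus host sweep distinction from the last four slides, as an added example that is not part of the Cisco course material: one source probing many ports on one host is a port scan, one source probing the same port on many hosts is a host sweep, and the flag combination plus fragmentation picks the signature ID. The packet record layout, the helper names, the SWEEP_THRESHOLD value and the sample traffic are constructed assumptions.

```python
"""Added example (not part of the Cisco course material): a small detector that
applies the slides' definitions of a TCP port scan (one source, one destination,
many ports) and a TCP host sweep (one source, many destinations, one port), and
classifies each by TCP flags and fragmentation. The signature IDs come from the
slides; the record layout, SWEEP_THRESHOLD and the sample traffic are constructed."""
from collections import defaultdict

SWEEP_THRESHOLD = 5  # assumed: distinct targets needed before an alarm

# (flag class, fragmented) -> host sweep signature ID (3030-3037 on the slides)
HOST_SWEEP_IDS = {
    ("SYN", False): 3030, ("SYN", True): 3031,
    ("FIN", False): 3032, ("FIN", True): 3033,
    ("NULL", False): 3034, ("NULL", True): 3035,
    ("SYN/FIN", False): 3036, ("SYN/FIN", True): 3037,
}
# Port sweep IDs whose slide definition is "to any ports"; the ones that
# depend on a port range are left out here
PORT_SWEEP_IDS = {
    ("SYN", False): 3002, ("SYN", True): 3003,
    ("SYN/FIN", False): 3020, ("SYN/FIN", True): 3021,
}


def flag_class(flags):
    """Map a set of TCP flag names to the scan classes used on the slides,
    or None for ordinary traffic (for example ACK segments of a live session)."""
    f = set(flags)
    if f == {"SYN"}:
        return "SYN"
    if f == {"FIN"}:
        return "FIN"
    if f == {"SYN", "FIN"}:
        return "SYN/FIN"
    if not f & {"SYN", "FIN", "ACK", "RST"}:
        return "NULL"  # none of SYN, FIN, ACK, RST set (PSH or URG alone qualifies)
    return None


def detect_sweeps(packets):
    """packets: iterable of dicts with keys src, dst, dport, flags, frag.
    Returns a sorted list of (signature_id, source_address) alarms."""
    groups = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for p in packets:
        cls = flag_class(p["flags"])
        if cls is None:
            continue
        g = groups[(p["src"], cls, p["frag"])]
        g["dsts"].add(p["dst"])
        g["ports"].add(p["dport"])
    alarms = []
    for (src, cls, frag), g in groups.items():
        if len(g["ports"]) == 1 and len(g["dsts"]) >= SWEEP_THRESHOLD:
            alarms.append((HOST_SWEEP_IDS[(cls, frag)], src))     # host sweep
        elif len(g["dsts"]) == 1 and len(g["ports"]) >= SWEEP_THRESHOLD:
            sig = PORT_SWEEP_IDS.get((cls, frag))                  # port scan
            if sig is not None:
                alarms.append((sig, src))
    return sorted(alarms)


def pkt(src, dst, dport, flags, frag=False):
    return {"src": src, "dst": dst, "dport": dport, "flags": flags, "frag": frag}


# Constructed sample traffic (not a capture)
SAMPLE = (
    # unfragmented SYNs to port 22 on six hosts -> 3030 SYN host sweep
    [pkt("10.1.1.5", "10.1.2.%d" % i, 22, ["SYN"]) for i in range(1, 7)]
    # fragmented SYN/FINs to six ports on one host -> 3021 Frag SYN/FIN port sweep
    + [pkt("10.1.1.9", "10.1.2.20", 20 + i, ["SYN", "FIN"], frag=True) for i in range(6)]
    # PSH-only probes to port 80 on five hosts -> 3034 NULL host sweep
    + [pkt("10.1.1.7", "10.1.3.%d" % i, 80, ["PSH"]) for i in range(5)]
    # an established session: ACK/PSH segments from one client to one server
    + [pkt("10.1.1.2", "10.1.2.1", 443, ["ACK", "PSH"])] * 10
)
```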

Mail
TCP port 25
Attacks include
– Reconnaissance
– Access
– DoS
(Diagram: IP header and TCP header with Dest Port=25 and Data...)

Mail Attack Signatures
3100 smail attack
3101 sendmail invalid recipient
3102 sendmail invalid sender
3103 sendmail reconnaissance
3104 Archaic sendmail attacks
3105 sendmail decode alias
3106 sendmail SPAM
3107 Majordomo exec bug
3108 MIME overflow bug
3109 Qmail Length Crash

File Transfer Protocol (FTP)
TCP port 21
Attacks include
– Reconnaissance
– Access
(Diagram: IP header and TCP header with Dest Port=21 and Data...)

FTP Attack Signatures
3150 FTP SITE command attempted
3151 FTP SYST command attempted
3152 FTP CWD ~root
3153 FTP Improper address specified
3154 FTP Improper port specified

Web
TCP port 80
Attacks include
– Access
– Informational
– DoS
(Diagram: IP header and TCP header with Dest Port=80 and Data...)

Legacy Web Attack Signatures
3200 phf attack
3201 General cgi-bin attack
url file requested
lnk file requested
bat file requested
3205 HTML file has .url link
3206 HTML file has .lnk link
3207 HTML file has .bat link
3208 campas attack
3209 glimpse server attack
3210 IIS View Source Bug
3211 IIS Hex View Source Bug
3212 NPH-TEST-CGI Bug
3213 TEST-CGI Bug
3214 IIS DOT DOT VIEW Bug
3215 IIS DOT DOT EXECUTE Bug
3216 IIS DOT DOT DENIAL Bug

Legacy Web Attack Signatures (cont.)
3217 php view file Bug
3218 SGI wrap bug
3219 php buffer overflow
3220 IIS Long URL Crash
3221 View Source CGI Bug
3222 MLOG/MYLOG CGI Bug
3223 Handler CGI Bug
3224 Webgais Bug
3225 WebSendmail Bug
3226 Webdist Bug
3227 Htmlscript Bug
3228 Performer Bug
3229 WebSite win-c-sample buffer overflow
3230 WebSite uploader
3231 Novell convert bug
3232 finger attempt
3233 Count Overflow

NetBIOS
TCP port 139
Attacks include
– Reconnaissance
– Access
– DoS
(Diagram: IP header and TCP header with Dest Port=139 and Data...)

NetBIOS Attack Signatures
3300 NETBIOS OOB data
3301 NETBIOS Stat
3302 NETBIOS Session Setup Failure
3303 Windows Guest login
3304 Windows Null Account Name
3305 Windows Password File Access
3306 Windows Registry Access
3307 Windows RedButton

SYN Flood and TCP Hijack Signatures
3050 Half-Open SYN attack: DoS, SYN flood attack; ports 21, 23, 25, and
TCP Hijacking: Access, attempt to take over a TCP session
3251 TCP Hijacking Simplex Mode: one command followed by RST

Application Exploit Signatures
3400 Sun Kill Telnet DoS: port
Finger Bomb: port
rlogin -froot: port
Imap Authenticate Overflow: port
Imap Login Overflow: port
Pop Overflow: port 110

Application Exploit Signatures (cont.)
3575 Inn Overflow: port
Inn Control Message: port
IOS Telnet buffer overflow: port
IOS Command History Exploit: port
Cisco IOS Identity: port 1999

UDP Signatures

UDP Signatures
(Diagram: protocol stack with the UDP and Application layers highlighted)
– UDP Traffic Records
– UDP Port Scan
– UDP Attacks
– UDP Applications

UDP Traffic Records
4000 UDP Traffic Records
– Triggers on all UDP service accesses
– Subsignature ID is the port number
– 25 subsignatures: 24 predefined UDP ports + port 0 (catch-all)
– User-defined ports may be added
– Mostly used for tracking or forensics
– Subsignature 69 (tftp) is severity 3
– All other subsignatures are severity 1

UDP Port Scan Signature
4001 UDP port scan: one host searches for multiple UDP services on a single host.
(Diagram: IP header and UDP header fields Source Port, Dest Port, Length, Checksum, Data...)

UDP Attack Signatures
4002 UDP flood: many UDP packets to the same host
4050 UDP Bomb: UDP length < IP length
4051 Snork: Src=135, 7, or 19; Dest=
Chargen DoS: Src=7 & Dest=19
(Diagram: IP header and UDP header fields Source Port, Dest Port, Length, Checksum, Data...)

UDP Application Signatures
4053 Back Orifice: port
Tftp passwd file attempt: port
Ascend Kill: Ascend router exploit
4600 IOS UDP bomb: port 514
(Diagram: IP header and UDP header fields Source Port, Dest Port, Length, Checksum, Data...)

Web Signatures

HTTP Signatures
TCP port 80
Attacks include
– Access
– Informational
– DoS
(Diagram: IP header and TCP header with Dest Port=80 and Data...)

HTTP Signatures
5034 WWW IIS newdsn Attack
5036 WWW Windows Password File Access Attempt
5038 WWW wwwsql file read bug
5042 WWW CGI Valid Shell Access
5043 WWW Cold Fusion Attack
5047 WWW Server Side Include POST Attack
5049 WWW IIS showcode.asp Access
5050 WWW IIS .htr Overflow Attack
5051 WWW Double Byte Code Page
5052 FrontPage Extensions PWD Open Attempt
5053 FrontPage _vti_bin Directory List Attempt
5055 HTTP Basic Authentication OverFlow
5070 WWW msadcs.dll Access
5071 WWW msadcs.dll Attack
5075 WWW IIS Virtualized UNC Bug
5078 WWW Piranha passwd Attack

HTTP Signatures (cont.)
5081 WWW WinNT cmd.exe
5085 WWW IIS Source Fragment Access
5087 WWW Sun Java Server Access
5090 WWW FrontPage htimage.exe Access
5091 WWW Cart32 Remote Admin Access
5097 WWW FrontPage MS-DOS Device Attack
5103 WWW Suse Apache CGI Source Attack
5107 WWW Mandrake Linux/perl Access
5108 WWW Netegrity SiteMinder Access
5111 WWW Solaris Answerbook 2 Access
5112 WWW Solaris Answerbook 2 Attack
5114 WWW IIS Unicode Attack

Cross-Protocol Signatures

6000 Series: Cross-Protocol Signatures
(Diagram: protocol stack Application / TCP, UDP / IP / Data Link / Physical)
– SATAN Attacks
– DNS Attacks
– RPC Attacks
– Ident Attacks
– Authorization Failures
– Loki Attack
– DoS

SATAN Attack Signatures
The network vulnerability scanner SATAN is used for scanning services and vulnerabilities.
6001 Normal SATAN probe: port sweep pattern produced by SATAN running in normal mode
6002 Heavy SATAN probe: port sweep pattern produced by SATAN running in heavy mode; 6001 also triggers

DNS Attack Signatures
UDP port 53; attacks include reconnaissance
6050 DNS HINFO Request: potential reconnaissance
6051 DNS Zone Transfer Request: potential reconnaissance
6052 DNS Zone Transfer from other port
– Different port than the DNS request for all records
– All records requested, not just one zone

RPC Services
Applications do not use well-known ports.
Use portmapper
– Registers applications
– TCP/UDP port 111
Attacks include
– Reconnaissance
– Access
– DoS
(Diagram: CLIENT sends GET PORT # to SERVER, SERVER replies USE PORT #, CLIENT then sends NFS REQUEST; ports shown are 2488 and 2049)

RPC Attack Signatures
6100 RPC port registration: remotely registering a service that is not running
6101 RPC port unregistration: remotely unregistering a running service
6102 RPC dump: rpcinfo -p
6103 Proxied RPC request: bypasses RPC authentication

RPC Attack Signatures (cont.)
RPC Port Sweeps
– Request service on many ports on the same host
– Stealth reconnaissance
6110 RSTATD
6111 RUSERSD
6112 NFS
6113 MOUNTD
6114 YPPASSWD
6115 SELECTION SVC
6116 REXD
6117 STATUS
6118 TTDB

RPC Attack Signatures (cont.)
Portmapper Requests
– Requests for services known to be exploited
– In most cases these services should not be used
– If they are needed, filter the signatures
6150 ypserv
6151 ypbind
6152 yppasswd
6153 ypupdated
6154 ypxfrd
6155 mountd
6175 rexd

RPC Attack Signatures (cont.)
6180 rexd attempt: accessing rexd
– Allows remotely running commands
– Should not be allowed
– Unknown to some administrators
RPC services with buffer overflow vulnerabilities:
6190 statd
6191 ttdb
6192 mountd
6193 cmsd
6194 sadmind
6195 amd

Ident Attack Signatures
Ident is a protocol to prevent hostname, address, and username spoofing. TCP port
Ident buffer overflow: IDENT reply too large
6201 Ident newline: IDENT reply with newline plus more data
6202 Ident improper request: IDENT request too long or non-existent ports

Authorization Failure Signatures
Three failed attempts to log in
6250 FTP
6251 Telnet
6252 Rlogin
6253 POP3
6255 SMB

Loki Attack Signatures
Loki is a tool used to hide hacker traffic inside an ICMP tunnel. It requires root access.
Loki ICMP tunnel: original Loki, Phrack issue
Modified Loki ICMP tunneling: modified Loki version

DDoS Signatures
6501 TFN client request
6502 TFN server reply
6503 Stacheldraht client request
6504 Stacheldraht server reply
6505 Trinoo client request
6506 Trinoo server reply
6507 TFN2K DDoS control traffic
6508 mstream DDoS control traffic

String Match Signatures

String Match Signatures
– Custom string matches
– TCP applications
(Diagram: protocol stack with the TCP and Application layers highlighted)

String Matches
User-defined string matches for TCP ports are used for
– Custom attack signatures
– Security policy enforcement
Definable options
– Port
– Direction
– Number of occurrences
– String

Custom String Match Signatures
The SubSignature ID identifies each specific match and is assigned automatically.
The string is defined using regular expressions.
Example string settings:
String            ID    Port  Direction  Occur
[/]etc[/]shadow   2302  23    To         1

TCP Application Signatures
TCP application signatures are attacks against various TCP applications. They are implemented here as an example of regular expression formats.
Attack                   ID    Application  String
Capture password file    2101  FTP          RETR passwd
loadmodule Attack        2301  Telnet       IFS=/
                               Rlogin       IFS=/"
Planting .rhosts         2303  Telnet       + +
                               Rlogin       + +
Accessing shadow passwd  2302  Telnet       /etc/shadow
                               Rlogin       /etc/shadow
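How the definable options from the two string-match slides (port, direction, number of occurrences, regular expression) combine into a match decision, as an added example that is not part of the Cisco course: the table reuses the strings and IDs 2101, 2301, 2302 and 2303 shown above, with Telnet on port 23 and rlogin on port 513 as the traffic-record slide lists them. The direction names "To"/"From", the occurrence-threshold entry 9001, the function names and the session data are constructed assumptions.

```python
"""Added example (not from the Cisco course): evaluating user-defined string
match signatures with the definable options the slides list (port, direction,
number of occurrences, regular expression string). The strings, ports and IDs
2101/2301/2302/2303 are taken from the slides; the direction names, the 9001
entry, the function names and the sessions are constructed."""
import re

# (SubSignature ID, port, direction, occurrences, regex)
# "To" = data sent to the service port, "From" = data sent back by the service
STRING_SIGNATURES = [
    (2101, 21, "To", 1, r"RETR passwd"),        # capture password file (FTP)
    (2301, 23, "To", 1, r"IFS=/"),              # loadmodule attack (Telnet)
    (2301, 513, "To", 1, r"IFS=/"),             # loadmodule attack (Rlogin)
    (2302, 23, "To", 1, r"[/]etc[/]shadow"),    # accessing shadow passwd (Telnet)
    (2302, 513, "To", 1, r"[/]etc[/]shadow"),   # accessing shadow passwd (Rlogin)
    (2303, 23, "To", 1, r"\+ \+"),              # planting .rhosts (Telnet)
    (2303, 513, "To", 1, r"\+ \+"),             # planting .rhosts (Rlogin)
    # constructed policy entry: three "Login incorrect" banners in one session
    (9001, 23, "From", 3, r"Login incorrect"),
]
COMPILED = [(sid, port, d, n, re.compile(rx)) for sid, port, d, n, rx in STRING_SIGNATURES]


def match_session(session):
    """session: {"dport": int, "chunks": [(direction, payload), ...]}.
    Counts regex hits per signature over the whole session and returns the
    sorted SubSignature IDs whose occurrence threshold was reached."""
    fired = set()
    for sid, port, sig_dir, needed, rx in COMPILED:
        if port != session["dport"]:
            continue  # the Port option restricts the match to one service
        hits = sum(len(rx.findall(payload))
                   for direction, payload in session["chunks"]
                   if direction == sig_dir)  # the Direction option
        if hits >= needed:                     # the Occurrences option
            fired.add(sid)
    return sorted(fired)


# Constructed sessions (not captured traffic)
TELNET_SHADOW = {"dport": 23, "chunks": [
    ("To", "alice\r\n"), ("From", "Password: "), ("To", "cat /etc/shadow\r\n")]}
FTP_PASSWD = {"dport": 21, "chunks": [
    ("To", "USER anonymous\r\n"), ("To", "RETR passwd\r\n"),
    ("From", "550 Permission denied\r\n")]}
RLOGIN_RHOSTS = {"dport": 513, "chunks": [("To", "echo '+ +' > ~/.rhosts\r\n")]}
# the string appears only in the server's reply, so direction "To" does not match
TELNET_BENIGN = {"dport": 23, "chunks": [
    ("From", "/etc/shadow: Permission denied\r\n"), ("To", "ls /etc\r\n")]}
TELNET_FAILED_LOGINS = {"dport": 23, "chunks": [("From", "Login incorrect\r\n")] * 3}
```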

ACL Policy Violation Signatures

Syslog Series: Policy Violation Signatures
– ACL violation records
– You can generate alarms from Cisco router ACL violations
– Repackages syslog messages from routers

Summary

Summary
– Each signature can generate a unique alarm and response.
– Context signatures are triggered by information in the packet header.
– Content signatures are triggered by information in the packet payload.
– Atomic signatures are triggered by information in a single packet.

Summary (cont.)
– Composite signatures are triggered by information in multiple packets.
– Reconnaissance signatures are triggered by attempts to discover systems, services, or vulnerabilities.
– Access signatures are triggered by unauthorized attempts to retrieve data, access systems, or escalate privileges.
– DoS signatures are triggered by attempts to disable networks, systems, or services.

Summary (cont.)
– Informational signatures collect information to help determine the validity of an attack, or for forensics.
– Signature series generally group protocol-related signatures under a single category.
– The default signature severities are:
  – Low (1) indicates informational activity
  – Medium (3) indicates marginal attack activity
  – High (5) indicates severe attack activity