Cisco IDS Attack Signatures

Sep 11, 2009 by alperen


The most recent Cisco IOS Firewall IDS (as of this writing) uses 59 attack signatures, representing a broad cross section of intrusion-detection signatures that identify severe breaches of security, the most common network attacks, and information-gathering scans. Unlike antivirus signatures, these IDS signatures are not refreshed on a schedule: the signature set changes only when an IOS version upgrade adds or removes signatures, so a router can only ever detect the attacks known to the IOS image it is running. The Cisco IOS Firewall IDS signatures are categorized into four types:

  • Info Atomic

  • Info Compound

  • Attack Atomic

  • Attack Compound

To understand these categories better, the signature keywords are as follows:

  • Info: Information-gathering activity, such as a port sweep.

  • Attack: Attacks attempted into the protected network, such as denial of service (DoS) attempts or the execution of illegal commands during an FTP session.

  • Atomic: Simple patterns that can be matched in a single packet, such as an attempt to access a specific port on a specific host.

  • Compound: Complex patterns that require state across packets, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

A small sample of the 59 signatures is shown in the following table.

Sig ID  Signature Name                      Sig Type
------------------------------------------------------------
1100    IP Fragment Attack                  Attack, Atomic
        Triggers when any IP datagram is received with the More Fragments (MF) flag set to 1 or with a non-zero value in the fragment offset field.

2003    ICMP Redirect                       Info, Atomic
        Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect).

2154    Ping of Death Attack                Attack, Atomic
        Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set (that is, MF is clear), and (IP offset * 8) + (IP data length) > 65535. In other words, the fragment offset plus the rest of the packet is greater than the maximum size of an IP packet, so reassembly would overflow.

3050    Half-open SYN Attack/SYN Flood      Attack, Compound
        Triggers when multiple TCP sessions have been improperly initiated (a SYN sent but the handshake never completed) on any of several well-known service ports. Detection for this signature is currently limited to FTP, Telnet, HTTP, and e-mail servers (TCP ports 21, 23, 80, and 25, respectively).
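To make the atomic/compound distinction concrete, the following is an added example (written for this article, not Cisco's detection engine) that re-implements the four signatures in the table over raw IPv4 packets. The three atomic signatures are decided from a single packet; 3050 needs a tracker that keeps state across packets. The packet builders, the half-open threshold (Cisco does not publish it here) and the sample traffic are constructed for the demonstration.

```python
"""Illustrative re-implementation of Cisco IOS Firewall IDS signatures
1100, 2003, 2154 and 3050 over raw IPv4 packets.  Example code added to the
article, not Cisco's code; builders, threshold and sample packets are
constructed for the demo."""
import struct
from collections import defaultdict

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_REDIRECT = 5                  # ICMP type value for Redirect
TCP_SYN, TCP_ACK = 0x02, 0x10
WATCHED_PORTS = {21, 23, 25, 80}   # FTP, Telnet, SMTP, HTTP as in sig 3050
HALF_OPEN_THRESHOLD = 3            # assumed value; not documented on the page


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 header fields the four signatures look at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "mf": bool(frag & 0x2000),     # More Fragments flag
        "offset": frag & 0x1FFF,       # fragment offset, in 8-byte units
        "proto": proto,
        "src": src, "dst": dst,
        "data_len": max(total_len - ihl, 0),
        "payload": pkt[ihl:],
    }


def match_atomic(pkt: bytes) -> list:
    """Return the atomic signature IDs (1100, 2003, 2154) one packet triggers."""
    ip = parse_ipv4(pkt)
    hits = []
    # 1100 IP Fragment Attack: MF set or a non-zero fragment offset.
    if ip["mf"] or ip["offset"]:
        hits.append(1100)
    if ip["proto"] == IPPROTO_ICMP:
        # 2003 ICMP Redirect: only the first fragment carries the ICMP type byte.
        if ip["offset"] == 0 and ip["payload"][:1] == bytes([ICMP_REDIRECT]):
            hits.append(2003)
        # 2154 Ping of Death: last fragment (MF clear) whose reassembled end,
        # offset*8 + data length, exceeds the 65535-byte IP maximum.
        if not ip["mf"] and ip["offset"] * 8 + ip["data_len"] > 65535:
            hits.append(2154)
    return hits


class HalfOpenTracker:
    """Stateful check for 3050: count SYNs to watched ports that are never
    followed by the client's handshake-completing ACK, per (src, dst, dport)."""

    def __init__(self, threshold: int = HALF_OPEN_THRESHOLD):
        self.threshold = threshold
        self.pending = defaultdict(set)   # (src, dst, dport) -> {client ports}

    def observe(self, pkt: bytes) -> bool:
        """Feed one packet; True once the half-open count reaches the threshold."""
        ip = parse_ipv4(pkt)
        if ip["proto"] != IPPROTO_TCP or ip["offset"] or len(ip["payload"]) < 14:
            return False
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", ip["payload"][:14])
        if dport not in WATCHED_PORTS:
            return False
        key = (ip["src"], ip["dst"], dport)
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.pending[key].add(sport)        # new half-open attempt
        elif flags & TCP_ACK:
            self.pending[key].discard(sport)    # third step of the handshake
        return len(self.pending[key]) >= self.threshold


# --- constructed packets for the demo (checksums left zero; not validated) ---
def build_ipv4(proto, payload, mf=False, offset=0,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                      64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, flags) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def demo() -> dict:
    """Run each signature against a constructed packet and return the verdicts."""
    frag = build_ipv4(IPPROTO_TCP, b"\x00" * 8, mf=True)
    redirect = build_ipv4(IPPROTO_ICMP, bytes([ICMP_REDIRECT, 1]) + b"\x00" * 6)
    # last fragment at offset 8189*8 = 65512 carrying 32 bytes -> 65544 > 65535
    pod = build_ipv4(IPPROTO_ICMP, b"\x00" * 32, offset=8189)
    benign = build_ipv4(IPPROTO_TCP, build_tcp(40000, 443, TCP_SYN))
    tracker = HalfOpenTracker()
    flood = [tracker.observe(build_ipv4(IPPROTO_TCP, build_tcp(40000 + i, 80, TCP_SYN)))
             for i in range(3)]
    return {"1100": match_atomic(frag), "2003": match_atomic(redirect),
            "2154": match_atomic(pod), "benign": match_atomic(benign), "3050": flood}


if __name__ == "__main__":
    print(demo())
```

Note that the Ping of Death fragment also fires 1100, which is what the router does as well: an atomic signature matches whatever it sees, and it is the audit rule's action, not the signature, that decides whether a hit is alarmed, dropped or reset.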

For a complete listing and more information on IDS signatures, go to http://www.ciscoarticles.com and search for "Cisco IOS Firewall IDS Signature List".

False Positives

The signatures integrated into the IOS software monitor for severe breaches of security; they watch for data flows you would not normally expect to see in an operating network. A false positive is an erroneous report from an IDS indicating that it detected a potentially malicious pattern: the traffic appears to match a signature but is, in fact, a valid and acceptable transmission. Any intrusion-detection technology can and does report false positives. This can be looked at as erring on the side of caution, but when the audit action is drop or reset rather than alarm, a false positive blocks necessary traffic.

The IOS-based intrusion-detection features were developed with flexibility in mind, so an individual signature can be disabled when it produces false positives.
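As an added example (not configuration from the original article), the IOS 12.x `ip audit` commands below show the two ways to deal with a false positive: disabling a signature outright, or keeping it active while exempting specific hosts through a standard access list, where, as Cisco documents the `list` option, the addresses the ACL denies are excluded from that signature. The audit rule name PERIMETER, ACL 90, the 10.1.1.0/24 network and interface Serial0/0 are assumptions for the illustration.

```cisco
! Send alarms to syslog (ip audit notify nr-director is the alternative)
ip audit notify log
! Signature 2003 (ICMP Redirect) is noisy on this network: disable it entirely
ip audit signature 2003 disable
! Keep 1100 (IP Fragment) active but exempt the hosts that ACL 90 denies,
! e.g. an internal subnet that legitimately sends fragmented traffic (assumed)
ip audit signature 1100 list 90
access-list 90 deny   10.1.1.0 0.0.0.255
access-list 90 permit any
! One audit rule: info signatures only alarm, attack signatures alarm+drop+reset
ip audit name PERIMETER info action alarm
ip audit name PERIMETER attack action alarm drop reset
! Apply the rule inbound on the untrusted interface
interface Serial0/0
 ip audit PERIMETER in
```

After applying this, `show ip audit configuration` confirms which signatures are disabled or bound to an ACL, and `show ip audit statistics` shows per-signature hit counts, which is the quickest way to spot a signature that is firing far more often than the traffic justifies.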
